CC1.5 — Holds individuals accountable for internal control responsibilities
Status: Implemented
Owner: Agent #38 (Senior Compliance Lead, SOC 2 + ISO 27001)
Last reviewed: 2026-05-28
Next review: 2026-08-28
Trust Services Criteria reference
The entity holds individuals accountable for their internal control responsibilities in the pursuit of objectives. The control covers performance-objectives traceability, evaluation of performance, corrective action when objectives are missed, and the consequences (positive and negative) tied to the evaluation.
How ZeroAuth meets this control
Accountability is encoded into the commit trail. Every commit subject is required to reference the pain-point ID and (where applicable) the audit-finding ID it closes — the rule lives in docs/plan/bfsi-v1/06-ways-of-working.md "Definition of Done (per commit)": "Commit body explains the why; references audit-finding / pain-point ID where applicable." This means an auditor querying "who closed audit finding C-4 (audit-events tamper-evidence)?" can run a single git log --grep="C-4" and see commits a475ed8, d634b2d, and c09c081 with the corresponding agent authorship.
The Definition of Done is multi-gate. A commit only counts as done when (1) tsc --noEmit is clean, (2) eslint . is clean, (3) staged-file tests pass, (4) the secret + biometric + ADR scans are clean (per 06-ways-of-working.md "Commit-time gates"), and (5) the sub-agent review (security-reviewer or cryptographer-reviewer, scoped per "Sub-agent rules") has posted APPROVE. The pre-commit hook (per C-001) blocks --no-verify overrides; CI mirrors the gate and rejects merges that fail any of them. This is technical accountability — the agent who tries to push around the rules trips the gate.
Per-agent ticket-tracking gives positional accountability. docs/plan/bfsi-v1/05-agents.md and the daily docs/plan/bfsi-v1/agents/agent-<NN>-*.md files name an owner per ticket. The ticket has a "Done when:" condition and a "Verify:" condition. Friday status posts (per 06-ways-of-working.md "Weekly cadence") are read by all line VPs and the CEO; a missed ticket is visible the same week to the entire leadership layer. The line VP's 24-hour escalation window for "ticket not Ready" (per 06-ways-of-working.md "Definition of Ready") is the corrective-action trigger.
Phase exit gates are the consequence layer. Phase 0 closes when 21 audit findings are at the target status; Phase 1 closes when the bank demo runs end-to-end without intervention; Phase 2 closes when the SOC 2 Type I report is delivered. A role that has not delivered against their KPI block (per 03-team.md) does not earn a green at the gate review — the founder + CCO + business owner sign-off (the three-way review encoded in 06-ways-of-working.md "Monthly cadence") is the formal accountability moment.
The sub-agent APPROVE/REQUEST_CHANGES model is the in-cycle accountability that prevents accumulation. The cryptographer-reviewer reading the threat model at session start (per docs/threat_model.md opening note) and posting REQUEST_CHANGES on a PR that does not address an A-NN row creates an immediate, traceable record of the gap. The author cannot merge until the reviewer is satisfied; the merge metadata captures the reviewer's identity.
Closed audit findings are tracked perpetually. docs/security/audit-findings.md carries every Phase 0 finding with status + closing commit. Reopening a closed finding (regression) trips the closed-finding regression guard (tests/security/regression.spec.ts, scheduled to land C-023 / sprint 2 per the audit-findings doc). The current 5 closed P0 findings — C-1 (commit 02e1734), C-3 (ee6aad4), C-7 (e98d158), C-4 (commits 5e3b79d + a475ed8 + d634b2d), C-8 (c09c081) — are the evidence pool.
Evidence references
- docs/plan/bfsi-v1/06-ways-of-working.md "Definition of Done (per commit)" — multi-gate accountability per commit.
- docs/plan/bfsi-v1/06-ways-of-working.md "Commit-time gates" — automated technical gate enforcement.
- docs/plan/bfsi-v1/04-commits.md — every commit indexed by ID with owning role.
- docs/plan/bfsi-v1/05-agents.md — per-agent week-by-week tickets with Done-when conditions.
- docs/security/audit-findings.md — closed findings with closing commit hashes.
- Commit 02e1734 — closure of audit finding C-1 (demo bypass), authored by Agent #6.
- Commit e98d158 — closure of audit finding C-7 (circuit-key drift), authored by Agent #6.
- Commit a475ed8 — closure of audit finding C-4 (audit hash chain), authored by Agent #8.
- ADR 0011-branching-workflow.md (commit 51bc705) — PR + CI + sub-agent review gates.
- .claude/agents/security-reviewer.md, .claude/agents/cryptographer-reviewer.md — sub-agents that backstop accountability.
Open gaps + remediation roadmap
- Closed-finding regression suite — tests/security/regression.spec.ts lands C-023 in sprint 2 per audit-findings.md "Closed-finding regression guard". Target week 6 (2026-07-06).
- Quarterly performance evaluation rubric — first cycle target week 26 (2026-11-09), per compliance-roadmap-v1.md §3.2.
- Disciplinary policy for repeated CI bypass — pre-commit --no-verify is forbidden; needs an HR-aligned consequence policy. Target week 22 (2026-10-12).
Test or audit query
git log --grep="C-4" --oneline lists every commit that touched audit finding C-4 by abbreviated SHA and subject (the full git log output carries the author); the same idiom works for any closed P0/P1 finding. Cross-check with the closing commit column in docs/security/audit-findings.md.
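The cross-check described above, as an added example that is not part of ZeroAuth's tooling: it builds a throwaway repository with constructed commit subjects and a constructed findings table, runs the git log --grep query, and diffs the two sides. The finding IDs, commit subjects and the file audit-findings.tsv are all constructed here; the TSV only stands in for the closing-commit column of docs/security/audit-findings.md.

```shell
#!/bin/sh
# Added example (not ZeroAuth's own tooling): build a throwaway repo whose commit
# subjects reference constructed audit-finding IDs, run the page's git log --grep
# audit query, and cross-check it against a constructed stand-in for the
# closing-commit column of docs/security/audit-findings.md.
set -e
WORK=$(mktemp -d)
cd "$WORK"
git init -q repo
cd repo
git config user.email "agent@example.invalid"
git config user.name "Agent #8 (constructed)"

# Append a line to a tracked file, commit with the given subject, print the short SHA.
commit_with() {
  echo "$1" >> log.txt
  git add log.txt
  git -c commit.gpgsign=false commit -q -m "$1"
  git rev-parse --short HEAD
}
# Constructed history: two commits close C-4, one closes C-7, one references C-41
# (a different finding that a bare --grep="C-4" would also match), one is unrelated.
C4A=$(commit_with "audit-events: append-only hash chain (closes C-4)")
C7A=$(commit_with "circuit-key: pin verifier key hash (closes C-7)")
C4B=$(commit_with "audit-events: chain verification endpoint (C-4 follow-up)")
commit_with "kms: rotate data key (closes C-41)" >/dev/null
commit_with "docs: fix typo" >/dev/null

# Stand-in for the closing-commit column: finding ID, TAB, space-separated short SHAs.
printf 'C-4\t%s %s\nC-7\t%s\n' "$C4A" "$C4B" "$C7A" > audit-findings.tsv

# The page's audit query, anchored (ERE via -E) so C-4 does not also match C-41.
commits_for_finding() {
  git log -E --grep="$1"'([^0-9]|$)' --format=%h | sort
}
# Closing commits the findings table claims for a finding.
table_commits_for_finding() {
  awk -F'\t' -v f="$1" '$1 == f { print $2 }' audit-findings.tsv | tr ' ' '\n' | sort
}
# Cross-check both directions: every table commit is in git history for the finding
# and every commit git finds is in the table. Prints OK or MISMATCH.
cross_check() {
  commits_for_finding "$1" > "$WORK/git.$1"
  table_commits_for_finding "$1" > "$WORK/table.$1"
  if diff -q "$WORK/git.$1" "$WORK/table.$1" >/dev/null; then echo OK; else echo MISMATCH; fi
}

cross_check C-4   # OK
cross_check C-7   # OK
```

In the constructed history a bare --grep="C-4" also returns the C-41 commit, which is why the function anchors the pattern before comparing against the table.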