GrytLabs Research Institute
Research Report · WMI Thesis Series
Accountability & Enterprise Governance
How Ceremonial Conformity Exposes the Infrastructure Gap Between Governance Prescription and Governance Evidence
Cameisha Smith, CIA
ORCID 0009-0002-8178-8380
RR-004  v1.0  ·  Research 2026-01-21  ·  Published 2026-07-06
CC-BY 4.0  ·  DOI 10.5281/zenodo.20185174
Abstract
Enterprise governance frameworks — COSO, COBIT, the IIA Three Lines Model, TOGAF, and the Sarbanes-Oxley Act — represent decades of mature development in prescribing accountability relationships. Yet governance failures persist in organizations with fully implemented frameworks. This research sprint investigates whether the gap between governance design and governance outcomes is a problem of framework quality, organizational culture, or infrastructure. Across 25 sources spanning agency theory, stewardship theory, institutional theory, accountability theory, and enterprise governance practice, a convergent finding emerges: every major framework prescribes what accountability should look like without providing the mechanism to capture evidence that it actually occurs in operational decisions. Meyer and Rowan's ceremonial conformity — organizations adopting structures for legitimacy without operational implementation — explains the persistence of the gap. The resolution is architectural: embedding governance documentation in governance activity so that decoupling becomes structurally difficult. The sprint synthesizes Bovens, Schedler, Mulgan, and Grant and Keohane into comprehensive accountability requirements that only structural decision infrastructure can satisfy, and establishes the governance theory foundation for the infrastructure arguments developed in adjacent sprints on provenance, AI governance, and organizational memory.

"Institutionalized organizations must not only conform to myths but must also maintain the appearance of evaluation and inspection."

— Meyer & Rowan (1977), *American Journal of Sociology*

Contents
§1Query Objective
§2Executive Summary
§3Literature Review
§4Scope + Limitations
§5Research Synthesis
§6Open Questions
§7Citations & Provenance
Cite As & Publication Notice

§1Query Objective

The Inquiry: Enterprise governance frameworks (COSO, COBIT, Three Lines Model, TOGAF, SOX) represent decades of mature development in defining accountability relationships — who is accountable to whom, for what, and through what mechanisms. Yet governance failures persist in organizations with fully implemented frameworks. Is the gap between governance design and governance outcomes a problem of framework quality (better frameworks needed), organizational culture (better values needed), or infrastructure (the mechanism to capture evidence that governance actually occurs in operational decisions is structurally absent)?

Falsifiable formulation: If any existing governance framework provides not just the prescription for accountability relationships but the operational infrastructure to capture evidence that those relationships are actually exercised in daily decisions — making governance evidence a structural by-product of decision-making rather than a separate documentation task — then the infrastructure gap claimed here does not exist.

§2Executive Summary

The framework-infrastructure gap is the accountability version of the "requirements without infrastructure" meta-pattern

Prior sprints identified this pattern across provenance, design rationale, institutional memory, process mining, AI accountability, and audit compliance. This sprint confirms it in enterprise governance: COSO, COBIT, Three Lines Model, TOGAF, and SOX all prescribe what accountability should look like without providing the infrastructure to capture evidence that it actually occurs. The pattern is now validated across three independent domains (data provenance, AI governance, enterprise governance), strengthening the conclusion that it is structural.

Ceremonial conformity is the deepest governance challenge — and it requires an architectural, not cultural, resolution

Meyer & Rowan's (1977) insight — that organizations adopt formal structures for legitimacy without operational implementation — explains why governance frameworks can coexist with governance failures. Enron had COSO-compliant controls. WorldCom had experienced directors. The frameworks were "present" but not "functioning" (COSO's own distinction). DiMaggio & Powell explain why this spreads: coercive isomorphism drives adoption through regulation; mimetic isomorphism drives adoption through imitation; normative isomorphism drives adoption through professional standards. All three mechanisms drive framework adoption without ensuring operational implementation.

The resolution is architectural: when governance documentation is embedded in the governance activity (not a separate compliance task), decoupling becomes structurally difficult. Organizations cannot maintain governance on paper without practicing it because the paper is the practice.

Figure 1Five enterprise governance frameworks share a common infrastructure gap: each prescribes accountability relationships without providing the mechanism to capture evidence that they are exercised in operational decisions
Figure 1. Five enterprise governance frameworks share a common infrastructure gap: each prescribes accountability relationships without providing the mechanism to capture evidence that they are exercised in operational decisions.
Agency and stewardship theories require dual-use governance infrastructure

Most organizations need both monitoring (agency) and empowerment (stewardship). No governance infrastructure framework in the literature addresses how to serve both through common infrastructure. Decision records naturally serve both: in agency contexts, they provide monitoring evidence; in stewardship contexts, they preserve professional judgment and expertise. This dual-use property is architecturally significant — organizations don't need separate systems for accountability and knowledge management.

Figure 2Decision records serve dual governance functions: monitoring evidence in agency contexts and knowledge preservation in stewardship contexts — eliminating the need for parallel systems
Figure 2. Decision records serve dual governance functions: monitoring evidence in agency contexts and knowledge preservation in stewardship contexts — eliminating the need for parallel systems.
Bovens + Schedler + Mulgan + Grant & Keohane = comprehensive accountability requirements

The accountability theory literature converges on what infrastructure must provide: factual information (Bovens Phase 1), explanation (Phase 2), consequence evaluation (Phase 3), answerability + enforcement (Schedler), deterrence + evaluation + dialogue (Mulgan), and support for multiple accountability mechanisms simultaneously (Grant & Keohane). Decision records with documented intent, authority, evidence, and expected outcomes serve all of these requirements through a single infrastructure.

Figure 3Four accountability frameworks converge on requirements that structural decision infrastructure satisfies: factual information, explanation, consequence evaluation, answerability, enforcement, and multi-mechanism support
Figure 3. Four accountability frameworks converge on requirements that structural decision infrastructure satisfies: factual information, explanation, consequence evaluation, answerability, enforcement, and multi-mechanism support.

§3Literature Review

F1
Enterprise governance frameworks are mature in prescription but share a common infrastructure gap.
Type  convergent (multi-framework analysis)
Strength  expert consensus (established standards)

COSO's 2013 Internal Control Framework (five components, seventeen principles) and 2017 ERM update provide the globally dominant standard for governance design. COBIT 2019 defines forty governance and management objectives across five domains (EDM, APO, BAI, DSS, MEA). The IIA Three Lines Model (2020) reframes role differentiation from defensive posture to value creation. TOGAF provides architecture governance including architecture boards, compliance reviews, and architecture contracts. SOX (2002) creates legal accountability requirements (Section 302 CEO/CFO certification, Section 404 internal control assessment, Section 802 criminal penalties for document destruction). Despite this maturity, all frameworks share a structural limitation: they prescribe WHAT organizations should do without providing the infrastructure for HOW to capture evidence that it actually occurs in decisions. COSO distinguishes "present and functioning" from "operating effectively" — the most critical distinction in governance — but provides no mechanism for the evidence that bridges them.

F2
Principal-agent theory identifies information asymmetry as the fundamental governance challenge, but traditional responses address symptoms, not causes.
Type  theoretical (foundational economic theory)
Strength  theoretical argument (Jensen & Meckling: ~100,000 citations)

Jensen & Meckling (1976) formalized the agency problem in the Journal of Financial Economics (nearly 100,000 citations): when principals delegate to agents, information asymmetry creates space for divergent interests. Agency costs decompose into monitoring costs (principal observes agent), bonding costs (agent signals alignment), and residual loss (irreducible divergence). Eisenhardt (1989) extended the framework in Academy of Management Review: information is a purchasable commodity, and organizations choose between behavior-based and outcome-based governance depending on what's observable. Gailmard (2014) synthesized: no single accountability mechanism eliminates agency loss; effective governance requires combining ex-ante mechanisms (selection, contracting, structural design) with ex-post mechanisms (monitoring, evaluation, enforcement).

The critical gap: traditional agency responses — monitoring, incentive alignment, bonding — reduce information asymmetry at the margins but do not fundamentally restructure the information architecture. Decision lineage represents a structural reduction in information asymmetry: principals can see what agents intended, what authority they invoked, what evidence they considered, and what outcomes they expected.

F3
Stewardship theory provides an alternative assumption that governance infrastructure must accommodate simultaneously with agency theory.
Type  theoretical (organizational behavior theory)
Strength  theoretical argument

Davis, Schoorman & Donaldson (1997) proposed in Academy of Management Review that under certain conditions (professional environments, mission-driven organizations, strong-culture contexts), agents function as stewards whose interests naturally align with organizational objectives. Stewardship governance emphasizes empowerment and trust rather than monitoring and incentives. The critical insight for governance infrastructure: most organizations contain both agency and stewardship dynamics simultaneously. Some roles require monitoring (financial controllers); others benefit from empowerment (researchers, clinicians). Governance infrastructure must serve both — providing accountability evidence (agency function) and knowledge preservation (stewardship function) through the same mechanisms.

F4
Bovens' three-phase accountability framework defines what governance infrastructure must provide.
Type  theoretical (accountability framework)
Strength  theoretical argument (foundational in accountability studies)

Bovens (2007) defined accountability in European Law Journal as "a relationship between an actor and a forum, in which the actor has an obligation to explain and to justify his or her conduct, the forum can pose questions and pass judgment, and the actor may face consequences." Three phases: (1) Information — the actor provides factual information about conduct, (2) Explanation/Debate — the forum examines and engages in dialogue about reasoning, (3) Consequences — the forum evaluates and determines outcomes. Bovens (2010) distinguished accountability as virtue (personal quality) from accountability as mechanism (institutional structure). Governance infrastructure is an accountability mechanism — it enables accountability regardless of individual attitude.

Decision lineage directly serves all three phases: decision records provide the factual information (Phase 1), documented intent, authority, and evidence provide the basis for explanation (Phase 2), and documented expected outcomes provide the standard against which actual outcomes can be evaluated (Phase 3).

F5
Schedler's two dimensions (answerability + enforcement) reveal that answerability without enforcement is merely transparency.
Type  theoretical (definitional analysis)
Strength  theoretical argument

Schedler (1999) identified accountability as inherently two-dimensional: answerability (obligation to inform and justify) and enforcement (capacity to impose consequences). Answerability without enforcement is merely transparency — organizations report but face no consequences. Enforcement without answerability is authoritarianism. Genuine accountability requires both. Schedler further identifies overlapping accountability-adjacent concepts: surveillance, monitoring, oversight, control, and accountability proper. Decision lineage infrastructure supports the first three (surveillance, monitoring, oversight); integration with governance consequence systems enables the remaining two (control, accountability).

F6
Institutional theory explains why organizations adopt governance ceremonially without operational implementation.
Type  theoretical (institutional sociology)
Strength  theoretical argument (Meyer & Rowan: foundational; DiMaggio & Powell: 68,000+ citations)

Meyer & Rowan (1977) introduced "ceremonial conformity" in American Journal of Sociology: organizations adopt formal structures as "rational myths" that confer legitimacy regardless of operational effectiveness. Organizations "decouple" formal structures from actual operations — policies exist but aren't followed, committees meet but don't decide. DiMaggio & Powell (1983) explained how this spreads through three isomorphic mechanisms in American Sociological Review: coercive (regulatory pressure), mimetic (uncertainty-driven imitation), and normative (professional standards). Scott (2001) synthesized three institutional pillars: regulative (rules), normative (values), and cultural-cognitive (shared assumptions). For governance infrastructure to achieve institutional stability, it must be supported by all three pillars — legally required, professionally expected, and culturally assumed.

The ceremonial conformity problem is the deepest challenge for governance: organizations can adopt COSO frameworks for legitimacy without operationally implementing them. The resolution is architectural — embedding governance documentation in the governance activity itself so that decoupling becomes structurally difficult. When the documentation is the decision, organizations cannot easily maintain governance on paper without practicing it.

F7
IT governance research demonstrates that governance clarity outperforms governance design.
Type  empirical (250-enterprise study)
Strength  experimental (large-scale empirical)

Weill & Ross (2004) studied 250 enterprises at MIT CISR and found that governance is "not about making specific decisions — management does that — but rather determines who systematically makes and contributes to those decisions." Their key empirical finding: high-performing organizations tend toward clear, integrated governance rather than diffuse or anarchic arrangements. The critical variable is not who decides but clarity about who decides. Even imperfect governance that is clearly understood outperforms theoretically superior governance that is ambiguously implemented. Three governance mechanisms: decision structures (who has authority), alignment processes (decisions align with strategy), and communication approaches (decisions are announced and explained).

This finding validates the focus on decision infrastructure: the primary governance problem is not better decision rules but clearer decision documentation — who decided, under what authority, why, and with what expected outcome.

F8
Corporate governance theory traces to the separation of ownership and control, creating a structural need for decision transparency.
Type  theoretical (corporate governance theory)
Strength  theoretical argument (Berle & Means foundational; Cadbury established practice)

Berle & Means (1932) identified the foundational problem: in large corporations with dispersed shareholders, owners cannot directly control managerial decisions. The Cadbury Report (1992) established corporate governance principles including the "comply or explain" approach — organizations either follow standards or explain deviations. Useem & Zelleke (2006) found that boards increasingly treat delegation of authority "as a careful and self-conscious decision" with annual governance calendars and written protocols. This evolution validates the need for formal authority allocation infrastructure.

F9
The Three Lines Model defines role differentiation but cannot verify whether roles fulfill their functions without decision evidence.
Type  theoretical (governance framework analysis)
Strength  expert consensus (IIA standard)

The IIA's 2020 Three Lines Model reframes governance from defense to value creation, defining first-line (operations/risk management), second-line (oversight/expertise), and third-line (independent assurance) roles. The governing body delegates authority and defines risk appetite. Six principles govern: governance structures, governing body roles, management roles, third-line roles, third-line independence, and value creation alignment. The critical quote: "Because of internal audit's independence from management, the assurance it provides carries the highest degree of objectivity." This independence principle creates a governance requirement: decision lineage must be accessible to third-line assurance without first/second-line ability to alter records. Immutability is a governance requirement, not merely a technical feature. But role definition without decision documentation means whether roles actually fulfill their functions is unknowable without retrospective investigation.

F10
AI accountability extends governance challenges by introducing opacity, diffused responsibility, and regulatory lag.
Type  convergent (AI accountability literature)
Strength  meta-analytic (Wieringa: 242 articles reviewed)

Busuioc (2021) identified three AI-specific challenges in Public Administration Review: opacity (algorithmic decisions may be unexplainable), diffusion of responsibility (multiple actors share accountability), and regulatory lag (governance frameworks designed for human decision-making). Wieringa (2020) systematically reviewed 242 articles on algorithmic accountability at FAccT, finding lifecycle-based accountability across development, deployment, operation, and evaluation phases. These challenges extend principal-agent information asymmetry: with AI agents, even the principal (deploying organization) may not fully understand the agent's (AI system's) decision process.

F11
Multiple accountability theorists converge on the need for combined mechanisms rather than any single solution.
Type  convergent (multi-theorist synthesis)
Strength  theoretical argument

Mulgan (2003) identified three dimensions: external constraint (deterrence), retrospective judgment (evaluation), and social interaction (dialogue). He also identified the network accountability challenge — mechanisms designed for hierarchies work poorly in distributed governance. Grant & Keohane (2005) identified seven mechanisms: hierarchical, supervisory, fiscal, legal, market, peer, and public reputational. No single mechanism suffices. The convergence: effective accountability requires infrastructure that supports multiple mechanisms simultaneously — providing the common decision record that each mechanism can access for its specific accountability function.

§4Scope + Limitations

§5Research Synthesis

C1
Enterprise governance frameworks prescribe accountability without providing infrastructure to evidence it.
Confidence  strongly supported
Based on  F1, F7, F8, F9

COSO, COBIT, Three Lines, TOGAF, and SOX represent decades of mature framework development. All share a structural gap: they specify what governance should look like without providing the mechanism to capture evidence that it occurs in operational decisions. This is the accountability domain's instance of the "requirements without infrastructure" meta-pattern.

C2
The ceremonial conformity problem requires architectural, not cultural, resolution.
Confidence  strongly supported
Based on  F1, F6

Organizations adopt governance frameworks for legitimacy (Meyer & Rowan) without operational implementation. Isomorphic pressures (DiMaggio & Powell) drive adoption without ensuring effectiveness. The resolution is to embed governance documentation in governance activity so that decoupling becomes structurally difficult.

C3
Agency theory's information asymmetry is structurally addressable through decision transparency infrastructure.
Confidence  strongly supported
Based on  F2, F4, F5

Traditional agency responses (monitoring, incentives, bonding) reduce information asymmetry at the margins. Decision infrastructure that captures intent, authority, evidence, and expected outcomes fundamentally restructures the information architecture.

C4
Governance infrastructure must serve both agency (monitoring) and stewardship (empowerment) contexts simultaneously.
Confidence  strongly supported
Based on  F3

Decision records naturally serve both: accountability evidence in agency contexts, knowledge preservation in stewardship contexts. Same structure, dual function.

C5
Accountability theory requires infrastructure that supports information + explanation + consequences across multiple mechanisms.
Confidence  strongly supported
Based on  F4, F5, F11

Bovens (three phases), Schedler (two dimensions), Mulgan (three dimensions), and Grant & Keohane (seven mechanisms) converge on comprehensive requirements that only structural decision infrastructure can satisfy across all types.

§6Open Questions

Questions carried forward to the open-question registry
1
How do ESG reporting frameworks extend the accountability infrastructure gap?
2
Can Bovens' three-phase model be operationalized as a governance infrastructure completeness test?

§7Citations & Provenance

Enterprise Governance Frameworks
1. COSO (2013). Internal Control — Integrated Framework.
2. COSO (2017). Enterprise Risk Management — Integrating with Strategy and Performance.
3. ISACA (2019). COBIT 2019 Framework: Governance and Management Objectives.
4. IIA (2020). "The IIA's Three Lines Model."
5. The Open Group (2022). TOGAF Standard, 10th Edition.
6. U.S. Congress (2002). Sarbanes-Oxley Act. Public Law 107-204.
Agency, Stewardship & Accountability Theory
7. Jensen, M. C. & Meckling, W. H. (1976). "Theory of the Firm." Journal of Financial Economics, 3(4), 305–360.
8. Eisenhardt, K. M. (1989). "Agency Theory: An Assessment and Review." Academy of Management Review, 14(1), 57–74.
9. Davis, J. H., Schoorman, F. D. & Donaldson, L. (1997). "Toward a Stewardship Theory of Management." Academy of Management Review, 22(1), 20–47.
10. Gailmard, S. (2014). "Accountability and Principal-Agent Theory." In Oxford Handbook of Public Accountability, Oxford.
11. Bovens, M. (2007). "Analysing and Assessing Accountability." European Law Journal, 13(4), 447–468.
12. Bovens, M. (2010). "Two Concepts of Accountability." In Accountability and European Governance, Routledge.
13. Schedler, A. (1999). "Conceptualizing Accountability." In The Self-Restraining State, Lynne Rienner, pp. 13–28.
14. Mulgan, R. (2003). Holding Power to Account. Palgrave Macmillan.
15. Grant, R. W. & Keohane, R. O. (2005). "Accountability and Abuses of Power in World Politics." American Political Science Review, 99(1), 29–43.
Institutional Theory
16. Meyer, J. W. & Rowan, B. (1977). "Institutionalized Organizations: Formal Structure as Myth and Ceremony." American Journal of Sociology, 83(2), 340–363.
17. DiMaggio, P. J. & Powell, W. W. (1983). "The Iron Cage Revisited." American Sociological Review, 48(2), 147–160.
18. Scott, W. R. (2001). Institutions and Organizations (2nd ed.). Sage.
IT & Corporate Governance
19. Weill, P. & Ross, J. W. (2004). IT Governance. Harvard Business School Press.
20. Berle, A. A. & Means, G. C. (1932). The Modern Corporation and Private Property.
21. Cadbury Committee (1992). Cadbury Report.
22. Useem, M. & Zelleke, A. (2006). "Oversight and Delegation in Corporate Governance." Corporate Governance, 14(1), 2–12.
AI Accountability
23. Busuioc, M. (2021). "Accountable Artificial Intelligence." Public Administration Review, 81(5), 825–836.
24. Wieringa, G. (2020). "What to Account for When Accounting for Algorithms." Proc. FAccT 2020, pp. 1–18.
25. Raji, I. D. et al. (2020). "Closing the AI Accountability Gap." Proc. FAccT 2020, pp. 33–44.
Cite As

Smith, C. (2026). Accountability & Enterprise Governance (Research Report RR-004, WMI Thesis). GrytLabs Research Institute. https://doi.org/10.5281/zenodo.20185174

© 2026 GrytLabs Dynamics Inc. Licensed under CC-BY 4.0.

Research Ethics Statement

This research is conducted under the GrytLabs Research Code of Ethics, derived from the IIA Code of Ethics and the GAO Yellow Book ethical framework, adapted for a research-institute context.

Four principles govern all research activity:

Integrity — findings are reported as found, not as convenient. Unfavorable results are published with the same rigor as favorable ones.

Objectivity — research questions are framed to be falsifiable. Conflicts of interest (including the founder's dual role as researcher and patent holder) are disclosed, not resolved by assertion.

Confidentiality — disclosure levels (L0–L3) govern what appears in public research. Embargoed findings, IP-critical details, and pre-publication material are withheld per the Disclosure Discipline (GOV-PS-006), not suppressed.

Competency — claims are bounded by the evidence that supports them. Architectural claims cite spec sections. Empirical claims cite research artifacts. Claims that exceed available evidence are flagged as open questions, not presented as conclusions.

The Executive Director is a Certified Internal Auditor (CIA), Institute of Internal Auditors, personally bound by the IIA Code of Ethics as a condition of that credential. This is a personal attestation, not an institutional conformance claim — GrytLabs has not undergone an IIA Quality Assessment Review and does not claim IPPF conformance.

The governing traditions (IIA, GAO, AICPA, COSO) are formally mapped to the operating model in GOV-PS-001. This research applies the principles those traditions codify; it does not claim endorsement, review, or certification by any standards body.

Publication Notice

Disclaimer

This publication is provided for research and informational purposes. GrytLabs makes reasonable efforts to ensure accuracy but does not warrant that this publication is free of errors or omissions.

If you believe this publication contains errors, omissions, or misattributions, please contact the lab at research@grytlabs.ai. Corrections will be acknowledged in subsequent versions.

AI-Assisted Research Statement

This work was produced through AI-assistive collaboration under GrytLabs' AI-assistive collaboration disclosure protocol. Claude (Anthropic) participated in literature synthesis, cross-domain pattern identification, and argumentation structuring. OpenAI Codex participated in citation and accuracy verification. AI actors participate with delegated authority, never inherent authority. Responsibility for all findings, claims, and conclusions rests with the named author.

Provenance

Full workpaper with attestation and provenance chain available at research.grytlabs.ai/docs. DOI: 10.5281/zenodo.20185174