Lagos published guidelines, not controls
Lagos cybersecurity guidelines describe intent, not enforcement. An operator analysis of why policy without system-level controls does not stop attackers.
Opening Claim
Lagos has published cybersecurity guidelines. The guidelines describe expected behaviour. They do not describe enforced system state. That distinction is the entire problem.
A policy document is not a control. A control is a mechanism that prevents an action or denies an outcome at the point of execution. The Lagos guidelines, as a policy artefact, instruct organisations and individuals on what good hygiene looks like. They do not change what a system permits at the identity layer, the network layer, or the application layer. An attacker does not interact with a guideline. An attacker interacts with whatever the system actually allows.
From an operator perspective, this is a familiar pattern. Compliance frameworks repeatedly produce the same outcome: organisations attest to behaviours that are not technically enforced, auditors confirm the attestation, and the underlying system continues to permit the exact actions the policy prohibits. The gap between stated policy and enforced state is where attackers operate. Lagos publishing guidelines does not close that gap. It defines an aspiration. The aspiration is not the system.
The Original Assumption
The assumption embedded in this kind of guidance is that prescription drives behaviour, and behaviour drives security. The model is: tell people what to do, train them to do it, audit that they did it, and exposure decreases. That model treats the human operator as the enforcement layer. It treats password rules, access reviews, and incident reporting as actions humans perform, rather than as conditions a system maintains.
This assumption breaks under contact with how attackers actually work. Credential theft does not require a user to violate policy. It requires a system that accepts a stolen credential as proof of identity. Phishing does not require a user to be careless. It requires an authentication boundary that treats a valid password and a one-time code as sufficient, regardless of the device, network, or behavioural context surrounding the request. Lateral movement does not require a privileged user to misuse access. It requires a trust relationship between systems that is never re-validated after the initial authentication.
In each case, the policy layer has nothing to grip. A guideline that says “use strong passwords” does not change what the authentication system accepts. A guideline that says “limit privileged access” does not change what permissions the directory service has actually granted. A guideline that says “report suspicious activity” does not change what the detection pipeline is configured to surface. The assumption that documented expectations translate into enforced state is the original error. Every layer below the guideline operates on its own configuration, not on the policy text.
What Changed
What has changed in the Lagos context is that the guidelines now exist as a published reference. Nothing in the available facts indicates that the technical enforcement posture of the systems they apply to has changed, and that status is not confirmed either way. The guidelines describe the desired end state. Whether identity systems, endpoint controls, network segmentation, or logging pipelines have been reconfigured to enforce that state is a separate question, and the answer is not contained in the policy document.
This is the operative shift. Publishing guidelines creates a measurement surface for compliance, not for control effectiveness. Organisations can now be assessed against the document. They can produce evidence of training, of policy acknowledgement, of written procedures. None of that evidence describes what the system permits at runtime. An attacker probing an environment does not encounter the policy. They encounter the authentication endpoint, the API gateway, the file share, the misconfigured cloud bucket, the over-privileged service account. Those surfaces are governed by configuration, not by guidance.
The practical change for defenders is narrower than the policy implies. The guidelines may create regulatory pressure, reporting obligations, and a baseline vocabulary for incident response. They do not, by themselves, alter the conditions an attacker must satisfy to gain access, escalate privilege, or exfiltrate data. Treating publication as progress conflates two different things: the existence of a standard, and the enforcement of that standard at the system level. Until the second condition is demonstrably true, the first condition is documentation. Documentation does not stop intrusion.
Mechanism of Failure or Drift
The failure mechanism is straightforward. A guideline operates at the documentation layer. An attacker operates at the execution layer. Between those two layers sit the systems that actually decide what is permitted: the identity provider, the authorisation engine, the network policy enforcement point, the workload runtime. None of those systems read policy documents. They read configuration. If the configuration does not match the policy, the policy is a description of intent, and the system continues to behave according to its actual settings. The drift between intent and configuration is where every credential reuse, every standing privilege, every unmonitored egress path lives.
This drift is not accidental. It is structural. Policy is written once and revised on a slow cadence. Configuration changes continuously, driven by deployments, integrations, exception requests, and operational pressure. Each change is a local decision. Each local decision can move the system further from the documented baseline without anyone observing the cumulative effect. The guideline does not detect this movement. It cannot. It is a static artefact. The only mechanism that can detect drift is one that compares the documented state to the enforced state on a continuous basis, and that mechanism is itself a system, not a guideline. Whether such a mechanism exists in the Lagos context is not confirmed.
The second mechanism of failure is the assumption of human enforcement. When a guideline says an action must be taken, the implicit enforcement model is that a person will perform that action and another person will verify it. People do not scale. Systems do. An identity system can revoke ten thousand sessions in a second. An access review performed by humans against a directory of ten thousand identities will produce errors, omissions, and stale attestations. The guideline assigns the work to the slower, less reliable enforcement layer. Attackers operate at machine speed. The defender’s enforcement layer must operate at the same speed or it loses by default. Policy text does not run at machine speed. It does not run at all.
Expansion into Parallel Pattern
The same mechanism appears in every compliance regime that mistakes attestation for enforcement. A regulator publishes requirements. Organisations document their alignment. Auditors confirm the documentation. The systems remain governed by their actual configuration, which is not the subject of the audit. Breaches occur in environments that hold current certifications because the certification measured the existence of policy and process, not the runtime state of the controls. The pattern is not specific to any one framework. It is the consequence of treating a written standard as if it were an enforcement boundary.
The pattern also appears inside organisations that have mature internal policies. A security team publishes a standard requiring multi-factor authentication on all privileged accounts. The directory service contains accounts that predate the standard, accounts created through automation that bypassed the standard, and accounts granted exceptions for operational reasons. The standard exists. The enforcement does not match the standard. An attacker enumerating the environment finds the gaps, not the standard. The same dynamic plays out for service accounts with non-expiring credentials, for legacy authentication protocols left enabled for compatibility, and for administrative interfaces exposed to networks the policy says they should not reach.
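The mechanism the previous sections call for, a check that compares the documented baseline to the enforced state rather than to an attestation, looks roughly like the following. This is an added example, not code from the original post or from any Lagos body: the policy clauses, the account records, the field names on `Account` and the reference date are all constructed, and the directory export is deliberately populated with the three gaps described above (an account that predates the standard, an automation-created account that bypassed it, and an account holding an exception).

```python
"""
Policy-versus-configuration drift check. Added example; the policy, the
account records and the reference date are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass
class Account:
    name: str
    privileged: bool
    mfa_enforced: bool                # what the identity provider actually enforces
    mfa_attested: bool                # what the last human access review recorded
    credential_rotated: date          # last rotation of the account's credential
    credential_expiry_disabled: bool  # True = credential never expires
    legacy_auth_enabled: bool         # legacy protocol still permitted for this account
    exception_until: Optional[date] = None  # documented exception, if any


# The baseline, phrased the way a guideline reads. Constructed.
POLICY = {
    "mfa_required_for_privileged": True,
    "max_credential_age_days": 90,
    "legacy_auth_allowed": False,
}

TODAY = date(2024, 6, 1)  # constructed reference date for the check

# Constructed directory export containing the gaps the text describes.
ACCOUNTS = [
    # Predates the standard; the access review says MFA is on, the IdP says it is not.
    Account("admin-old", True, False, True, date(2024, 5, 1), False, True),
    # Created by automation that bypassed the standard; credential never expires.
    Account("svc-deploy", True, False, False, date(2023, 1, 15), True, False),
    # Privileged, no MFA, but a documented exception is still in force.
    Account("admin-vendor", True, False, False, date(2024, 5, 20), False, False,
            exception_until=date(2024, 12, 31)),
    # Fully compliant.
    Account("admin-new", True, True, True, date(2024, 5, 25), False, False),
    # Not privileged, so the MFA clause does not apply; the credential is stale though.
    Account("alice", False, False, False, date(2024, 1, 1), False, False),
]


def find_drift(accounts: List[Account], policy: dict, today: date) -> List[Tuple[str, str]]:
    """Return (account, finding) pairs where enforced state diverges from policy."""
    findings = []
    for a in accounts:
        exception_active = a.exception_until is not None and a.exception_until >= today

        if policy["mfa_required_for_privileged"] and a.privileged and not a.mfa_enforced:
            # An exception is still drift; it is drift someone signed off on.
            findings.append((a.name, "mfa_missing_exception_active" if exception_active
                             else "mfa_missing"))

        if a.mfa_attested and not a.mfa_enforced:
            # The attestation is what an audit accepts; the IdP state is what an attacker meets.
            findings.append((a.name, "attestation_mismatch"))

        if a.credential_expiry_disabled:
            findings.append((a.name, "credential_never_expires"))
        elif (today - a.credential_rotated).days > policy["max_credential_age_days"]:
            findings.append((a.name, "credential_stale"))

        if a.legacy_auth_enabled and not policy["legacy_auth_allowed"]:
            findings.append((a.name, "legacy_auth_enabled"))
    return findings


def drift_report(accounts: List[Account], policy: dict, today: date) -> Dict[str, List[str]]:
    """Group findings per account; accounts with no findings map to an empty list."""
    report: Dict[str, List[str]] = {a.name: [] for a in accounts}
    for name, code in find_drift(accounts, policy, today):
        report[name].append(code)
    return report


if __name__ == "__main__":
    for name, codes in drift_report(ACCOUNTS, POLICY, TODAY).items():
        print(f"{name:12} {'ok' if not codes else ', '.join(codes)}")
```

The point of the design is that `mfa_attested` is never used to decide compliance, only to flag where the paper record and the enforced record disagree. Run against a real export, the same loop is what turns a guideline clause into something that can be scheduled and alerted on; the clause itself cannot be.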
The Lagos guidelines sit inside this pattern. They are an instance of it, not an exception to it. The mechanism that allows policy to drift from configuration inside a single organisation operates identically when the policy is published by a city, a sector regulator, or a national authority. The scale of the policy does not change the enforcement model. The enforcement model is determined by whether the systems being governed are configured to deny the prohibited actions, not by who published the prohibition. A guideline issued by a municipality has the same enforcement power as a guideline issued by a vendor’s security team if neither is wired into the systems that decide what runs.
The parallel extends to detection. Policy can require that suspicious activity be reported. It cannot define what suspicious means in a way that a logging pipeline can act on. The translation from policy language to detection logic is a separate engineering effort, performed by a separate team, against telemetry that may or may not contain the signals the policy assumes are available. If the telemetry does not exist, the detection cannot exist, and the reporting requirement produces silence rather than visibility. The guideline does not know what the pipeline collects. The pipeline does not know what the guideline requires. The gap is permanent until someone closes it in code.
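The translation step described above, from "report suspicious activity" to detection logic that either fires or states plainly that it cannot see, is shown here in code. This is an added example, not code from the original post or from any real detection product: the rule definition, the two log sources (`idp` and `vpn`) and every event are constructed, and the VPN source is built to omit the `user` field so that the coverage gap the paragraph warns about is reported rather than swallowed.

```python
"""
Detection coverage check: one policy clause translated into one concrete rule,
evaluated only where the telemetry carries the fields the rule needs.
Added example; rule, log sources and events are constructed.
"""
from collections import defaultdict
from typing import Dict, List, Set

# The rule is the engineering translation of the clause. Constructed.
RULE = {
    "name": "repeated_failed_auth",
    "required_fields": {"ts", "source", "user", "src_ip", "outcome"},
    "threshold": 5,         # this many failures for one user ...
    "window_seconds": 300,  # ... within this many seconds
}

# Constructed telemetry. The IdP emits every field the rule needs; the VPN
# concentrator logs failures but never records the user name.
EVENTS = [
    {"ts": 1000, "source": "idp", "user": "bob", "src_ip": "10.0.0.5", "outcome": "failure"},
    {"ts": 1030, "source": "idp", "user": "bob", "src_ip": "10.0.0.5", "outcome": "failure"},
    {"ts": 1060, "source": "idp", "user": "bob", "src_ip": "10.0.0.6", "outcome": "failure"},
    {"ts": 1090, "source": "idp", "user": "bob", "src_ip": "10.0.0.6", "outcome": "failure"},
    {"ts": 1120, "source": "idp", "user": "bob", "src_ip": "10.0.0.6", "outcome": "failure"},
    {"ts": 1150, "source": "idp", "user": "bob", "src_ip": "10.0.0.6", "outcome": "success"},
    {"ts": 1000, "source": "idp", "user": "carol", "src_ip": "10.0.0.9", "outcome": "failure"},
    {"ts": 2000, "source": "idp", "user": "carol", "src_ip": "10.0.0.9", "outcome": "failure"},
    {"ts": 3000, "source": "idp", "user": "carol", "src_ip": "10.0.0.9", "outcome": "failure"},
    {"ts": 4000, "source": "idp", "user": "carol", "src_ip": "10.0.0.9", "outcome": "failure"},
    {"ts": 5000, "source": "idp", "user": "carol", "src_ip": "10.0.0.9", "outcome": "failure"},
] + [
    {"ts": 1000 + 10 * i, "source": "vpn", "src_ip": "203.0.113.7", "outcome": "failure"}
    for i in range(6)
]


def telemetry_gaps(rule: dict, events: List[dict]) -> Dict[str, Set[str]]:
    """Per log source, the required fields that never appear in its events."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for e in events:
        seen[e["source"]].update(e.keys())
    return {src: rule["required_fields"] - fields
            for src, fields in seen.items() if rule["required_fields"] - fields}


def evaluate(rule: dict, events: List[dict]) -> List[dict]:
    """Run the rule over the events that carry every required field."""
    failures: Dict[str, List[int]] = defaultdict(list)
    for e in events:
        if not rule["required_fields"].issubset(e.keys()):
            continue  # not evaluable here; surfaced by telemetry_gaps, not dropped silently
        if e["outcome"] == "failure":
            failures[e["user"]].append(e["ts"])
    alerts = []
    n, window = rule["threshold"], rule["window_seconds"]
    for user, stamps in failures.items():
        stamps.sort()
        for i in range(len(stamps) - n + 1):
            if stamps[i + n - 1] - stamps[i] <= window:
                alerts.append({"rule": rule["name"], "user": user,
                               "first_ts": stamps[i], "last_ts": stamps[i + n - 1]})
                break  # one alert per user per run is enough for this example
    return alerts


def run(rule: dict, events: List[dict]) -> dict:
    """Alerts plus an explicit statement of where the rule could not see."""
    gaps = telemetry_gaps(rule, events)
    sources = {e["source"] for e in events}
    if not gaps:
        status = "covered"
    elif len(gaps) == len(sources):
        status = "no_coverage"
    else:
        status = "partial_coverage"
    return {"status": status, "alerts": evaluate(rule, events), "gaps": gaps}


if __name__ == "__main__":
    print(run(RULE, EVENTS))
```

The `status` field is the part a reporting requirement never produces on its own: without it, the six VPN failures generate no alert and no one can tell whether that silence means nothing happened or that the pipeline could not have seen it.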
Hard Closing Truth
A guideline is not a control. A control is a mechanism that denies an action at the point of execution. Until the Lagos guidelines are translated into enforced configuration on identity systems, network boundaries, endpoint agents, and detection pipelines, they describe a desired state that the underlying systems are not obligated to produce. Attackers will continue to operate against the actual configuration. The actual configuration is the only thing that determines exposure.
The operator position is that publication is the start of work, not the end of it. Every clause in the document corresponds to a configuration change, a detection rule, a policy enforcement point, or an identity boundary that must be implemented and continuously validated. If that implementation work is not happening, the guidelines are a measurement surface for compliance theatre. Compliance theatre does not stop intrusions. It produces documentation that an intrusion occurred despite stated controls, which is the standard post-incident finding in environments that confused policy with enforcement.
What must now be true is narrow and testable. The systems in scope must deny the actions the guidelines prohibit, at the point those actions are attempted, without depending on a human to intervene. Identity must be the boundary, and that boundary must be re-validated continuously rather than once at session start. Trust relationships between systems must be enumerated, scoped, and revoked when the conditions that justified them no longer hold. Detection must be wired to telemetry that actually exists in the environment, not to events the policy assumes are being collected. Until those conditions are demonstrably enforced, the guidelines are a document. Attackers do not read documents. They read what the system permits.
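The two enforcement models this section contrasts, a boundary checked once at session start and a boundary re-validated on every request, are laid side by side below. This is an added example, not code from the original post or from any identity product: the session record, the device posture table, the policy values and the requests are all constructed, and `authorize_once` is written deliberately to accept nothing beyond a valid token so that the difference is visible.

```python
"""
Identity as the boundary, re-validated on every request rather than once at
login. Added example; sessions, device posture, policy and requests are
constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, Set, Tuple


@dataclass(frozen=True)
class Session:
    token: str
    user: str
    device_id: str    # device the session was issued to
    src_network: str  # network seen at login
    issued_at: int    # epoch seconds


@dataclass(frozen=True)
class Request:
    token: str
    device_id: str
    src_network: str
    at: int           # epoch seconds


# Constructed state. Everything except the session record can change after login.
POLICY = {
    "max_session_age": 3600,
    "allowed_networks": {"corp", "vpn"},
    "require_compliant_device": True,
}
SESSIONS: Dict[str, Session] = {
    "tok-alice": Session("tok-alice", "alice", "laptop-1", "corp", issued_at=1000),
}
DEVICE_POSTURE: Dict[str, str] = {"laptop-1": "compliant", "laptop-2": "noncompliant"}
REVOKED: Set[str] = set()


def authorize_once(req: Request, sessions: Dict[str, Session]) -> Tuple[str, str]:
    """The model the text criticises: credentials checked at login, then the
    token alone is treated as proof for the rest of the session."""
    return ("allow", "valid_token") if req.token in sessions else ("deny", "unknown_token")


def authorize_continuous(req: Request, sessions: Dict[str, Session],
                         posture: Dict[str, str], revoked: Set[str],
                         policy: dict) -> Tuple[str, str]:
    """Re-validate every condition at the point of execution, in a fixed order."""
    s = sessions.get(req.token)
    if s is None:
        return ("deny", "unknown_token")
    if req.token in revoked:
        return ("deny", "revoked")              # revocation takes effect immediately
    if req.at - s.issued_at > policy["max_session_age"]:
        return ("deny", "session_expired")
    if req.device_id != s.device_id:
        return ("deny", "device_mismatch")      # token presented from a different device
    if req.src_network not in policy["allowed_networks"]:
        return ("deny", "network_not_allowed")
    if policy["require_compliant_device"] and posture.get(req.device_id) != "compliant":
        return ("deny", "device_noncompliant")  # posture changed after login
    return ("allow", "revalidated")


def compare(req: Request, sessions: Dict[str, Session], posture: Dict[str, str],
            revoked: Set[str], policy: dict) -> Dict[str, Tuple[str, str]]:
    """Decision from each model for the same request."""
    return {"once": authorize_once(req, sessions),
            "continuous": authorize_continuous(req, sessions, posture, revoked, policy)}


if __name__ == "__main__":
    same_device = Request("tok-alice", "laptop-1", "corp", 1500)
    other_device = Request("tok-alice", "laptop-2", "cafe", 1600)
    posture_changed = dict(DEVICE_POSTURE, **{"laptop-1": "noncompliant"})
    print(compare(same_device, SESSIONS, DEVICE_POSTURE, REVOKED, POLICY))
    print(compare(other_device, SESSIONS, DEVICE_POSTURE, REVOKED, POLICY))
    print(compare(same_device, SESSIONS, posture_changed, REVOKED, POLICY))
```

Each branch of `authorize_continuous` is a condition the system maintains rather than an action a person performs, which is the distinction the post draws: a reviewer can attest that sessions are short-lived and device-bound, but only the code path above actually denies the request when they are not.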