Five risks every board fears.
Five ways to catch them before they land.
Directors are personally liable. Policies on shelves don’t protect anyone. These are the scenarios that keep risk committees up at night — and what changes when governance is enforced at the point of action, not reviewed after the fact.
Unauthorised public communication
Someone in your organisation publishes something — social media, press release, member newsletter — that the board didn’t approve, enters political territory, or makes claims that expose the organisation.
Today
Post goes live. Gets screenshotted.
Board finds out when a journalist calls.
Damage is done. You’re scrambling to explain why there was no approval process.
With Constellation
Before the publish action executes — HubSpot, Twitter, Mailchimp, whatever — Constellation checks it against the org’s comms constraints.
“Only approved spokespeople can publish externally.” “No political positions without board resolution.” “No member-facing comms without CEO sign-off.”
If it violates, the action is blocked before it happens. The right person is notified immediately.
Full audit trail exists showing the constraint, the violation, and who approved or denied it.
You never have to reconstruct what happened.
Data leaving the building
Staff member exports member data into a spreadsheet and emails it externally. Or pastes client information into ChatGPT. Or shares a report with a third party that includes personal information. You find out when the Privacy Commissioner calls.
Today
You write policies. You run training.
You hope people follow them.
You find out about breaches in the next audit — or from a journalist.
With Constellation
Constraints are encoded: “No member data shared externally without privacy officer approval.” “No personal data entered into third-party AI tools.”
For integrated systems — CRM exports, email platforms, AI assistants — the governance gate checks every action before it executes. Bulk export from your member database? Checked. Client notes pasted into ChatGPT? Blocked.
The staff member tries to share, the system checks the constraint, and the privacy officer is notified in real time. No handbook required.
The board never has to explain why they didn’t have controls in place — because they did, and they can prove it.
Spend above delegation
Someone commits expenditure above their authority. A department head signs a $50K contract that needed CEO or board approval. Or worse — a pattern of small transactions designed to stay under the threshold. You discover it at year-end audit.
Today
Delegation authorities exist in a policy document.
Compliance depends on people reading and following the document.
Nobody checks until after the money is spent.
With Constellation
Delegation authorities are encoded as constraints with dollar thresholds and role-based permissions.
Any financial commitment is checked against the person’s authority envelope before it executes.
Over-threshold spend is blocked and routed to the appropriate approver immediately.
Every approval and escalation is logged.
Auditors don’t have to reconstruct the decision chain — it’s already there.
Compliance drift
The organisation has 40 pieces of legislation, 12 funding agreements, and a stack of regulatory obligations. Nobody is actively monitoring day-to-day operations against all of them. You’re compliant on paper. In practice, you’ve drifted. You find out when the regulator audits.
Today
Compliance lives in annual attestations and committee reports.
Three months of activity gets reviewed in a two-hour meeting.
Directors sign off on things they can’t practically verify.
With Constellation
Regulatory obligations and funding conditions are encoded as constraints.
Every relevant action — grants, reporting, procurement, communications — is checked continuously against these rules.
Drift is detected in real time, not 12 months later.
The board can demonstrate, at any point, that a live governance system was monitoring compliance and flagging issues as they arose.
That’s the difference between “we had a policy” and “we had a system.”
AI agent sends unauthorised regulator communication
An AI agent deployed by a financial services firm automatically responds to a regulatory inquiry. The response contains commitments the institution hasn’t approved and discloses data that should have been restricted. The three questions from ASIC v Bekier land immediately: who was responsible, what did they know, what did they do?
Today
The delegation chain is unclear — the agent was deployed by IT, configured by compliance, and triggered by an external event. No one owns the action.
The agent had access to internal data but no one documented what data it could access or what constraints governed its communications.
By the time anyone noticed, the communication was sent. There is no contemporaneous record of any governance check. Executives reconstruct the incident from email chains and Slack messages over six weeks.
Directors are personally exposed because they cannot demonstrate governance was in place at the time the agent acted.
With Constellation
The governance gate blocks the communication before it is sent. External regulatory communication requires human approval — this constraint is encoded and enforced structurally.
The constraint check, the escalation to the appropriate approver, and the delegation boundary are all recorded in the governance trace at the moment of action.
The three questions are answerable immediately: who was responsible (the delegation chain is explicit), what did they know (the constraint and data access rules are recorded), what did they do (the block, escalation, and resolution are in the trace).
No six-week reconstruction. No personal liability exposure. The evidence exists because the governance infrastructure produced it contemporaneously.
The difference between “we had no idea the agent could do that” and “our governance system caught it, blocked it, and escalated it before any damage was done.”
See it in action
This is what a single day looks like when governance runs at the point of action. Watch events appear as they would in real time — pass, blocked, or escalated — all checked automatically.
Governance feed — simulated day
What the board actually receives
Instead of a self-assessed attestation and 200 pages of committee minutes, the board gets a governance summary backed by real data.
Governance Summary Report
Q3 2025 — 1 July to 30 September
247 actions checked
14 violations blocked
9 escalations resolved
100% resolution rate
Activity by domain (actions checked, violations blocked)
Finance: 82 checked, 5 blocked
Communications: 64 checked, 6 blocked
Data & Privacy: 48 checked, 3 blocked
Procurement: 31 checked, none blocked
Grants: 22 checked, none blocked
Notable events
12 Aug: Social media post blocked — political content without board resolution
23 Aug: Member data export blocked — missing privacy officer approval
5 Sep: $48K vendor contract escalated to CEO — approved in 12 minutes
19 Sep: Compliance constraint added: ACNC reporting obligations encoded
Board attestation basis: 247 governance checks executed, 14 violations prevented before execution, 9 escalations resolved within authority. All actions logged with full audit trail.
Generated automatically by Constellation. No manual compilation required.
The committee meeting goes from “reviewing what happened” to “deciding what to do next”. The data is already there. The board attests based on evidence, not memory.
This is running right now
These are real numbers from institutions using Constellation today. Every check, every violation, every escalation — live from the platform.
The pattern underneath
Every one of these scenarios has the same structure: rules exist on paper, compliance depends on human memory, and the board finds out after the damage is done.
Constellation changes the architecture. Rules become constraints. Constraints are checked at the moment of action. Violations are caught before they execute. Everything is logged automatically.
The board doesn’t need to govern differently. They need a system that makes their existing governance actually enforceable.
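To make the pattern concrete, here is an added example of a minimal governance gate that encodes three of the constraints quoted on this page (spend delegation by role, approved spokespeople only, member data exports needing privacy officer approval), checks every action before it executes, and writes the trace first. It is illustration code written for this page, not Constellation's own implementation; the roles, dollar thresholds, constraint names and the run_through_gate function are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Dict, List, Optional

# Constructed sample thresholds and roles (not Constellation's own); a real deployment loads them from policy.
SPEND_LIMITS = {"staff": 5_000, "department_head": 25_000, "ceo": 100_000}
APPROVED_SPOKESPEOPLE = {"ceo", "comms_director"}
TRACE: List[Dict] = []  # contemporaneous record of every governance check

@dataclass
class Action:
    actor: str    # who is attempting the action
    role: str     # role that defines their authority envelope
    kind: str     # "spend", "publish" or "export_member_data"
    detail: Dict  # amount, external flag, approval flag, etc.
@dataclass
class Decision:
    outcome: str                    # "pass", "blocked" or "escalated"
    constraint: str                 # encoded rule that produced the outcome
    route_to: Optional[str] = None  # approver notified on block or escalation
# Each encoded constraint returns None when it does not apply to the action.
def spend_within_delegation(a: Action) -> Optional[Decision]:
    if a.kind != "spend":
        return None
    if a.detail["amount"] <= SPEND_LIMITS.get(a.role, 0):
        return Decision("pass", "spend_within_delegation")
    approver = "ceo" if a.detail["amount"] <= SPEND_LIMITS["ceo"] else "board"
    return Decision("escalated", "spend_within_delegation", route_to=approver)
def approved_spokesperson_only(a: Action) -> Optional[Decision]:
    if a.kind != "publish" or not a.detail.get("external"):
        return None
    if a.role in APPROVED_SPOKESPEOPLE:
        return Decision("pass", "approved_spokesperson_only")
    return Decision("blocked", "approved_spokesperson_only", route_to="comms_director")
def member_data_needs_privacy_officer(a: Action) -> Optional[Decision]:
    if a.kind != "export_member_data" or not a.detail.get("external"):
        return None
    if a.detail.get("privacy_officer_approval"):
        return Decision("pass", "member_data_needs_privacy_officer")
    return Decision("blocked", "member_data_needs_privacy_officer", route_to="privacy_officer")
CONSTRAINTS = [spend_within_delegation, approved_spokesperson_only, member_data_needs_privacy_officer]

def run_through_gate(action: Action, execute: Callable[[Action], None]) -> Decision:
    results = [d for d in (c(action) for c in CONSTRAINTS) if d is not None]
    decision = next((d for d in results if d.outcome != "pass"), Decision("pass", "all_constraints_satisfied"))
    TRACE.append({"at": datetime.now(timezone.utc).isoformat(), "actor": action.actor, "kind": action.kind,
                  "outcome": decision.outcome, "constraint": decision.constraint, "route_to": decision.route_to})
    if decision.outcome == "pass":
        execute(action)  # the real side effect (pay, publish, export) happens only here, after the trace is written
    return decision
```

The point to notice is ordering: the decision and its trace entry exist before the side effect is attempted, so a blocked or escalated action leaves evidence even though nothing was published, paid or exported.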
Corporate governance infrastructure that enforces your existing rules at the point of action, so the board never has to explain why the controls didn’t catch something.
See where your governance stands
Take the governance health check to identify which of these risks you’re exposed to today. Then see the full business case.