Accountability Model

1. Purpose

Enterprise compliance requires clear ownership and accountability at every level. This document defines who is responsible for what within Govula and how that responsibility is tracked and enforced.

2. Workspace Ownership

Every workspace has a designated owner. The workspace owner is responsible for:

• The accuracy of the Statement of Applicability
• The completeness and freshness of evidence
• The appropriateness of control justifications
• Authorising audience bindings

Workspace ownership is recorded in the audit trail and cannot be anonymous.

3. Report Attribution

Every generated report carries provenance metadata identifying:

• The generating platform and version
• The workspace context
• The authenticated user who triggered generation (if manual)
• The scheduled job that triggered generation (if automated)

Report attribution is part of the canonical Authority & Provenance section and cannot be removed.

4. Control Ownership

Individual controls within a workspace may have designated owners. Control owners are responsible for:

• Maintaining evidence freshness
• Providing control justifications
• Responding to drift alerts

Control ownership is advisory — it does not override workspace-level governance.

5. Decision Attribution

All governance decisions record:

• The identity of the preparer
• The identity of the approver (must be different from preparer)
• The decision class and truth level
• The timestamp and context

Separation of duties is enforced — no user can approve their own decisions.

6. Audit View Ownership

Auditor walkthrough sessions are attributed to the specific auditor identity. All evidence accessed during an auditor session is logged. Audit view operations create immutability locks on accessed artefacts.

7. Accountability Guarantees