Opening Claim Lagos has published cybersecurity guidelines. The guidelines describe expected behaviour. They do not describe enforced system state. That distinction is the entire problem. A policy document is not a control. A control is a mechanism that prevents an action or denies an outcome at the point of execution. The Lagos guidelines, as a policy artefact, instruct organisations and individuals on what good hygiene looks like. They do not change what a system permits at the identity layer, the network layer, or the application layer. An attacker does not interact with a guideline. An attacker interacts with whatever the system actually allows. From an operator perspective, this is a familiar pattern. Compliance frameworks repeatedly produce the same outcome: organisations attest to behaviours that are not technically enforced, auditors confirm the attestation, and the underlying system continues to permit the exact actions the policy prohibits.…