The Nine is a product-neutral discipline for building digital systems that earn trust by refusal rather than by claim. Not a tool you install, not a checklist you complete, not a certification you buy. A practice kept.
What follows is what changes for a company that keeps it.
No single point of failure
P1 — minimize the secret.
A secret split across parties cannot be stolen whole. Threshold cryptography makes master keys, biometric templates, and root credentials mathematically impossible to recover in full from any single location, party, or process. The architecture stops asking "what if the vault is breached" and starts asking "what fragment is recoverable from the breach." A successful attack captures a useless piece. The thing that could destroy the company is not held in one place.
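The threshold property above is concrete enough to show in code. The following is an added illustration, not part of the Nine's text or any product's implementation: a Shamir (k, n) secret-sharing scheme over a prime field. `split_secret` turns one secret into n shares, any k of which recover it; `consistent_completion` demonstrates the point about the breach capturing a useless piece, since for any k-1 leaked shares every candidate secret is equally consistent with what leaked. The 15-byte sample key and the field prime 2^127 - 1 are constructed for the example.

```python
"""Shamir (k, n) secret sharing over GF(p): added example, not the page's own code."""
import secrets
from typing import List, Tuple

# Constructed parameter: 2**127 - 1 is prime, so secrets up to 15 bytes fit below it.
PRIME = 2**127 - 1

Share = Tuple[int, int]  # (x, y) with x >= 1; the secret sits at x = 0


def _eval_poly(coeffs: List[int], x: int) -> int:
    """Evaluate a polynomial (constant term first) at x, modulo PRIME."""
    result = 0
    for c in reversed(coeffs):
        result = (result * x + c) % PRIME
    return result


def _interpolate(points: List[Share], x: int) -> int:
    """Lagrange interpolation through `points`, evaluated at `x`, modulo PRIME."""
    xs = [px for px, _ in points]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share indices")
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (x - xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


def split_secret(secret: int, n: int, k: int) -> List[Share]:
    """Split `secret` into n shares; any k recover it, any k-1 reveal nothing."""
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be a non-negative integer below PRIME")
    if not 1 < k <= n:
        raise ValueError("need 1 < k <= n")
    # Random polynomial of degree k-1 whose constant term is the secret.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def recover_secret(shares: List[Share]) -> int:
    """Recover the constant term from at least k shares.

    Note the failure mode: with fewer than k shares this still returns a value,
    just not the secret. The scheme gives no signal that the quorum was short.
    """
    return _interpolate(shares, 0)


def consistent_completion(candidate: int, leaked: List[Share], x: int) -> Share:
    """Given k-1 leaked shares and ANY candidate secret, produce the share at index x
    that would make `candidate` the true secret. Since this works for every candidate,
    the leaked fragment carries no information about which secret is real."""
    return (x, _interpolate([(0, candidate)] + leaked, x))


def demo() -> dict:
    # Constructed sample: a 15-byte key, split 3-of-5 (e.g. across five custodians).
    key = int.from_bytes(b"constructed-key", "big")
    shares = split_secret(key, n=5, k=3)
    return {
        "quorum_ok": recover_secret([shares[0], shares[2], shares[4]]) == key,
        "short_quorum_ok": recover_secret(shares[:2]) == key,  # False, overwhelmingly
    }


if __name__ == "__main__":
    print(demo())
```

The design choice worth noticing is the asymmetry: k shares reconstruct exactly, k-1 shares are consistent with every possible secret, and nothing in between exists. That is the property the text relies on when it says a successful attack captures a useless piece.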
Replaceable cryptography
P3 — architect for change.
Algorithms, keys, and credentials become configuration rather than concrete. When a primitive falls — when post-quantum becomes urgent, when a CA fails, when a standard moves — the rotation is a deployment, not an architecture. The system outlives its own cryptography. The cost of a 2030 migration is paid in the 2026 design choice, not in the 2030 engineering bill.
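What "configuration rather than concrete" looks like in practice can be shown with a small token-signing layer. This is an added example, not the Nine's or any product's code: the algorithm and key identifier travel with each token, keys are bound to the algorithm they may be used with, and a policy object (not the caller) decides what is signed with and what is still accepted. Rotating from one primitive to another is then three policy versions, with no change to `sign` or `verify`. HS256 and HS512 are stand-ins for whatever primitive is being retired or adopted; the key bytes are constructed for the example, and a real deployment would source them from a KMS or HSM.

```python
"""Algorithm and key as configuration: added example, not the page's own code."""
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Optional, Tuple

# Registry of MAC primitives. Adding a new one is a new entry; callers do not change.
MAC_ALGS: Dict[str, Callable[[bytes, bytes], bytes]] = {
    "HS256": lambda key, msg: hmac.new(key, msg, hashlib.sha256).digest(),
    "HS512": lambda key, msg: hmac.new(key, msg, hashlib.sha512).digest(),
}


def _b64e(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def _b64d(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


@dataclass(frozen=True)
class CryptoPolicy:
    sign_kid: str                     # key used for newly issued tokens
    accept_algs: FrozenSet[str]       # algorithms verification still accepts
    keys: Dict[str, Tuple[str, bytes]]  # kid -> (algorithm the key is bound to, key bytes)


def sign(policy: CryptoPolicy, payload: bytes) -> str:
    alg, key = policy.keys[policy.sign_kid]
    header = _b64e(json.dumps({"alg": alg, "kid": policy.sign_kid}, sort_keys=True).encode())
    body = _b64e(payload)
    tag = MAC_ALGS[alg](key, f"{header}.{body}".encode())
    return f"{header}.{body}.{_b64e(tag)}"


def verify(policy: CryptoPolicy, token: str) -> Optional[bytes]:
    """Return the payload if the token verifies under `policy`, else None."""
    try:
        header_b64, body_b64, tag_b64 = token.split(".")
        header = json.loads(_b64d(header_b64))
        alg, kid = header["alg"], header["kid"]
    except (ValueError, KeyError):
        return None
    # The policy decides what is acceptable; the token only names what it claims to be.
    if alg not in policy.accept_algs or kid not in policy.keys:
        return None
    key_alg, key = policy.keys[kid]
    if key_alg != alg:  # a key is never used with an algorithm it was not issued for
        return None
    expected = MAC_ALGS[alg](key, f"{header_b64}.{body_b64}".encode())
    if not hmac.compare_digest(expected, _b64d(tag_b64)):
        return None
    return _b64d(body_b64)


# Constructed key material for the example only.
K1 = b"constructed-key-1-do-not-use-for-anything-real"
K2 = b"constructed-key-2-do-not-use-for-anything-real"

# Rotation as three deployments of configuration, not three rewrites of code:
POLICY_V1 = CryptoPolicy("k1", frozenset({"HS256"}), {"k1": ("HS256", K1)})
# Transition window: issue with the new primitive, still accept the old one.
POLICY_V2 = CryptoPolicy("k2", frozenset({"HS256", "HS512"}),
                         {"k1": ("HS256", K1), "k2": ("HS512", K2)})
# Old primitive retired: tokens issued under it stop verifying.
POLICY_V3 = CryptoPolicy("k2", frozenset({"HS512"}), {"k2": ("HS512", K2)})


def rotation_demo() -> Dict[str, bool]:
    old = sign(POLICY_V1, b"issued under v1")
    new = sign(POLICY_V2, b"issued under v2")
    return {
        "old_token_under_v2": verify(POLICY_V2, old) is not None,
        "old_token_under_v3": verify(POLICY_V3, old) is not None,
        "new_token_under_v3": verify(POLICY_V3, new) is not None,
    }


if __name__ == "__main__":
    print(rotation_demo())
```

Two details carry the point. Binding each key to one algorithm closes the familiar failure where a verifier is talked into using a key with whatever algorithm the token names. And the accept-list being separate from the signing key is what makes the transition window a policy setting rather than a code branch.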
No false certainty
P4 — never claim more than you can verify. P9 — trust itself cannot be generated by the architecture.
Where the system defends, it shows the proof. Where it rests on assumption, it names the assumption. The threat model is open; the residual-risk register is open; the things it cannot do are listed alongside the things it can. Regulators, defense contractors, and enterprise CISOs discount claims of invincibility on sight. Naming the limit, in daylight, is what is read as serious.
The rule binds its keeper
P5 — the architect is not above the architecture.
Founders, executives, and original architects appear in the same audit streams as every other operator. No quiet exemption for emergency access. No back door for the maker. The most common point of organizational compromise — the one justified by "I need this for a critical fix" — is structurally absent because the asymmetry that would be exploited is not there.
Resilience as a property, not a layer
P6 — be safely endable. P7 — let entry be freely chosen. P8 — do not trap, coerce, or extract.
Secrets are split. Human action requires quorum. Detection runs as deception rather than surveillance. The system can be wound down — the data exported, the credentials retired, the records stewarded or destroyed — without becoming, in dying, the breach it spent its life preventing. Resilience is not a bolt-on layer. It is the structural consequence of refusing to centralize what could fail.
It composes — it does not replace
The Nine does not stand alone in the field, and does not claim to. It is a layer of governance and discipline that composes with established open standards:
- Verifiable Trust / Verifiable Public Registry (Verana Foundation) — the "verify first, then connect" model. The Nine shares the verify-first principle and composes above the connection substrate.
- W3C Verifiable Credentials, DIDs, ToIP — the credential and identifier mechanisms with which P2 can be implemented.
- NIST post-quantum standards; certificate-management lifecycle — what makes P3 concrete.
- IEC 62443, MITRE ATT&CK — domain standards the profiles align to.
The Nine is the governance-and-discipline layer, not the wire. It earns trust by composing with the field, not by claiming to replace it.
What it does not cover
A discipline earns trust by naming its edges (P4). The Nine hands the following to qualified others:
- The autonomy decision — whether a system, especially one that can act physically, should act autonomously at all is a safety, legal, and ethical question. The Nine governs whether an action is authorized and verifiable; it does not decide whether autonomy is permissible.
- Legal and regulatory specifics — jurisdiction, airspace, export control, sector regulation. The Nine aligns to standards; it does not substitute for counsel.
- Human interiority — The Nine governs actions, access, and records, not the profiling of persons. It does not endorse behavioral surveillance of individuals as a control.
- Residual human trust — separation and recording shrink the trust any individual must be given; they do not reduce it to zero. The irreducible remainder is a matter for independent oversight.
Built in observance — the way a building is built in stone, or in light. Kept, not owned. Applied, not approved. A practice, not a possession.
Set down by Riaan Kleynhans, author and first keeper, bound by the same rule. The Nine is its own articulated discipline — not an external certification or standard, and not the property of any product. Granted by no authority and verifiable by anyone. We hold ourselves to it; you are invited to hold us to it, and to keep it yourself.