Expansion into Parallel Pattern
The same mechanism appears in every compliance regime that mistakes attestation for enforcement. A regulator publishes requirements. Organisations document their alignment. Auditors confirm the documentation. The systems remain governed by their actual configuration, which is not the subject of the audit. Breaches occur in environments that hold current certifications because the certification measured the existence of policy and process, not the runtime state of the controls. The pattern is not specific to any one framework. It is the consequence of treating a written standard as if it were an enforcement boundary.
The pattern also appears inside organisations that have mature internal policies. A security team publishes a standard requiring multi-factor authentication on all privileged accounts. The directory service contains accounts that predate the standard, accounts created through automation that bypassed the standard, and accounts granted exceptions for operational reasons. The standard exists. The enforcement does not match the standard. An attacker enumerating the environment finds the gaps, not the standard. The same dynamic plays out for service accounts with non-expiring credentials, for legacy authentication protocols left enabled for compatibility, and for administrative interfaces exposed to networks the policy says they should not reach.
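The gap described above is findable by the defender before the attacker finds it, provided the check reads the directory's actual attributes rather than the standard. The following script is an added example, not code from the page or from any regulator or vendor: the accounts, the attribute names and the hypothetical effective date of the MFA standard are constructed here so it runs offline; a real run would read the export from the directory or identity provider and map its attributes onto these fields.

```python
"""Audit a directory export against a written access standard.

Added example for this section, not code from the page. The accounts,
the standard's effective date and the field names are constructed
assumptions. The check reads what the accounts actually are, not what
the standard says they should be, and reports every account an
attacker enumerating the directory would find.
"""
from dataclasses import dataclass
from datetime import date

# Constructed sample export. Hypothetical accounts; not real data.
ACCOUNTS = [
    {"name": "admin-alice", "privileged": True, "service": False, "created": "2023-04-01",
     "mfa_enforced": True, "password_never_expires": False, "legacy_auth_enabled": False,
     "exception": None},
    # predates the standard and was never remediated
    {"name": "admin-legacy", "privileged": True, "service": False, "created": "2017-06-12",
     "mfa_enforced": False, "password_never_expires": False, "legacy_auth_enabled": True,
     "exception": None},
    # provisioned by automation that bypassed the standard
    {"name": "svc-backup", "privileged": True, "service": True, "created": "2024-02-20",
     "mfa_enforced": False, "password_never_expires": True, "legacy_auth_enabled": False,
     "exception": None},
    # exception granted for operational reasons
    {"name": "admin-oncall", "privileged": True, "service": False, "created": "2024-05-05",
     "mfa_enforced": False, "password_never_expires": False, "legacy_auth_enabled": False,
     "exception": "OPS-1123 break-glass"},
    # unprivileged; no clause of the standard applies
    {"name": "jdoe", "privileged": False, "service": False, "created": "2021-09-14",
     "mfa_enforced": False, "password_never_expires": False, "legacy_auth_enabled": False,
     "exception": None},
]

# Hypothetical date the MFA standard took effect. Used only to explain
# how each gap came to exist, which is what the remediation owner needs.
STANDARD_EFFECTIVE = date(2022, 1, 1)


@dataclass(frozen=True)
class Finding:
    account: str
    control: str   # which clause of the standard is not enforced
    detail: str    # why the gap exists, derived from the account's own attributes


def audit(accounts, standard_effective=STANDARD_EFFECTIVE):
    """Return one Finding per (account, clause) where configuration differs from the standard.

    Exceptions are reported, not excused: an attacker sees an account
    without MFA either way, so the exception is part of the exposure.
    """
    findings = []
    for a in accounts:
        if a["privileged"] and not a["mfa_enforced"]:
            created = date.fromisoformat(a["created"])
            if a["exception"]:
                why = f"exception on file ({a['exception']}); still reachable without MFA"
            elif created < standard_effective:
                why = "predates the standard; never remediated"
            else:
                why = "created after the standard; provisioning path bypassed it"
            findings.append(Finding(a["name"], "mfa", why))
        if a["service"] and a["password_never_expires"]:
            findings.append(Finding(a["name"], "credential-expiry",
                                    "service credential never expires"))
        if a["legacy_auth_enabled"]:
            findings.append(Finding(a["name"], "legacy-auth",
                                    "legacy authentication protocol still enabled"))
    return findings


def summarize(findings):
    """Count findings per clause; any non-zero count is drift the paper audit would miss."""
    counts = {}
    for f in findings:
        counts[f.control] = counts.get(f.control, 0) + 1
    return counts


if __name__ == "__main__":
    for f in audit(ACCOUNTS):
        print(f"{f.account:14} {f.control:18} {f.detail}")
    print(summarize(audit(ACCOUNTS)))
```

The detail string matters as much as the count: an account that predates the standard, one created by a provisioning path that skipped it, and one carrying an exception need three different owners to close, and the audit that only confirms "the standard exists" distinguishes none of them.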
The Lagos guidelines sit inside this pattern. They are an instance of it, not an exception to it. The mechanism that allows policy to drift from configuration inside a single organisation operates identically when the policy is published by a city, a sector regulator, or a national authority. The scale of the policy does not change the enforcement model. The enforcement model is determined by whether the systems being governed are configured to deny the prohibited actions, not by who published the prohibition. A guideline issued by a municipality has the same enforcement power as a guideline issued by a vendor's security team if neither is wired into the systems that decide what runs.
The parallel extends to detection. Policy can require that suspicious activity be reported. It cannot define what suspicious means in a way that a logging pipeline can act on. The translation from policy language to detection logic is a separate engineering effort, performed by a separate team, against telemetry that may or may not contain the signals the policy assumes are available. If the telemetry does not exist, the detection cannot exist, and the reporting requirement produces silence rather than visibility. The guideline does not know what the pipeline collects. The pipeline does not know what the guideline requires. The gap is permanent until someone closes it in code.
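One way to stop the reporting requirement from producing silence is to make each detection rule declare the telemetry it depends on and check that declaration against what the pipeline actually ingests, so a rule that cannot run says so instead of quietly returning no alerts. The following is an added example, not code from the page or from any SIEM product: the rules, the source-to-fields registry, the field names and the JSON log lines are all constructed assumptions, and a real deployment would derive the registry from ingested data rather than from documentation.

```python
"""Run detections only where their telemetry exists; report the gap otherwise.

Added example for this section, not code from the page. The policy
clause, the rules, the field registry and the log lines are constructed;
the field names are assumptions, not any real pipeline's schema.
"""
import json
from collections import defaultdict

# What the pipeline actually ingests: source -> fields present in the data.
# Constructed here; in practice derive it from the ingested events, since
# a documented schema can drift from the real one exactly like a policy.
COLLECTED = {
    "idp.auth": {"ts", "user", "result", "src_ip"},
    "endpoint.process": {"ts", "host", "user", "image"},
}

# Each rule names the policy clause it implements and the fields it needs.
# The first needs a "privileged" attribute the auth log does not carry, so
# the clause it implements cannot be evaluated until identity data is joined in.
RULES = {
    "privileged-logon-off-network": {
        "clause": "report suspicious access to privileged accounts",
        "source": "idp.auth",
        "requires": {"ts", "user", "result", "src_ip", "privileged"},
    },
    "failed-logon-burst": {
        "clause": "report suspicious authentication activity",
        "source": "idp.auth",
        "requires": {"ts", "user", "result"},
    },
}

# Constructed log lines, one JSON event per line, as the pipeline might deliver them.
SAMPLE_LOG = """\
{"ts": 1700000000, "user": "admin-legacy", "result": "failure", "src_ip": "203.0.113.7"}
{"ts": 1700000010, "user": "admin-legacy", "result": "failure", "src_ip": "203.0.113.7"}
{"ts": 1700000020, "user": "admin-legacy", "result": "failure", "src_ip": "203.0.113.7"}
{"ts": 1700000025, "user": "admin-legacy", "result": "failure", "src_ip": "203.0.113.7"}
{"ts": 1700000030, "user": "admin-legacy", "result": "failure", "src_ip": "203.0.113.7"}
{"ts": 1700000040, "user": "admin-legacy", "result": "success", "src_ip": "203.0.113.7"}
{"ts": 1700000500, "user": "jdoe", "result": "failure", "src_ip": "198.51.100.4"}
"""


def coverage(rules, collected):
    """Return {rule name: set of missing fields}; an empty set means the rule can run."""
    return {name: rule["requires"] - collected.get(rule["source"], set())
            for name, rule in rules.items()}


def failed_logon_burst(lines, threshold=5, window=60):
    """Fire for each user with at least `threshold` failures inside any `window` seconds."""
    events = [json.loads(line) for line in lines.splitlines() if line.strip()]
    per_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["result"] == "failure":
            per_user[e["user"]].append(e["ts"])
    alerts = []
    for user, times in per_user.items():
        start = 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append(user)
                break
    return alerts


def evaluate(rules, collected, lines):
    """Run each rule only if its telemetry exists; otherwise return an explicit gap.

    The "not-evaluable" status is the output the policy owner never sees
    when a rule is simply never written or silently returns nothing.
    """
    implementations = {"failed-logon-burst": failed_logon_burst}
    results = {}
    for name, missing in coverage(rules, collected).items():
        if missing:
            results[name] = ("not-evaluable", sorted(missing))
        elif name not in implementations:
            results[name] = ("not-implemented", [])
        else:
            results[name] = ("alerts", implementations[name](lines))
    return results


if __name__ == "__main__":
    for name, (status, data) in evaluate(RULES, COLLECTED, SAMPLE_LOG).items():
        print(f"{name:30} {status:14} {data}  [{RULES[name]['clause']}]")
```

Run against the constructed input, the burst rule fires for `admin-legacy` and the privileged-access rule reports that it is missing the `privileged` field. That second line is the point: it turns "the guideline requires reporting" into a concrete engineering item (join identity data into the auth stream) with an owner, instead of a clause that is assumed to be covered.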
Hard Closing Truth
A guideline is not a control. A control is a mechanism that denies an action at the point of execution. Until the Lagos guidelines are translated into enforced configuration on identity systems, network boundaries, endpoint agents, and detection pipelines, they describe a desired state that the underlying systems are not obligated to produce. Attackers will continue to operate against the actual configuration. The actual configuration is the only thing that determines exposure.
The operator position is that publication is the start of work, not the end of it. Every clause in the document corresponds to a configuration change, a detection rule, a policy enforcement point, or an identity boundary that must be implemented and continuously validated. If that implementation work is not happening, the guidelines are a measurement surface for compliance theatre. Compliance theatre does not stop intrusions. It produces documentation that an intrusion occurred despite stated controls, which is the standard post-incident finding in environments that confused policy with enforcement.
What must now be true is narrow and testable. The systems in scope must deny the actions the guidelines prohibit, at the point those actions are attempted, without depending on a human to intervene. Identity must be the boundary, and that boundary must be re-validated continuously rather than once at session start. Trust relationships between systems must be enumerated, scoped, and revoked when the conditions that justified them no longer hold. Detection must be wired to telemetry that actually exists in the environment, not to events the policy assumes are being collected. Until those conditions are demonstrably enforced, the guidelines are a document. Attackers do not read documents. They read what the system permits.