The Control Plane Is the Product

Why institutional digital asset infrastructure will be defined by governance at the signing layer

‍

In November 2025, IOSCO published its Final Report on the Tokenisation of Financial Assets. Most of the digital asset industry read it as a tokenization paper - focused on DLT adoption, settlement efficiency, and cross-border scalability. It is better understood as a control paper.

Read closely, and IOSCO is not debating whether assets move on-chain. It is identifying where systemic risk will concentrate when they do: at the operational layer governing transaction authorization, key control, and cross-network coordination. In other words, custody; but not as traditionally marketed.

As tokenized bonds, repos, funds, and collateral instruments scale, the signing layer becomes a balance sheet control point. If that layer is architected as a keystore rather than a governance system, institutions will accumulate operational and regulatory risk faster than they accumulate yield.

‍

“Same Activities, Same Risks” - Applied to Infrastructure

IOSCO reiterates a core principle: same activities, same risks, same regulatory outcomes. In practice, this means:

If a $500 million fixed income desk requires dual control, exposure limits, counterparty restrictions, and independent audit trails in traditional markets, those controls must exist — and be enforceable — at the point of authorization in digital markets.

Not reconciled after the fact.
Not layered onto a vendor dashboard.
Not dependent on manual review.

Enforced at the signing layer. Regulatory direction is converging on this point:

• MiCA requires demonstrable control over private keys and recovery mechanisms with appropriate technical and organizational safeguards.
• DORA mandates ICT resilience and independently verifiable operational controls.
• NYDFS Part 500 emphasizes governance, cryptographic integrity, and auditability.

Across jurisdictions, the message is consistent: governance over digital assets must be architectural. A wallet that merely stores keys and coordinates signatures is not sufficient infrastructure for regulated balance sheets.

‍

Data Plane vs. Control Plane

In network architecture, the data plane executes. The control plane governs. Most institutional wallet infrastructure today is a data plane:

• It holds keys.
• It orchestrates threshold signatures.
• It broadcasts transactions.

Necessary, but not sufficient. A capital markets control plane must determine:

• What assets may move
• To which counterparties
• Under what conditions
• Within what limits
• Under which organizational approvals
• With a verifiable, immutable audit trail

The difference is not semantic. It is systemic. When tokenized treasuries are used as repo collateral, when private credit settles on-chain, when intraday liquidity moves across networks, the authorization layer becomes a real-time risk control surface. What good is it if your 4-eye check passes and your wallet signs a transaction to pledge US T-Bills as collateral, only to find it is hit with a 100% haircut because it is ineligible per the Credit Support Annex...

‍

What a True Control Plane Requires

For capital markets participants, a control plane is not a feature set. It is an infrastructure design decision. At minimum, it requires:

‍

1. Policy Enforcement at the Signing Layer

Compliance rules, counterparty restrictions, asset limits, and exposure caps must be evaluated before a transaction can be authorized. Not after it is broadcast. Critically, the policy engine must operate within infrastructure the institution controls. If governance logic resides solely in a vendor-operated environment, then enforcement becomes a service dependency rather than an institutional capability.

Outages disable policy. Vendor misconfiguration alters rules. Breach exposes governance logic.

‍

That is not control.

‍

2. Intent Verification. Not Just Approval Workflows

Dual approval is not equivalent to transaction validation. See previous example on pledging T-Bills as collateral. However many wallet architectures fail in more fundamental ways, the transaction presented for signing is assembled using external RPC data (balances, contract state, nonces) that the wallet does not independently verify.

Approvers believe they are authorizing a defined action. In reality, they are signing a byte payload constructed from external inputs. Approval-aware governance ensures the right people sign. Intent-aware governance verifies what is being signed. Consider a treasury desk authorizing a $50M USDC transfer to a counterparty smart contract. The UI displays a vault address. The underlying calldata routes funds to a different function because the contract was upgraded. If your wallet does not verify intent independently of the UI, dual approval only authorizes a mistake faster.

For institutions managing material balance sheet exposure, that distinction is non-trivial.

‍

3. Organizationally Accurate Authorization

Institutional governance is not admin / viewer / signer. These templates are too basic and don't offer the enterprise the option to enforce their control framework as they want to and lacks fine grain control.

They need:

• Role-based authority
• Asset-class segmentation
• Counterparty-specific permissions
• Transaction-size thresholds
• Least-privilege enforcement
• Separation of duties

Authorization workflows must reflect how capital markets firms actually operate. Anything less creates lateral movement risk inside the organization.

‍

4. Multi-Chain Policy Consistency

Tokenized assets will not consolidate onto a single network. Fragmented controls across chains create precisely the operational risk IOSCO highlights: inconsistent enforcement, incomplete audit trails, and governance blind spots. A control plane must be chain-agnostic while maintaining a single source of policy truth. Some traditional financial market infrastructure firms are even talking about special purpose chains which spin up and spin down as required in certain use cases... now think about how most wallet takes several months to add a new-chain today, that is a non-starter.

‍

‍

Three Misconceptions in the Market

As institutions evaluate wallet infrastructure, three recurring assumptions deserve scrutiny.

“We use MPC, so our keys are secure.”

Threshold cryptography is foundational. But implementation matters. True distributed key generation ensures that no single party ever reconstructs the private key. Not all implementations follow that model. More importantly, MPC secures the signing ceremony. It does not verify the transaction’s economic or contractual intent.

Perfectly generated keys will sign whatever they are presented. Key security is necessary. It is not governance.

‍

“We have a policy engine.”

The relevant questions are:

• Where does it operate?
• Can you independently verify its execution?
• Does it validate transaction elements, or merely coordinate approvals?

A workflow engine that controls who signs is not equivalent to a policy engine that validates what is signed. Governance that depends on vendor infrastructure is operational reliance, not institutional control.

‍

“We use a big brand name.”

Market share reflects distribution and longevity. It does not answer architectural questions. Zero-trust evaluation requires technical clarity:

• Is key generation fully distributed?
• Can you self-host?
• Are audit logs exportable and immutable?
• Can you conduct independent red-team and disaster recovery exercises?
• Is policy enforcement cryptographically bound to transaction authorization?

These are infrastructure questions, not commercial ones.

‍

The Capital Markets Inflection Point

Tokenization is moving beyond experimentation. Central banks are exploring tokenized collateral frameworks. Market infrastructures are piloting digital asset settlement rails. Private credit, funds, and repo markets are beginning to adopt on-chain representations. As this accelerates, the signing layer becomes a systemic risk boundary. When something fails in digital asset operations, regulatory inquiry will not focus on user interface design or marketing claims. It will focus on the control architecture.

Who had authority?
What policies were enforced?
Where did governance reside?
Could the institution independently verify the outcome?

‍

In traditional markets, custody is governance. In digital markets, governance lives at the signing layer.

‍

The Structural Shift

The first generation of institutional wallets solved for access and key security. The next generation must solve for enforceable control. Institutions that treat the wallet as a keystore with workflow features layered on top are accumulating structural debt: operational, regulatory, and architectural. Institutions that treat the control plane as the product are aligning their infrastructure with where capital markets are moving.

The question is no longer whether assets will move on-chain. It is whether the control architecture will scale with them. In capital markets, authorization is risk management. If your wallet cannot enforce policy architecturally, it is not institutional infrastructure. It is a convenience tool.

‍

Reach out via the "Contact" button to learn more about how Cordial is helping traditional finance institutions to bring capital markets on-chain.