Your Control Plane Is Incomplete — And Your Collaboration Stack Is the Gap
Three years ago, sovereignty was a procurement footnote — a question about where a cloud workload was hosted and whether the contract held up under a regulator’s scrutiny. In the last eighteen months it has moved onto board agendas in regulated industries, where it sits alongside cyber resilience and AI governance. The shift is overdue. Most security programs are responding to it credibly. Where they are still lagging is in the collaboration layer.
The Most Active Surface. The Least Governed.
Talk to a security leader for an hour about their identity provider, their detection coverage, or how they handle key management in a sovereign cloud, and the depth of the answers reflects a decade of investment. Ask the same person to describe how the platform their organization uses to coordinate during an incident maps to that same security architecture — who owns the data, where it sits at any given moment, which AI systems read it, what jurisdiction it falls under when an investigator wants a copy — and the answers get vaguer. Collaboration grew up looking like a productivity tool, and most security programs treated it that way.
That made sense in 2015. It does not in 2026. Collaboration platforms now carry incident response decisions, legal and regulatory discussions, sensitive operational plans, and executive-level communications. The most active surface in the environment is the one least governed to the standard of the rest of the stack. The gap is structural, and regulators are starting to notice.
Three Shifts That Make This Impossible to Ignore
The first is cyber resilience. It used to be adjacent to security; it is now a board-level CISO accountability. Disaster recovery, executive communications during a crisis, and the integrity of the after-action record are core deliverables for the security team. The platform leadership uses to make decisions under pressure is part of the response. If it cannot be audited to the standard the rest of the stack meets, what you have is improvisation dressed up in a playbook.
The second is sovereignty. Gartner projects more than 75 percent of enterprises will implement digital sovereignty strategies by 2030, and CIO Dive reports sovereign cloud spending will grow roughly 35.6 percent in 2026 to around US$80 billion. What is increasingly hard to defend is a sovereign infrastructure strategy that stops at the collaboration boundary — board conversations, legal discussions, and incident coordination running on a platform whose data residency, AI access, and audit posture were negotiated to a different standard. Whatever justifies a sovereign cloud justifies bringing collaboration inside the same boundary.
The third is regulatory fragmentation. NIS2 in the EU is forcing critical-infrastructure operators to demonstrate response readiness with documented evidence chains. DORA holds financial services accountable for the same. KRITIS, FedRAMP, and a thickening layer of sector-specific rules in healthcare, energy, and life sciences are converging on the same question: can you produce a defensible, jurisdictionally scoped record of who said what to whom, when, and under what controls? Most regulated organizations can answer that for their identity systems and their data lakes. Most cannot answer it for the platform on which the conversation actually happened.
What Governed Collaboration Looks Like
Governed collaboration is the same idea security leaders have spent a decade operationalizing in identity, applied to communication. Access is contextual: who you are, what you are connecting from, where, when, and what you are trying to reach.
The principle is borrowed from mature identity architecture; we are building it into collaboration. What ships in Mattermost Enterprise Advanced this month gets us part of the way there: attribute-based access controls — now spanning channels, team membership, and file permissions — that enforce policy against user, profile, and clearance attributes; integration with authoritative identity systems through User Attribute Sync; data spillage controls; channel auto-translation for cross-jurisdiction coordination. With v11.7, shipping later this week, those controls extend into team admin policy and file upload/download decisions, closing one of the gaps regulated customers flag most often.
What these primitives accomplish in a regulated workflow is straightforward but consequential. A clearance attribute updated at the identity provider flows into channel membership automatically, so an engineer whose clearance changed on Friday is out of the program channel by Monday. A file uploaded into a channel whose policy permits posting but not downloading stays where it should. A spillage event triggers a containment workflow that captures what landed, where, and what was done with it, rather than a frantic thread asking everyone to delete and not screenshot. None of these are exotic capabilities. They are the operational form of an attribute-based policy applied to where decisions actually get made.
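To make the mechanics concrete, here is a small attribute-based policy evaluator in Python that models the three workflows just described: channel membership re-evaluated from the attributes an identity provider currently reports, a file policy that permits posting but not downloading, and a containment record for a spillage event. This is an added illustration written for this article, not Mattermost's code or API; the clearance levels, attribute names, policy shape, action names and sample users are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Ordered clearance levels (constructed for this example; real deployments
# would take these from the authoritative identity system).
CLEARANCE_RANK = {"public": 0, "confidential": 1, "secret": 2}


@dataclass(frozen=True)
class User:
    """Attributes as synced from the identity provider (assumed attribute names)."""
    username: str
    clearance: str
    department: str


@dataclass
class ChannelPolicy:
    """Attribute policy attached to a channel (assumed policy shape)."""
    channel: str
    min_clearance: str        # channel classification; members must meet or exceed it
    departments: Set[str]     # departments/programs allowed in the channel
    allow_post: bool = True
    allow_download: bool = False


def meets_policy(user: User, policy: ChannelPolicy) -> bool:
    """Membership test: clearance at or above the channel's and department on the list."""
    return (CLEARANCE_RANK[user.clearance] >= CLEARANCE_RANK[policy.min_clearance]
            and user.department in policy.departments)


def evaluate(user: User, policy: ChannelPolicy, action: str) -> Tuple[bool, str]:
    """Decide one action ('read', 'post' or 'download') and return (allowed, reason)."""
    if not meets_policy(user, policy):
        return False, f"{user.username} does not meet membership attributes for #{policy.channel}"
    if action == "read":
        return True, "member"
    if action == "post":
        return (policy.allow_post,
                "post permitted" if policy.allow_post else "channel is read-only")
    if action == "download":
        return (policy.allow_download,
                "download permitted" if policy.allow_download
                else "file may be viewed in-channel but not downloaded")
    return False, f"unknown action {action!r}"


def sync_membership(idp_users: Dict[str, User], members: Set[str],
                    policy: ChannelPolicy) -> Tuple[Set[str], List[str]]:
    """Re-evaluate current members against the attributes the identity provider
    reports now. Users deprovisioned at the IdP or no longer meeting the policy
    are removed. Returns (new member set, usernames removed)."""
    removed = [u for u in sorted(members)
               if u not in idp_users or not meets_policy(idp_users[u], policy)]
    return members - set(removed), removed


def classify_spillage(post_label: str, policy: ChannelPolicy,
                      author: str) -> Optional[Dict[str, str]]:
    """A post carrying a classification label above the channel's level is a
    spillage event. Return a containment record (what landed, where, who), or
    None when nothing spilled."""
    if CLEARANCE_RANK[post_label] <= CLEARANCE_RANK[policy.min_clearance]:
        return None
    return {"channel": policy.channel, "author": author, "label": post_label,
            "channel_level": policy.min_clearance, "action": "quarantine-post"}


# Constructed sample data: a program channel that allows posting but not downloading.
PROGRAM_CHANNEL = ChannelPolicy("program-x", "secret", {"engineering", "legal"},
                                allow_post=True, allow_download=False)

# Friday's IdP snapshot: both users hold 'secret'.
IDP_FRIDAY = {"alice": User("alice", "secret", "engineering"),
              "bob": User("bob", "secret", "legal")}
# Monday's IdP snapshot: alice's clearance was lowered over the weekend.
IDP_MONDAY = {"alice": User("alice", "confidential", "engineering"),
              "bob": User("bob", "secret", "legal")}


if __name__ == "__main__":
    members, removed = sync_membership(IDP_MONDAY, {"alice", "bob"}, PROGRAM_CHANNEL)
    print("members after Monday sync:", sorted(members), "removed:", removed)
    print("bob download:", evaluate(IDP_MONDAY["bob"], PROGRAM_CHANNEL, "download"))
    print("spillage:", classify_spillage("secret",
          ChannelPolicy("general", "public", {"engineering"}), "bob"))
```

The point of the structure is that no decision is stored on the channel: every read, post and download is decided against the attributes the identity provider reports at that moment, so a clearance change propagates on the next sync rather than waiting for someone to notice.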
The full picture — collaboration that adapts dynamically to device posture, network context, location, and behavioral patterns the way a modern identity stack does — is the architectural direction, not the product today. The category is moving from “productivity tool we secure at the perimeter” to “control surface we govern on the same terms as the rest of the stack.” Security leaders are being asked to make decisions in that gap right now.
The Test Most Organizations Fail
There is a simple way to take the measure of where any security program sits on this curve: four questions, asked plainly.
- Where does your collaboration data reside at any given moment, and under what jurisdiction?
- Who has access to it, and under what conditions can that access change?
- Which AI systems read it, write to it, or learn from it?
- How would you produce it, intact and unaltered, as evidence under regulatory scrutiny?
Few large, well-resourced organizations can answer all four with precision today. Most have answered them for their identity stack but not for the collaboration platform underneath it. The category only recently became a place where these questions had to be asked.
Closing the Gap
Gartner Security and Risk Management Summit 2026 is anchored on AI governance, post-quantum security, and identity at machine speed — themes that all assume a mature, governed substrate beneath them. The collaboration question belongs in that conversation. The platform where your incident commander coordinates, your legal team annotates, and your executives decide is part of your control plane.
If you are at SRM 2026 in National Harbor, find us at Booth 303. The most useful conversations are the ones that start from the harder question — not “are we secure,” but “are we governed” — about the collaboration layer. We can pull up the four questions and work through them against your stack, ending with a short list of where the gap is structural and where it is configurable. That is a conversation worth having now, before someone asks the same questions under audit or in the middle of an incident.