When we assess an estate, we do not produce a single pass or fail verdict. An IT environment is made up of distinct dimensions, each of which can be strong in one area and weak in another, and a single overall score would hide exactly the detail a board needs to act on. That is why the Sovereignty Index™ is built around five pillars: Identity, Velocity, Resilience, Security, and Cognitive. Each measures something different, and each has its own typical failure pattern.
Identity
Identity measures how tightly the business controls who can access what, and how confidently that access can be proven and revoked. It covers everything from how accounts are provisioned when someone joins, to whether access is removed promptly when they leave, to whether privileged accounts are kept separate from everyday ones.
In a typical uninspected estate, identity sprawls. Former employees retain working logins months after departure. Shared accounts are used for convenience. Nobody can produce a clean answer to “who currently has access to our finance system” without a half-day investigation. The sovereign benchmark looks almost boring by comparison: access is granted on a defined basis, removed automatically on departure, and a complete answer to “who has access to what” is available in minutes, not days.
Velocity
Velocity measures how quickly the business can make a change to its own technical environment without that change becoming a project. This includes onboarding new starters, rolling out a new application, or responding to a request from the business with a working answer rather than a multi-week ticket.
The typical uninspected estate treats every change as a small emergency. Nobody is quite sure what depends on what, so even simple requests get treated with caution and delay, and IT becomes known internally as the place where things go to wait. The sovereign benchmark has documented dependencies and a known change process, so routine changes happen in days, and the business stops routing around IT because it has stopped being the bottleneck.
Resilience
Resilience measures what happens when something goes wrong, whether that is a hardware failure, a ransomware event, or simply human error. It covers backup integrity, recovery time, and whether the organisation has actually tested its own ability to recover, rather than assuming it works.
In a typical uninspected estate, backups exist but have never been tested as a full restore, disaster recovery plans are documents that nobody has opened since they were written, and a serious incident becomes an exercise in improvisation. The sovereign benchmark treats recovery as a rehearsed capability: backups are tested on a schedule, recovery time is known rather than hoped for, and the plan reflects how the business actually runs today, not how it ran three years ago.
Security
Security measures the estate’s exposure to compromise: patching discipline, perimeter controls, monitoring, and whether suspicious activity would actually be noticed. This is the pillar most boards assume is covered because there is a firewall and an antivirus product, which is rarely the same thing as genuine coverage.
The typical uninspected estate has gaps that nobody has gone looking for: unpatched systems, no real-time monitoring, and a worrying number of services exposed to the internet for reasons nobody can quite explain. The sovereign benchmark is continuously monitored, patched on a defined cadence, and built on the assumption that prevention will eventually fail, so detection and response are taken just as seriously as the perimeter.
Cognitive
Cognitive measures how well the organisation actually understands its own estate: whether documentation reflects reality, whether knowledge sits in systems rather than in the heads of one or two individuals, and whether decisions about the estate are made with evidence or with guesswork.
In a typical uninspected estate, the real knowledge of how things work lives with a single long-serving administrator or an external contractor, and documentation, where it exists at all, is years out of date. The sovereign benchmark holds that knowledge in accessible, current records, so the organisation does not face an existential risk every time a key individual is unavailable or leaves.
How the pillars come together
No estate scores identically across all five. A business might have strong Security but weak Velocity, or solid Resilience undermined by poor Identity controls. That is the point of separating them: a single combined score would average away the very weaknesses that need attention first.
The Sovereignty Index assesses an estate against each pillar independently, then rolls the results into a single diagnostic view that shows where the estate sits today, where the gaps are, and which of the five would deliver the most benefit if addressed first. It replaces a vague sense that “IT is probably fine” with a structured picture the board can actually act on.