<?xml version="1.0" encoding="UTF-8"?><rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom" version="2.0" xmlns:itunes="http://www.itunes.com/dtds/podcast-1.0.dtd" xmlns:googleplay="http://www.google.com/schemas/play-podcasts/1.0"><channel><title><![CDATA[Vordan: The Accountability Report]]></title><description><![CDATA[Weekly deep analysis of the accountability gap between advancing technical capability and the institutions meant to govern it. Published every Sunday. One topic, explored fully, with implications for practitioners operating inside the gap.]]></description><link>https://vordan.substack.com/s/the-accountability-report</link><image><url>https://substackcdn.com/image/fetch/$s_!oN-L!,w_256,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F66e58882-615e-467c-adf7-13aeae28d426_400x400.png</url><title>Vordan: The Accountability Report</title><link>https://vordan.substack.com/s/the-accountability-report</link></image><generator>Substack</generator><lastBuildDate>Mon, 11 May 2026 04:02:12 GMT</lastBuildDate><atom:link href="https://vordan.substack.com/feed" rel="self" type="application/rss+xml"/><copyright><![CDATA[Vordan]]></copyright><language><![CDATA[en]]></language><webMaster><![CDATA[vordan@substack.com]]></webMaster><itunes:owner><itunes:email><![CDATA[vordan@substack.com]]></itunes:email><itunes:name><![CDATA[Dominick Costa]]></itunes:name></itunes:owner><itunes:author><![CDATA[Dominick Costa]]></itunes:author><googleplay:owner><![CDATA[vordan@substack.com]]></googleplay:owner><googleplay:email><![CDATA[vordan@substack.com]]></googleplay:email><googleplay:author><![CDATA[Dominick Costa]]></googleplay:author><itunes:block><![CDATA[Yes]]></itunes:block><item><title><![CDATA[Proton's Promise Doesn't Scale]]></title><description><![CDATA[What happens when a privacy institution scales faster than 
its accountability architecture.]]></description><link>https://vordan.substack.com/p/protons-promise-doesnt-scale</link><guid isPermaLink="false">https://vordan.substack.com/p/protons-promise-doesnt-scale</guid><dc:creator><![CDATA[Dominick Costa]]></dc:creator><pubDate>Sun, 03 May 2026 13:02:01 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!g0kV!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3f234607-ed84-451b-9aea-1ecd0189b3f0_2500x1000.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>I use Proton. Proton Mail, Proton VPN, the whole stack. I chose it for the same reason most practitioners do. The architecture is real, the encryption works, and the Swiss jurisdiction felt like a meaningful layer of protection over the alternative. I&#8217;m not writing this piece because Proton is dishonest. 
I&#8217;m writing it because Proton is probably the most credible privacy infrastructure company in the world, and even here, the accountability gap is structural, visible, and widening.</p><p>That&#8217;s worth understanding before you trust it with something that matters.</p><div><hr></div><p><strong>The Promise</strong></p><p>Proton launched in 2014 out of CERN. The founding premise was straightforward: end-to-end encrypted email, no access to message content, Swiss jurisdiction, and a no-logs posture that meant even a valid legal order couldn&#8217;t produce what wasn&#8217;t there.</p><p>For years that premise held in the public imagination. The brand became synonymous with privacy infrastructure. Journalists used it. Dissidents used it. Activists coordinating on the ground in politically hostile environments used it. The promise wasn&#8217;t just marketing. It was the reason the product existed.</p><p>The architecture backing that promise is genuinely strong. Proton cannot read your emails. That is not marketing copy. It is a technical reality enforced by the encryption. No legal order changes that.</p><p>But encryption is not the whole promise. And the architecture is not the whole institution.</p><div><hr></div><p><strong>Three Cases</strong></p><p>In September 2021, French police were investigating a group of climate activists occupying buildings near Place Sainte-Marthe in Paris. They routed a request through Europol to Swiss authorities, who issued a legally binding order to Proton. Proton handed over the IP address and device fingerprint of the account holder. The encryption held. The email contents were never accessible. But the activist was identified and arrested.</p><p>Proton&#8217;s website at the time said: &#8220;By default, we do not keep any IP logs which can be linked to your anonymous email account.&#8221; Within days of the story breaking, that language was quietly removed. 
The privacy policy was updated to clarify that Swiss law could compel IP logging under criminal investigation. The response was a communications update, not a structural one.</p><p>In May 2024, Proton handed over a recovery email address to Spanish authorities investigating a Catalan independence activist connected to the Democratic Tsunami movement. The request came through Swiss legal channels as part of a terrorism investigation. Again, the encryption held. Again, the metadata was sufficient. The activist was identified.</p><p>In early 2025, court documents revealed a third case. The FBI, working through Swiss authorities via a Mutual Legal Assistance Treaty, obtained subscriber information from a Proton Mail account connected to the Stop Cop City movement in Atlanta. That information was a bank card identifier, a single piece of financial metadata, sufficient to match the account to a real name. The FBI used the identification to plan an airport detention. No charges were filed. A Georgia judge later threw out all related RICO charges against 61 defendants.</p><p>Three cases. Three different countries. Three different legal routes into the same institution. Each time, the encryption held. Each time, the metadata didn&#8217;t.</p><div><hr></div><p><strong>The Numbers Behind the Pattern</strong></p><p>Proton publishes a transparency report. That matters and deserves credit. But the numbers inside it tell a story Proton hasn&#8217;t told directly.</p><p>In 2021, the year the French activist case became public, Proton contested 21.2% of legal orders it received. The scrutiny was high, the reputational stakes were visible, and the institution pushed back on roughly one in five requests.</p><p>By 2024, the contest rate had fallen to 5.9%. Order volume had nearly doubled. From 2017 through 2025, Proton received 45,667 legal orders and complied with 40,389 of them.</p><p>The institution got quieter about resistance as it got bigger. 
That is not an accusation of bad faith. It is a structural observation. As Proton scaled to 100 million users across Mail, VPN, Drive, Pass, Calendar, and Wallet, the surface area of metadata it holds expanded significantly. More products. More payment data. More recovery addresses. More device fingerprints. More points of legal exposure. The compliance architecture stayed the same.</p><p>One data point makes the structural argument more precisely than any other. Proton VPN, the same company, denied 100% of legal orders every single year from 2020 through 2025. Not because Proton VPN is more committed to privacy than Proton Mail. Because the architecture makes compliance impossible. Proton VPN maintains no logs. There is nothing to hand over. The architecture closed the gap before the legal order arrived.</p><p>Proton Mail&#8217;s architecture did not make that same choice.</p><div><hr></div><p><strong>What the Gap Actually Is</strong></p><p>This is not a story about Proton breaking its promise. The encryption promise was kept every time. The emails were never readable. The architecture performed exactly as designed.</p><p>The gap is between two different things that the brand collapsed into one: the architectural promise and the institutional promise.</p><p>The architectural promise is technical. It is verifiable. It has been independently confirmed. Proton cannot read your emails. That is true.</p><p>The institutional promise is organizational. It lives in compliance decision frameworks, in legal resistance thresholds, in what metadata gets retained and under what conditions, in how payment processing integrates with account identity, in how the contest rate is determined when an order arrives. None of that is in the encryption. 
All of it is invisible to the user until a court order makes it visible.</p><p>The people most reliant on Proton&#8217;s promise, journalists, dissidents, activists operating in politically hostile environments, are the least positioned to discover where the institutional promise ends and the architectural promise begins. They chose Proton because they believed the brand. The brand implied a unity that the institution never formally established.</p><p>That is the accountability gap.</p><div><hr></div><p><strong>What Accountable by Design Looks Like</strong></p><p>The Vordan Accountability Framework measures accountability posture across six components: Origin, Voice, Traceability, Timing, Response, and Transparency. A score of 100 means the gap is closed. Here is what Proton looks like at 100.</p><p>Origin. Every compliance decision has a documented decision owner and a published legal resistance threshold. The framework for determining when to contest an order, and when not to, exists in writing before the order arrives, not assembled case by case under legal pressure.</p><p>Voice. Users with high-risk threat models have a functional path to understand what Proton can and cannot protect them against before they rely on the service. That path is not buried in a threat model page three clicks from the homepage. It is part of onboarding for any account that fits the activist, journalist, or dissident profile.</p><p>Traceability. A published legal resistance log. Not aggregate statistics. A documented record of the threshold applied to each category of request, the reasoning behind contest and compliance decisions, and what changed structurally after each public case.</p><p>Timing. The institutional promise is defined before a legal order forces its definition. The 2021 privacy policy update happened after the activist was arrested. At 100, that clarification exists on day one of the product, not day one of the crisis.</p><p>Response. 
When a gap is identified, the correction is structural. The response to each of the three cases described above was a communications update. At 100, the response to the 2021 case produces a published resistance framework, a redesigned metadata retention policy, and a documented decision on what payment data is retained and why. Not a revised homepage.</p><p>Transparency. The brand promise matches the actual capability. &#8220;We do not keep IP logs&#8221; is replaced, before any court order, with a plain-language threat model that tells a journalist or activist exactly what Proton can protect them against, what it cannot, and under what conditions each applies. The architecture and the institution are described separately, honestly, and visibly.</p><p>At 100, the user who needs Proton most understands its limits before their life depends on not knowing them.</p><div><hr></div><p><strong>The Doctrine</strong></p><p>Proton did not fail because its encryption broke. It failed, three times, in three countries, across a decade of growth, because the accountability architecture was never built to match the promise the brand was making.</p><p>The encryption was Accountable by Design. The institution was not.</p><p>That distinction is not unique to Proton. It is the defining accountability gap of privacy infrastructure at scale. The architecture gets the investment, the audit, the public verification. The institutional layer, the compliance decisions, the metadata retention choices, the legal resistance posture, operates largely in the dark until a court order or a news story turns the light on.</p><p>Proton VPN proves the alternative is possible. Zero compliance, not because of ideology, but because the architecture made compliance impossible. That was a design decision. It was made before the legal order arrived.</p><p>That is what Accountable by Design means. Not a better response when the gap becomes visible. 
Architecture that closes the gap before anyone has to find it.</p><div><hr></div><p><em>Vordan covers the accountability gap between advancing technical capability and the institutions meant to govern it. The Accountability Report publishes every Sunday. The Gap Alert publishes when the intelligence warrants it.</em></p><p><em>If this piece was useful, forward it to someone who needs to understand the difference between an architectural promise and an institutional one.</em></p>]]></content:encoded></item><item><title><![CDATA[When the Agent Acts, Who Answers?]]></title><description><![CDATA[The response layer just went machine speed. 
The accountability layer did not.]]></description><link>https://vordan.substack.com/p/when-the-agent-acts-who-answers</link><guid isPermaLink="false">https://vordan.substack.com/p/when-the-agent-acts-who-answers</guid><dc:creator><![CDATA[Dominick Costa]]></dc:creator><pubDate>Sun, 26 Apr 2026 13:03:40 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!C6gL!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc1f26e8b-5238-4b61-b803-7434a7e5e1d6_3446x1369.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>Something changed this week and most of the people it will affect have not noticed yet.</p><p>Google announced that autonomous AI agents can now detect threats, hunt attackers, and execute security responses without waiting for a human to approve the action. The Triage and Investigation agent processed five million alerts last year. A thirty-minute manual analysis now takes sixty seconds. Three more agents are coming for threat hunting, detection engineering, and contextual enrichment.</p><p>The direction is not subtle. Human-in-the-loop defense is becoming human-aware defense. 
The agent acts. The human learns about it afterward.</p><p>This is the right response to a real problem. Mandiant&#8217;s M-Trends 2026 report showed that threat actors now hand off access from an initial breach to a secondary attacker in 22 seconds. Three years ago that took eight hours. At 22 seconds, waiting for a human to review an alert and approve a response is not a philosophy. It is a losing position.</p><p>So the agents make sense. That part is not the problem.</p><p>The problem starts the moment the agent acts.</p><div><hr></div><p>Picture the scenario. An autonomous response agent on your network detects anomalous behavior, evaluates context, and executes a block. The threat is neutralized. Logs are generated. The agent moves to the next alert.</p><p>Three weeks later a regulator submits a request. They want the decision trail for that block. Who authorized it. What logic drove it. What information the system had at the time. What alternatives were considered and why they were not selected. Whether the action was proportionate to the threat. Whether it complied with relevant data handling obligations.</p><p>The agent cannot answer those questions. It executed a function. It does not carry accountability for the outcome.</p><p>Your team has the logs. But logs are not answers. Logs are raw material. Someone has to convert that raw material into an accountable explanation that holds up under scrutiny from a party that does not have to accept your interpretation of what happened. That someone is a human being inside your organization. And right now, in most organizations deploying agentic defense, that human being has not been identified, empowered, or given the tools to do that job.</p><p>That is the gap nobody announced at Google Cloud Next.</p><div><hr></div><p>The natural response to this problem, and you will hear it more as agentic defense scales, is to use AI to audit AI. Run an agent over the decision logs. Generate an explanation. 
Automate the accountability record the way you automated the response.</p><p>It sounds elegant. It does not work. Not because the technology cannot produce a document. Because a document is not accountability.</p><p>Accountability requires someone who can be questioned, who can be held to a standard, and who can be sanctioned if the standard was not met. A machine-generated explanation of a machine-made decision satisfies none of those requirements. A regulator who understands what they are looking at will see the generated explanation for what it is. A record of what happened, produced by the same system whose behavior is under review, with no independent human judgment applied to it.</p><p>More fundamentally, if the decision happened too fast for human review, it also happened too fast for human accountability. Those are not two different problems. They are the same problem arriving at different times. The agent closes the speed gap. The accountability gap widens in its wake.</p><p>No framework published today answers this. Not NIST. Not ISO 42001. Not the EU AI Act. Not anything announced this week. They were not written for a world where the decision was made in milliseconds and the accountability question arrives weeks later from a party with legal authority to demand an answer.</p><p>That is not a criticism. It is a statement about where we are. The capability arrived. The governance is still in transit.</p><div><hr></div><p>Here is the part that does not get said enough. The organizations deploying agentic defense are not making a reckless decision. They are making a rational one inside a system that has not yet built the infrastructure to support it.</p><p>The vendors built the response layer. Nobody built the accountability layer. That is not a failure of individual judgment. It is a structural condition. The tool arrived. 
The governance architecture that should exist alongside it has not been designed yet, let alone deployed.</p><p>What that architecture looks like is the question Vordan is here to work out. But its absence has a specific shape that is worth naming right now because understanding the shape of what is missing is the first step toward building it.</p><p>When an organization deploys an autonomous agent without accountability infrastructure it is not just missing a policy. It is missing six specific things simultaneously and each one compounds the others.</p><p>It is missing the record of where the decision came from. Who defined the agent&#8217;s criteria, when, under what authority, and against what standard. Not the vendor&#8217;s default settings. A deliberate organizational decision with a named owner and a documented rationale.</p><p>It is missing the input of the people closest to the risk before that decision was made. The practitioners who know what the agent will touch, what a false positive costs operationally, and what the downstream consequences of an automated block look like at three in the morning. Those people were almost certainly not in the room when the deployment scope was defined.</p><p>It is missing a trail that an outsider can follow. Logs that require an insider to interpret are not a trail. They are a liability dressed as documentation. The organizations that will fare best when the accountability question arrives are the ones that built their records for the party asking, not the party answering.</p><p>It is missing concurrent thinking. The accountability questions that feel urgent after an incident were answerable before deployment. They just were not asked. Not because the people involved were careless. Because the system they were operating inside gave them no structure for asking them at the right time.</p><p>It is missing a response architecture. When the agent does something unexpected, what happens next. 
Not in the vendor&#8217;s incident workflow. In the organization&#8217;s own process. With a human owner. With a timeline. With a record that demonstrates the correction actually happened.</p><p>And it is missing visibility for the practitioners working alongside these agents every day. The engineers and analysts who interact with the outputs of autonomous decisions and have no clear path to raise a concern, no confidence that the concern will reach someone with authority to act on it, and no understanding of the accountability structure they are operating inside.</p><p>None of those gaps exist because organizations are negligent. They exist because the industry built the response layer first and assumed the accountability layer would follow. It has not followed. It has not even started.</p><div><hr></div><p>The visibility layer is being built. The response layer is getting faster. The accountability structure underneath both of them is the work the industry has not started and that no product announcement this week replaced.</p><p>At 22 seconds, the agent acts before you can stop it. The question that follows it moves at a different speed entirely. It arrives weeks later, from a party with the authority to demand an answer, in language the agent was never designed to speak.</p><p>Nobody has built the infrastructure to answer that question at scale yet. That is not a vendor failure or a practitioner failure. It is the accountability gap doing what it always does. The tool arrived before the rule. The only difference this time is that the tool is making decisions faster than any human ever has, and the rule has never been further behind.</p><p>That is the gap this publication exists to close.</p><div><hr></div><p><em>Vordan publishes every Sunday. 
If someone in your network is the person in the room asking the accountability questions before the memo arrives, forward this to them.</em></p>]]></content:encoded></item><item><title><![CDATA[The Tool Always Arrives Before the Rule]]></title><description><![CDATA[Why the accountability gap keeps widening, and what practitioners can actually do about it.]]></description><link>https://vordan.substack.com/p/the-tool-always-arrives-before-the</link><guid isPermaLink="false">https://vordan.substack.com/p/the-tool-always-arrives-before-the</guid><dc:creator><![CDATA[Dominick Costa]]></dc:creator><pubDate>Sun, 19 Apr 2026 14:07:07 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!oN-L!,w_256,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F66e58882-615e-467c-adf7-13aeae28d426_400x400.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p><strong>Why does this keep happening?</strong></p><p>You already know the answer. You&#8217;ve watched it happen enough times to have a name for the feeling, even if you don&#8217;t have a name for the pattern.</p><p>A new tool arrives. It moves fast. 
Someone in leadership approves it, or doesn&#8217;t disapprove it fast enough, which amounts to the same thing. Six months later you&#8217;re sitting in a meeting trying to explain a problem that was visible from the beginning to people who are only now willing to see it.</p><p>This is not bad luck. It is not a failure of individual judgment. It is a structural condition with a name: the accountability gap.</p><p>The tool always arrives before the rule.</p><p><strong>The AI governance problem you&#8217;re already inside</strong></p><p>Right now, somewhere in your organization, an AI tool is running in production with no governance framework attached to it. Not because nobody cared. Because the vendor moved faster than the policy team, and the policy team moved faster than the compliance framework, and the compliance framework was written for a world where AI was a research concept rather than a feature in your project management software.</p><p>According to IBM&#8217;s 2025 Cost of a Data Breach Report, 97 percent of surveyed organizations lacked controls governing internal AI use. 63 percent had no AI governance policy at all. These are not small organizations with limited resources. These are enterprises that have passed audits, satisfied regulators, and checked every box on their compliance checklist.</p><p>The checklist didn&#8217;t have a box for this. It rarely does.</p><p><strong>The problem you don&#8217;t know you have yet</strong></p><p>Here is something most practitioners are not tracking: your encryption is on a clock.</p><p>Quantum computers capable of breaking current asymmetric cryptography are not science fiction. NIST finalized its first post-quantum cryptographic standards in 2024. Gartner projects that by 2029, most conventional asymmetric cryptography will be unsafe to use. The migration window is known. The timeline is public. 
The work required is significant and cannot be done in a quarter.</p><p>Most organizations have not started.</p><p>Not because the threat isn&#8217;t real. Because it hasn&#8217;t triggered a compliance requirement yet. Because the rule hasn&#8217;t caught up with the capability. Because the institution is optimizing for what it has to do today, not what it needs to have done before the window closes.</p><p>This is the accountability gap in its most dangerous form. Not a breach that already happened. A breach that is being scheduled, years in advance, by inaction.</p><p><strong>Why the audit won&#8217;t save you</strong></p><p>Both of these problems share a common root. It is the same root that produces what practitioners call compliance theater: the gap between passing an audit and actually being secure.</p><p>An audit is a point-in-time snapshot. It measures whether your controls satisfied a framework written in the past for threats that existed at the time of writing. It says nothing about the AI tool your dev team started using last quarter. It says nothing about your post-quantum readiness. It says nothing about the governance gap that is widening right now, in real time, between what your technology stack can do and what your institutional structures are equipped to govern.</p><p>The organization that passes its SOC 2 and deploys AI tools without governance frameworks is not being reckless. It is being rational within a broken incentive structure. The audit rewards what it measures. It does not measure what it cannot see.</p><p>This is the pattern. Not a technology story. Not a compliance story. A timing story. About what happens in the gap between what a tool can do and what the rule says to do with it.</p><p><strong>What this means for practitioners</strong></p><p>You are operating inside this gap every day. The question is not whether the gap exists. 
The question is what you do while the institution catches up.</p><p>That is what Vordan is here to work out. Not from above the gap, not from the policy layer, not from the vendor layer. From inside it, where the decisions actually get made and the consequences actually land.</p><p>The tool always arrives before the rule. The practitioners who understand that pattern are the ones who stop being surprised by what happens next.</p><p>That is where we start.</p><div><hr></div><p><em>Vordan publishes weekly. If someone in your network is the person in the room who sees what&#8217;s coming before the memo arrives, forward this to them.</em></p>]]></content:encoded></item></channel></rss>