Summary
- AFRINIC's Phase 2 scarcity makes utilisation review a real economic instrument: it verifies need for the final pool, but it also consumes engineering time, exposes sensitive customer and network evidence, and can delay growth when public IPv4 is already expensive.
- The institutional test is whether audit power remains a bounded ledger discipline (clear thresholds, proportionate proof, confidential evidence, notice, cure and continuity protection) or becomes discretionary gatekeeping over working networks and capital value.
The file usually arrives before the argument does. An operator wants one more small block of IPv4 addresses, perhaps no more than a /22 under AFRINIC's current exhaustion rules, and the engineering team is asked to assemble the proof that existing holdings are already heavily used. The request sounds administrative. In practice it becomes a tour through the company's private memory: an IPAM export from a tool that has been migrated twice, DHCP scope data, CGNAT pool maps, static assignments to old enterprise customers, loopback plans, public service ranges, firewall allowlists, dormant-looking blocks tied to contracts that cannot be renumbered without customer consent, and a spreadsheet inherited from an acquired subsidiary whose naming convention no longer matches the billing system.
The legal team then asks what must be disclosed. Some records identify customers. Some logs show user activity, even if only indirectly. Some assignments are tied to government agencies, banks, hospitals, schools, payment processors or roaming partners that do not want their addressing patterns made public. The security team wants to redact enough to avoid creating a map for attackers. The finance director asks a plainer question. Is this a ledger check, meant to establish whether a request is justified, or is it the first step in a threat to the company's running networks?
That question is not paranoid. It is the institutional problem created when IPv4 scarcity turns routine registration into a gate. AFRINIC's own IPv4 exhaustion page says the region is in Phase 2. In that phase the ordinary request size is bounded by a minimum of /24 and a maximum of /22, and members seeking additional IPv4 space must show that at least 90% of all IP space delegated to them by AFRINIC is used efficiently. AFRINIC's Consolidated Policy Manual gives staff a world of categories to interpret: assignments for documented purposes, limits on sub-assignment, temporary use with return dates, Internet exchange reservations, anycast treatment, reverse DNS registration and other operating details. A number that seems simple in the policy room becomes a contested file in a live network.
Address-utilisation review is therefore a necessary discipline with dangerous edges. Without it, scarcity rewards fraud, stale paperwork, dormant holdings, shell companies and fictitious need. With too much discretion, it becomes a way to judge business models, police geography, chill leasing and transfers, demand customer-level disclosure, reopen old representations, or threaten withdrawal for a block that is already supporting paying users. The audit is no longer merely about whether the registry record is accurate. It becomes a pressure point over capital, continuity and market liquidity.
The difference matters because AFRINIC sits in a particularly charged setting. Public reporting has described alleged misappropriation of African IPv4 ranges, the Cloud Innovation dispute, court-ordered restraints, receivership, election conflict and continuing litigation. These matters should be treated carefully and, where contested, as reported context rather than final findings on every claim. They nonetheless explain why address-utilisation review has acquired political weight. When a registry has been accused of being too loose, the temptation is to show strength through audits. When members see strength turning into open-ended control, the same audit power begins to look like capital regulation.
The better answer is neither laissez-faire neglect nor discretionary command. It is a narrower, more accountable audit compact. A registry should keep the ledger reliable, verify need with proportionate evidence, allow confidential proof, correct stale records safely, and preserve continuity for users. It should not treat its database role as ownership of the networks built on top of the addresses it records. The official documents are useful as exhibits: they identify the thresholds and policy categories. They do not by themselves settle the economics of process, confidentiality or remedy. That is the harder question: scarce numbers require evidence, but evidence power must be bounded before the ledger becomes a gate.
The audit begins inside the operator
The first economic cost of utilisation review is not the fee paid to a registry. It is the internal mobilisation that begins as soon as an operator believes it may need more IPv4. The policy threshold may say 90%, but the company cannot present a percentage until it has reconstructed the life of its address estate. That estate is rarely tidy. A mobile operator may have customer pools in several regions, separate pools for enterprise services, management ranges, loopbacks, public DNS resolvers, mail gateways, peering routers, test platforms, emergency reserve and older addresses kept for customers that cannot migrate without downtime. A fixed broadband provider may have legacy DHCP pools, static business ranges, datacentre assignments, voice platforms, public Wi-Fi, network operations systems and wholesale customers.
The evidence file is assembled from systems that were not built for advocacy. IPAM tells one story. DHCP logs tell another. RADIUS or BNG data may show active sessions. CGNAT logs may prove that private subscriber networks are being translated through scarce public pools, but those logs are sensitive and expensive to retain. Billing data can show that a customer exists, but not always which public address is used on a given day. Routing data shows what is announced, not what is assigned behind an aggregation boundary. Reverse DNS may show delegated service, but a missing reverse entry does not prove non-use. RPKI and route records may support authorisation, but they do not reveal all internal subnetting.
This makes the audit a production exercise. Engineers must translate operations into a registry-facing narrative. Lawyers must decide what can be shared. Customer teams must explain exceptions. Finance must compare the cost of evidence to the cost of buying, leasing, renumbering or delaying growth. The work can be heavier for smaller operators because they often hold their address history in fewer specialised systems and more informal records. The spreadsheet maintained by a senior engineer may be accurate enough to run the network, but not polished enough to satisfy an external review without weeks of cleaning.
The audit also changes timing. A company that could deploy a new access node or customer platform may wait while evidence is gathered. A public-sector network may have budget authority for equipment but not for an address review project. A university or hospital may have inherited space from earlier phases of internet growth and now find that a new request requires explaining decades of internal addressing decisions. None of this proves that audits are wrong. It proves that an audit is a real economic instrument. It consumes managerial attention, delays deployment and turns tacit network knowledge into formal proof.
That conversion can be healthy when the questions are predictable. It is corrosive when the operator cannot tell whether the review is limited to efficient use or drifting toward a broader judgement about commercial strategy. The address file becomes a mirror of the company's business model. If the registry asks only what is needed to verify the request, the process stays administrative. If it asks who the customers are, where they are, whether each use fits an old narrative, and whether a later use differs from a historic statement, the same process begins to resemble a licence renewal for the whole enterprise.
Phase 2 turned a percentage into rationing
IPv4 scarcity changed the moral atmosphere around utilisation. Before exhaustion, a utilisation threshold could be defended mainly as conservation. If a member asked for more, the registry needed to know that previous allocations had not been wasted. The rule was still intrusive, but the pool was large enough that many disputes remained practical. In Phase 2, the same rule allocates the last fragments of a nearly exhausted stock. Every additional /22 is a rationing choice dressed as arithmetic, because it means another applicant may wait or receive less.
AFRINIC's public exhaustion material captures the shift. The region moved through soft-landing phases and now operates under Phase 2 constraints. The minimum allocation or assignment size is /24 and the maximum is /22 for a request. Additional requests require at least 90% efficient use of all IP space delegated by AFRINIC to the member. Those facts are often stated as neutral policy mechanics. In the field they become a rationing formula, because they decide who can still obtain addresses at administrative cost when the market price of IPv4 outside the registry pool is far higher.
That price gap is what turns a file review into institutional pressure. If the requested addresses were abundant and cheap everywhere, the applicant might treat a rejected request as an inconvenience. Under scarcity, denial pushes the operator toward leasing, transfer purchase, CGNAT expansion, cloud-provider pools, delayed customer onboarding or architectural compromise. Each alternative has a cost. Some costs are visible in invoices. Others appear as customer friction, logging burden, reputational risk, lost public identity, or dependency on a platform that controls egress addresses.
The 90% rule therefore sits between two fears. The registry fears that scarce addresses will be captured by weak claims, paper companies, arbitrage schemes or dormant holders. Members fear that the registry will use scarcity to review not only need, but legitimacy. This is the classic institutional transition from abundance administration to scarcity discretion. A public-sounding rule remains in place, but the value of the thing being reviewed has changed. Because the resource has become capital, the review of efficient use becomes a review of capital access.
Scarcity also makes mistakes harder to reverse. If a registry asks the wrong questions or applies a rule inconsistently, the member cannot simply obtain equivalent space elsewhere on the same terms. If a member withholds evidence, overstates use or hides dormant ranges, the community cannot recover the lost opportunity cheaply. Both sides have reason to demand discipline from the other. That is why the design of the audit matters as much as the percentage. The institutional question is not whether there should be review. It is how review can be strong enough to protect the remaining pool without becoming a discretionary gate over existing networks.
Utilisation is not address-by-address occupancy
Utilisation is often spoken of as if every address were either visibly active or unused. Networks are not built that way. An IPv4 address can be assigned to a residential customer for a session, reserved for a business customer under contract, mapped to a NAT pool, held for infrastructure, used on loopbacks, assigned to monitoring systems, anchored to public DNS, bound into firewall rules, committed to an IXP service, or retained because renumbering would break a regulated connection. A clean ledger should distinguish these uses; a crude audit can flatten them.
Customer assignments are the easiest case to describe and not always the easiest to prove. A broadband provider can show that pools are tied to access regions or subscriber segments. A mobile provider can show public pools used by packet gateways or CGNAT systems. A hosting provider can show addresses linked to servers, virtual machines or customer services. Yet each proof may expose commercial information. Customer names, service locations, security configurations and traffic traces may be more than a registry needs to know. The question is whether the member can prove the category of use without handing over a customer catalogue.
Infrastructure use is less intuitive to outsiders but essential to operators. Routers, firewalls, load balancers, DNS resolvers, mail relays, monitoring platforms, management networks, VPN endpoints, peering links, anycast nodes and out-of-band access can all require public addressing. Some of these addresses may not generate obvious user traffic. A loopback address on a router is not idle merely because it does not look like a consumer endpoint. A public resolver address may be heavily relied upon even if it sits in a small range that appears under-populated. An emergency access range may be deliberately quiet until a failure.
Reservations are harder still. A datacentre operator may need contiguous space for a new hall because fragmentation would create routing and customer-management costs. An IXP may need a block sized for members that will join over time. A public service provider may keep spare addresses for disaster recovery, election systems, health platforms or emergency procurement. Enterprises maintain allowlists with banks, cloud platforms, regulators and vendors; changing the address later may require contract amendments and security review. A range can appear unused on Monday and be the only safe expansion path on Friday.
The policy manual recognises some of this complexity. It treats assignments as specific-purpose entries documented by specific organisations and not available for onward sub-assignment. It recognises temporary assignments with planned use and return dates. It recognises Internet exchange reservations. It treats anycast assignments as fully utilised for allocation review. Reverse DNS provisions can require registered assignment or sub-allocation for a /24 even when the whole /24 is not assigned. These categories are not decorative. They are the vocabulary through which a real network proves use.
The registry's task is to test that vocabulary without pretending that each address must look like a busy web server. Efficient use includes public service resilience, operational stability and reasonable growth buffers. It does not mean hoarding. It also does not mean that every quiet address is waste. The line between reserve and waste is exactly where a good audit earns its legitimacy.
Evidence comes from systems built for operations, not persuasion
A utilisation file is never a perfect photograph of the network. It is a set of traces produced by systems with different incentives. IPAM aims to prevent internal collision. Billing aims to charge customers. DHCP and subscriber systems aim to deliver service. CGNAT logs aim to support abuse handling, lawful requests and troubleshooting. Routing tables aim to carry reachability. DNS aims to support naming. RPKI aims to make origin authorisation verifiable. None of these systems exists mainly to persuade a registry reviewer that a percentage has been met.
That mismatch creates evidence friction. IPAM may list a range as reserved for enterprise access, while the billing system lists the customer under a parent company name. A merger may have changed legal names while old contracts and network labels stayed in place. A subsidiary may use addresses delegated by the parent, but the registry file may not reflect the current group structure. A wholesale customer may have downstream users whose details are not visible to the upstream provider. A government contract may use code names or restricted site names. A long-standing static customer may be known to network staff but absent from a modern customer portal.
Logs add a second difficulty. A registry may ask for proof that a pool is active. Session logs, NAT logs and firewall logs can show activity, but they also carry privacy and security risk. In many jurisdictions, retaining detailed logs creates obligations; sharing them across borders or with a private registry may require legal basis, redaction and retention controls. A responsible operator may have deliberately minimised log retention to reduce risk. That decision should not automatically count against it in an audit. Otherwise the review rewards surveillance-heavy operations and punishes privacy-conscious design.
Routing proof has its own limits. A prefix announced to the global table is not necessarily fully used inside. A prefix not separately announced may still be used behind a covering aggregate. More-specific announcements may be suppressed for routing hygiene, which should not be punished as non-use. Route records and RPKI authorisations can show that the holder controls announcement, but they do not by themselves prove customer assignment. Reverse DNS can provide another signal, but many legitimate uses do not maintain granular reverse entries, and some reverse names reveal customer or security information.
The best audit method treats evidence as layered. IPAM establishes the internal plan. Assignment records show customer or infrastructure categories. Routing and RPKI show control and reachability. DNS and reverse DNS provide supporting signals. Logs, where necessary, can be sampled, hashed, redacted or summarised. Contracts and invoices can be shown in controlled form. The registry should ask for the least intrusive combination that can answer the question. If a less sensitive record proves the point, the more sensitive record should not be demanded merely because it is available.
This is not indulgence toward weak documentation. It is institutional accuracy. A registry that ignores imperfect traces will overfit to whatever evidence is easiest to disclose. That favours large firms with clean systems and hurts older, smaller or more complex networks. A registry that accepts any trace without scrutiny invites sham evidence. The difficult middle is where audit credibility lives.
The 90% test needs category law
The phrase "90% used efficiently" sounds precise. It is not self-executing. The first question is the denominator. AFRINIC's exhaustion page refers to all IP space delegated by AFRINIC to the member. Does the review treat each historical allocation uniformly? How are temporary assignments counted? How are anycast assignments treated? How are Internet exchange reservations, public-service reserves or infrastructure pools handled? What about addresses delegated to a parent but operated by subsidiaries? What about a block undergoing migration after a merger? A percentage cannot answer these questions until policy categories have done the work.
The second question is the unit of efficient use. The public internet still treats /24 as an important operational minimum for many IPv4 routing purposes. A provider may not be able to slice address space into perfectly filled fragments without creating routing, filtering or customer-management problems. A /24 that is 70% full may be a sensible unit if the remaining addresses are reserved for customers in the same access area or for failover. Another /24 that is 20% full may be waste if it has no plan and no dependency. The same percentage means different things depending on the operating context.
The third question is time. Networks grow and shrink. Customer churn releases addresses, but not always in clean blocks. Public-sector procurement may award a contract months before service activation. A datacentre build may require address planning before racks are live. Enterprise customers may demand future ranges as part of a rollout plan. A mobile network may need pool capacity before a campaign or seasonal traffic surge. If the audit recognises only addresses active at the instant of review, it will misread growth and resilience. If it accepts all forecasts without discipline, it will authorise hoarding.
The fourth question is risk. Renumbering is not a clerical act. It can break allowlists, certificates, DNS, security policies, monitoring, geolocation assumptions, partner integrations and customer documentation. An obsolete-looking range may be tied to an industrial control customer that can only change during a yearly shutdown. A bank may require months of paperwork to alter a source address. A public agency may require procurement amendment. Efficient use must account for the cost of reclaiming fragments from within a live estate. The cheapest theoretical packing is not always the efficient network outcome.
Anycast shows why policy must be explicit. AFRINIC's manual says staff will consider anycast IPv4 and IPv6 blocks assigned for that purpose to be fully utilised when considering first or additional allocation to an LIR. That rule exists because anycast's value is not measured by filling every address with a separate host. It is measured by distributed service at the same address. Many other categories do not receive such crisp treatment, but the lesson is broader. Utilisation is a policy judgement about how addresses support service, not a mechanical occupancy count.
The 90% threshold can still be useful. It forces members to show discipline and prevents endless requests from companies sitting on unused stock. But it must be administered with category rules that operators can understand before they invest. Otherwise the number becomes a discretionary instrument: exact enough to sound fair, flexible enough to surprise.
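To make the denominator and category questions concrete, the following added example (not AFRINIC's method or tooling) evaluates one constructed estate twice: once as raw occupancy and once with anycast counted as fully utilised, as the manual describes. The prefixes, category names and use counts are assumptions made up for illustration.

```python
import ipaddress

# Constructed sample estate (private-range prefixes, not real delegations):
# (prefix, category, addresses with documented active use).
ESTATE = [
    ("10.0.0.0/22", "residential", 980),
    ("10.0.4.0/23", "enterprise_static", 470),
    ("10.0.6.0/24", "anycast", 4),
    ("10.0.7.0/24", "infrastructure", 190),
]

THRESHOLD = 0.90  # the Phase 2 figure quoted from AFRINIC's exhaustion page

# Hypothetical rule sets: which categories count as 100% used.
RULES = {"raw_occupancy": [], "anycast_full": ["anycast"]}


def check_estate(estate):
    """Reject rows that would corrupt the denominator: overlapping prefixes
    (double counting) or a use count larger than the prefix itself."""
    nets = []
    for prefix, _category, used in estate:
        net = ipaddress.ip_network(prefix)
        if not 0 <= used <= net.num_addresses:
            raise ValueError(f"{prefix}: use count {used} exceeds prefix size")
        for other in nets:
            if net.overlaps(other):
                raise ValueError(f"{prefix} overlaps {other}")
        nets.append(net)
    return nets


def utilisation(estate, fully_utilised=frozenset()):
    """Return (used, delegated, ratio). Categories named in `fully_utilised`
    count as 100% used regardless of how many hosts answer in them."""
    nets = check_estate(estate)
    delegated = sum(n.num_addresses for n in nets)
    used = 0
    for net, (_prefix, category, active) in zip(nets, estate):
        used += net.num_addresses if category in fully_utilised else active
    return used, delegated, used / delegated


def compare_rules(estate, rule_sets):
    """Evaluate the same estate under several named category rule sets."""
    report = {}
    for name, categories in rule_sets.items():
        used, delegated, ratio = utilisation(estate, frozenset(categories))
        report[name] = {
            "used": used,
            "delegated": delegated,
            "ratio": round(ratio, 4),
            "passes": ratio >= THRESHOLD,
        }
    return report


if __name__ == "__main__":
    for name, row in compare_rules(ESTATE, RULES).items():
        print(name, row)
```

The same records fail the threshold as raw occupancy and pass it once the anycast rule is applied, which is why the category rules need to be known before the file is assembled.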
Fragmentation makes neat arithmetic expensive
The most seductive audit error is to imagine that every network can be packed like a warehouse shelf. If a holder has many small gaps, the reviewer asks why those gaps are not combined and reused before any new request is made. Sometimes that is the right question. Other times the gaps are in the wrong places, attached to the wrong customers, inside the wrong routing plan or too costly to recover without reducing reliability.
Fragmentation is a technical and economic condition. A provider may have twenty half-empty pools, each tied to a city, access technology or customer class. In theory the free addresses add up to a usable block. In practice moving them requires renumbering customers, updating access policies, altering DHCP or subscriber systems, changing firewall and abuse processes, and possibly announcing more-specific prefixes. The reclaimed addresses may not be contiguous. They may not form a /24. They may be unusable for a customer that needs a clean public range accepted by filters across the internet. Arithmetic free space does not always become deployable free space.
Aggregation matters because global routing has costs. A network that keeps addresses in larger aggregates helps routing stability and reduces operational complexity. If audit pressure forces the network to carve more-specific announcements simply to demonstrate use or recover fragments, the review has created an external cost. It has made the ledger look more efficient while pushing complexity into the routing system. A registry should not demand address neatness at the expense of route hygiene unless the benefit is clear.
Public-sector and enterprise procurement intensify this problem. Contracts often specify fixed ranges or require approval for changes. Banks and government agencies keep allowlists that are difficult to update quickly. Security teams may have embedded ranges into tools that were never designed for frequent renumbering. The network engineer may know that a block could be packed more tightly, but the contract manager knows that doing so would take six months and create outage risk. A good audit distinguishes waste from locked-in dependency.
The /24 minimum is especially important. For many operational purposes, a /24 remains the smallest IPv4 prefix that can be widely routed without filtering risk. A company may need a full /24 for a service even if the service uses fewer than 256 addresses. An IXP, anycast service, public DNS platform or regulated enterprise connection may require a unit whose value lies in routability and administrative clarity, not in address-by-address occupancy. Treating each unused address in that unit as evidence of inefficiency would punish the operator for obeying the practical rules of the internet.
This does not mean fragmentation should be an excuse for every request. Operators should maintain credible recovery plans, retire abandoned reservations and avoid leaving historic pools untouched merely because no one wants to clean them. But the audit should recognise a hierarchy of costs. Recovering a free address inside an active customer block is not the same as using a free address in an unassigned pool. Collapsing all gaps into a single percentage hides the very facts a review should understand.
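The gap between arithmetic free space and deployable free space can be measured directly from an IPAM export. This added example (not from any registry or operator tooling) subtracts assigned sub-ranges from constructed pools and reports both the free address count and the number of aligned /24 units actually available; the pool layout is an assumption made up for illustration.

```python
import ipaddress

# Constructed sample: pool -> sub-ranges already assigned inside it.
POOLS = {
    "10.1.0.0/24": ["10.1.0.0/26", "10.1.0.128/26"],
    "10.1.1.0/24": ["10.1.1.0/25"],
    "10.1.2.0/24": ["10.1.2.64/26", "10.1.2.192/27"],
    "10.1.3.0/24": ["10.1.3.0/24"],
}


def free_blocks(pool, assigned):
    """Subtract assigned sub-ranges from a pool and return the free CIDR blocks."""
    pool_net = ipaddress.ip_network(pool)
    free = [pool_net]
    for taken in map(ipaddress.ip_network, assigned):
        if not taken.subnet_of(pool_net):
            raise ValueError(f"{taken} is not inside {pool_net}")
        remaining = []
        for block in free:
            if taken.subnet_of(block):
                # Splits the block into the pieces left around `taken`.
                remaining.extend(block.address_exclude(taken))
            elif not block.subnet_of(taken):
                remaining.append(block)
        free = remaining
    return free


def deployable_summary(pools, routable_len=24):
    """Compare total free addresses with free space usable as whole
    /routable_len units (the /24 minimum discussed in the text)."""
    free = []
    for pool, assigned in pools.items():
        free.extend(free_blocks(pool, assigned))
    # Neighbouring blocks merge only where they form a valid aligned supernet.
    free = list(ipaddress.collapse_addresses(free))
    units = sum(2 ** (routable_len - b.prefixlen)
                for b in free if b.prefixlen <= routable_len)
    largest = max(free, key=lambda b: b.num_addresses, default=None)
    return {
        "free_addresses": sum(b.num_addresses for b in free),
        "free_blocks": [str(b) for b in free],
        "largest_free_block": str(largest) if largest else None,
        "routable_units": units,
    }


if __name__ == "__main__":
    for key, value in deployable_summary(POOLS).items():
        print(f"{key}: {value}")
```

In the sample, 416 addresses are free on paper, more than a /24's worth, yet the largest contiguous free block is a /25 and no routable /24 can be formed without renumbering.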
Confidential proof is not a courtesy
The most sensitive part of utilisation review is not the address count. It is the customer map. To prove use, a provider may be asked to show who uses which range, for what service, in which country, and under what plan. That information can identify customers, reveal business relationships, disclose security architecture and expose commercially valuable expansion plans. In some cases it may also touch personal data, because subscriber logs, NAT records or abuse traces can link public addresses to individuals or households at specific times.
The registry has a legitimate interest in preventing fictitious need. A member that claims millions of addresses for phantom customers should not be able to hide behind confidentiality. But the solution is not unlimited disclosure. It is staged proof. The first layer can show categories: residential pool, mobile CGNAT pool, enterprise static range, public service infrastructure, datacentre customer, IXP reservation, anycast service, management, loopback, emergency reserve and reserved continuity space. The second layer can show counts, dates, internal ticket references and responsible business units. Only if those layers are insufficient should the review move toward customer-level samples, and even then with redaction, confidentiality obligations and clear handling rules.
Redaction standards are not a courtesy. They are a condition of proportional review. Customer names may be replaced with stable pseudonyms. Contracts may be shown with commercial terms removed. Logs may be sampled and time-bounded. Hashes may prove that a record existed at a date without disclosing every field. A third-party auditor may inspect sensitive material and provide an attestation to the registry. The registry may require enough detail to prevent fabrication, but should not accumulate customer dossiers as a routine by-product of address administration.
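One way to build the staged proof and redaction described above, as an added sketch that is not a registry-specified format: category totals for the first layer, pseudonymised per-range entries for the second, and a salted commitment per record that can be opened later for a sampled check. Field names, the record layout and the sample customers are assumptions constructed for illustration.

```python
import hashlib
import hmac
import ipaddress
import json
import secrets
from collections import Counter

# Constructed sample records; customer names and tickets are invented.
RECORDS = [
    {"prefix": "10.2.0.0/24", "category": "enterprise_static",
     "customer": "Example Bank Ltd", "since": "2021-03-01", "ticket": "NET-1042"},
    {"prefix": "10.2.1.0/25", "category": "enterprise_static",
     "customer": "Example Bank Ltd", "since": "2022-07-15", "ticket": "NET-2210"},
    {"prefix": "10.2.2.0/23", "category": "mobile_cgnat",
     "customer": "internal", "since": "2020-01-10", "ticket": "NET-0007"},
    {"prefix": "10.2.4.0/24", "category": "datacentre_customer",
     "customer": "Example Clinic Group", "since": "2023-11-02", "ticket": "NET-3318"},
]


def canonical(record):
    """Stable byte encoding so both sides hash exactly the same record."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def pseudonym(key, customer):
    """Stable pseudonym: the same customer always maps to the same label,
    and the label cannot be reversed or recomputed without the operator's key."""
    digest = hmac.new(key, customer.encode(), hashlib.sha256).hexdigest()
    return "cust-" + digest[:16]


def commit(record, nonce):
    """Salted commitment to the full record. The random nonce stops a reviewer
    from guessing the hidden fields by hashing candidate customer names."""
    return hmac.new(nonce, canonical(record), hashlib.sha256).hexdigest()


def build_disclosure(records, key):
    """Return (public layers for the reviewer, openings kept by the operator)."""
    layer1 = Counter()           # layer 1: address counts per category
    layer2, openings = [], {}    # layer 2: per-range entries, no customer names
    for rec in records:
        layer1[rec["category"]] += ipaddress.ip_network(rec["prefix"]).num_addresses
        nonce = secrets.token_bytes(32)
        layer2.append({
            "prefix": rec["prefix"],
            "category": rec["category"],
            "since": rec["since"],
            "ticket": rec["ticket"],
            "holder": pseudonym(key, rec["customer"]),
            "commitment": commit(rec, nonce),
        })
        openings[rec["prefix"]] = (nonce, rec)
    return {"layer1": dict(layer1), "layer2": layer2}, openings


def verify_opening(commitment, record, nonce):
    """Reviewer-side check for a sampled record: it must match what was
    committed when the file was lodged (assumed to be the dated event)."""
    return hmac.compare_digest(commitment, commit(record, nonce))


if __name__ == "__main__":
    operator_key = secrets.token_bytes(32)  # stays with the operator
    public, kept = build_disclosure(RECORDS, operator_key)
    print(json.dumps(public, indent=2))
    nonce, rec = kept["10.2.4.0/24"]
    print("sample verifies:", verify_opening(public["layer2"][3]["commitment"], rec, nonce))
```

Only a sampled record and its nonce are ever handed over, so the reviewer can detect fabrication or later alteration without holding the full customer list.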
This is especially important in the AFRINIC region, where operators serve a wide mix of markets, legal regimes and institutional customers. A network may connect public agencies, financial institutions, civil-society groups, media organisations, health services and cross-border businesses. A demand for country-level or customer-level detail can have political and security consequences beyond the utilisation file. Even if the registry acts in good faith, the mere centralisation of sensitive evidence creates breach, subpoena and misuse risk.
Privacy-conscious audit design also improves truthfulness. If members know that every disclosure may become a broad customer inventory, they will resist, litigate or over-redact. If they know the process accepts proportionate evidence and protects sensitive material, they are more likely to correct stale records and explain exceptions early. The registry obtains better information by asking narrower questions.
The central distinction is between proof and exposure. Proof establishes that addresses are used for legitimate network purposes. Exposure gives the reviewer more commercial and customer knowledge than necessary. An audit charter should make that boundary explicit. It should say what must be shown, what may be redacted, who can see unredacted material, how long evidence is kept, and when sensitive proof must be destroyed or returned. Without those rules, the utilisation review becomes a confidentiality risk in its own right.
The case for review is real
A sceptical view of audit power should not become a defence of weak records. IPv4 scarcity makes review necessary. A registry that cannot verify need invites abuse. Dormant companies may be revived on paper to claim addresses. Historic ranges may be shifted without proper authority. Shell entities may manufacture demand. Applicants may exaggerate customer counts or treat speculative business plans as current need. Stale registration data may make abuse handling harder and routing disputes more dangerous. The remaining pool is too small, and too valuable, for blind trust.
The alleged African IPv4 address heist reported by KrebsOnSecurity in 2019 helps explain why audit power became attractive. The report described claims by researcher Ron Guilmette and journalists that significant African address holdings had been diverted or sold through companies linked to an AFRINIC insider, with alleged use by marketers and others outside the rightful context. AFRINIC said at the time that it was investigating. The details belong to their own history, and allegations should not be treated as final findings against every participant named in public debate. But the lesson for utilisation review is straightforward. If a registry cannot detect stale, misdirected or unauthorised records, scarcity will reward the party best able to exploit administrative weakness.
Fraud prevention is not the only legitimate aim. A review can improve public record quality. It can reveal name changes, mergers, obsolete contacts, abandoned reverse DNS, missing abuse contacts, mismatched routing authorisations and ranges that should be returned. It can distinguish a real operator from a paperwork shell. It can make future transfers cleaner by ensuring that the registration record matches operational control. It can discourage applicants from asking for more than they can justify. In a scarcity regime, these are valuable public goods.
Review can also protect smaller and newer networks. If large incumbents can obtain additional space while leaving old allocations loosely documented, late entrants bear the cost. If speculative holders can warehouse addresses through vague plans, genuine access providers face shortage. An audit that is predictable, evidence-based and proportionate can make scarcity less arbitrary. It can say to all members: show real use, clean your records, explain reserves, and the remaining pool will be distributed by rule rather than influence.
The legitimate case depends on restraint. The registry's strongest argument is that it keeps a reliable ledger for unique number resources. The further it moves from ledger accuracy and justified need into commercial judgement, the weaker that argument becomes. It may ask whether a range is assigned to a customer category, reserved for a documented service, supporting infrastructure or safely recoverable. It should be much more cautious about deciding whether a member's leasing model, customer geography, pricing strategy or platform choice is desirable. Those questions invite regulatory power the registry is not built to hold.
The audit is most defensible when it corrects evidence problems before they become existential disputes. Safe-harbor correction matters. A member that discovers stale contacts, outdated organisation names or inconsistent internal records should be able to fix them without assuming that every correction will be treated as evidence of bad faith. If the review punishes confession, it will get concealment. If it rewards timely correction, it will get a better ledger.
How review becomes discretionary control
The danger begins when utilisation review stops asking whether addresses are efficiently used and begins asking whether the registry approves of the member's business. The shift may be subtle. A request for assignment data becomes a request for customer identities. A question about actual use becomes a question about whether use matches an old purpose statement. A need review becomes a regional-use inquiry. A discrepancy becomes grounds for threatening termination. The audit remains wrapped in policy language, but the practical effect is to place running networks under open-ended administrative review.
Retroactivity is the most corrosive form. Networks evolve. A provider that justified space for one service may later use part of it for another legitimate service after markets change. A hosting company may add security products. An access provider may add cloud connectivity. A group may reorganise subsidiaries. A customer base may become more international. If every commercial evolution requires re-justifying historic address holdings under a new interpretation, the registry becomes a permanent business approver. That is not ledger stewardship. It is a capital-control function without the accountability normally attached to capital controls.
Selective timing is another risk. An audit launched during a transfer, litigation, policy dispute or membership conflict will be viewed differently from a routine review under published sampling rules. Even if the questions are defensible, timing can make them coercive. A member seeking to sell, lease, finance or reorganise address holdings may face uncertainty if the registry can initiate a broad review at a decisive moment. The value of the address estate then carries an audit-risk discount. Buyers and lenders will ask not only whether the registration record is correct, but whether a future reviewer may reinterpret the history.
Regional-use policing requires particular caution. AFRINIC serves Africa and parts of the Indian Ocean, and its policies include regional assumptions in various contexts. But the internet is not a customs union. Customers, traffic, cloud platforms, roaming, security services and enterprise networks cross borders. A provider may be incorporated in the region while serving customers elsewhere. A regional registry can verify eligibility and policy compliance without pretending that packets, customers or commercial value remain neatly inside a map. If it polices geography too aggressively, it risks turning address administration into industrial policy.
Threat language amplifies all these concerns. A request for information is one thing. A request paired with possible termination or withdrawal is another. When a registry says it may reclaim addresses, the member hears more than paperwork pressure. It hears the possible interruption of customers, contracts, routing, DNS, security operations and business value. The registry may intend the threat as an enforcement backstop. The market prices it as confiscation risk.
The discretionary turn is not inevitable. It occurs when policy categories are vague, evidence demands are elastic, remedies are disproportionate and appeal routes are weak. A well-designed audit stops before that point. It asks: what question are we answering, what evidence is necessary, what privacy protections apply, what cure is available, what continuity risk exists, and what independent review can test our judgement?
A reported dispute, not a template for every member
The Cloud Innovation dispute is the most visible example of how utilisation review can become an institutional crisis. It should be handled with care because the public record is contested and litigation has spanned years. The Internet Governance Project's 2021 account reported that AFRINIC reviewed Cloud Innovation's use of IPv4 resources, identified discrepancies between registered usage descriptions and countries where the resources were allegedly used, questioned consistency between expressed need and actual purpose, demanded detailed information about use, country and planned utilisation, and threatened termination and reclaim. Cloud Innovation disputed the allegations and argued that the demands were excessive and intrusive.
The important point for address-utilisation economics is not to re-try the case. It is to observe the escalation pattern as reported by public sources. A registry concerned about scarce addresses and past misuse moved from review into a high-stakes remedy. The member, facing what it said was an existential threat to its business and customers, responded with litigation. Courts became part of registry governance. AFRINIC's operations were affected. Later reporting described bank-account freezes, receivership, election disputes, ICANN concerns, board recovery efforts and continuing legal conflict. A resource review had become part of a much larger struggle over institutional power.
This pattern shows why proportionality is not a soft value. It is risk management. If the alleged violation concerns misdescription, regional use, changed purpose or insufficient disclosure, the first remedy should rarely be total withdrawal from running customers. The remedy should begin with clarification, record correction, prospective compliance, cure periods, narrower restrictions, or independent review. Termination may be necessary in cases of proven fraud, non-payment, deliberate deception or refusal to cure. But if it is threatened too early, the registry converts a compliance question into a survival contest.
The Cloud Innovation episode also illustrates the burden problem. A registry may believe it needs granular customer and country data to test policy compliance. The member may see that same demand as a request to expose its customer base and commercial model. Both positions can be intelligible. The solution cannot be to let each side define necessity for itself. It must be a published evidence protocol that separates aggregate proof, confidential proof, third-party attestation and exceptional disclosure.
The case also warns against using one dispute to define an entire sector. Leasing, transfers, cross-border customers and changing uses are not automatically fraud. Nor are they automatically immune from review. They are commercial realities that require clear rules. If the registry treats them as suspect by default, it suppresses liquidity and encourages defensive structuring. If it ignores them entirely, it may enable paper need and hidden warehousing. The middle path requires institutional humility: verify what the registry is competent to verify, and resist the temptation to become the business judge of last resort.
The lasting lesson is not that audits should disappear. It is that audit power must be designed for the worst day. If a review can put a large address estate under threat, the process needs a charter, notice, evidence limits, cure, appeal and continuity protections before the first letter is sent.
Scandal can make strength look safer than process
Institutions often overcorrect after scandal. A weak control environment is exposed; the public asks why no one acted; the next leadership team demonstrates vigilance; enforcement becomes a symbol of renewal. AFRINIC's recent history makes that temptation understandable. Allegations of misappropriated African address space, public criticism of governance, and later litigation created pressure to show that the registry could police its records. In such a climate, a strong audit posture can look like proof of seriousness.
But strength is not the same as legitimacy. A registry that failed to detect stale or diverted records may need better audits, better internal controls, better staff separation, better public reporting and better member verification. It does not follow that it should claim broad discretion over every later use of every address block. The scandal of under-enforcement can become the justification for over-enforcement. Both damage trust, though in different ways.
The distinction is between forensic repair and ordinary administration. If there is evidence that a range was diverted through fraud, insider abuse, forged documents or a defunct company, the registry should investigate and seek appropriate remedies. That is different from treating every discrepancy in use, geography or business model as if it were part of the same pattern. A company with messy but genuine records is not the same as a company with fictitious need. A provider with customers outside the region is not the same as a thief. A changed purpose is not automatically a sham.
Audit design should reflect this gradient. Routine utilisation review should use limited questions and standard evidence. Enhanced review should require defined triggers: material inconsistency, credible fraud reports, non-response, contradictory registration data, suspected unauthorised control or severe abuse-handling failure. Emergency measures should require even stronger evidence and independent approval because they can threaten continuity. Without this gradient, every audit carries the shadow of the harshest remedy.
Public reporting on AFRINIC's receivership and later board recovery also matters here. An institution under governance stress should be more cautious, not less, with high-discretion tools. The Internet Governance Project in 2023 described receivership as a continuity mechanism. The Register reported in 2026 that AFRINIC accused Cloud Innovation, Larus and associated campaigns of trying to paralyse it; those parties contested important parts of that framing. The Register also reported in May 2026 on ICANN intervention and a Mauritian winding-up application, while noting Cloud Innovation's position that reported orders and allegations did not amount to final judgments on leasing, ownership or its business model. These reports do not decide utilisation policy. They remind members that review power sits inside a stressed institution. The more stressed the institution, the more important it is to separate routine ledger work from contested enforcement.
This is why an independent review layer is not bureaucratic luxury. It is a way to preserve legitimacy when trust is thin. If the registry asks ordinary questions under published rules, staff can handle the file. If it intends to make adverse findings that threaten continuity, an independent panel or appeal body should test necessity and proportionality. Strength without review is merely discretion with better branding.
The liquidity discount sits beside the utilisation file
Address-utilisation audits affect not only new requests. They also shape the market for existing IPv4. A buyer, lessee, lender or investor wants to know whether a block can be used, transferred, financed or pledged without later administrative surprise. If the registry can reopen historical need, question a changed business model, demand customer disclosures or delay approval through discretionary review, the asset carries a liquidity discount. The price reflects not only scarcity and reputation, but also institutional risk.
This does not require the registry to announce capital controls. The market can infer them from practice. If transfers are delayed by broad questions, parties will shorten deal horizons or avoid the region. If leasing is treated as presumptively suspect, holders will hide arrangements or move value through less transparent structures. If a purchaser fears that historic utilisation by the seller may be reinterpreted, it will demand indemnities or a lower price. If a lender cannot predict whether address rights will remain stable, it will refuse to underwrite them. The registry's discretion becomes a cost of capital.
The problem is not that every address claim should be freely tradable without evidence. Scarce number resources require accurate registration and authority checks. The problem is that a utilisation audit can blur present control with moral approval of past and future commerce. A registry should know who is registered, who has authority, whether records are accurate, and whether a request for additional free-pool space is justified. It should be cautious about using that role to decide whether market leasing, cross-border service or asset financing is good policy unless the community has adopted clear rules with clear remedies.
Liquidity matters for network development, but this point should remain adjacent to the utilisation question rather than consuming it. When addresses can move from low-value or dormant use to higher-value use through predictable channels, scarcity is eased. When movement is risky, holders sit on addresses defensively, buyers overpay for certainty elsewhere, and operators expand NAT or platform dependency. Enforcement creep can therefore produce the very hoarding it condemns. If selling, leasing or reorganising triggers unpredictable review, the rational holder waits.
Utilisation audits can improve liquidity if designed well. Clean records make transfers easier. Safe-harbor corrections allow holders to fix legacy files before a transaction. Published evidence categories let buyers assess risk. Time-limited review prevents old issues from haunting every later deal. Confidential proof lets commercial arrangements be verified without public exposure. Narrow registry discretion lowers the discount.
The capital question is not a replacement for address-utilisation policy. A member seeking additional space from the remaining pool should prove efficient use. But the proof system should not make all existing holdings feel conditional. If every record is subject to perpetual re-judgement, scarcity turns from a technical constraint into an institutional tax on market movement.
Withdrawal risk changes the audit bargain
Withdrawal is the nuclear remedy of address administration. It may be necessary in cases of fraud, abandonment, non-payment, court order or clear policy breach after cure fails. But when it is used as a routine shadow over utilisation review, it changes the bargain between registry and member. The member no longer experiences the audit as a request to clean the record. It experiences it as a threat to customers, contracts, financing and operational continuity.
The reason is simple. IP addresses are not decorative entries. They are embedded in routing, DNS, RPKI, security rules, logs, contracts, customer systems and reputation. Removing or freezing a block can affect thousands or millions of users who are not parties to the compliance dispute. Even a threat can be damaging. Customers may ask whether service is safe. Lenders may mark the asset as risky. Buyers may delay. Engineers may stop deploying on the questioned space. The registry may believe it has only sent a notice. The market hears a continuity warning.
This is why notice and cure are essential. A member should know the alleged deficiency, the policy basis, the evidence needed, the deadline, the possible remedies and the path to appeal. It should have a meaningful chance to correct stale records, provide additional proof, reduce a request, return genuinely unused space, or agree to prospective conditions. Immediate escalation may be justified for fraud or urgent harm, but not for ordinary documentation gaps.
A continuity firewall should also separate review from service disruption. While a dispute is pending, existing customers should not be placed at avoidable risk. The registry can mark a record under review, restrict new allocations, pause certain transactions, or require escrowed evidence without withdrawing operational registration. If final adverse action is necessary, the transition should be staged to protect end users where possible. The point is not to make enforcement toothless. It is to recognise that the registry's remedy can harm third parties.
Appeal must be real, not decorative. An internal reconsideration by the same staff is useful but insufficient for high-impact remedies. A member facing withdrawal or severe restriction should be able to obtain independent review, with confidential evidence procedures and a published decision framework. The reviewer should test whether the policy basis is clear, whether the evidence demand was proportionate, whether cure was offered, whether less disruptive remedies were available, and whether continuity risks were considered.
The threat of reclamation belongs near the end of the process, not at the beginning. Used sparingly, it protects the integrity of the registry. Used casually, it converts a stewardship role into a coercive gate. The economics are predictable: the higher the perceived withdrawal risk, the lower the willingness to invest around AFRINIC-administered addresses.
A charter for bounded review
The institutional solution begins with a charter. It should state that address-utilisation review exists to verify efficient use, protect the remaining pool, improve registration accuracy and correct material misstatements. It should also state what the review is not: a general business-model approval process, a routine customer-disclosure channel, a regional industrial-policy tool, or a way to re-price existing networks through uncertainty.
The charter should publish utilisation categories. Customer assignment, dynamic access pools, CGNAT pools, infrastructure, loopbacks, management, public services, IXP reservations, anycast, enterprise static ranges, public-sector reserves, emergency reserve, documented growth buffers, obsolete-but-not-safely-renumbered ranges and temporary assignments should each have evidence expectations. The categories need not be generous. They need to be knowable. Operators can then maintain records in the form the registry will later require.
Evidence should be proportionate by tier. A routine small request can be supported by summaries, IPAM exports, category counts, routing evidence, contact verification and selected samples. A larger request or inconsistent file can require deeper proof. A suspected fraud case can justify enhanced review, independent attestation and more granular disclosure. Sensitive data should be redacted by default unless a specific policy question requires otherwise. The registry should keep only what it needs and should define retention periods.
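As an added illustration (not AFRINIC's method and not code from any registry tool), the sketch below shows how an operator could turn an IPAM export into the kind of redacted category-count summary described above. The column names, the category slugs, the sample prefixes and the rule that any address documented under a recognised category counts toward the 90% figure are all assumptions of this example.

```python
import csv
import io
import ipaddress
import json
from collections import Counter

# Slugs are this example's own labels for the categories named in the text.
CATEGORIES = {
    "customer_assignment", "dynamic_access_pool", "cgnat_pool",
    "infrastructure", "loopbacks", "management", "public_services",
    "ixp_reservation", "anycast", "enterprise_static",
    "public_sector_reserve", "emergency_reserve", "growth_buffer",
    "obsolete_not_renumberable", "temporary_assignment",
}
THRESHOLD = 0.90  # the 90% figure quoted on the page

# Constructed sample data: documentation prefixes stand in for delegations.
DELEGATED = ["198.51.100.0/24", "203.0.113.0/24"]

# Constructed IPAM export; the column layout is an assumption.
IPAM_CSV = """prefix,category,customer
198.51.100.0/25,customer_assignment,Example Bank Ltd
198.51.100.128/26,cgnat_pool,
198.51.100.192/27,infrastructure,
198.51.100.192/28,loopbacks,
203.0.113.0/25,dynamic_access_pool,
203.0.113.128/26,customer_assignment,Example Clinic
203.0.113.192/27,misc,
192.0.2.0/28,management,
"""


def summarise(delegated, ipam_csv, threshold=THRESHOLD):
    """Return aggregate counts only; customer names never leave this function."""
    blocks = [ipaddress.ip_network(p) for p in delegated]
    total = sum(b.num_addresses for b in blocks)
    records = [
        (ipaddress.ip_network(row["prefix"].strip()), row["category"].strip())
        for row in csv.DictReader(io.StringIO(ipam_csv))
    ]
    # Longest prefixes first, so a nested record claims its addresses before
    # the covering record and no address is counted twice.
    records.sort(key=lambda rec: rec[0].prefixlen, reverse=True)

    claimed = []            # non-overlapping networks already counted
    by_category = Counter()
    uncategorised = 0       # addresses under a label the charter does not list
    outside = 0             # records that fall outside the delegated blocks
    for net, category in records:
        if not any(net.subnet_of(b) for b in blocks):
            outside += 1
            continue
        inner = [c for c in claimed if c.subnet_of(net)]
        fresh = net.num_addresses - sum(c.num_addresses for c in inner)
        claimed = [c for c in claimed if c not in inner] + [net]
        if category in CATEGORIES:
            by_category[category] += fresh
        else:
            uncategorised += fresh

    documented = sum(by_category.values())
    share = documented / total
    return {
        "delegated_addresses": total,
        "documented_addresses": documented,
        "documented_share": round(share, 4),
        "meets_threshold": share >= threshold,
        "by_category": dict(by_category),
        "uncategorised_addresses": uncategorised,
        "records_outside_delegation": outside,
    }


if __name__ == "__main__":
    print(json.dumps(summarise(DELEGATED, IPAM_CSV), indent=2))
```

The summary carries counts per category, the unlabelled remainder and the number of stray records, which is enough to locate a documentation gap without exposing who holds which range.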
Safe-harbor correction is crucial. Members should be encouraged to fix stale records, update names after mergers, register assignments, correct reverse DNS and align routing authorisations without fear that every correction will trigger punitive inference. The safe harbor can exclude deliberate fraud or concealment, but routine cleanup should be rewarded. A registry that wants a clean ledger should not make cleanup dangerous.
The charter should also include notice, cure and appeal. A review letter should identify the policy basis and the issue. A deficiency finding should explain facts and remedy. A cure period should be available where continuity is not at immediate risk. Appeals should be independent for serious adverse action. Aggregate metrics should be published: number of reviews, categories of findings, average time, cure rates, returned space, escalations and appeals. Such reporting allows the community to see whether audits are routine hygiene or selective pressure.
Under governance stress, the charter should require extra restraint. If the registry lacks a stable board, faces receivership, or is in significant litigation with a member, high-impact audit actions should receive independent review before enforcement. That protects the registry as much as the member. It prevents later claims that staff used audit power as a factional weapon and helps courts see that the institution followed a disciplined process.
A narrow charter is not weakness. It is how a registry preserves authority by refusing powers it cannot legitimately wield.
Continuity should govern the remedy ladder
The end user is usually absent from utilisation disputes, yet bears much of the risk. A residential subscriber does not know that the address used by a NAT gateway sits inside a block under review. A hospital does not know that a provider's old range is being questioned. A merchant does not know that its payment API allowlist depends on a contested registration. A registry, member and court may argue over policy while the public experiences only service failure.
Continuity should therefore be an explicit audit principle. The registry can preserve scarcity discipline without making abrupt disruption the default remedy. For existing use, the first question should be how to correct the record while keeping service stable. If an address range is genuinely unused, return is sensible. If it is used but poorly documented, documentation should be improved. If it is used in a way that violates a clear policy, the remedy should consider transition, customer notice and less disruptive alternatives. If fraud is proven, stronger remedies may follow, but even then the operational blast radius should be managed.
Disclosure should follow the same principle. The registry should not ask for customer-level detail when aggregate proof suffices. It should not ask for raw logs when utilisation graphs, pool configs, sampled attestations or third-party review can answer the question. It should not retain sensitive records longer than needed. It should not use evidence collected for utilisation to pursue unrelated aims unless a clear policy and due process allow it. Evidence discipline cuts both ways: members must show real use; the registry must show why it needs what it asks for.
This approach would also reduce litigation incentives. Many disputes escalate because each side fears the other's next move. Members fear that disclosure will be used against them beyond the immediate review. Registries fear that limited evidence hides misuse. A staged process with confidentiality rules narrows the trust gap. It lets the registry escalate when answers are inadequate, but requires it to explain escalation rather than begin there.
Continuity and scarcity are not enemies. In fact, continuity is one reason scarcity matters. IPv4 addresses remain valuable because they support running networks, customers and services. A review that protects the pool while damaging the networks built on prior delegations has misunderstood the asset. The ledger describes a reality that exists in routers, contracts and users' daily connectivity. It does not own that reality.
AFRINIC's challenge is to demonstrate that utilisation review can be disciplined without becoming discretionary control. The institution can ask for proof. It can deny unsupported requests. It can correct stale records and investigate fraud. But it must do so with narrow discretion, accountable process and a bias toward preserving service. In a scarce market, the registry's legitimacy depends less on dramatic enforcement than on boring predictability.
The post-exhaustion bargain
After exhaustion, a registry's role changes even if its constitution does not. It no longer mainly distributes abundant addresses. It administers scarcity, records transfers, verifies need at the margin, supports routing trust, and keeps the public ledger credible while markets, leasing, cloud platforms and NAT absorb demand. That role is important. It is also narrower than the role scarcity tempts the institution to claim.
The post-exhaustion bargain should be explicit. Members accept that additional requests from the remaining pool require evidence. They maintain records, document reserves, clean stale assignments, support routing and reverse DNS hygiene, and explain growth. In return, the registry limits review to defined purposes, protects confidential information, offers safe correction, uses proportionate remedies, provides independent appeal and does not treat its administrative position as ownership of the address estate.
Such a bargain would make the 90% threshold more credible. Operators would know what counts, what does not, how exceptions are handled and how sensitive proof can be submitted. The registry would obtain better data and face fewer claims of arbitrariness. Buyers and lenders would price AFRINIC-administered addresses with less uncertainty. Smaller networks would face a clearer path to justified requests. Fraud would become easier to distinguish from messy but real operations.
The alternative is a slow conversion of every utilisation question into an institutional contest. The registry asks for more detail because it distrusts members. Members disclose less because they distrust the registry. Reviews take longer. Lawyers become involved earlier. Address blocks carry a governance discount. Cloud platforms and large upstreams gain bargaining power because independent address control feels risky. Scarcity is not solved; it is mediated by fear.
AFRINIC does not need to choose between being passive and being a sovereign. It can be a careful bookkeeper with enough audit power to keep the ledger honest and not enough to govern every business built on the ledger. That may sound modest, but modesty is the virtue scarce infrastructure needs. The more valuable IPv4 becomes, the more damaging unchecked discretion becomes. A scarce resource can survive strict evidence rules. It cannot easily survive a registry whose members no longer know whether an audit is a measurement or a threat.
The economics of address-utilisation audits therefore ends where the opening file began. The operator's IPAM exports, logs, customer assignments and reservations should answer a defined question: is the request justified, and are existing records accurate enough to support it? If the answer is yes, the registry should proceed. If the answer is no, the registry should explain and allow cure where possible. If the evidence reveals fraud, stronger action may be needed. But the audit should remain an evidence discipline, not a capital gate. In the age of IPv4 scarcity, that distinction is the difference between stewardship and control.

