Summary
- Ernest Byaruhanga's name matters because AFRINIC later attached a disciplinary finding to a former hostmaster, but the durable governance question is which combinations of business authority, technical privilege and institutional trust could turn an unsupported act into an apparently valid registry record.
- Job titles are an unreliable proxy for access. A credible review must reconstruct actual accounts, group membership, maintainers, interfaces, approvals, overrides, ticket ownership, logging and supervisory sign-off for each relevant period.
- AFRINIC's later controls - role-qualified privileges, final senior review, daily inconsistency reports, stronger verification and an external investigation - indicate the classes of barrier needed to detect or contain insider action, without proving the exact pre-2019 permission set of any named employee.
- The 2019 chronology shows a serious coordination problem: suspicious activity became known, separate investigations developed, the employee remained publicly visible, and containment and dismissal came later. That sequence demands an evidence-based timeline of knowledge, access reduction and decision rights.
- Accountability should not depend on lurid claims about motive or character. It should test whether supervisors and auditors could identify incompatible powers, anomalous changes, undisclosed conflicts, ignored warnings and delayed revocation before harm became difficult to reverse.
Start with verbs, not a life story
Institutional scandals attract biography because biography offers a plot. A long-serving employee becomes trusted. Trust becomes access. Access is allegedly abused. Exposure follows. The organisation removes the person and promises reform. This plot assigns emotion and blame, but it tells the next board almost nothing about how to prevent recurrence. It turns a control failure into an exceptional personality and invites everyone else to believe that ordinary staff and ordinary procedures remain safe.
Ernest Byaruhanga should therefore be treated as a named subject in a documented institutional case, not as the article's dramatic protagonist. Public sources describe him at different times as an early AFRINIC employee, engineer, IP analyst, registration-services manager, policy coordinator and hostmaster. AFRINIC's 2021 accuracy report says a former employee, then acting as a hostmaster, abused his rights and privileges; the organisation's January 2020 update says management summarily dismissed Byaruhanga after a disciplinary hearing for very serious professional misconduct.
Reporting linked him to companies and historical records associated with address transactions. These statements are material and must be attributed. They do not licence speculation about his private life, psychology or every event during his tenure.
The correct unit of analysis is the verb. Could a person evaluate a resource request? Approve it? Create an organisation record? Change a holder's contact? Reset or use a maintainer? Reclassify a block? Alter an internal resource file? Publish a WHOIS entity? Close a ticket? Suppress an exception? View an alert? Assign work to a subordinate? Approve another employee's access? Each verb has a business purpose, a technical permission, a required approval and an expected trace.
The case becomes useful when those verbs are arranged as a map. It becomes dangerous when a title is assumed to answer them. A manager may have broad business authority but no direct production credential. A hostmaster may operate through a controlled interface but also possess an emergency maintainer. An engineer may lack formal approval power yet control the identity system that grants access to others. An experienced employee may influence junior reviewers even when the system records their separate clicks. Formal separation can therefore coexist with practical concentration.
No public source provides a complete, contemporaneous permission inventory for Byaruhanga from 2013 through 2019. That absence is itself important. It limits claims about exact acts and means a responsible account must distinguish established institutional findings from inferred control exposure. A governance map is not an accusation list. It is a method for showing what evidence the institution should preserve and what questions its board should be able to answer.
Three kinds of power occupied the same room
Access reviews often begin and end with technical permissions. That is too narrow for a registry. Three kinds of power matter: authority to decide, capability to execute and influence over interpretation.
Decision authority comes from policy, delegation and management. It determines who may decide that an applicant is eligible, that a request justifies a quantity, that a legacy claimant has established succession, or that an unusual update should proceed. A staff member can possess decision authority without an administrator account. If the operations team treats that person's email or ticket note as sufficient approval, the practical power is substantial.
Execution capability comes from credentials and interfaces. It includes access to membership systems, resource inventory, ticketing, WHOIS maintainers, administrative tools and any direct method for changing records. The relevant evidence is not a generic access policy. It is the period-specific record of user accounts, roles, keys, group memberships, privilege grants, authentication events and commands. Capabilities can change as software is replaced, responsibilities shift or emergency access accumulates.
Interpretive influence is less visible. A senior employee may define what counts as a normal exception, train colleagues, allocate cases, answer policy questions, review work and explain anomalies to managers. If that same person is implicated in an unusual case, nominal second approval may not be independent. A junior colleague who relies on the senior person's account of history is not a meaningful check merely because two names appear in the file.
These powers should be mapped separately. Consider a hypothetical legacy-holder update. The employee who receives the request may decide what evidence is sufficient, direct another staff member to create a replacement contact, use a privileged maintainer to update WHOIS, and explain to a supervisor that the change is routine. Four people may touch the matter, yet one person controls the premise on which all act. The institutional record will look distributed while the judgment remains concentrated.
Conversely, one person may perform several technical steps safely if the approval is independently fixed, the interface limits the action to the approved parameters, and reconciliation immediately identifies divergence. Small organisations cannot always dedicate a different employee to every click. They can separate the source of authority from the power to depart from it.
The access map must therefore ask two questions for every consequential action. Who could make the system accept the change? Who could make colleagues believe the change was proper? Insider resistance fails when the same person can answer both.
A six-column reconstruction
A serious post-incident review should reconstruct each relevant transaction with six columns: requested act, asserted authority, technical actor, approving actor, independent evidence and alert outcome. The columns prevent current WHOIS data from becoming a substitute for the missing past.
The requested act identifies the smallest meaningful change. "Update account" is too broad. The file should say whether the request changed an organisation name, corporate successor, administrative contact, technical contact, maintainer, prefix status, allocation date, resource holder or route-related entity. Different changes carry different risks.
Asserted authority records why the requester and staff believed the change was permitted. For a resource member, that may be a registered contact acting under an agreement. For a legacy holder, it may involve historical registration and corporate succession. For a new allocation, it should be a completed policy evaluation and approval. The authority must predate execution; a later explanation cannot retroactively authorise an earlier act.
The technical actor is the credential that changed the authoritative store. It may be an individual account, service account, maintainer or privileged administrative tool. Shared credentials should be treated as control failures because they make attribution uncertain. If a service account executed the command, the record must preserve which person initiated the service request.
The approving actor is the person who accepted responsibility for the decision. Approval should identify the exact entity and proposed values. A general statement that a case is "in order" is not enough for a large prefix or holder change. If the approver and technical actor are the same, the exception should be visible and justified.
Independent evidence is material not created solely by the person advocating the change. It may include original ticket correspondence, a signed agreement, verified company records, historical delegated files, prior registry data, payment evidence or confirmation from a known holder. The standard varies by transaction, but the file must allow a reviewer to reproduce the conclusion.
The alert outcome shows whether monitoring observed the event, who reviewed it and how it closed. This is where many nominally logged environments fail. The existence of a timestamp proves only that a system recorded an event. It does not prove that anyone compared the event with approved authority.
Applied to the AFRINIC period, this reconstruction would identify whether suspicious allocations and legacy changes shared actors, credentials, approvers, destination organisations, contact domains, prefix sizes or explanations. It would also show whether warnings arrived through operational data, external researchers, member complaints or law enforcement and whether those warnings were linked to the same transactions. The result would be a control map, not a portrait of an employee.
What AFRINIC's own later account establishes
AFRINIC's WHOIS accuracy report gives a bounded institutional finding. It says that, after suspicious activity and investigations involving APNIC, disciplinary proceedings were brought against a staff member who was dismissed. It describes the person as the then hostmaster and says he had abused his rights and privileges. It further says the employee was found to have misappropriated resources from AFRINIC's pool for the benefit of a private company he owned and controlled, which then engaged in transactions with third parties.
Those are AFRINIC's conclusions, not neutral judicial findings. The report was produced by the organisation whose systems and reputation were at issue, and it acknowledges continuing police and legal matters. A careful analysis can say what AFRINIC found without converting the report into proof of every alleged transaction or criminal offence. The distinction is not indulgence. It protects the credibility of the institutional case.
The same report is much more revealing about controls than about motive. It says later measures included automation of resource and membership steps, a change-control policy intended to add checks and traceability, final review by senior staff, stronger business rules for legacy updates, daily inconsistency reports, PGP authentication, role-qualified privileges, escalation for changes outside ordinary interfaces and a permanent audit mechanism. It also says a fraud and corruption policy was adopted in June 2019 and an independent whistleblowing platform launched in June 2020.
Each measure implies a governance question. If final senior review was a significant improvement, which requests previously could reach invoicing or publication without it? If change traceability needed strengthening, were earlier logs incomplete, unlinked to authority, weakly reviewed or all three? If role-qualified privileges were emphasised, had access grown beyond current duties? If daily inconsistency reports became important, how often had MyAFRINIC, WHOIS and resource files diverged without prompt closure?
If the whistleblowing channel arrived only in 2020, what protected route existed earlier for staff or outsiders who suspected a senior colleague?
The answers cannot be inferred solely from the remedy list. A control may have existed and later been improved. A report may describe current practice without dating each implementation. But these are exactly the questions an independent review should answer with dated policies, access records, configuration history, tickets and audit workpapers. Reform language should open inquiry, not close it.
Titles obscure privilege drift
Byaruhanga's long tenure makes role history especially important. Public material describes changing responsibilities over many years. In technology organisations, access often accumulates faster than it is removed. An employee moves from engineer to manager to policy work, retaining old group membership because it is convenient or because colleagues still depend on informal expertise. The result is privilege drift: current duties justify one set of powers while historical duties leave another set active.
Privilege drift is not proof that it occurred in this case. It is a risk that the evidence should test. Investigators should reconstruct every joiner, mover and role-change event. For each date, they should compare the employee's job description, actual duties, approved access request and live permissions. Old keys, dormant accounts, shared maintainers and emergency credentials deserve explicit treatment. Revocation records matter as much as grant records.
The review should also distinguish ordinary and exceptional paths. A standard hostmaster interface may enforce a ticket reference and prefix limit. A power maintainer, command-line tool or administrator request to a database manager may bypass those constraints. AFRINIC's later report says changes that ordinary Registration Services privileges could not perform were directed to the Database Manager after manager or department-head approval. That design can be safe if the approval is specific and the Database Manager independently verifies it. It can also become a bypass if senior staff assertions substitute for evidence.
Emergency access should leave an unusually bright trace. The purpose, approving executive, start time, expiration, commands and retrospective review should all be recorded. Permanent emergency access is simply ungoverned privilege with a dramatic name. A registry handling high-value resources should report every use to an assurance function outside operations.
Service accounts need equivalent scrutiny. Automated publication may make changes under a system identity, masking the originating human. The system should carry the human approval reference into the event log. If several applications can submit changes through one publisher, each request needs cryptographic or otherwise tamper-resistant attribution. Otherwise a complete technical history can still be institutionally anonymous.
Finally, influence should not survive recusal. If an employee has an outside interest in a requester or counterparty, removing their approval click is limited public evidence if they can assign the case, advise the reviewer, alter supporting records or use another path to execute it. Conflict containment must remove the person from all stages and preserve the reason for that removal.
Alerts should connect records that insiders hope remain separate
An insider scheme benefits when each system sees only a plausible fragment. Ticketing sees a support request. WHOIS sees a contact update. Inventory sees a status change. Finance sees an invoice or perhaps no transaction at all. Routing data sees a new origin. Corporate records show a new company. No single fragment necessarily proves abuse. The alerting function earns its value by connecting them.
The first class of alert is absence. A delegated prefix without a valid request ticket; a large change without an approval; a legacy update without succession evidence; a holder without a verified contact; or an administrative command without a linked case should be exceptional by definition. AFRINIC's later audit found nine of 2,824 checked prefix records without ticket numbers, associated with allocations to Fiber Grid in 2012-13. Nine is numerically small. The address volume and common context make the exceptions significant.
The second class is contradiction. WHOIS and MyAFRINIC may disagree on organisation handle or status. The resource file may show a block as available while public statistics show it delegated. A ticket may approve one prefix while publication creates another. The organisation name may suggest continuity while its contact domain was registered recently. AFRINIC's later report says daily inconsistency reports were generated for such mismatches. The relevant historical question is when equivalent comparisons began, who owned the exceptions and whether aging was reported.
The third class is concentration. One actor repeatedly handles unusually large allocations, dormant legacy holders, status reclassifications or the same external contacts. One approver appears on every exception. Several apparently unrelated organisations share domains, addresses, phone numbers, maintainers or counterparties. Concentration does not prove wrongdoing; it identifies where independent review offers the greatest return.
The fourth class is sequence. A holder contact changes, then a maintainer changes, then a route object appears, then the block is sold or leased. A pool resource becomes labelled legacy before a transaction. A warning arrives and access remains unchanged while related records continue to move. Sequencing converts isolated events into a testable hypothesis and gives supervisors a point at which containment should have occurred.
The fifth class is external contradiction. Researchers, anti-abuse organisations, networks and supposed historical holders may report that the public record does not fit observed reality. Such reports require validation and can be wrong. They should still enter a managed queue, receive a case reference, be checked against internal history and be escalated when multiple sources converge. An institution that treats outsiders as adversaries can miss the only people comparing its records with the wider Internet.
Alert quality depends on independence. If the person whose activity generated an alert can close it without review, monitoring is cosmetic. If a supervisor routinely accepts that person's explanation, the alert is socially captured. High-risk alerts should go to an assurance team or senior officer outside the operational line, and unresolved items should reach the audit committee by age and address volume.
The supervisor's problem was not mind-reading
Supervisors cannot infer hidden intent. They can observe incompatible duties, unusual volume, repeated exceptions, unexplained wealth only where lawfully relevant, outside interests, bypass use and resistance to review. Their job is not to psychoanalyse staff. It is to create conditions in which no person's honesty is a critical single point of failure.
That begins with clear ownership. Every privileged capability should have a business owner who certifies quarterly that each user still needs it. The identity team should provide the actual permission list, not ask managers to certify a vague role name. Users should confirm their accounts and keys. Internal audit should test a sample against live systems rather than rely on self-attestation.
Supervisors should also review activity, not only entitlement. A person may legitimately hold a privilege but use it in an unusual way. Reports should show large prefixes changed, legacy status amendments, out-of-hours actions, bypass paths, failed attempts, mass edits and reversals. Review should compare activity with assigned cases. Unassigned action is a stronger signal than mere access.
Mandatory leave and rotation can expose concealed dependencies. If no one else can understand a senior employee's cases, the institution has both continuity and fraud risk. During leave, another qualified person should reconcile open work and privileged activity. This is not a presumption of guilt; it is ordinary resilience.
Performance incentives matter. A team rewarded solely for rapid allocation or ticket closure may treat review as obstruction. Supervisors should measure documentation completeness, exception quality, timely escalation and accuracy after publication. A reviewer who stops a flawed high-value change should be recognised, not blamed for delay.
Conflicts require a usable process. Staff should disclose outside directorships, ownership, paid advisory work and close relationships relevant to members, brokers or resource transactions. The institution should match declarations against applicant and counterparty data. A conflict committee or designated officer should decide recusal and access restrictions. Silence should not be the only test; verification is necessary where the risk is material.
The board's role is to make these supervisory duties measurable. It should not ask whether management trusts a long-serving employee. It should ask whether any employee can both originate and complete a high-risk change, whether privileges have owners, how many conflicts led to recusal, how old the largest unresolved alert is, and whether audit has tested the answers.
The 2019 chronology exposes coordination risk
The public chronology is incomplete but important. AFRINIC's later audit says that in about March 2019 a Mauritian court order following an FBI application brought suspicious activities concerning several address blocks to AFRINIC's attention. It says a preliminary internal examination indicated that staff may have acted without authority with third parties. MyBroadband later reported that former CEO Alan Barrett informed the board about manipulation of WHOIS data in April. AFRINIC says it adopted a fraud and corruption policy in June and that the board commissioned an investigation with APNIC's assistance in July.
Public reporting emerged in September and deepened in December. On September 26, AFRINIC publicly recognised long-serving staff, including Byaruhanga, for 15 years of service. That fact does not prove the interim chief executive or communications staff knew the confidential investigative evidence. It does show that HR recognition, communications and investigation could proceed on separate tracks. A well-governed incident structure should decide whether continued public endorsement is compatible with the risk and what can be done without prejudging the employee.
Reports in October said Byaruhanga had resigned, while AFRINIC's later January update said management held a disciplinary hearing on December 13 and summarily dismissed him. The apparent difference may reflect reporting based on sources, the status of an attempted resignation, suspension and later employment action. The public material available here does not reconcile it. The responsible conclusion is not to choose the most dramatic version, but to require a definitive employment and access timeline from primary records.
AFRINIC's December 16 board update said the former CEO had informed the board after resigning that unauthorised WHOIS changes might have occurred and internal investigations were under way. It said APNIC's report confirmed some allegations, the matter was referred to police on December 10, and the chief executive was tasked with limiting access, preventing manipulation and suspending or revoking implicated or suspected parties' access. The wording places explicit containment after months of developing concern, although confidential actions may have occurred earlier and are not established by the announcement.
This is the central timeline question: at each point of knowledge, what access remained, who accepted the risk and why? Awareness is not binary. A court-related request may justify preservation and a narrow inquiry. A preliminary indication of staff involvement may justify secret monitoring, temporary privilege reduction or dual approval. An external investigation may require stronger containment. Public allegations may alter reputational and evidentiary risks. Each threshold should have a documented decision.
Containment also needs care. Abruptly removing access can alert a subject or disrupt critical operations. Leaving full unsupervised access can permit further harm or evidence alteration. The solution is risk-based: preserve logs independently, rotate credentials outside the subject's control, require dual approval, shadow privileged activity, separate investigation data, and plan continuity before suspension. A mature response records why each measure was proportionate.
Internal audit had to audit power, not policy prose
AFRINIC's public audit remit extended beyond accounts. Its 2018 material described the Audit Committee as reviewing internal control, risk management, internal auditing, information systems and technology governance. Board minutes from August 2018 discussed recruiting an internal auditor. Minutes from April 2019 described an internal audit plan that included Registration Services and business continuity alongside finance and compliance.
The critical question is what tests followed. Reading a policy would not reveal privilege drift. Interviewing managers would not establish which credentials could edit a large block. Sampling only ordinary allocations might miss concentrated exceptions. Internal audit needed to inspect live permissions, trace high-value records backward to authority, compare logs with assigned tickets, test privileged changes, review conflict declarations and confirm that alerts reached someone independent.
The audit universe should have treated number-resource administration as core. A registry's financial statements can be accurate while its authority record is corrupted. Addresses may not appear as owned inventory with a conventional carrying value, yet control over their registration is the institution's reason for existence. Audit planning based mainly on accounting materiality will therefore underweight the largest legitimacy risk.
Auditors also need direct access and protected reporting. A senior operations employee should not select the sample, mediate every document or answer for junior staff. The auditor should obtain logs from system custodians, compare them with policy and ticket data, and report significant findings directly to the Audit Committee. Management responses belong in the report, but management should not edit the finding away.
Closure requires evidence. A promise to improve access is not remediation. The auditor should verify that excessive groups were removed, old keys revoked, dual approval enforced, alerts generated and exceptions reviewed. Findings should be reopened if a control is bypassed. The committee should see aging and repeat findings, not merely a percentage marked complete.
The Byaruhanga case is thus a test of audit design. If the relevant permissions and patterns were visible but untested, planning failed. If they were tested and not recognised, the audit method failed. If findings existed but did not reach the board, reporting failed. If they reached the board and remained open, remediation failed. The name of the employee does not answer which link broke.
What must remain unknown
Good governance analysis preserves uncertainty. The public record examined here does not establish the complete list of Byaruhanga's accounts, the precise command used for each disputed change, the content of APNIC's confidential report, every warning received by AFRINIC, or the final outcome of all police and legal questions. It does not prove that every company or person mentioned in reporting knowingly participated in an unauthorised act. It does not establish a judicial finding for each resource.
Nor should the article infer guilt from tenure, technical skill, nationality, family relationships or public silence. Long service can create privilege and trust, but it is not misconduct. Technical competence explains capability, not action. A failure to answer a journalist may have many reasons. Responsible analysis uses attributed records and institutional findings, not insinuation.
The limits strengthen rather than weaken the case for controls. A well-designed registry should not need a public verdict about character before reducing dangerous privilege combinations. It can act on control facts: one person has incompatible powers; an allocation lacks authority; systems disagree; a conflict is undeclared; an alert is unresolved; a privileged change falls outside an assigned case. Those findings support proportionate containment without sensationalism.
The same discipline protects other employees. A complete access map can show that an accused person lacked the capability attributed to them, that a shared account prevents attribution, or that another system generated the change. Controls are not merely instruments of suspicion. They are evidence that can exonerate as well as implicate.
The governance map that should survive the scandal
AFRINIC and every comparable registry should maintain a living map with five linked registers. The first is a decision-rights register: who may approve each class and size of allocation, legacy update, status change and exceptional action. The second is a technical-entitlement register drawn from live systems. The third is an activity register connecting human actors to executed changes. The fourth is a conflict register with recusal and restriction decisions. The fifth is an assurance register containing alerts, reviews, findings and closure evidence.
The map should be versioned so investigators can reconstruct a past date. Quarterly snapshots are not enough for high-risk privileges; every grant and revocation should be preserved. Access should expire automatically unless renewed. High-risk roles should require stronger authentication and no shared credentials. A privileged user should never approve their own entitlement or review their own alerts.
For every large allocation or legacy-control change, the registry should be able to produce a compact proof: verified requester, applicable policy or historical authority, evaluator, independent approver, executed values, actor, publication result, reconciliation status and any later amendment. The proof can protect confidential evidence while preserving references and integrity.
Supervisors should receive address-weighted activity and exception reports. Internal audit should conduct both random and risk-based reconstruction. The Audit Committee should receive the largest unresolved items, repeated bypasses, conflicts, privilege-review failures and remediation delays. Members should receive notice of consequential changes and a secure way to challenge them.
Incident response should define knowledge thresholds in advance. A credible external anomaly triggers preservation and triage. Evidence of an unsupported change triggers dual control and scope expansion. Evidence implicating privileged staff triggers independent investigation and access containment. Confirmed abuse triggers disciplinary, legal, recovery and notification decisions. Each threshold has an owner and a maximum response time.
Most importantly, the map should not disappear when one employee leaves. The scandal will have been reduced to biography if the institution remembers a name but cannot show how powers changed. The durable record is a set of controls that makes extraordinary trust unnecessary.
Test the map against an honest employee
An access design should be judged not only by whether it can stop a malicious insider, but by what it does for a conscientious employee facing an ambiguous request. That counterfactual is useful because it separates control from punishment. Imagine a senior hostmaster receives apparently credible papers from someone claiming authority over a dormant legacy holder. The company name is familiar, the old contact is unreachable and the claimant wants a rapid update. The request might be legitimate. It might also be a carefully prepared takeover.
In a weak environment, experience becomes the principal safeguard. The hostmaster decides which documents look persuasive, searches historical records, changes the contact and explains the decision if anyone later asks. An honest employee may reach the wrong result because the evidence is difficult. A dishonest employee can exploit exactly the same discretion. The institution cannot reliably distinguish the two after the event because the decision was not forced through independent steps.
In a strong environment, the system helps the honest employee resist pressure. The claimant's identity is verified by a separate function. Corporate succession is checked against an approved evidence standard. A second reviewer receives the original material, not merely the first analyst's summary. A consequential maintainer or holder change is executed only within the approved parameters. The historical state remains visible. The known contact receives notice through independent channels. An alert records the unusual age and size of the resource, and assurance confirms that the file is complete.
None of those steps assumes misconduct. They make a difficult decision reproducible. If the change is later challenged, the employee can show what evidence was available, which standard applied and who concurred. Good control therefore protects staff from retrospective scapegoating as much as it protects the registry from abuse.
The same test applies to a new allocation. A capable analyst may be persuaded by a sophisticated network plan that later proves false. Independent identity checks, address-weighted approval thresholds and post-allocation verification reduce the chance that professional judgment becomes personal exposure. If an applicant pressures the analyst to bypass a step, the system rather than the individual can refuse.
This counterfactual also sharpens board accountability. Directors should not demand a culture in which every employee is suspicious of every colleague. They should fund a structure in which trust is bounded by evidence. Staff can collaborate, share expertise and act quickly because the highest-risk decisions leave a durable, independently verified trail. The measure of reform is not whether the organisation trusts the next long-serving expert. It is whether that expert can do excellent work without becoming the only person on whose integrity the registry depends.
Access was the institutional fact
AFRINIC's later findings were severe, and Byaruhanga is not an invented figure attached to an abstract governance lesson. The organisation named him in its employment action, and public reporting assembled extensive allegations. It would be evasive to erase that. It would be equally evasive to stop there.
An employee cannot make an unsupported registry record authoritative merely by wanting to. The institution must grant capability, accept a decision, publish the result, fail to challenge the anomaly and allow reliance to grow. That chain may contain deliberate acts, errors, deference, weak software and missing oversight. Governance exists to keep them from aligning.
The right memorial of the case is therefore not a villain's biography. It is a dated map of what could be done, what was done, who should have seen it, what they knew, how they responded and which barriers now make repetition harder. Anything less removes the person while preserving the possibility.
Sources and analytical boundaries
AFRINIC's WHOIS Database Accuracy Report provides the organisation's retrospective findings, methods and description of strengthened controls. AFRINIC's December 2019 board update establishes the board's public chronology of notification, APNIC assistance, police referral and access-containment instructions. The January 2020 chief executive update records the disciplinary hearing and dismissal in AFRINIC's own words. KrebsOnSecurity and MyBroadband provide attributed investigative reporting and public-record links; neither is treated as a court judgment.
This article does not determine criminal liability, the rightful custodian of a disputed prefix, the knowledge of unnamed colleagues or the exact permission set attached to any account. It does not infer conduct from personality or status. Its conclusions concern the access, alerting, supervision and audit evidence a registry must be able to produce when a privileged insider is implicated.

