Summary
- The number registry chain is not devoid of authority. RIR members can exercise corporate rights, boards can direct their organisations, courts can apply host law, ICANN can act within recognition arrangements, the five RIRs can collectively replace the IANA numbering-services operator, and networks can choose which routes to accept.
- Those powers point in different directions. None of the currently cited adopted instruments supplies a complete system-wide route for withdrawing an incumbent RIR's role, transferring authoritative records and security material, protecting holders, financing continuity and designating a successor.
- ICP-2, accepted in 2001, establishes entry criteria for a proposed new RIR. The official review record through August 2025 discusses a draft governance document covering operation and derecognition, but the cited record does not prove final adoption or tested readiness.
- A credible succession regime needs more than a decision to withdraw recognition. It needs custody, authority, data, keys, contracts, staff, funding, appeals, service-region transition and a reversible technical cutover.
- Polycentric governance can be safer than one global superior. Its legitimacy under stress depends on publishing ex ante decision rules so continuity does not become an improvised negotiation among incumbents, creditors and courts.
A hierarchy without a clearly identified superior
The number registry system looks vertical. IANA maintains top-level number registries and allocates available pools to five Regional Internet Registries. Each RIR administers a service region and maintains relationships with local registries, network operators and other holders. The RIRs coordinate through the Number Resource Organization and perform the Address Supporting Organization role within ICANN. The diagram appears to have a top, a middle and a base.
But a service hierarchy does not necessarily contain a legal superior with removal power over every layer. IANA performs a defined role. ICANN operates IANA numbering services under an agreement with the five RIRs. The RIRs are separate private-law institutions. Their members and boards act under regional constitutions and host law. Operators make routing decisions through their own systems and contracts.
Each relationship answers a real question. Who allocates top-level pools? Who maintains regional records? Who elects a board? Who can enforce a membership agreement? Who recognises a proposed peer? Who can replace the IANA service provider? Who decides whether to accept a route? Yet the answers do not converge automatically on one person or institution that can remove an incumbent RIR and install another.
That missing convergence matters only occasionally. In normal periods, mutual recognition and operational continuity make the system appear self-validating. An RIR is the RIR because the other institutions treat it as such, its members contract with it, IANA serves it and networks rely on its records. The circularity is tolerable while all parts perform.
Crisis changes the question. If an incumbent becomes unable or unwilling to operate, someone must decide whether the failure is temporary, remediable or disqualifying. Someone must preserve records, keys and services. Someone must protect holders from duplicate claims and inconsistent instructions. Someone must select a successor and persuade every dependency to recognise it. Current public instruments reveal pieces of that response, but not one adopted end-to-end mandate.
Regionalisation began as a scaling solution
The 1992 Guidelines for Management of IP Address Space proposed distributed regional registries as the Internet expanded. Centralised administration could not scale indefinitely. Regional bodies would bring knowledge and service closer to local communities while remaining part of a coordinated hierarchy.
That historical origin explains much of the system's character. Regionalisation was a practical answer to growth, not the founding of five sovereign jurisdictions through treaty. Administrative responsibility moved outward because one central registry could not efficiently process the world's needs. Technical communities built institutions around the work.
The proposal's success can obscure its limited constitutional content. It described a structure and offered guidance. It did not establish a legislature, define a global electorate, convey ownership of address space or write a complete removal-and-replacement code. The institutions that later emerged acquired legal personality, contracts, policies and recognition through additional steps.
This incremental development had benefits. It let regional arrangements adapt to local conditions and avoided waiting for states to negotiate a single global convention. It supported technical expertise and kept day-to-day number administration relatively insulated from geopolitical bargaining.
Incremental growth also left boundaries. The system developed entry, operation and mutual reliance before it developed a mature theory of institutional exit. That is common in successful infrastructures. Founders concentrate on bringing capable entities in and keeping service reliable. Removal seems remote until governance failure, insolvency, injunction or internal deadlock makes it concrete.
The 1992 text should therefore be read as the start of an administrative lineage, not a permanent grant to whichever corporation later occupied a regional role. It explains why decentralisation was chosen. It does not decide who may transfer that role decades later.
ICP-2 defines admission more clearly than succession
The ICP-2 criteria, accepted on 4 June 2001, provide the clearest adopted entry standard. A proposed RIR must serve a region of sufficient scale, show broad support, commit to bottom-up policy, remain neutral and impartial, demonstrate technical expertise, present an activity plan, secure funding, keep reliable records and protect confidentiality.
These conditions reflect sound institutional judgment. A registry cannot be recognised merely because a promoter incorporates a company and declares a territory. It needs operational capacity, community legitimacy and a plan for durable service. Recognition also has to preserve global uniqueness and coordination with existing registries.
Entry criteria can supply substantive benchmarks for an incumbent. If neutrality, funding and record keeping were essential at recognition, their collapse later cannot be irrelevant. The criteria help explain why a crisis may warrant review.
Yet a benchmark is not a removal procedure. The 2001 text does not fully identify who opens a derecognition case, who investigates, what interim measures apply, which threshold decides, how conflicts are managed, what appeal is available, who takes custody of data, how a successor is chosen or when the technical cutover becomes final.
Nor is recognition withdrawal identical to corporate dissolution. ICANN might change how it recognises an institution while the legal corporation continues under host law. Members might replace directors while recognition remains. A court might appoint an administrator without selecting a new regional registry. A creditor might control assets without possessing the technical legitimacy to operate the service region.
ICP-2 is therefore essential but incomplete for crisis governance. It tells a candidate what must be shown to enter. It does not yet function, in its adopted 2001 form, as a tested succession charter for an incumbent that fails after decades of operation.
The 2019 ASO memorandum coordinates peers rather than naming a superior
The 2019 ASO memorandum places the NRO within ICANN's structure for address policy. It defines global policy procedures, appointments, recognition recommendations, service-region concepts, review and dispute handling among its parties.
The arrangement gives ICANN a meaningful role. Recognition of a proposed new RIR is not solely a unilateral declaration by the existing registries. Recommendations and Board action matter. This can produce substantial practical consequences for IANA-facing administration and peer coordination.
The same instrument refuses to create a principal relationship among the parties. One party cannot make binding commitments for another without prior written consent. That clause fits a system of distinct institutions coordinating as peers. It does not identify ICANN as the owner of the RIRs or the NRO as their global parent.
This design has protective value. A single centre cannot casually take over a regional corporation, rewrite its contracts or commit its assets. Each RIR retains its governing bodies and legal obligations. Regional communities retain a measure of autonomy. The system avoids one political chokepoint.
The price of that protection appears during failure. If no party is another's principal, a decision to withdraw system recognition does not automatically transfer corporate assets or contracts. ICANN may have one institutional decision. Members may have another. A host-country court may control records or servers. Other RIRs may need to coordinate continuity. Holders may challenge changed service relationships.
The memorandum can frame the recognition question, but the cited adopted text does not disclose the complete succession route. It coordinates capable peers more clearly than it governs the replacement of an incapable one.
IANA is a role, not the owner of the chain
RFC 7020 describes IANA as a role at the root of the numbers registry hierarchy. It allocates to RIRs under global policy. RIRs serve local registries and others. Accurate registration supports uniqueness and operational coordination.
The role can look like ownership because it sits at the top of the diagram. But top-level administration and ownership are different propositions. IANA maintains registries and performs allocations under defined arrangements. The public description does not say that IANA owns every regional database, employs every RIR staff member or can assign every holder agreement to a successor.
RFC 7020 also records that the former final appeal from RIR decisions to IANA was no longer considered appropriate. That historical change is revealing. It moves away from the idea of IANA as a general appellate superior over regional decisions. The registry hierarchy retained technical coordination while reducing a simple command-chain interpretation.
The document further separates registry administration from routing. A network can choose which routes to announce or accept. Registry records can influence that choice, especially through routing-security systems, but no top-level registry entry mechanically controls every router.
These distinctions prevent two overstatements. One is that IANA can solve regional succession merely because it sits at the top-level allocation point. The other is that IANA has no influence because operators remain autonomous. In reality, top-level recognition and registry state can make a successor viable or unviable even without conveying regional assets.
A successful cutover would need both institutional and operational alignment. IANA-facing records would have to recognise the successor. Regional databases and services would have to move. Operators and counterparties would have to trust the new state. The first step is powerful, but it is not the whole chain.
Current IANA operations preserve the hierarchy's narrow purpose
The IANA Number Resources page describes the present operating model. IANA allocates unallocated pools to the five RIRs according to global policy rather than assigning ordinary resources directly to end users or service providers. The RIRs are the regional counterparties for that level of administration.
This account shows why regional recognition matters. A body outside the accepted set cannot simply demand top-level pools and become a peer. It also shows why IANA is poorly placed to substitute for an RIR overnight. Its ordinary function is not retail or regional registration service.
The distinction protects subsidiarity. Regional organisations maintain local relationships, languages, policies and records. A central operator does not need to administer every account. It reduces concentration and preserves expertise near the affected communities.
In crisis, however, the ordinary division creates a continuity puzzle. If an incumbent cannot operate, IANA can preserve top-level information and coordinate within its function. It does not necessarily possess the regional account data, confidential files, payment histories, membership records, reverse-DNS systems or private key material needed for full service.
Nor does an operational web description create coercive authority. It records what IANA does and with whom. It is evidence of current dependence, not a legal instrument transferring assets from a failing RIR or overriding host-country orders.
The practical conclusion is not that IANA is irrelevant. Recognition at the top-level is one of several gates a successor must pass. But a gatekeeper is not always a principal. The ability to accept or refuse a new regional counterparty does not alone supply the power to obtain everything the new counterparty needs.
The 2016 agreement proves that operator replacement can be designed
The Service Level Agreement for IANA Numbering Services, signed on 29 June 2016, creates an explicit relationship between ICANN as operator and the five RIRs. It includes service standards, review, failure handling, non-renewal, termination, continuity and successor provisions.
The five RIRs must exercise specified rights collectively and unanimously. That rule makes abrupt or factional replacement difficult. It recognises that the IANA numbering function serves all regions and that a divided transition could damage uniqueness and trust.
The agreement is notable because it rejects institutional permanence. ICANN may be the incumbent operator, but the contract provides a route to another provider. Continuity duties and successor planning reduce the risk that dependence becomes a veto over accountability.
Its direction is equally notable. The RIRs collectively oversee the operator for this service. The operator does not receive a symmetric power to remove one of its five counterparties. The contract governs top-level service delivery, not regional corporate succession.
This asymmetry reveals the missing principal. The system has a clear answer to “who can replace the IANA numbering-services operator?” It has a less complete adopted answer to “who can replace one RIR, and how does every regional asset and relationship follow?”
The agreement supplies a drafting model. Define performance. Measure failure. Require notice and cure. Identify the decision threshold. Protect continuity. Establish data and cooperation duties. Provide for a successor. A regional succession regime would need comparable discipline, expanded for the far wider set of records, contracts, staff and local-law constraints held by an RIR.
Protocol parameters show what a clearer principal relationship looks like
The IETF-ICANN memorandum published as RFC 2860 offers another comparison. For IETF protocol-parameter work, the IAB can designate the IANA function, the IESG provides technical direction and either party can cancel on six months' notice.
This is a recognisable direction-and-exit arrangement. The relevant community institutions, operator and scope are identified. A reader can see who supplies technical direction and how the relationship ends.
The text also expressly excludes policy issues concerning assignment of Internet Protocol address blocks. That exclusion matters more than any analogy. It prevents the clear protocol-parameter relationship from being treated as the missing authority over regional number registries.
The comparison demonstrates two points. First, Internet coordination is capable of writing express designation and cancellation powers. Ambiguity is not technically inevitable. Second, the functions remain separated. A well-defined power in one part of IANA does not migrate to another by institutional association.
A future regional succession arrangement should emulate the clarity, not borrow the authority. It should identify the body entitled to begin review, the evidence standard, the interim operator, the decision threshold, the successor designation and the termination conditions. It should state whose contracts and assets are not automatically transferred, then provide lawful mechanisms to address them.
This is less glamorous than declaring a guardian of the Internet. It is more useful. Clear power can be reviewed. Implied power discovered during crisis tends to be contested precisely when rapid coordination is most necessary.
Members control a corporation, not automatically the system role
RIRs have members, boards and corporate rules. Depending on the institution, members may elect directors, approve constitutional changes, receive reports, call meetings or challenge decisions. These are real accountability mechanisms and may be the fastest route to correct management failure.
Corporate control should not be underestimated. Replacing a board or executive can restore operations without destabilising the registry role. Members understand regional needs and have direct stakes in continuity. Host law supplies courts and remedies when internal rules fail.
But control of the legal person is not automatically authority to transfer the regional system role to another legal person. Members may amend bylaws while the same corporation remains the recognised RIR. They may remove directors but lack power to assign every contract. Insolvency law may constrain asset transfers. Confidential data may not move without a lawful basis. Creditors may have claims.
Membership also has a denominator problem. Members are a defined corporate constituency, not necessarily every holder, downstream customer, route operator, government or Internet user in the service region. A valid member vote can govern the corporation without proving that all affected parties authorised regional succession.
Conversely, ICANN recognition cannot erase member rights. If ICANN ceases to recognise an institution, its members and corporation still exist under host law. Servers, employment contracts and bank accounts do not vanish. A technical successor cannot simply take them because wider coordination favours continuity.
Succession therefore needs a bridge between corporate action and system action. Ideally, the RIR's governing documents, member agreements and continuity arrangements would anticipate the recognised decision route and permit transfer under defined safeguards. Without those connections, institutional actors can reach conflicting decisions that are each valid within their own domain.
Courts can rescue assets without choosing the Internet's successor
Host-country courts possess powers that global technical bodies do not. They can enforce contracts, preserve assets, appoint administrators, supervise insolvency, restrain directors, compel disclosure and decide corporate disputes. In a crisis, those powers may determine whether registry operations survive.
Yet a court's jurisdiction is tied to law and parties before it. A judge can decide who controls a corporation or how assets are handled. The court may not have an adopted global role for selecting the institution that every RIR, ICANN, IANA and network should recognise as the regional successor.
This separation can create a hard case. A technical community may favour a new operator. A court may require the incumbent corporation's assets to remain under administration. Member contracts may restrict assignment. Data rules may constrain transfer abroad. Staff may owe duties to the incumbent. Creditors may resist uncompensated movement of valuable systems.
Calling the technical decision “derecognition” does not resolve those legal claims. Calling the court's order “control” does not ensure that IANA or peer registries accept the court-appointed operator. Both sides can hold meaningful powers without either completing the transition.
A mature continuity regime should anticipate the intersection. It should identify governing law, escrow or replication arrangements, rights to essential records, emergency service licences, funding, confidentiality safeguards and cooperation duties. It should avoid depending on a court to invent global coordination from local corporate remedies.
Courts remain indispensable. The aim is not to bypass lawful orders. It is to reduce the number of critical technical questions left to emergency litigation by creating valid arrangements before crisis.
Routing choice is neither registry succession nor a trivial afterthought
Autonomous networks can decide which routes to originate, propagate and accept. This freedom means that no registry institution can guarantee global reachability merely by changing a database entry. Operators apply commercial, technical and security policies of their own.
Routing choice provides a form of exit. Networks can continue to exchange traffic despite an institutional dispute, or they can reject announcements they consider unsafe. This distributed judgment is a safeguard against total administrative control.
It is not a substitute for registry succession. Operators need a stable basis for transfers, reverse DNS, routing-security credentials, contact records and future allocations. Bilateral routing choices cannot reconstruct a lost regional database or decide which claimant may issue valid credentials.
Routing also has coordination effects. If major transit providers and validation systems follow the incumbent's records, a successor may be nominally recognised yet operationally weak. If operators divide between competing sources, uniqueness and security suffer. Practical acceptance is therefore part of cutover planning.
The system should state where operator choice begins. A successor designation can establish the accepted registry counterparty. It should not be described as a command to every router. Operators should know which data changed, why, when and whether the state is final or contested. They need rollback and key-transition information.
Routing autonomy makes legitimacy measurable in practice. A transition that many operators reject may reveal poor consultation, defective technical execution or conflicting legal claims. It does not necessarily give every operator a veto. It does require planners to treat operational acceptance as a distinct condition rather than assume recognition automatically propagates through the network.
The continuity problem is larger than a database copy
An RIR holds several categories of institutional memory. Registration databases record organisations, resources, histories and contacts. Reverse-DNS delegations connect number space to the naming system. Routing-security services depend on certificates, keys, repositories and relying-party expectations. Internal files may contain identity evidence, fraud inquiries, transfer records and confidential correspondence.
The institution also holds contracts. Members and holders agreed with a particular legal person under particular law. Vendors provide data centres, cloud systems, banking, insurance and security. Employees hold operational knowledge that no file export fully captures. Offices and hardware may be subject to leases, liens or local orders.
A successor needs authority as well as possession. A copied database is not authoritative merely because it is complete. Peer institutions, IANA, holders and operators must know which version controls and when. Competing updates during transition could fork the record.
Security material is especially sensitive. Moving private keys carelessly can compromise trust. Reissuing credentials too abruptly can invalidate relying systems. Preserving old keys too long can leave a failed institution capable of conflicting acts. A transition requires ceremonies, audit, revocation, overlap and recovery planning.
Confidentiality cannot be suspended because continuity is urgent. Personal and corporate records may be governed by contracts and data law. The successor needs a lawful basis, access controls and purpose limits. Public registry data and protected case files should not be treated as one undifferentiated asset.
Finally, the successor needs money. Emergency operation, staff retention, infrastructure and legal compliance have costs. If the incumbent is insolvent, member fees may be trapped or disputed. A continuity fund or insurance mechanism should be defined before failure rather than collected during it.
These elements turn derecognition from a political statement into an engineering and legal programme. Without them, withdrawal of recognition can increase the very instability it is meant to cure.
A decision rule needs a constituency and a denominator
Who should decide that an incumbent has failed? ICANN's Board, the other four RIRs, the NRO Executive Council, the Address Council, the incumbent's members, regional governments, network operators or an independent panel are all plausible entities. None is a self-evident global principal.
Each choice has strengths and conflicts. ICANN can connect recognition to wider coordination but may lack regional corporate authority. Peer RIRs possess expertise but may be competitors or interested in preserving the existing model. Members have local legitimacy but may be divided or captured. Governments can protect public interests but introduce geopolitical control. Courts have lawful coercive power but limited global reach.
A combined mechanism is more defensible. An independent factual assessment could determine whether defined criteria are met. Regional members and affected holders could be heard. Peer registries could assess technical continuity. ICANN could take the recognition decision under an adopted instrument. Courts would retain their lawful role over assets and corporate rights.
The voting denominator must be explicit. Unanimity among remaining RIRs, a supermajority of an ICANN body, a regional member vote and a cross-community approval produce different legitimacy. Abstentions, conflicts and institutional vacancies need rules. A crisis is the worst time to discover that the decisive body cannot form a quorum.
Participation data matter. Consultation totals should distinguish submissions, organisations, regions, members, resource holders and route operators. Support from a concentrated group should not be presented as universal assent. Equally, low participation should not permit a small dissenting group to block emergency continuity indefinitely.
The goal is not perfect democracy over every technical step. It is a decision rule known before the identities and interests of the crisis are clear.
The official ICP-2 review recognises the gap but does not yet close it
The official ASO ICP-2 Review page records an October 2023 request to update the 2001 criteria. The page, last modified on 28 August 2025 and reviewed for this analysis on 12 July 2026, identifies a second draft governance document addressing recognition, operation and derecognition, with consultation scheduled through 7 November 2025.
The existence of a derecognition draft is significant. It shows that the number community recognises that entry criteria alone are not enough. Continuing obligations and withdrawal procedures require express treatment.
The evidence must be bounded. The cited page labels the material a draft and still identifies the 2001 ICP-2 text as current. It does not, by itself, prove that a later final instrument was adopted, incorporated into all required agreements or tested through an operational exercise.
Consultation is one stage. Final approval, version publication, legal review, incorporation, implementation planning, funding and drills are others. A polished governance document can still fail if data rights, key custody or court interaction remain unresolved.
The review should be judged by whether it connects decision authority to execution. Who can declare noncompliance? Who decides derecognition? Which interim services continue? Who selects a successor? What duties bind the incumbent and peers? How are holders protected? Which appeals stay or delay action? How is the cutover tested?
Until an adopted public instrument answers those questions and the necessary dependencies accept it, the review is evidence of institutional learning rather than proof that succession is solved.
A minimum viable succession constitution
The first component is a trigger. Financial collapse, sustained service failure, loss of neutrality, unlawful conduct, governance paralysis and refusal to perform should not be collapsed into one vague standard. Each ground needs evidence, severity and cure criteria.
The second is an investigator independent enough to assess the incumbent and technically capable enough to understand registry operations. The institution should receive notice, access to evidence and a chance to respond. Emergency measures should be narrow and reviewable.
The third is a decision body and threshold. Conflicted entities should recuse. The rule should survive vacancies and litigation. Reasons should be public except where confidentiality is necessary.
The fourth is an interim operator. Temporary continuity may be safer than immediate permanent replacement. The interim body needs limited authority, funding, security controls and a termination date.
The fifth is custody. Databases, histories, reverse DNS, routing-security systems, keys, archives, contracts and protected records require separate transfer rules. Replication and escrow can reduce dependence on reluctant handover.
The sixth is holder protection. Registrations should not disappear because the institution failed. Fees, pending requests, disputes and transfer cases need continuity. Holders should know which terms continue and when any new agreement is offered.
The seventh is successor selection. ICP-2-style competence, regional support, neutrality, funding and record-keeping tests remain relevant. Competition and conflicts should be managed. The successor should not be selected solely because it already controls emergency access.
The eighth is technical cutover. Key ceremonies, parallel service, validation, rollback, monitoring and operator communication should be rehearsed. A legal decision without a safe cutover is incomplete.
The ninth is review. The incumbent, members and materially affected holders need routes to challenge factual and procedural error. Review should not let tactical delay destroy continuity, but emergency action should not become immune from correction.
The tenth is post-transition accountability. Independent audit should report what moved, what failed, what remains contested and when the interim powers end.
The strongest case against one global principal
The missing-principal diagnosis can sound like a call for a global regulator. That conclusion does not follow. A single superior could be captured, politicised or pressured to remove a registry for reasons unrelated to technical performance. Central power could make regional autonomy nominal and create a more dangerous chokepoint.
Polycentric governance spreads risk. Members control corporations. Courts apply local law. ICANN coordinates recognition. RIRs share technical expertise. IANA performs bounded services. Networks retain routing choice. No single institution can easily seize the whole system.
Decades of continuity show that this arrangement can work. Most problems are resolved through regional governance, contracts, negotiation and technical cooperation. A permanent global superior might intervene too readily where local repair would be better.
The system also spans jurisdictions with different legal traditions and political interests. A treaty-level principal could be unattainable or produce state bargaining that weakens the technical community. Private coordination has preserved a degree of global interoperability despite geopolitical division.
These are strong reasons to retain distributed authority. The weakness is not the absence of one ruler. It is the absence of a sufficiently explicit composition rule for a rare but foreseeable failure. Polycentric systems need protocols for how bounded powers combine.
A succession constitution can preserve decentralisation. It can require several independent findings and approvals, keep corporate and judicial rights intact, limit interim powers and protect operator choice. The result would be an emergency federation rather than a global sovereign.
The best answer to the missing principal may therefore be no single principal at all, but an adopted sequence that tells every actor when its part begins and ends.
The danger of continuity becoming self-authorisation
Incumbency creates reliance. Other registries recognise the incumbent. IANA serves it. Members pay it. Courts know its legal identity. Operators consult its data. Staff hold institutional knowledge. These dependencies make replacement costly.
Cost can become a legitimacy argument: the institution must possess authority because the system cannot operate without it. That reasoning confuses necessity of the function with permanence of the operator. It rewards poor portability and weak succession planning.
The IANA numbering agreement points to a better principle. A critical operator can be deeply relied upon while remaining replaceable under defined conditions. Continuity duties protect the function during change.
Regional registries need the same separation. Their expertise and history justify respect. Their records need protection. Their members have lawful rights. None of those facts should make the regional role impossible to transfer if the institution persistently cannot perform.
Replaceability is not hostility. It can strengthen an incumbent's legitimacy by proving that continued recognition depends on performance rather than institutional lock-in. Tested continuity plans also protect the incumbent from coercive threats, because stakeholders can distinguish a real governance failure from an opportunistic attempt to seize assets.
The challenge is to avoid casual replacement. High thresholds, evidence, cure periods and independent review can protect stability. Escrow, replication and rehearsals can protect continuity without making removal easy. The system should be both hard to disrupt and possible to repair.
Institutional immortality and abrupt political intervention are not the only choices. Designed succession is the middle path.
What an end-to-end readiness audit should test
A serious audit should begin with authority. It should identify the adopted text for investigation, interim measures, derecognition, successor selection and recognition. Drafts and statements of intention should be listed separately from binding decisions.
It should then test corporate compatibility. Each RIR's constitution, member terms, holder agreements, vendor contracts, employment duties and host law should be examined for continuity and transfer provisions. A global rule that conflicts with every local instrument will fail at execution.
The data audit should inventory databases, backups, histories, logs, confidential files and data-location constraints. Replicas should be tested for completeness and freshness. Access should be controlled so resilience does not create an unauthorised surveillance pool.
The security audit should cover key custody, certificate hierarchies, repositories, hardware security, revocation and relying-party transition. Exercises should include an uncooperative incumbent and compromised credentials.
The service audit should test allocations, transfers, reverse DNS, registry queries, routing-security issuance, abuse contacts, billing and member communications. It should define which services can pause and which require near-continuous operation.
The financial audit should identify emergency funding, staff retention, insurance, vendor payment and successor costs. It should model insolvency and asset restraint.
The legal audit should test court orders, creditor claims, privacy rules, contract assignment, employment law and successor liability. It should include more than the jurisdiction in which the central coordination body is located.
The participation audit should disclose who was consulted and which groups remain outside the process. It should test language access and conflicts.
Finally, the system should run a public exercise with synthetic records. A plan that has never survived a timed cutover is not ready merely because its governance prose is complete.
What remains unknown
The available public record supports a clear architectural finding. RFC 1366 proposed regional distribution as a scaling strategy. ICP-2 established recognition criteria in 2001. RFC 7020 described the evolved hierarchy and moved away from a final IANA appeal. The 2016 service agreement gave the five RIRs a route to replace the IANA numbering operator. The 2019 ASO memorandum preserved separate institutional capacity. The official review later turned toward derecognition.
The cited record does not establish a finally adopted, fully incorporated and tested regional succession regime. It does not identify the complete voting denominator, interim operator, funding source, record-transfer right, key-transition plan, holder protection or cutover test.
No live crisis file is assessed here. Corporate law may give members, courts, liquidators or regulators powerful remedies in a particular region. Contracts may contain continuity clauses not evaluated in this cross-system analysis. Those powers could solve parts of a real case.
The consultation denominator is also missing. Public submissions do not necessarily show how many holders and operators understood, supported or rejected each proposal. Silence can reflect consent, indifference, lack of capacity or lack of awareness.
Nor does the evidence prove that a single principal is desirable. A distributed sequence may offer better protection. The claim is that the current cited adopted instruments do not yet reveal that complete sequence.
These limits counsel preparation rather than alarm. The system has operated for decades through cooperation. The gap becomes decisive only when an incumbent cannot or will not perform and ordinary corporate correction fails. That low-frequency condition is precisely why rules must be fixed before the identities, assets and political stakes of a crisis are known.
Authority under stress must be designed before it is needed
The number registry chain is not lawless. It contains many valid centres of authority. Members govern corporations. Boards manage institutions. Courts enforce host law. ICANN acts within recognition structures. IANA maintains top-level services. The RIRs collectively oversee their numbering-services provider. Networks choose routes.
The unresolved issue is composition. If one RIR fails, no single one of those powers can, by itself, investigate the failure, withdraw the system role, control regional assets, preserve every service, protect holders, appoint a successor and secure global operational acceptance.
That fact should not be concealed by the shape of the hierarchy. IANA's top-level position is not ownership. ICANN recognition is not corporate control. Member control is not peer recognition. A court order is not global technical acceptance. Routing choice is not registry continuity.
The system needs an adopted sequence joining those powers while preserving their limits. Such a sequence can be polycentric: independent assessment, regional hearing, peer technical review, ICANN recognition action, lawful asset custody, interim service, successor selection and tested cutover. It need not create one permanent superior.
Success would be measured not by the elegance of a governance paper but by whether records remain authoritative, keys remain secure, holders retain service, courts can recognise lawful arrangements, operators can verify the transition and emergency powers expire.
The deeper legitimacy principle is replaceability without recklessness. An institution performing critical work should not be removable by casual vote or political pressure. It should also not become permanent merely because no one prepared the exit.
The missing principal is therefore not an empty chair waiting for one global ruler. It is a missing, adopted composition of authority. Until that composition is complete and tested, continuity rests too heavily on mutual recognition, negotiation and the hope that every bounded actor will improvise the same answer when the chain is under its greatest strain.

