The vendor enrollment stage is the cheapest moment in a company’s life to apply Ring 6 discipline, because the company still has leverage and no sunk cost. Once a vendor is embedded - integrations written, data flowing, employees trained - every subsequent governance request is more expensive.
The enrollment contract checklist
- Sub-account creation prohibited without written authorization from two named governance signatories.
- Shadow billing prohibited: no secondary invoice may be issued against the master account.
- Scope expansion rate-limited: expansion beyond the SOW requires a fresh SOW, not an amendment.
- Auto-renewal must be an opt-in, not an opt-out; absence of a renewal notice equals termination.
- Data residency contractually named at the provider, region, and product level.
- Security incident notification obligation expressed in hours, not days.
- Sub-processor list maintained, with notification required for any addition.
- Right-to-audit at an annual cadence and upon reasonable suspicion.
- Exit clause permitting full data return in portable formats within 30 days of request.
A contract that includes all nine clauses cannot structurally produce a shadow relationship. An employee who attempts to open a second sub-account is executing a breach, not a mistake.
Sidebar: Practical pattern - the enrollment day
Schedule one hour on the day a new vendor is selected. In that hour a Platform Engineer, a Finance lead, and a Security Reviewer jointly sign a one-page enrollment memo that maps the vendor to the checklist above. If any clause cannot be honored, the enrollment memo flags an exception with an expiry date. This makes Ring 6 compliance an observable artifact of every vendor relationship.