ISO
In 1904, Julius Wolf founded the Central European Economic Association (Mitteleuropäischer Wirtschaftsverein)[1], an organisation designed to coordinate trade between European countries.
It wasn’t a customs union. It was an organisation which promoted shared standards, arbitration panels, and expert committees that operated outside elected parliaments.
The founding charter even cited Andrew Carnegie’s call for a ‘United States of Europe’.
Wolf provided the machinery. Carnegie — who in 1910 would put $10 million into founding the Carnegie Endowment for International Peace[2] — provided the framing: peace needed architecture, and that architecture had to be designed before the crisis hit, so the terms would be ready when the moment came.
Twenty-two years later, Wolf’s initiative became a real institution[3].
Executive Summary
The International Organization for Standardization — ISO — now operates more than 800 technical committees producing standards that cover finance, environment, governance, food, energy, health, education, AI, and identity. Those standards are formally voluntary. In practice, they become mandatory through market access requirements, regulatory incorporation, procurement contracts, and the World Trade Organisation’s expectation that national regulations conform to international standards unless governments can justify a deviation[4].
The essay documents four committees in particular: TC 68, which writes the financial messaging standard now adopted by every major settlement platform; TC 207, which writes the environmental management framework used by over 300,000 organisations; TC 322, which writes the sustainable finance standard connecting climate risk to capital allocation; and TC 309, which writes the governance standard that determines how every organisation implementing the other three must be run. Together, these four committees define what the financial system can see, what it must measure, how it must report, and how the organisations doing all of this must be governed.
The essay then traces the division of labour between ISO, the OECD, the BIS, and FATF — showing how a standard written in Geneva becomes a measurable indicator, a capital requirement, and an enforceable condition of participation in the international banking system, without a single parliamentary vote at any stage. It documents how the frameworks that ISO committees codify arrive from upstream — from task forces, multilateral initiatives, and convenings whose conceptual architecture precedes the technical standard by years. And it shows how the shift to programmable money and digital identity closes the last remaining gap: the distance between the standard existing and the standard being checked at every transaction, for every individual, in real time.
The net result is a governance architecture that sits underneath democratic politics and does not change when governments do. Elections replace prime ministers. They do not replace ISO technical committees. A new government can rewrite tax policy, adjust spending, renegotiate treaties. It cannot rewrite the format of a financial message, the definition of a compliant organisation, or the data fields that determine what a programmable currency is permitted to check before it lets a transaction clear. The standard is the layer that does not change when everything above it does — and the people who wrote it were never elected, never named in a newspaper, and never asked for anyone’s permission.
The observation that elected governments operate within a permanent layer they cannot fully control has entered mainstream political discourse — most often framed as the ‘deep state’ or the ‘administrative state’. That framing locates the problem at the national level: unelected officials within domestic agencies persisting across administrations. The architecture documented here sits one level deeper. The national agencies that constitute the permanent bureaucracy are themselves operating within a compliance framework defined by international technical standards they did not author, adopted through regulatory incorporation and market access conditions they did not legislate, and enforced through capital requirements calibrated by committees in Basel and Geneva that no national electorate appointed.
The governance-within-governance layer is real. It is just not where most people are looking for it.
The First Iteration
The International Federation of the National Standardizing Associations[5] — the ISA — was founded in 1926. Before World War I, only one general national standards body existed: the British Engineering Standards Association, set up in 1901[6]. The war itself created the need for standardised parts, specifications, and measurements across allied industries. After the war, national standards bodies popped up fast — Germany’s DIN in 1917, the American and French equivalents both in 1918. By the early 1920s, a dozen countries had their own standards organisations — but none of them communicated with the others.
The ISA was created to tie them together. Switzerland hosted the informal meetings that led to its founding. Its focus was mechanical engineering — screw threads, paper sizes, where to put the audio track on a film reel — but the structure was designed so it could expand into anything.
The ISA appeared in the same decade as the institutions it would outlive[7]. The League of Nations was up and running. The International Labour Organisation had been created in 1919 alongside the League[8]. The Royal Institute of International Affairs and the Council on Foreign Relations had both grown out of the same 1919 Paris Peace Conference delegations[9]. The BIS would follow in 1930, putting into practice the clearing function Wolf had proposed at Brussels in 1892. All of these can be understood through the same lens: that permanent international secretariats, staffed by technical experts rather than elected officials, should gradually take over functions that had previously been handled directly between sovereign governments.
Leonard Woolf had spelled out the blueprint in 1916, in a Fabian Society report called International Government[10]. The report proposed a supernational authority made up of a Council of Great Powers, an International Conference of all states, and a permanent Secretariat — with specialist International Authorities handling specific technical areas like postal services, telegraph communications, and maritime navigation. The design was explicit: technical experts in permanent secretariats would absorb functions previously handled by sovereign governments, while the conference of states would sign off on whatever those experts produced. The League, the ILO[11], the BIS, the IEC, and the ISA were all versions of that blueprint applied to different domains — political, labour, financial, electrical, industrial.
The Second Iteration
After the war, the ISA was contacted by the United Nations Standards Coordinating Committee — an Allied wartime body that had been set up to align military and industrial standards. In October 1946, delegates from 25 countries met in London and agreed to merge the two organisations[12]. The International Organization for Standardization[13] — ISO — started operations on 23 February 1947, based in Geneva.
The way it was governed reflected who had won the war. For the first five years, the ISO Council reserved seats for China, France, the United Kingdom, the Soviet Union, and the United States — the exact same five countries that held permanent seats on the UN Security Council, which had been created two years earlier. The first president was Howard Coonley, an American industrialist who chaired the American Standards Association[14]. ISO was born in the same two-year window that produced the United Nations, the IMF, the World Bank, and the restructured BIS. Same moment, same neutral country, same governance template.
ISO describes itself as independent, non-governmental, and voluntary. Its 175 member countries are represented not by governments but by national standards bodies — in Western countries, these are private organisations like the American National Standards Institute and the British Standards Institution[15].
And yet those standards routinely become law anyway — adopted by reference in national regulations, written into trade agreements, required in procurement contracts — without ever having gone through a legislative process. In practice, ISO operates as a consortium with deep ties to governments, producing outputs that carry the weight of law while keeping the appearance of voluntary guidance.
The Architecture
ISO runs more than 800 technical committees, each covering a specific area[16]. The committees write the standards. A central secretariat in Geneva coordinates everything and publishes the results. A general assembly of member bodies meets to approve the big-picture direction and elect leadership. Each country gets one vote.
The structure is the same governance model you see across the whole post-war institutional landscape — the United Nations, the Basel Committee[17], FATF, the WHO, the UNFCCC. Technical committees write the substance. The secretariat transmits it. The general assembly signs off. By the time a standard reaches the assembly, the actual content has already been decided by the experts in the technical committee.
Those committees are staffed by the very industries they’re setting standards for. National standards bodies nominate experts from central banks, commercial banks, tech firms, and industry groups. Because the same people who write the standards are also the ones who implement them, the line between private coordination and public regulation stops meaning much. The process is officially based on consensus — standards need a two-thirds supermajority among participating members, and national bodies can and do push back. Adoption is often slow, and uneven. But the friction doesn’t weaken the system. It legitimises it. A standard that was hammered out by the very institutions that have to follow it carries a kind of authority that legislation can’t match — because it was written by the people who will enforce it.
Four committees matter most here.
Technical Committee 68 — Banking, Securities and Related Financial Services[18] — develops the standards that govern how financial institutions talk to each other. ISO 20022[19], the messaging standard now being adopted by SWIFT, mBridge, and Project Agorá alike, comes out of TC68[20][21]. The working groups inside TC68 are filled with representatives from central banks, commercial banks, and SWIFT itself[22]. In fact, ISO gave SWIFT the job of managing the securities message standards under ISO 15022[23], which ISO 20022 evolved from — and SWIFT still serves as the registration authority for ISO 20022. That means it helps develop the standard, manages the registry of who’s implementing it, and is also its biggest user — all at the same time. In practice, maintaining the registry means shaping the grammar — defining what counts as a valid message, what categories exist, and what structure every institution must conform to.
Technical Committee 207 — Environmental Management[24] — created ISO 14001[25], the environmental management system standard now used by over 300,000 organisations worldwide. ISO 14001 defines what an environmental management system has to contain, how it has to be structured, and what it has to measure. Environmental management standards become financial constraints the moment lenders and regulators start folding them into risk assessments, disclosure requirements, and decisions about where capital goes.
Technical Committee 322 — Sustainable Finance[26] — is the newest of the four. It was set up to develop standards for building sustainability into financial services. Its first major output, ISO 32210[27], was published in 2022. It provides a framework for sustainable finance that feeds directly into the taxonomies, disclosure frameworks, and ESG metrics that increasingly determine how money flows.
TC322’s external liaison organisations include the Carbon Disclosure Project[28] (the primary global platform for TCFD-aligned climate disclosure), the Climate Bonds Initiative[29], the Institute of International Finance[30], the SASB Foundation[31] (now folded into the ISSB), WWF[32], and the European Commission[33]. These are not informal consultees. They hold designated seats at the drafting table. The organisations that implement the upstream disclosure frameworks sit on the committee that writes the downstream technical standard. TC322’s own external initiatives page[34] lists the TCFD, UNEP FI, the UN Sustainable Development Goals, and the Paris Agreement as the frameworks its standards draw from and support. The committee does not claim to have originated these frameworks. It codifies them.
The Vice Chair of TC322’s Chair’s Advisory Group — the body that guides the committee’s strategic direction — is Ma Jun[35], who simultaneously chairs the Supervision Workstream of the Network for Greening the Financial System[36], the BIS-hosted network that converts climate risk frameworks into banking capital requirements through Basel. The same individual who calibrates the banking parameters also guides the committee writing the sustainable finance standard. The institutional layer and the standards layer are not separate systems connected by indirect influence. They share personnel.
Ma Jun’s dual appointment is not unusual or suspicious — it’s professionally logical. A climate finance specialist whose career spans central banking and sustainable finance regulation would naturally be sought by both the NGFS and TC322. The framework travels through people whose professional identity is built on the framework. They don’t transmit it because they were instructed to. They transmit it because it is what they know, what they believe in, and what their career is organised around. The pipeline is a career structure. The network that authored the framework upstream does not need to control personnel appointments downstream. It needs only to have produced a framework compelling enough that the professionals who build their careers on it naturally migrate into every institution where it needs to be codified.
Technical Committee 309 — Governance of Organizations[37] — produced ISO 37000[38] in 2021, which ISO describes as ‘the first ever international benchmark for good governance’. It defines how organisations should be directed, overseen, and held accountable — covering principles like purpose, stakeholder engagement, ethical culture, sustainability, and oversight. It applies to all organisations regardless of type, size, or location. Its secretariat is held by the British Standards Institution — the world’s first national standards body, founded in 1901, and one of the original members of the ISA.
ISO 37000 standardises a specific model: multi-stakeholder governance[39], where governing bodies have to engage public, private, and civil society interests, create value for ‘all relevant stakeholders’, and align what the organisation does with ‘the interests of society’.
This is the partnership model — and its roots go back over 125 years. Eduard Bernstein’s 1899 book Evolutionary Socialism[40] first argued that public and private sectors should cooperate for the ‘common good’ rather than fight each other. Woolf’s 1916 Fabian Society blueprint scaled the same idea internationally through layered secretariats that distributed authority across public, private, and civil society sectors.
The Third Way politics of Blair and Clinton carried it into British and American government in the late 1990s. Blair had first laid out the framework in Marxism Today in October 1991[41], restating Bernstein’s argument almost word for word: politics ‘ceases to be dominated by a battle between state and market’ and becomes instead ‘how we make both state and market subject to the public interest’ — with the public interest defined by institutions sitting between the two.
Wolfgang Reinicke’s trisectoral networks[42] formalised it as United Nations operational policy in 2000. ISO 37000, published in 2021, completes the arc: it turns the partnership model into a technical standard that applies to every organisation on earth.
SDG 17 — ‘Partnerships for the Goals’ — makes it a global target[43]. The OECD, as one of several bodies responsible for tracking SDG indicators (alongside UNDESA and the World Bank), measures every country's progress towards implementing it[44]. Once the partnership model is embedded in governance frameworks, disagreeing with it stops being treated as a political position. It gets treated as non-compliance with a recognised standard.
TC309[45] also produced ISO 37001[46] (anti-bribery management), ISO 37002[47] (whistleblowing management), and ISO 37301[48] (compliance management systems). Together, these make up a complete governance stack, all written by a single committee family.
The first three committees define what has to be measured, reported, and financed. The fourth defines how the organisations doing all of that have to be governed. It’s the standard that governs the governors — the layer that makes sure the institutions implementing the other standards are themselves structured according to principles set in Geneva, by a committee whose secretariat traces back to the body that started the whole enterprise in 1901.
The pattern repeats one level up. ISO doesn’t certify compliance itself — that function sits with national accreditation bodies, which are themselves accredited by a global body (GLOBAC[49], formed from the merger of the IAF and ILAC). The body that certifies the certifiers holds the same structural position as SWIFT within TC68: not the one writing the rules, but the one maintaining the registry that determines who counts as authorised to apply them.
Four committees. One writes the format of every financial message on every platform. One writes the environmental compliance framework. One writes the sustainable finance standard that connects the two. And one writes the governance standard that determines how every organisation implementing the other three has to be run.
Taken together, these four committees form a closed system: one defines what the system can see, one defines what it must measure, one links those measurements to capital allocation, and one governs the institutions executing the process.
Nothing in this loop requires legislation once the standards are in place. All operating through the same institution, using the same process, staffed by the same rotating cast of industry experts and central bank representatives who will then implement the standards they’ve written.
These four are examples, not the full list. ISO’s technical committees now produce standards covering AI management (ISO 42001[50]), smart cities (ISO 37122[51]), sustainable communities (ISO 37101[52]), climate investment assessment (ISO 14097[53]), education (ISO 21001[54]), food safety (ISO 22000[55]), water services (ISO 24510[56]), and social responsibility (ISO 26000[57]).
The pattern of upstream ethical framing preceding downstream codification is already visible in the AI domain. ISO 42001, published in 2023, provides the management system standard for artificial intelligence. The ethical framework that will define what ‘responsible AI’ means in auditable terms is being authored concurrently — through the Rome Call for AI Ethics[58], signed at the Vatican in February 2020 by Microsoft, IBM, the FAO, and the Italian government, and subsequently expanded to include Abrahamic religious leaders in 2023 and eleven world religions at Hiroshima in 2024 under the title ‘AI Ethics for Peace’.
The Rome Call’s scientific director has been appointed to the UN Secretary-General’s AI Advisory Body[59]. Its vocabulary — ‘algorethics’ — was introduced at the 78th UN General Assembly by the Italian Prime Minister[60]. The ethical standard is being authored at the Vatican. The technical standard is already published in Geneva.
ISO 42001 is a management system standard — a governance container. It defines how organisations should manage AI, not what ethical content the management must serve. That content is being authored upstream, through the same convening-to-codification pipeline that produced the climate standards. The container was published in 2023. The content is arriving now. When the two connect, the ethical vocabulary authored at the Vatican becomes the auditable standard enforced through the certification chain.
Taken together, the ISO standards define the measurement framework for virtually every area of economic and social life — the data layer underneath the programmable infrastructure being built to enforce it.
The timing of publication matters as much as the content. ISO 22301[61] — Business Continuity Management Systems — was revised and republished in 2019. ISO 22320[62] — Emergency Management: Guidelines for Incident Management — was published in 2018. ISO/TS 22330[63] and ISO/TS 22331[64] — covering people management during disruptions and business continuity strategy — were both published in 2018.
When COVID-19 arrived in early 2020, the standards for how organisations, governments, and health systems should respond to a disruptive incident were already written, already published, and already embedded in compliance frameworks worldwide.
The infrastructure didn’t need to be built during the crisis. It needed to be activated. The crisis was the ribbon-cutting for standards that were already in the building.
The Propagation Mechanism
An ISO standard isn’t a law. No country is technically forced to adopt one. But the way voluntary standards become effectively mandatory is well established, and it doesn’t require any legislation.
It works through four channels:
First, market access: if a product or service doesn’t meet the relevant ISO standard, it faces barriers to international trade, because importers, insurers, and regulators in the destination country require compliance as a condition of doing business.
Second, regulatory incorporation: national governments take ISO standards and reference them in their own regulations, which turns a voluntary international standard into a binding domestic rule — without anyone having to write new law. The decision to reference the standard is itself a legislative or regulatory act — but the content of the standard being referenced was written elsewhere, through a process the legislature did not control.
Third, procurement: governments and large corporations put ISO compliance in their purchasing contracts, and that requirement cascades down through every supplier in the chain.
Fourth, under the World Trade Organisation’s Technical Barriers to Trade agreement[65], member countries are expected to base their national regulations on international standards, and any deviation has to be justified — which makes ISO standards the default that countries have to explain their way out of.
There’s a fifth channel, less visible than the other four but more powerful in the long run: convergence through compatibility. When two standards are designed so that a single product, organisation, or platform can satisfy both simultaneously, the thing that bridges them becomes the new baseline. ISO 20022 didn’t replace SWIFT’s legacy MT format by decree. It was designed to coexist with it — compatible enough that institutions could adopt the new standard without breaking existing connections. Once enough traffic flowed through the bridge, the old format became redundant. The same logic operates across standard families.
Build an organisation that’s compliant with ISO 14001 (environmental management), ISO 32210 (sustainable finance), and ISO 37000 (governance) simultaneously, and you’ve merged environment, finance, and governance into a single compliance surface — not because anyone legislated the merger, but because the organisation needed all three to operate. Standards that are designed to be mutually compatible don’t need to be formally merged. They merge through whatever is built to satisfy both. And whoever designed the standards to be compatible with each other designed the convergence before it happened.
The convergence is not theoretical. On 23 February 2024, ISO published an identical climate action amendment to thirty-one management system standards simultaneously[66]. The same two sentences were inserted into ISO 9001 (quality management), ISO 14001 (environmental management), ISO 22000 (food safety), ISO 22301 (business continuity), ISO 27001 (information security), ISO 45001 (occupational health and safety), ISO 50001 (energy management), ISO 37001 (anti-bribery), ISO 37301 (compliance management), ISO 21001 (education), ISO 37101 (sustainable communities), and twenty more. Every organisation certified under any of those standards must now determine whether climate change is a relevant issue and acknowledge that interested parties may have climate-related requirements.
Two sentences — thirty-one standards. Every domain — quality, security, food, energy, health, education, governance, compliance — brought onto a single compliance surface in a single administrative act. The standards were not merged. They didn’t need to be. The same clause was inserted into all of them, and every organisation certified under any one of them now shares a common obligation with every organisation certified under any other. The amendment was justified by the ISO London Declaration of 2021 — ISO’s commitment to combat climate change[67].
The amendment was technically possible because every management system standard ISO publishes is built on a single structural template — Annex SL[68] — which prescribes identical clause numbers, core text, and common definitions across all domains. The standards were not merged in 2024. They were pre-merged in 2012, when Annex SL became mandatory for all new and revised management system standards[69]. The climate amendment did not create the single compliance surface. It revealed that the surface had existed for over a decade. It also made the entire catalogue machine-readable.
An AI system trained on the Annex SL template does not need to learn thirty-one different frameworks. It needs to learn one structure with domain-specific parameters — which means automated compliance monitoring across every domain ISO covers is not a future capability requiring new architecture. It is a current capability waiting for deployment.
BSI — the British Standards Institution, the world’s first national standards body, founded in 1901 — originated the London Declaration[70]. BSI’s own communications state this directly. BSI also holds the secretariat for TC322[71] (Sustainable Finance) and TC309[72] (Governance of Organizations). One institution administers the sustainable finance standard, the governance standard, and the procedural mechanism that inserted climate into every management system standard ISO publishes.
The secretariat function is administrative — it controls the committee’s work programme, agenda, and timeline. Holding the secretariat does not determine the content of the standard. It determines the conditions under which the content is produced.
The logical endpoint is a single compliance surface covering every domain — financial, environmental, governance, social — where meeting the standard in one domain automatically requires meeting it in all the others, because the standards were built to interlock. At that point, the system doesn’t have separate standards. It has one standard expressed in multiple vocabularies.
And that standard sits beneath the level where party political debate operates. Elections change governments. They don’t change ISO technical committees. A new prime minister can rewrite tax policy, but he cannot rewrite ISO 20022. The standard is the layer that doesn't change when the government changes — which means it's the layer that determines what every government above it is capable of enforcing.
Yet it governs every domain that matters — finance, energy, food, water, health, education, identity, governance itself. What remains is the enforcement gap: the distance between the standard existing and the standard being checked at every transaction, in every domain, in real time. Programmable money closes that gap for finance. Artificial intelligence closes it for everything else. Once both are operational, the standard doesn’t just govern — it evaluates and settles. And the distance between what an elected government can change and what it cannot begins to widen beyond what most voters would recognise.
The standard spreads downward through every jurisdiction because no country wants to be locked out of interoperability. It shows up not as a policy choice but as a technical requirement — and the difference between those two things disappears the moment the standard gets written into a contract, a regulation, or a capital requirement.
Compliance gets checked through a global network of certification bodies and auditors — the big accounting firms and specialist agencies that turn the standard into operational requirements at the company level. ISO writes the standard but doesn’t certify compliance itself. The enforcement side is privatised, creating a multi-billion-pound industry whose revenue depends on the standards it verifies continuing to expand.
ISO standards also aren’t free. They’re copyrighted and sold by ISO and its member bodies at prices that can run over 200 Swiss francs per document. Access to the standard itself becomes a gatekeeping tool, concentrating participation in the drafting and implementation process among institutions that can afford it. The countries least able to afford a seat at the drafting table are also the least able to afford the finished product — and the least able to challenge a standard that arrives as a condition of market access.
The Division of Labour
ISO doesn’t work alone. It occupies a specific spot in a division of labour that stretches across the whole institutional architecture.
ISO writes the standard[73] — what has to be measured, how it has to be measured, what format the data has to take.
The OECD produces the indicators[74] — what the measurements show, how countries compare, who’s falling behind, how far each country is from the target. The OECD started life as the Organisation for European Economic Co-operation, created in 1948 to manage Marshall Plan aid[75]. From the very beginning, it was a monitoring body: European countries submitted annual recovery plans and received aid based on how they performed against targets set by the institution handing out the money. Statistics became policy levers, and dashboards locked countries onto a shared path. When the Marshall Plan ended, the coordination didn’t.
In 1961, the OEEC became the OECD, expanding beyond Europe and beyond economic recovery into science, education, environmental policy, and development aid[76].
The methodology that gave the OECD’s indicators their teeth came through a different route. In 1961, Robert McNamara introduced the Planning-Programming-Budgeting System at the Pentagon[77] — a framework that broke every programme down into measurable inputs, trackable outputs, and feedback loops. When McNamara moved to the World Bank in 1968[78], he took the same approach global through conditional lending[79]: structural adjustment programmes that made development finance dependent on performance indicators defined by the lender.
The OECD became the central hub for this metrics-based style of governance, developing the standardised indicators used to measure both domestic policy and international coordination.
Today it’s officially designated as a ‘Custodian’ organisation for the Sustainable Development Goal indicators, producing the scorecards that track every country’s distance from the seventeen targets.
The OECD also functions as the de facto enforcement layer for governance standards. Its Principles of Corporate Governance80 are used by the World Bank and the Financial Stability Board to assess countries, and national corporate governance codes — from the UK’s to South Africa’s King IV81 — are written to align with them.
ISO 37000 defines the governance model. The OECD measures countries against it. The certifiable parts of the governance stack — ISO 37001 [82] (anti-bribery), ISO 37301 [83] (compliance management) — fall under GLOBAC’s accreditation chain. The overarching governance philosophy propagates through OECD peer review instead: the same metrics-based dashboard, applied to how countries are run.
The same pattern applies to environmental standards:
ISO defines the measurement format through TC207’s ISO 14001 [84].
UNEP produces the indicators85.
The UNFCCC and its Conference of the Parties set the targets.
The Network for Greening the Financial System (NGFS), hosted at the BIS, converts those targets into climate scenarios86.
And the Basel Committee embeds those scenarios into capital requirements and risk weights — determining how much it costs a bank to hold a given asset on its books87.
When the capital requirement rises high enough, the asset becomes uneconomic to hold. It is ‘stranded’ — not by legislation, not by a court order, but by a recalibration of the risk weight assigned to it by a committee that no electorate appointed. It simply becomes too expensive to finance, which in turn makes it worthless. Certification of compliance with ISO 14001 [88] flows through the same GLOBAC accreditation chain as the governance standards.
The BIS sets the financial parameters. Its Committee on Payments and Market Infrastructures89 works with IOSCO to lay down the principles governing financial market infrastructure.
Basel capital requirements, NGFS climate scenarios, and risk-weight calculations are defined by the Basel Committee, not by ISO — but the data used to report and transmit those parameters flows through ISO-formatted channels.
FATF enforces compliance90. Its forty recommendations91 — written without a treaty, without parliamentary approval — determine which countries get to participate in international banking.
FATF doesn’t enforce ISO standards directly. But banks that need to prove they’re meeting FATF’s anti-money-laundering requirements use ISO-formatted data to do it, and FATF’s greylisting mechanism makes the whole pipeline coercive.
The system isn’t a single chain of command. It’s a division of labour where each institution does a distinct job, and each one’s output becomes the next one’s input. ISO defines the format. The OECD produces the data. The BIS turns the data into financial parameters. FATF enforces compliance with those parameters. The result is that policy gets expressed as measurable indicators, compliance can be enforced through financing and access to capital, and none of it requires a vote.
Standard → Indicator → Capital Constraint → Enforcement. Four institutions, one pipeline, no vote, and all downstream from the initial ‘ethic’. At no point in this sequence is a political mandate required.
ISO committees do not generate the frameworks they codify. The conceptual architecture arrives from upstream — from task forces, multilateral initiatives, and convenings that operate outside the standards process. ISO 14097, covering climate-related investment assessment, explicitly states that it provides guidance ‘in line with the recommendations of the TCFD’. The standard declares its own upstream dependency. TC322’s sustainable finance framework draws on the TCFD, NGFS, and Paris Agreement — frameworks produced by the Financial Stability Board, the BIS, and the UNFCCC respectively.
The standards layer sits downstream of an institutional layer that defines the concepts, and the institutional layer sits downstream of a framework layer that authored the concepts. ISO’s role is to convert those concepts into auditable, enforceable technical specifications. The standard is the last link in the chain.
The first link is a framework, and the framework originated in a process ISO did not control.
The Standard and the Ledger
The shift currently underway — from SWIFT messaging to programmable settlement through platforms like mBridge and Agorá — doesn’t bypass ISO. It makes the dependency deeper.
Both mBridge and Agorá use ISO 20022. The more detailed data that ISO 20022 carries — purpose codes, beneficiary details, information about who sent the payment — is exactly what makes it possible to check compliance conditions at the level of individual transactions.
ISO doesn’t set those conditions. Regulators, central banks, and platform operators write the rules. But the standard defines what data fields exist, and the data fields determine what the system can see. The conditions are decided elsewhere. The visibility that makes them enforceable is defined by the standard. And what can be made visible can be made conditional.
The programmable money that Project Rosalind92 enables — the three-party lock, where a transaction only clears if the buyer, the seller, and the condition-setter all agree — depends on the standard defining what the condition-setter can see. ISO 20022 defines exactly that. The richer the standard, the finer the filter.
The BIS’s own Project Rosalind report93 defines the three-party lock as one of three programmable locking mechanisms built into the CBDC API prototype: ‘the project added a three-party lock, which introduced a trusted third party that determines when the payment should be triggered’.
Decision to unlock and release the lock is given to a third-party PIP with an appropriate permission, such as an organisation checking whether you have a sufficient amount of carbon credits in your digital wallet.
The three-party lock requires all three parties to be identified. A compliance condition checked at the transaction level only works if the system knows who is transacting. Digital identity is the precondition without which programmable money cannot function as a clearing mechanism at the individual level.
The infrastructure is being built under the moral authority of ‘financial inclusion’: SDG Target 16.9 mandates legal identity for all by 203094, and the World Bank’s Identification for Development initiative95 — funded by the Gates Foundation, the UK, French, and Australian governments — is deploying digital identity systems across the developing world under the banner of leaving no one behind.
The 50-in-5 initiative [96] targets fifty countries implementing digital public infrastructure [97] — defined as digital payments, digital identity, and data exchange — by 2028. ISO TC 307 [98], which covers blockchain and distributed ledger technologies, maintains identity management as a core study group and holds a formal liaison with TC 322.
The same system that gives a person access to the financial system makes that person legible to every compliance condition the financial system checks.
The ethical claim is ‘financial inclusion’99. The operational consequence is that the identity layer completes the architecture — connecting the standard that defines what the system can see to the individual whose transaction the system evaluates.
ISO was founded to standardise screw threads and paper sizes. It now standardises the format of every financial message on every settlement platform in the world, the environmental management framework of every major corporation, and the sustainable finance taxonomy through which capital allocation is increasingly governed.
The Root
The institutional family tree is straightforward.
In 1892, Julius Wolf proposed an international clearing mechanism at the Brussels International Monetary Conference. The BIS, founded in 1930, was an intellectual descendant.
In 1904, Wolf founded the Central European Economic Association to coordinate trade through shared standards, citing Carnegie. By 1913, the Association was running parallel national chapters in Germany, Austria, and Hungary, producing joint publications across borders — the same federated model of national bodies coordinated through a shared framework that the ISA adopted in 1926 and ISO inherited in 1947.
In 1915, Wolf proposed a formal customs union between those same three countries — layering trade integration on top of the standards coordination his organisation had already built. The ISA, founded in 1926, tied together the national standards bodies that had sprung up during and after the war. ISO, reconstituted in 1947, absorbed the ISA and the UN’s wartime standards body, inheriting the function and extending it across every area of technical and economic life.
Wolf argued for the settlement mechanism, the common standards, and the trade that employs them both. He also specialised in social policy — which, in the architecture that followed, would supply the upstream ethic that the standards were ultimately developed to serve.
Carnegie funded the peace infrastructure that framed the whole architecture as benign. Leonard Woolf wrote the governance blueprint that every institution in the formation adopted. The CFR and RIIA — both founded from the same 1919 Paris Peace Conference — prepared the post-war order in advance [100][101].
Van Zeeland’s 1938 report to the British and French governments combined monetary clearing and trade liberalisation into a single blueprint — the Bretton Woods architecture before Bretton Woods.
The CFR’s War and Peace Studies project102, launched in 1939, produced detailed blueprints for the UN, the IMF, and the World Bank before the war had even ended.
ISO writes the technical standards those institutions depend on. The OECD measures compliance against them. The BIS calibrates the financial parameters. FATF enforces.
The standard is the deepest layer of the architecture — underneath the messaging, underneath the clearing, underneath the compliance. It defines what can be seen, what has to be reported, and what the system checks before it lets a transaction go through.
Whoever writes the standard determines what the rest of the architecture is capable of enforcing.
Input constraint103, in effect.
No parliament voted on ISO 20022. No electorate was consulted on TC322 or TC309. No treaty gave ISO authority over the format of global financial communication or the definition of good governance. The standards showed up as technical requirements, got adopted through market pressure and regulatory incorporation, and now sit at the foundation of every competing settlement platform and every major compliance framework on earth.
The architecture does not need to hide. It needs to be complicated and boring enough that nobody looks. The frameworks originate in convenings and task forces that operate below the threshold of public attention. The institutions that adopt them are multilateral bodies whose governance is opaque to most citizens. The standards that codify them are produced by technical committees whose membership lists are public but whose proceedings are read by almost no one.
The enforcement runs through certification chains, capital requirements, and market access conditions that present themselves as technical necessities rather than political choices. At every layer, the information is available, but at no layer does anyone assemble it. The obscurity is not secrecy — it is pure tedium and distributed complexity, and together they generate a more durable form of concealment than any secret could be.
The Form
In general systems theory, a system is a network of nodes connected by defined interfaces. ISO standards are those interfaces. They define the ports through which every organisation and every nation connects to the global system — what data it must produce, in what format, to what specification.
Any institution that adopts the standard becomes a compatible node: legible, auditable, and monitorable in real time. Any institution that refuses the standard becomes incompatible — unable to transact, unable to trade, unable to participate. The ports are technically voluntary, but in practice they are not if you seek connectivity.
ISO 20022, implemented through the programmable settlement platforms now replacing SWIFT, doesn’t just make nodes legible. Through the three-party lock, it makes them switchable.
The standard doesn’t just define what the system can see. It defines what the system can switch off. Any condition that can be expressed as a data field in ISO 20022 can be checked before a transaction clears — a carbon credit threshold, a health compliance status, a governance score derived from the Sustainable Development Goals. The architecture does not distinguish between conditions. It only checks whether they are met.
And every node integrated with the system through the same standards will enable this control.
The machinery does not wait for the framework — it anticipates it. ISO already maintains technical committees for domains where the upstream ethical framing has not yet been finalised — ISO 42001 for AI management, ISO 37122 for smart cities, ISO 37101 for sustainable communities. When the next convening produces the next conceptual bridge — between AI and health, between digital infrastructure and governance, between climate and security — the committee that will codify it already exists, waiting for the content to be poured in.
This is anticipatory governance — the committee built before the crisis, the standard written before the framework, the container waiting for the content. By the time the crisis arrives, the infrastructure is already in place.
Fabian Society governance documents often read strangely because they describe governance as a technical specification rather than a political contest.
Leonard Woolf’s 1916 International Government and his 1944 The International Post-War Settlement104 are filled with committee structures, voting thresholds, secretariat functions, and reporting requirements — but the content of the standards is left blank. That blank was filled by ISO technical committees, decades later, using the exact structure the Fabians designed: specialist authorities staffed by technical experts, coordinated through a central secretariat, producing outputs that member states sign off on after the content has already been decided below.
The documents feel strange because they are not political arguments. They are user manuals for a machine that was quietly developed.
And the manuals, written in 1916 and updated in 1944, describe its operation with exact precision — because they were its blueprints.
The institutional architecture has a design layer and an operating layer. Woolf’s 1916 blueprint and its 1944 update designed the containers — the specialist authorities, the permanent secretariats, the technical committees that produce outputs for member states to ratify. Mitrany’s functionalism, formalised in 1943105, explained why those containers would be staffed by technical experts rather than politicians, and why the content would emerge from functional needs rather than political programmes.
James Burnham’s The Managerial Revolution106, published in 1941, supplies the missing piece — not the content, but the mechanism. Burnham identified a new governing class whose power derived not from ownership but from operational control: the ability to define the specification, measure performance against it, and adjust inputs until performance conforms.
That feedback loop — define, measure, correct — is the operating logic of the entire architecture the essay has described. ISO defines the standard. The OECD measures countries against it. The BIS calibrates the financial parameters. FATF enforces. McNamara’s Planning-Programming-Budgeting System, transplanted from the Pentagon to the World Bank in 1968, made it the template for international development.
The correction arrives as a recalibration of the measurement — a revised risk weight, an updated indicator, a climate clause inserted into thirty-one standards simultaneously — that makes non-compliance expensive before anyone has to be told to comply. The architecture Woolf designed, staffed by the experts Mitrany anticipated, governed by the class Burnham described, using the method Burnham identified. The blueprints were published, as was the operating manual — but by different people, in different decades, and with no one assembling them into a single document.
The architecture has a demand side and a supply side.
The Rockefeller network funded the supply: the schools of public health that trained the experts, the social science departments that developed the measurement methodologies, the League of Nations Health Organisation’s technical standardisation programme, and — through the CFR’s War and Peace Studies — the operational blueprints for the post-war institutions themselves.
The Conservation Foundation, funded by the Rockefeller Brothers Fund, built the environmental vocabulary (Osborn’s Our Plundered Planet, 1948), authored the U.S. National Environmental Policy Act, created the Environmental Impact Statement process, created the Council on Environmental Quality, placed its own presidents in the agencies that would enforce it (Train to the CEQ and the EPA, Reilly to the EPA and the U.S. delegation at Rio), and designed the offsetting mechanism that would become the financial enforcement layer.
By 1990, all of that was permanently embedded — in U.S. federal law, in the EPA’s structure, in the UNFCCC framework signed at Rio, and in the compliance architecture that ISO TC207 and TC322 would later codify. The foundation’s job was done. It merged into WWF — which now holds a formal seat on TC322 [107], sitting at the drafting table where the frameworks the Conservation Foundation authored get converted into auditable technical specifications.
Carnegie funded the peace framing that made the whole enterprise appear benign. Between them, they built the technical capacity — the management science, the trained personnel, the standardisation processes — that fills the committees and runs the feedback loop. They produced the managerial class and its method.
But a supply of technical expertise does not become a governance architecture on its own. It needs institutional demand — a financial system structured so that it requires harmonised standards, a central banking network that generates the need for interoperability, a clearing mechanism that cannot function without common specifications.
That demand side — the architecture of international finance, sovereign debt, and central bank coordination that made technical standardisation not just useful but unavoidable — has a different history and a different set of architects.

Extremely interesting essay. An answer to the question 'what the hell is going on?' is taking shape, and quickly.
You can keep imagining a single global machine.
But the machine is already buckling under its own weight.
Multipolarity isn’t coming — it’s happening while you scroll.
The dream is convergence.
The data is divergence.
Sovereignty is what leaks through the cracks.