---
type: "term"
title: "Control Failure"
description: "A deviation from a control objective or lack of effectiveness."
resource: "tlctc:term:control-failure"
tags:
  - "glossary"
---
# Control Failure

A deviation from a control objective or lack of effectiveness. Control failure is control-risk and MUST NOT be treated as a threat category (Axiom V). The risk structure remains Threat → Event/Incident → Consequences: controls influence likelihood and impact but do not define the threat cluster. Control failure is distinguished from the actual risk event itself (Axiom IV).

**Reference:** Axiom V (§2), §6.2 (Rule 3)

**Related reading:** [CVE-2020-17103 — patch closed an effect, not a cluster](https://www.tlctc.net/cve-2020-17103.html), [Logical impossibility of control-first regulation](https://www.tlctc.net/tlctc-control-first-regulation.html), [The Commit Is the CVE — silent fixes & the patch-gap collapse](https://www.tlctc.net/silent-fix-window.html), [The Control Fixation Reflex](https://www.tlctc.net/control-fixation-reflex.html), [The Audit Trap — compliance ≠ security](https://www.tlctc.net/tlctc-audit-trap.html)
