Pillars of a Trust Architecture
The Trust Architecture is founded on four pillars: Trusting People, Trusting Entities, Trusting Content, and Trusting Mechanisms.
Trusting People
The foundation of a trust architecture is recognizing the need to trust people. People establish relationships with external entities, which, in turn, rely on people to maintain the trust placed in them. People purchase and set up mechanisms. They write policies; they generate content. Absent trust in people, a trust architecture cannot succeed.
Define roles and responsibilities.
Consider in terms of individuals and groups.
Categorize by types, such as staff, contractors, and external advisors (e.g., the board of directors).
Take capabilities and intents into account when assessing the acts a person might perform and the likelihood that they will undertake them.
The time frames for reviewing different activities and individuals vary with the utility they provide and with the consequences over time of that utility being lost or misused.
Trusting Entities
Rarely do organizations operate in isolation. Suppliers, sub-contractors, customers, and other entities are our associates, and our relationships with them are what we can control. We evaluate them on properties such as size, makeup, location, and whatever else we identify as relevant to the decision, and then we use instruments such as non-disclosure agreements, legal processes, monitoring, service levels, acceptance testing, payment time frames, creditworthiness, and so forth to make initial and ongoing decisions about changing or maintaining those relationships.
Trusting Content
Content is the information produced and applied by people, entities, and mechanisms that results in acts of the entity. It often includes intellectual property developed and owned by the organization, internal communications, information feeds from outside the company, and all of the information used in making decisions or producing things of value. The provenance and trustworthiness of content are essential in determining the level of trust it can be assigned.
Trusting Mechanisms
The technical infrastructure (IT, OT, etc.) is part of this pillar, as are the policies, process definitions, and organizational standards. Both external and internal mechanisms are commonly involved, and the organization has different levels and means of control over each. For example, power is typically used to move physical things, and that power may be supplied by any number of different processes; how much of this we can control depends on our decisions about where we get that power from.