Consensus, validators, and privacy are the photogenic parts of a permissioned chain. Governance is the part that decides whether the chain still exists in five years. Part 4 walks through how working consortia handle admission, expulsion, upgrades, and disputes, why permissioned rails are the dominant institutional answer in 2026, and the confusions that show up most often in client conversations.

2.4 Governance

Consortium governance is the part nobody likes to talk about because it is almost entirely off-chain and almost entirely legal. But it is where chains live or die.

A working consortium has, at minimum, an admission process for new validators, an expulsion process for misbehaving ones, an upgrade process for protocol changes, a dispute resolution mechanism for when participants disagree about what the ledger says happened, and a defined relationship to one or more regulators. Most of this lives in a consortium agreement signed by every member, which is enforceable in a defined jurisdiction.

Upgrades are the area where public-chain instincts mislead the most. On Ethereum, an upgrade is a hard fork, social-consensus driven, with the option to walk away if you disagree. On a permissioned chain, an upgrade is a contractual amendment to the consortium agreement, voted under the agreed quorum rule, and binding on every member by virtue of their membership. There is no opt-out short of leaving the consortium, and leaving has real consequences because your tokenised positions live there. That trade-off is the design feature that lets the chain operate inside a regulated perimeter without re-running a constitutional convention every time a parameter needs to change.

Disputes resolve through the consortium's chosen mechanism, usually arbitration in a commercial venue like the London Court of International Arbitration (LCIA) or the Singapore International Arbitration Centre (SIAC), sometimes through specialised tribunals being built for blockchain disputes. They resolve through a legal process, not through a re-org. The chain records what happened. The legal system decides what to do about it. This is also why consortium-agreement drafting is a specialist legal product in 2026, with the clauses on liability allocation, sanctions handling, and successor-operator rights doing the load-bearing work.

The other piece of governance that is easy to miss is the relationship to dependent infrastructure. A tokenisation consortium typically does not run its own KYC, sanctions screening, or fiat-rail integration. It contracts those out, and the contracts have to dovetail with the consortium agreement so liability does not fall into a gap when something fails.

Why it matters now

Tokenisation has crossed a threshold. The question in 2024 was "will banks actually use this". The question in 2026 is "which chain are you on and why". Every major asset manager, custodian, and large bank now has an active tokenisation programme, and the overwhelming majority of those programmes settle on a permissioned chain. The BIS AER 2024 chapter on tokenisation reads as a description of the direction of travel rather than a forecast.

Canton Network has emerged as the connective tissue for the tokenisation segment specifically, with major custodians, exchanges, and asset managers running validators and a growing set of cross-domain workflows for repo, tokenised collateral, and intraday liquidity (Canton Network). Hyperledger Fabric remains the workhorse for trade finance, supply chain, and a swath of bank-internal builds that never get press releases but quietly run real volume. Corda continues to hold strong ground in capital markets, where its notary model and identity-first architecture map cleanly onto how dealers and CSDs already think (R3 Corda). The Quorum lineage now sits inside JPMorgan's Kinexys stack as the rails for Kinexys Digital Payments (formerly Onyx Coin Systems) and Kinexys Digital Assets (Kinexys).

The ecosystem is not consolidating onto one chain. It is consolidating onto interoperability standards across several chains, with permissioned and public stacks bridging more and more. Project Agorá, Project Ensemble, and the various wholesale-CBDC pilots all assume this multi-chain end state rather than a single-chain endpoint (HKMA Project Ensemble, MAS Project Guardian).

Common confusions

Permissioned does not mean centralised. A consortium chain with thirty independent validators across multiple jurisdictions, each governed by a different regulator, is decentralised in every meaningful operational sense. What it is not is anonymous. Treat decentralisation and pseudonymity as separate axes. The Web3 instinct to collapse them is the source of half the confusion in regulator briefings.

Permissioned chains are real blockchains. They use the same cryptographic primitives, produce the same Merkle-anchored append-only logs, and provide the same auditability properties. The fact that the validator set is gated does not change the cryptography. If you would not call a Cosmos zone "not a real blockchain", you should not say it about Canton.

If it is permissioned, it is still tokenisation. The asset is tokenised when there is a digital bearer-style representation that can be transferred atomically with finality. The chain's permissioning model has nothing to do with whether the asset is tokenised. It has everything to do with who can see and settle the token. The BIS CPMI tokenisation taxonomy is explicit on this: the load-bearing test is whether the on-chain entry is the operative record, not whether the chain is open or gated.

The validator set is not the issuer set. Validators sequence and finalise transactions. Issuers create the tokens that represent claims. These are different roles with different legal exposures. A custodian validating blocks for a network is not on the hook for the credit quality of an issuer using that network. Conflating them creates phantom liability.

You can have anonymous transactions on permissioned chains, in the sense that two parties to a transaction can be opaque to other participants. What you cannot have is anonymous validators, because the entire trust model depends on knowing who they are. End-user pseudonymity is an entitlement question, not a chain-architecture question. Know-your-customer (KYC) and anti-money-laundering (AML) screening sit at the entitlement layer, not at the consensus layer.

Permissioned chains are not slower than public chains as a general rule. The throughput differences come from consensus choice and network topology, not from permissioning per se. Most institutional permissioned chains comfortably outperform Ethereum mainnet on transactions per second, simply because they are not solving for global open participation.

The next part is the production tour: where each of the major stacks actually appears in 2026, what they are running, and where to read next.