Custody and Control
Operational Controls for Digital Asset Custody
Beyond key management, defensible custody rests on operational controls — segregation, approvals, monitoring, audit, and continuity — that bound what can go wrong.
Most discussion of digital asset custody concentrates on key management — single-key, multisig, or multi-party computation. Key management matters, but it is only part of the picture. Defensible custody rests on a layer of operational controls that bound what can go wrong even when the cryptography is sound. This note sets out the controls that distinguish a custody arrangement that can be relied upon from one that merely looks secure.
Segregation
The first control is segregation: a clear, enforced boundary between assets that belong to different parties and between operational and reserve holdings. Enforced means distinct keys and addresses per client and per purpose, not merely labels in a ledger, so that a compromise of one account's keys exposes only that account. Segregation determines what is at risk if any single account, key, or system is compromised, and it is the foundation on which every other control rests. Commingled assets turn a contained incident into a systemic one.
Approvals and policy
Custody operations should be governed by policy that is encoded, not merely documented. Transfer approvals, value thresholds, allow-lists, and time delays convert intent into enforceable constraints. The objective is that no single person, key, or system can move assets outside the bounds the organization has set — and that the bounds themselves cannot be changed quietly.
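What "encoded, not merely documented" looks like in practice, as an added example written for this note (not the note's own tooling): a small deny-by-default policy engine that evaluates a transfer request against an allow-list, a per-transfer cap, tiered approval quorums, and a time lock for large amounts, and that requires the same kind of quorum to amend the policy itself. The policy values, account names, addresses and approver identities are constructed assumptions.

```python
"""Encoded custody transfer policy, evaluated against a request.

Added illustration, not code from the note. All names and thresholds below
are assumed sample values.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Policy:
    allow_list: FrozenSet[str]                   # only destinations that may ever receive funds
    max_single_transfer: int                     # hard cap per transfer, smallest unit
    approval_tiers: Tuple[Tuple[int, int], ...]  # (amount_at_or_above, approvers_required), ascending
    delay_above: int                             # transfers at or above this amount are time-locked
    delay: timedelta                             # length of that time lock
    change_quorum: int                           # approvals required to amend the policy itself


@dataclass(frozen=True)
class TransferRequest:
    src_account: str
    dest_address: str
    amount: int
    requested_by: str
    approvals: FrozenSet[str]                    # distinct approver identities
    requested_at: datetime


@dataclass
class Decision:
    allowed: bool
    reasons: List[str] = field(default_factory=list)
    release_at: Optional[datetime] = None        # earliest broadcast time when allowed


def required_approvers(policy: Policy, amount: int) -> int:
    """The highest tier whose threshold the amount reaches wins."""
    needed = 1
    for threshold, count in policy.approval_tiers:
        if amount >= threshold:
            needed = count
    return needed


def evaluate(policy: Policy, req: TransferRequest) -> Decision:
    """Deny by default: every violated bound is recorded, none is waived."""
    d = Decision(allowed=True)
    if req.amount <= 0:
        d.allowed = False
        d.reasons.append("amount must be positive")
    if req.dest_address not in policy.allow_list:
        d.allowed = False
        d.reasons.append(f"destination {req.dest_address} is not on the allow-list")
    if req.amount > policy.max_single_transfer:
        d.allowed = False
        d.reasons.append("amount exceeds the single-transfer cap")
    # The requester never counts as an approver: no single person moves funds alone.
    approvers = req.approvals - {req.requested_by}
    needed = required_approvers(policy, req.amount)
    if len(approvers) < needed:
        d.allowed = False
        d.reasons.append(f"{needed} approver(s) required, {len(approvers)} present")
    if d.allowed:
        d.release_at = req.requested_at
        if req.amount >= policy.delay_above:
            d.release_at += policy.delay          # time lock: a window to catch a bad approval
    return d


def amend_policy(current: Policy, proposed: Policy, approvals: FrozenSet[str]) -> Policy:
    """The bounds cannot be changed quietly: amendments need the change quorum."""
    if len(approvals) < current.change_quorum:
        raise PermissionError(
            f"policy change needs {current.change_quorum} approvals, got {len(approvals)}")
    return proposed


# Constructed example policy and requests (assumed values).
EXAMPLE_POLICY = Policy(
    allow_list=frozenset({"addr_cold_reserve_1", "addr_client_42_withdrawal"}),
    max_single_transfer=50_000_000,
    approval_tiers=((0, 1), (1_000_000, 2), (10_000_000, 3)),
    delay_above=10_000_000,
    delay=timedelta(hours=24),
    change_quorum=3,
)
T0 = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)


def demo():
    """Evaluate four constructed requests and return the decisions by name."""
    requests = {
        "small": TransferRequest("client_42", "addr_client_42_withdrawal", 500_000,
                                 "alice", frozenset({"alice", "bob"}), T0),
        "large_short": TransferRequest("reserve", "addr_cold_reserve_1", 20_000_000,
                                       "alice", frozenset({"alice", "bob"}), T0),
        "large_ok": TransferRequest("reserve", "addr_cold_reserve_1", 20_000_000,
                                    "alice", frozenset({"bob", "carol", "dave"}), T0),
        "rogue": TransferRequest("reserve", "addr_unknown", 1_000,
                                 "alice", frozenset({"bob"}), T0),
    }
    return {name: evaluate(EXAMPLE_POLICY, r) for name, r in requests.items()}


if __name__ == "__main__":
    for name, d in demo().items():
        print(name, "ALLOW" if d.allowed else "DENY", d.reasons, d.release_at)
```

Two design choices carry the weight here: the evaluator collects every violated bound instead of stopping at the first, so the audit record shows the full picture, and the requester is excluded from the approver count, so a compromised single identity can request but never self-approve. The time lock is what gives monitoring (below) a window to act before a large transfer is irreversible.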
Monitoring and reconciliation
Controls are only as good as the organization's ability to see them working. Continuous monitoring of balances, transfers, and policy exceptions — reconciled against an independent record — is what turns a control from an assumption into a fact. Reconciliation between on-chain state and internal books is the routine that surfaces breaks early, while they are still small. A break is any difference the books cannot explain; it is investigated and escalated, never adjusted away to make the numbers agree.
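A minimal books-versus-chain reconciliation, as an added example rather than anything from the note: the internal ledger is rebuilt from postings, compared per account against on-chain balances, and the set of transaction ids on each side is cross-checked so that both unbooked on-chain activity and booked-but-never-broadcast transactions surface as breaks. The accounts, postings, balances and txids are constructed sample data, and the example assumes the ledger records the chain txid for each posting; a real run would take balances and txids from a node or indexer rather than literals.

```python
"""Reconcile internal books against on-chain state.

Added illustration, not the note's own tooling. Sample data below is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set


@dataclass(frozen=True)
class Posting:
    txid: str
    account: str     # internal account; each account maps to its own address set
    delta: int       # signed amount in the smallest unit


@dataclass(frozen=True)
class BalanceBreak:
    account: str
    internal: int
    on_chain: int

    @property
    def kind(self) -> str:
        return "unexplained_outflow" if self.on_chain < self.internal else "unexplained_inflow"


@dataclass
class ReconReport:
    balance_breaks: List[BalanceBreak]
    unbooked_txids: List[str]   # seen on chain, absent from the books
    phantom_txids: List[str]    # booked, never seen on chain

    @property
    def clean(self) -> bool:
        return not (self.balance_breaks or self.unbooked_txids or self.phantom_txids)


def ledger_balances(postings: Iterable[Posting]) -> Dict[str, int]:
    """Rebuild balances from postings rather than trusting a stored total."""
    bal: Dict[str, int] = defaultdict(int)
    for p in postings:
        bal[p.account] += p.delta
    return dict(bal)


def reconcile(postings: Iterable[Posting], chain_balances: Dict[str, int],
              chain_txids: Set[str], tolerance: int = 0) -> ReconReport:
    """Per-account balance check plus two-way txid check.

    tolerance: absolute per-account difference tolerated (e.g. fee rounding).
    Accounts present on only one side are still compared, against zero.
    """
    postings = list(postings)
    internal = ledger_balances(postings)
    breaks = []
    for acct in sorted(set(internal) | set(chain_balances)):
        i, c = internal.get(acct, 0), chain_balances.get(acct, 0)
        if abs(i - c) > tolerance:
            breaks.append(BalanceBreak(acct, i, c))
    booked = {p.txid for p in postings}
    return ReconReport(
        balance_breaks=breaks,
        unbooked_txids=sorted(chain_txids - booked),
        phantom_txids=sorted(booked - chain_txids),
    )


# Constructed sample data (assumed, not from the note).
SAMPLE_POSTINGS = [
    Posting("tx01", "client:42", 5_000_000),
    Posting("tx02", "client:42", -1_500_000),
    Posting("tx03", "client:77", 2_000_000),
    Posting("tx04", "reserve:cold", 90_000_000),
    Posting("tx05", "reserve:cold", -10_000_000),   # booked but never broadcast
]
SAMPLE_CHAIN_BALANCES = {"client:42": 3_500_000, "client:77": 1_200_000, "reserve:cold": 90_000_000}
SAMPLE_CHAIN_TXIDS = {"tx01", "tx02", "tx03", "tx04", "tx06"}  # tx06: an outflow nobody booked


def demo_report() -> ReconReport:
    return reconcile(SAMPLE_POSTINGS, SAMPLE_CHAIN_BALANCES, SAMPLE_CHAIN_TXIDS)


if __name__ == "__main__":
    r = demo_report()
    for b in r.balance_breaks:
        print(f"{b.kind:20} {b.account:14} books={b.internal} chain={b.on_chain}")
    print("unbooked:", r.unbooked_txids, "phantom:", r.phantom_txids)
```

On the sample data the run reports an unexplained outflow from client:77 (with tx06 as the unbooked transaction that probably caused it) and an apparent surplus on reserve:cold that is explained by tx05 being booked but never broadcast. Both are small and easy to investigate now; left for a month, either could be hiding a much larger problem.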
Audit and attestation
A custody arrangement should be able to demonstrate its own integrity to an outside party. Auditable logs, independent attestation of holdings, and clear records of who did what and when are the difference between asserting that controls exist and being able to prove it. Auditability is also what makes incidents survivable, because it makes them legible.
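One concrete form of "auditable logs" and "records of who did what and when", added here as an illustration and not drawn from the note: a hash-chained audit log in which each record commits to the previous record's hash, so that an in-place edit, a deleted record, or a truncated log is detectable by replaying the chain against a head hash that an outside party holds independently. The actors, actions and timestamps are constructed sample data.

```python
"""Tamper-evident, hash-chained audit log for custody actions.

Added illustration, not the note's own system. Sample entries are constructed.
"""
import hashlib
import json
from dataclasses import dataclass
from typing import List, Tuple

GENESIS = "0" * 64  # prev_hash of the first record


@dataclass(frozen=True)
class Entry:
    seq: int
    ts: str         # ISO-8601 UTC timestamp, supplied by the caller
    actor: str
    action: str     # e.g. "approve_transfer", "amend_policy"
    subject: str    # what was acted on: request id, policy version, ...
    prev_hash: str
    hash: str


def _digest(seq: int, ts: str, actor: str, action: str, subject: str, prev_hash: str) -> str:
    # Canonical encoding so identical fields always produce the identical hash.
    payload = json.dumps([seq, ts, actor, action, subject, prev_hash], separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


class AuditLog:
    def __init__(self) -> None:
        self.entries: List[Entry] = []

    @property
    def head(self) -> str:
        """Hash of the latest record; publish or escrow it with an outside party."""
        return self.entries[-1].hash if self.entries else GENESIS

    def append(self, ts: str, actor: str, action: str, subject: str) -> Entry:
        seq, prev = len(self.entries), self.head
        e = Entry(seq, ts, actor, action, subject, prev,
                  _digest(seq, ts, actor, action, subject, prev))
        self.entries.append(e)
        return e


def verify(entries: List[Entry], expected_head: str) -> Tuple[bool, str]:
    """Replay the chain; any edit, gap or truncation returns (False, reason)."""
    prev = GENESIS
    for i, e in enumerate(entries):
        if e.seq != i:
            return False, f"sequence gap at {i}"
        if e.prev_hash != prev:
            return False, f"chain broken at {i}"
        if _digest(e.seq, e.ts, e.actor, e.action, e.subject, e.prev_hash) != e.hash:
            return False, f"record {i} altered"
        prev = e.hash
    if prev != expected_head:
        return False, "head mismatch: log truncated or replaced"
    return True, "ok"


def history(entries: List[Entry], subject: str) -> List[Tuple[str, str, str]]:
    """Who did what, and when, to one subject."""
    return [(e.ts, e.actor, e.action) for e in entries if e.subject == subject]


def build_sample_log() -> AuditLog:
    """Constructed lifecycle of one transfer request (assumed data)."""
    log = AuditLog()
    log.append("2024-01-15T09:00:00Z", "alice", "request_transfer", "req-1001")
    log.append("2024-01-15T09:05:00Z", "bob", "approve_transfer", "req-1001")
    log.append("2024-01-15T09:07:00Z", "carol", "approve_transfer", "req-1001")
    log.append("2024-01-16T09:07:00Z", "system", "broadcast_transfer", "req-1001")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("head:", log.head)
    print("verify:", verify(log.entries, log.head))
    for row in history(log.entries, "req-1001"):
        print(*row)
```

The chain alone only proves internal consistency; it is the externally held head hash that lets an outside party tell a genuine log from one rebuilt after the fact. Hashing does not replace access control on the log store, it makes unauthorised changes visible rather than impossible.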
Continuity
Finally, custody must survive disruption. Key loss, personnel changes, vendor failure, and infrastructure outages are not edge cases; they are scenarios to plan for. Continuity controls — recovery procedures, redundancy, and tested incident response — determine whether an organization can recover access and operations without compromising the controls above in the process.
Key management answers how assets are held. Operational controls answer what happens when something goes wrong — and in custody, that second question is the one that decides whether an arrangement is genuinely defensible.