Stats
Actions
Tags
From grimoire
Controls or influences standards bodies, regulatory definitions, platform APIs, or analyst categories to make your competitive choices the required implementation.
How this skill is triggered — by the user, by Claude, or both
Slash command
/grimoire:apply-legitimacy-controlThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
Control or heavily influence the existing source of legitimacy in your market — the standards body, regulatory definition, platform API, or analyst category — so that your competitive choices become the required implementation and competitors must conform to your terms while appearing to follow a neutral authority.
Control or heavily influence the existing source of legitimacy in your market — the standards body, regulatory definition, platform API, or analyst category — so that your competitive choices become the required implementation and competitors must conform to your terms while appearing to follow a neutral authority.
Origin: In 195 AD, Emperor Xian of Han — the last emperor of the Han Dynasty — was a puppet, his court in chaos after years of warlord conflict. In 196 AD, Cao Cao brought the Emperor to Xu, established him under Cao Cao's protection, and reorganised the Han court under his own administrative control. Nominally, Cao Cao was the Emperor's chancellor — subordinate, loyal, serving. In practice, Cao Cao used imperial authority to issue edicts under the Emperor's seal: appointments, legitimisations, condemnations, campaigns. Warlords who resisted Cao Cao's orders were resisting the Emperor's commands — a position impossible to sustain with the Han court's remaining legitimacy. Cao Cao fought and won many battles, but the strategic mechanism underlying his two-decade dominance was not military — it was that he controlled the institution whose authority all other parties were forced to acknowledge. "Hold the Emperor, command the vassals" (奉天子以令诸侯) became the canonical description of the strategy: the vassal position maintained, the commanding authority exercised.
Adopted by: Legitimacy control is the mechanism behind the most durable market authority in technology and business. Microsoft's control of the ECMA/ISO standardisation of Office Open XML (2007) converted Microsoft's file format preferences into an international standard that government procurement officers worldwide were required to accept — competitors were not competing against Microsoft, they were competing against a standard. The GSMA's definition of what constitutes a "4G" network was drafted substantially by operators who then deployed the most compliant networks first — the standard encoded the incumbents' infrastructure choices as the required baseline. ANSI, IEEE, and W3C working groups are routinely structured so that the company that chairs the working group and contributes the most substantive drafts — contributions framed as neutral service to the industry — produces standards that encode that company's technical choices as the required implementation.
Impact: Direct authority is contestable — competitors can build better products, acquire resources, and challenge you directly. Legitimacy authority is structurally more durable because the cost of challenging it is not competing with you; it is competing with the institution that confers legitimacy. Challenging an ISO standard requires ISO process; challenging a regulatory definition requires regulatory advocacy; challenging a platform API requires building an alternative ecosystem. These are expensive, slow, and uncertain. The competitor who does not control the legitimacy source spends resources on compliance rather than differentiation.
Why best: The Cao Cao mechanism works because it is not perceived as self-serving. The Emperor was genuinely the Emperor; Cao Cao was genuinely the chancellor. The standard genuinely serves the market; the company genuinely contributes. The source of legitimacy must be real — a captured institution that is visibly a tool of one party loses its legitimacy and therefore its value. The discipline is to control genuine legitimacy genuinely, and exercise that control with enough restraint and service that the legitimacy is preserved rather than consumed.
Sources: Chen Shou, Records of the Three Kingdoms 三国志 — "Wu Di Ji" 武帝紀 (280–290 AD); Luo Guanzhong, Romance of the Three Kingdoms 三国演义 (~1400 AD); Porter, Competitive Advantage (1985); Shapiro & Varian, Information Rules (1999)
Every market has institutions whose outputs are treated as authoritative — not because of the institution's competitive merit, but because of its structural position. Identify all of them:
| Legitimacy source type | Examples | What it controls |
|---|---|---|
| Standards bodies | ISO, IEEE, IETF, W3C, ANSI | Technical implementation requirements |
| Regulatory definitions | FDA drug classifications, FCC spectrum allocation, SEC accounting rules | Legal compliance requirements |
| Analyst categories | Gartner Magic Quadrant, Forrester Wave | Enterprise buyer procurement framing |
| Platform APIs | Apple App Store guidelines, Google Play policies, AWS API standards | What third-party developers can build |
| Certification programs | SOC 2, PCI DSS, Common Criteria | What vendors must demonstrate to sell |
| Industry associations | Banking associations, medical device associations | Procurement standards and best practice definitions |
| Reference implementations | The dominant deployment that others measure against | What "correct" looks like technically |
Map all legitimacy sources in your specific market, including those that currently appear inactive or under-resourced — inactive legitimacy sources can be the most valuable because they are easier to shape before they become actively contested.
Not all legitimacy sources are equally valuable. The target legitimacy source is the one that, if controlled, produces the following outcome: competitors must conform to your choices to access the market, while appearing to conform to a neutral authority.
Evaluate each source by:
| Criterion | Question | Why it matters |
|---|---|---|
| Conformance requirement | Do market participants have to align with this source's outputs to operate? | Voluntary standards have less leverage than mandatory ones |
| Your contribution potential | Can you plausibly contribute substantively enough to shape the outputs? | Control requires contribution, not just membership |
| Current control status | Is the source currently dominated by a competitor? | Dominated sources require displacement; unoccupied sources can be entered |
| Legitimacy durability | Would control of this source be recognised as legitimate by the market? | Visible capture destroys the value of the source |
Prioritise sources that are conformance-mandatory, currently unoccupied or under-resourced, and where your genuine technical or domain contribution can plausibly be seen as service rather than capture.
Control of a legitimacy source is established through contribution, not declaration. The mechanisms:
Chair the working group or committee. The chair controls the agenda, the draft process, and the interpretation of consensus. Standards bodies operate by consensus, but the chair determines what the draft says and what objections require resolution. Achieve the chair through a combination of recognised contribution and political engagement with other members — the chair must be seen as legitimate by the working group, not imposed.
Write the first draft. In standards processes, the first draft sets the baseline. Subsequent edits are modifications to your framing, not substitutions of it. Draft contributors who write the first substantive document for a working group have disproportionate influence on the final standard because all other contributions are responses to their framing. Invest the engineering resources to write the first complete draft — it is the highest-leverage document in the process.
Fund the research that defines the category. Analyst firms, regulatory bodies, and academic institutions require funding to produce the research that defines market categories. Funding research does not purchase conclusions — but it does fund the production of conclusions that the funder's products are well-positioned to exemplify. Engage early with the researchers, provide access to implementation data, and participate in the framing of the research questions.
Host the certification program. A company that creates and administers the certification that proves compliance with a standard controls two things: what the certification requires (encoding the certifier's choices as requirements) and who is certified (determining who can claim compliance). Certifications that are adopted by procurement officers as shorthand for "safe to buy" are legitimacy sources of the highest value.
Once positioned in the legitimacy source, use the position to encode your technical choices, business model, and competitive positions as the required implementation:
The encoding must be plausible as neutral market service. "The standard requires X because X is technically superior" must be a defensible argument — not just a corporate preference. Standards that encode choices that have no technical justification are overturned. The discipline is to make genuinely good technical choices that happen to reflect your competitive position, then ensure those choices are encoded in the standard.
The legitimacy source retains its authority only if it is seen as genuinely serving the market rather than as captured by one party. Cao Cao maintained the Han court's institutional forms precisely because the court's legitimacy depended on those forms being intact.
The balance:
| What preserves legitimacy | What destroys it |
|---|---|
| Allowing competitors to participate in the process | Excluding competitors from the working group |
| Resolving genuine technical objections on their merits | Overriding objections by procedural manipulation |
| Publishing the standard as openly accessible | Restricting access to the standard's implementation |
| Administering certification transparently | Using certification to exclude competitors on pretextual grounds |
| Contributing more than you extract | Extracting benefits while contributing minimally |
The test: if the working group published a detailed account of how the standard was developed, would the market conclude the process was fair? If not, the legitimacy is at risk. Visible capture — when competitors can credibly claim the standard is controlled by one party for that party's benefit — destroys the legitimacy that makes the control valuable.
Monitor for capture risk. Competitors who build the case that the standard is captured are attempting to delegitimise the source itself — the response to the Cao Cao strategy is to attack the legitimacy of the Emperor, not to comply with Cao Cao's commands. When competitors begin arguing that the standard is unfair, respond by demonstrating genuine service, opening more of the process, and publishing the technical justifications for the choices the standard encodes.
Microsoft Office Open XML standardisation (2007–2008): Microsoft's Office file formats (DOCX, XLSX, PPTX) were proprietary — government procurement officers in multiple countries were adopting policies that required open standards, which threatened Microsoft's government contracts. Microsoft submitted OOXML to ECMA International, then sought ISO ratification. The process was controversial — critics argued Microsoft had packed national standards body committees with partners to secure the necessary votes. The standard was ultimately ratified (ISO/IEC 29500:2008). The outcome: Microsoft's file format choices became an international standard, enabling government procurement officers to tick the "open standard" checkbox while continuing to buy Microsoft products. Competitors who wanted to meet the government procurement requirement had to implement Microsoft's format — competing with Microsoft became conforming to Microsoft's choices.
GSMA 4G standard definition: The GSMA's definition of what qualifies as "4G" was developed through a process in which the largest mobile operators — whose infrastructure investment decisions had already been made — were the most substantive contributors. The standard encoded deployment parameters that the major operators' existing networks already met or were close to meeting. Smaller operators and new entrants faced a compliance threshold calibrated to the incumbents' already-deployed infrastructure. The "4G" label — which customers came to use as a shorthand for quality — was controlled by the incumbents through the standards process that defined it.
Platform API as legitimacy source: Apple's App Store Review Guidelines define what applications can do on iOS devices. These guidelines are framed as neutral safety and user protection requirements — and many of them genuinely serve user safety. They also encode Apple's business model choices as requirements: apps that compete with Apple's own services face guidelines that constrain their feature set in ways that Apple's own apps are not constrained. Developers who want to reach iOS users must conform to the guidelines — and conforming to the guidelines means operating within Apple's competitive choices. The legitimacy source is Apple's control of the platform; the "command" is the App Store Review Guidelines; the vassals are the 1.8 million developers who build within them.
SOC 2 as certification legitimacy control: SOC 2 (Service Organization Control 2) is an auditing standard developed by the American Institute of CPAs defining how cloud service providers must handle customer data. Enterprise buyers use SOC 2 compliance as a proxy for security and reliability — procurement officers who cannot evaluate a vendor's security architecture directly use SOC 2 as the shorthand for "safe to buy." The companies that shaped the original SOC 2 criteria through the AICPA process were the large cloud providers who had already implemented the required controls. New entrants must achieve SOC 2 compliance to enter the enterprise market — at a cost (audit fees, implementation) that the incumbents have already absorbed. The legitimacy source (the AICPA) is genuine; the control is exercised through contribution to the criteria that encode the incumbents' existing practices as the required baseline.
Attempting legitimacy control with a source the market does not recognise: Creating a new standards body, founding a new certification program, or commissioning a new analyst framework does not automatically create legitimacy — legitimacy is conferred by the market's recognition, not by institutional formation. New legitimacy sources require years of market adoption before they have authority. The Cao Cao strategy requires controlling an existing Emperor, not creating a new one.
Visible capture: When the process by which the legitimacy source reaches its outputs becomes publicly associated with one party's preferences, competitors have the argument they need to delegitimise the source. The market authority of the standard depends on the perception of neutrality — losing that perception eliminates the competitive advantage and replaces it with a reputational liability.
Encoding choices without technical merit: Requirements that cannot be justified on neutral grounds will be challenged by competitors with both the standards body and the market. Standards that encode technical choices without defensible merit are eventually revised or circumvented. The choices encoded must be genuinely better choices that happen to reflect your competitive position.
Ignoring the maintenance requirement: Legitimacy sources require ongoing contribution and genuine service to maintain their authority. A company that achieves a standards body chair and then reduces its contribution will lose the chair to a more active contributor. The control requires ongoing investment — not just the initial positioning.
Using the legitimacy source for extraction without service: The source can be used to advantage yourself at competitors' expense; it cannot be used to disadvantage the market without consuming the legitimacy that makes the control valuable. A certification program that becomes a gatekeeping mechanism without genuine market benefit will be replaced by a competitor certification or simply rejected by buyers.
npx claudepluginhub jeffreytse/grimoire --plugin grimoireEnlists third parties with aligned interests to attack targets you cannot directly engage due to political, legal, or resource constraints.
Analiza el nicho de mercado del proyecto para inyectar conocimientos, regulaciones y estándares únicos del sector. Activar tras definir el nicho.
Guides strategic positioning to make yourself or your product hard to compete with, using Sun Tzu and Porter's competitive theory. Useful for competitive strategy, moat-building, and market positioning.