Abstract

The United States government’s 2024-2025 guidance urging migration away from memory-unsafe languages represents an existential challenge to C++. This paper analyzes WG21’s response through the framework of Great Founder Theory, examining whether the committee’s governance structure—designed for stability and consensus—can execute the rapid, coherent adaptation required to address regulatory pressure. By comparing WG21’s federated model to governmental structures and examining the fate of Sean Baxter’s Safe C++ proposal, we identify fundamental tensions between deliberative consensus and decisive action. We conclude with predictions for C++ safety outcomes and governance reforms that might improve the committee’s capacity for institutional renewal.

1. Introduction: An Unprecedented Threat

In February 2024, the White House Office of the National Cyber Director issued guidance urging software manufacturers to transition away from memory-unsafe languages. By October 2024, CISA and the FBI formalized this position in their “Product Security Bad Practices” report, establishing January 2026 as the deadline for manufacturers to produce memory safety roadmaps. The claimed justification is stark: approximately 70% of CVEs at major technology companies trace to memory safety violations, and 75% of CVEs exploited in active attacks are memory safety flaws.

Bjarne Stroustrup, C++ creator, characterized this as “unprecedented, serious attacks on C++.” His language is instructive—not merely “challenges” or “criticism” but attacks, suggesting existential stakes. The C++ committee now faces a coordination problem that its governance structure was never designed to solve: responding coherently and rapidly to external pressure that demands fundamental language evolution.

This paper applies Samo Burja’s Great Founder Theory to analyze WG21’s institutional capacity for adaptation. The theory provides frameworks for understanding why institutions succeed or fail at critical junctures—frameworks particularly relevant when examining whether a standards body designed for deliberation can execute crisis response.

2. Great Founder Theory: Core Frameworks

Great Founder Theory posits that functional institutions are exceptions, not the rule. Most organizations are “poorly-run social clubs maintaining appearances,” with genuine functionality traceable to skilled founders who designed appropriate social technologies. Several concepts from this framework illuminate WG21’s situation.

2.1 Live Players vs. Dead Players

A live player is a person or coordinated group capable of doing things not done before—adapting to novel circumstances rather than following established scripts. A dead player operates from precedent, incapable of genuine novelty. Live players require both tight coordination and living traditions of knowledge.

The distinction matters because existential challenges demand live player responses. An institution following established procedures when those procedures are inadequate will fail regardless of how earnestly participants follow the rules.

2.2 The Succession Problem

Institutional continuity requires transferring both skill (competence) and power (control). Failure in either dimension causes institutions to become dead players “on autopilot.” The Roman emperors solved this through adult adoption—selecting successors based on demonstrated capability rather than hereditary accident.

For standards bodies, succession operates at multiple levels: individual leadership, institutional knowledge, and design vision. When founders age without transferring both their understanding and their authority, institutions lose capacity for adaptation.

2.3 Borrowed vs. Owned Power

Borrowed power derives from positions that can be revoked—committee chairs, voting membership, procedural authority. Owned power cannot easily be taken: expertise, relationships, implementations, user bases. The distinction matters because borrowed power holders following scripts differ fundamentally from owned power holders who can shape institutional direction.

2.4 Empire Dynamics

Burja models coordinated groups as empires with High (central authority), Mid (can challenge High), and Low (can challenge Mid) power classes. The critical dynamic is High-Mid tension: High must distribute resources to prevent Mid challenges while maintaining coordination. Without expansion—new compelling achievements that align interests—coordination degrades.

For WG21, this suggests that without delivering features the community finds compelling, the committee loses legitimacy. When the community perceives the committee as failing to address genuine needs, alternative power centers (compiler vendors, language competitors) gain relative authority.

3. WG21 Governance Structure

3.1 The ISO Model

WG21 operates within ISO’s international standardization framework. Formal authority resides with national body representatives from 25+ countries, who vote on changes to the working draft. The structure is explicitly federated—no single person or organization controls outcomes.

The committee’s internal organization comprises:

• Convener (currently Guy Davidson): Chairs plenary, determines consensus, but cannot unilaterally impose decisions

• Study Groups: Domain-specific working groups (SG1 Concurrency, SG23 Safety, etc.)

• Evolution Working Groups: EWG (language) and LEWG (library) filter proposals

• Core Working Groups: CWG and LWG handle specification wording

• Plenary: Final approval by national body vote

Proposals navigate this pipeline through iterative refinement. Papers commonly undergo 15+ revisions over multiple years before reaching plenary. The process is designed to produce thoroughly vetted specifications that achieve broad consensus.

3.2 Comparison to Governmental Structures

The WG21 model resembles a legislature far more than an executive. Where executive branches concentrate authority for rapid action—the President can issue executive orders, deploy military forces, respond to crises within hours—legislatures deliberate. Congress passes legislation through committee hearings, floor debate, conference committees, and bicameral reconciliation. The process is slow by design, preventing hasty action while enabling broad input.

WG21 is even more deliberative than most legislatures. It lacks:

• Executive authority: No one can mandate emergency action

• Majority rule: Consensus, not 51%, is required

• Unified hierarchy: National bodies are sovereign equals

• Term limits or elections: Key positions persist without regular renewal

The absence of executive function means WG21 has no mechanism for rapid response. When the White House issues guidance in February 2024 establishing January 2026 deadlines, WG21 cannot convene emergency sessions with binding authority. It can only continue its established three-meetings-per-year cadence, working through existing proposal pipelines.

This is not inherently dysfunctional. Legislatures serve different purposes than executives. The U.S. Constitution deliberately separates these powers, recognizing that lawmaking benefits from deliberation while crisis response demands unity of command. Problems arise when an institution designed for one purpose faces challenges requiring the other.

3.3 Strengths of the Deliberative Model

WG21’s structure provides genuine advantages:

International legitimacy: ISO standardization carries weight that no single company’s language specification could match. Governments, procurement processes, and safety-critical industries defer to ISO standards.

Vendor neutrality: No single company—not Microsoft, not Google, not Apple—can control C++ evolution. The federated structure prevents capture by any commercial interest.

Thorough technical review: Multi-year proposal refinement catches design flaws before they become permanent language features. The concepts saga, while painful, ultimately produced a more coherent feature than the C++0x attempt.

Stability: Backward compatibility receives systematic attention. Code written to previous standards continues working. This stability is genuinely valuable for systems expected to operate for decades.

Transparency: Meeting minutes, paper proceedings, and discussion records are publicly accessible. Anyone can trace how decisions were made and why.

These strengths explain why WG21 has produced a language used in operating systems, databases, browsers, games, embedded systems, and scientific computing. The model works for normal evolution of a mature language.

4. The Safety Crisis: Governance Under Stress

4.1 The Nature of the Threat

The government memory safety initiative represents a different category of challenge than WG21 has historically faced. Previous debates—concepts, modules, coroutines—concerned how to add features, not whether C++ would remain viable. The safety mandate questions C++’s fundamental fitness for continued use in critical infrastructure.

The timeline is particularly acute. CISA guidance establishes January 2026 for roadmap publication and January 2030 for implementation milestones. WG21’s standard release schedule is:

• C++26: Feature-complete June 2025, publication ~2026

• C++29: Feature-complete ~2028, publication ~2029

This means the committee had essentially one release cycle (C++26) to respond substantively before the 2026 roadmap deadline. C++26 is now feature-complete. It includes reflection. It does not include comprehensive memory safety features. Profiles did not make C++26. Contracts, after years of contentious development, were added to the working draft in February 2025 but remain controversial.

4.2 WG21’s Response: Profiles vs. Safe C++

The committee considered two primary approaches to memory safety:

Profiles (P2687, P2816, P3465): Stroustrup and Dos Reis proposed static analysis rules enforced by compiler annotations. The approach aims for incremental adoption within existing C++ semantics—a “subset of superset” that restricts unsafe patterns without new language features.

Safe C++ (P3390): Sean Baxter proposed Rust-style borrow checking with lifetime parameters, safe/unsafe function coloring, and a new safe reference type system. The approach requires fundamental language additions but provides compile-time safety guarantees.

At the November 2024 Wrocław meeting, SG23 voted 19:11:6:9 (Profiles : Both : Neutral : Safe C++). Profiles became the preferred direction. By September 2025, Safe C++ work within ISO was formally discontinued.

4.3 The Governance Dynamics

The Profiles vs. Safe C++ outcome illustrates several Great Founder Theory patterns:

Founder influence: Stroustrup advocated strongly for Profiles. At ~75 years old, he remains the language’s most influential voice. His criticism that Safe C++ would eliminate “almost all good/safe C++ code” carried weight that no newcomer’s endorsement could counterbalance.

Borrowed vs. owned power: Baxter possessed extraordinary technical capability—Circle represents ~316,000 lines of clean-room C++ compiler implementation, a feat few individuals have accomplished. But he lacked committee position, established relationships, or national body representation. His owned power (implementation expertise) could not overcome his lack of borrowed power (procedural standing).

Process momentum: EWG design principles (P3446R0) stated that “safe or pure function annotation that has the semantics that a safe or pure function can only call other safe or pure functions” should be avoided. This principle directly conflicts with Rust’s function coloring model—the core mechanism Safe C++ adopted. The principle existed before Safe C++ was proposed, demonstrating how established process can preempt novel approaches.

Consensus dynamics: Safe C++ required fundamental language changes. Profiles promised incremental adoption. In a consensus-driven body, incremental approaches have structural advantages—they require less agreement on less change.

5. Community Response and the Legitimacy Problem

5.1 Reception of the Committee’s Decision

The decision to prefer Profiles generated significant community skepticism. Representative positions include:

Technical criticism: Baxter’s “Why Safety Profiles Failed” document argues that Profiles cannot work without language changes that Profiles specifically avoids. Without lifetime information in function signatures, the compiler cannot verify aliasing constraints. Without safe/unsafe distinction, safety cannot be transitively enforced. The criticism is that Profiles addresses symptoms while Safe C++ addresses causes.

Cultural diagnosis: Hacker News commentary repeatedly emphasized that “the big thing Rust has that C++ does not is safety culture.” Multiple observers argued that technical proposals matter less than committee willingness to prioritize safety—and that the Profiles preference demonstrates unwillingness.

Timeline concerns: By September 2025, Profiles had no specification or implementation, yet Safe C++ had a working compiler demonstrating its approach. The preference for a paper proposal over a functioning implementation struck some observers as irrational.

Process frustration: Erich Keane’s statement that Baxter “is completely welcome to continue the effort” was received skeptically given that the committee had just voted against Safe C++’s direction. The invitation to continue appeared hollow when fundamental design principles (function coloring) conflicted with Safe C++’s architecture.

5.2 The Legitimacy Gap

Great Founder Theory emphasizes that institutional prestige outlives institutional health. WG21 retains formal authority over C++ standardization, but its legitimacy—the community’s acceptance of that authority—depends on perceived effectiveness.

The safety debate exposed a legitimacy gap. Community perception increasingly diverges from committee action:

• Many practitioners view Rust’s safety model as proven and Safe C++’s adaptation as sensible

• The committee preference for an unimplemented proposal over a functioning alternative appeared to prioritize internal dynamics over external reality

• Stroustrup’s continued influence, while technically justified, raises succession concerns—what happens to C++ direction when he is no longer active?

This gap matters because, unlike governments, WG21 cannot compel compliance. Compiler vendors can implement extensions. Projects can migrate to Rust. Developers can vote with their feet. WG21’s power is ultimately consensual, derived from community acceptance rather than legal mandate.

6. Great Founder Theory Analysis

6.1 Is WG21 a Live Player?

The critical question is whether WG21 can do things not done before—can it adapt to novel circumstances rather than following established scripts?

Evidence for live player status:

• C++11 represented dramatic modernization after a decade of stagnation

• C++20 shipped four major features (concepts, ranges, coroutines, modules) simultaneously

• The committee continues meeting, producing standards, incorporating major features

Evidence for dead player status:

• Multi-year delays are routine (concepts: 2011-2020, contracts: ongoing since 2015)

• Last-minute reversals indicate internal coordination failure (contracts C++20)

• Response to safety pressure has been reactive rather than proactive

• Established procedures continue regardless of external urgency

The mixed evidence suggests WG21 exists in an intermediate state—still functioning, but with diminished capacity for novel action. The committee follows its procedures earnestly, but following procedures when procedures are inadequate is a dead player characteristic.

6.2 The Succession Problem

Stroustrup (born 1950) and Sutter (born ~1967) have led C++ evolution for decades. Both remain active, but both will eventually step back. No clear successors have emerged with comparable authority.

This matters because living knowledge—understanding not just what to do but why—transfers through apprenticeship relationships. If Stroustrup’s generation departs without transferring both their knowledge (how to design languages) and their power (authority to set direction), WG21 loses capacity for coherent evolution.

The Baxter episode illustrates the succession challenge. Here was someone with demonstrated capability—building a complete C++ compiler with novel features—offering a path forward on the committee’s most pressing challenge. The committee’s response was to prefer an established figure’s proposal (Profiles) over the newcomer’s working implementation. Whatever the technical merits, this pattern does not suggest effective succession.

6.3 Empire Without Expansion

Burja argues that empires need expansion to align High-Mid interests. Without new achievements that benefit all levels, coordination degrades into internal competition.

For WG21, “expansion” means delivering features the community finds compelling. C++11 was expansionary—it renewed community enthusiasm and attracted new developers. C++23, by contrast, was incremental. C++26, despite reflection, arrives without the safety features that external pressure makes urgent.

When the committee cannot deliver on community priorities, alternative power centers gain relative standing. Rust’s growing adoption represents expansion by a competitor while C++ stagnates on safety. Compiler vendors (owned power through implementation) gain relative authority against the committee (borrowed power through procedure). The empire’s failure to expand undermines its internal coordination.

6.4 Bureaucratic Autopilot

Burja describes bureaucracies as “automated systems of people” that function when owned by someone who can shape them, but become ineffective when abandoned. Effective bureaucracy requires someone with authority to break rules when rules fail.

WG21’s procedural structure operates with high automation—papers navigate established pipelines regardless of author, urgency, or external context. But no one appears to own the bureaucracy in the sense of having authority to override procedures when circumstances demand. The convener determines consensus but cannot mandate direction. National bodies are sovereign equals without hierarchy. Study groups recommend but cannot compel.

This creates a coordination structure without a coordinator. Everyone follows rules; no one can change rules when rules fail. The contracts saga—years of work reversed at the last minute, then restarted from scratch—exemplifies procedural inertia without purposeful direction.

7. Predictions: How Safety Will Be Resolved

Based on the governance analysis, several outcomes appear probable:

7.1 Profiles Will Not Provide Comprehensive Safety

Baxter’s technical critique—that Profiles require language changes Profiles specifically avoids—appears sound. Without lifetime annotations in function signatures, compilers cannot verify borrowing constraints. Without safe/unsafe distinction, safety cannot be transitively enforced. Profiles may catch some error patterns through local analysis, but they cannot provide the guarantees that Rust provides.

This prediction is testable. If Profiles ships in C++29 or C++32, its real-world effectiveness can be measured against Rust or Safe C++. The bet here is that Profiles will reduce some CVE categories but not achieve the dramatic reductions that justified government mandates.

7.2 C++ Will Bifurcate

The language will likely split into:

• Critical infrastructure C++: Increasingly restricted subsets, possibly vendor-specific, with additional tooling and process requirements—MISRA-like constraints expanded for memory safety

• Legacy C++: Existing codebases that cannot migrate, maintained with declining resources as new development shifts elsewhere

• Greenfield development: Increasingly uses Rust, Go, or other memory-safe alternatives for new projects

This bifurcation already exists informally. The government mandates formalize it, requiring organizations to document which category their code occupies and their plans for evolution.

7.3 Compiler Vendors Will Lead

The parties with owned power—GCC, Clang, MSVC implementers—will likely drive practical safety evolution. They can ship extensions without committee approval. They can implement Profiles (if Profiles works), Safe C++ (if interest revives), or novel approaches the committee hasn’t considered.

Microsoft already rewrites firmware in Rust. Google reports declining Android vulnerabilities as Rust adoption increases. These organizations have both capability and incentive to solve safety problems regardless of committee direction. If WG21 cannot lead, vendors will.

7.4 Stroustrup’s Departure Will Create Crisis

At some point, Stroustrup will no longer participate actively. His departure will create a succession vacuum—not merely losing one voice, but losing the voice whose authority could set direction when others disagreed.

The committee has not prepared for this transition. No process exists for selecting a successor with comparable authority. The most likely outcome is fragmentation, with multiple figures claiming influence but none able to coordinate coherent evolution.

7.5 Timeline Estimates

• 2026-2028: Profiles ships in some form, receives mixed reception, fails to satisfy government requirements comprehensively

• 2028-2032: Growing pressure forces reconsideration; possibly Safe C++ revival or alternative approach

• 2030-2035: Either C++ achieves genuine safety story (through whatever mechanism) or cedes critical infrastructure to alternatives

The ten-year window matters because government mandates, while non-binding, shape procurement and liability. Organizations that cannot demonstrate memory safety face increasing regulatory and insurance pressure. C++ either addresses this or loses market categories.

8. Governance Reform Proposals

The analysis suggests WG21’s structure is mismatched to its current challenge. Reforms that might improve institutional capacity for adaptation include:

8.1 Executive Function: Create a Technical Director Role

Currently, no one has authority to set priorities when consensus fails. A Technical Director, appointed by national bodies with a defined term, could:

• Declare topics requiring expedited attention

• Break ties when working groups deadlock

• Commission experimental implementations before standardization

• Represent the committee to external stakeholders

This introduces hierarchy into a federated structure—a significant change. But the alternative is continued inability to respond to urgent challenges within meaningful timeframes.

The role would need constraints: perhaps national bodies could override director decisions by supermajority, or the director could only prioritize (not approve) proposals. The goal is executive capacity without executive capture.

8.2 Implementation Requirements Before Standardization

The contracts saga—standardizing a feature, then removing it, then restarting—demonstrates the cost of paper standardization. Requiring working implementations (in at least two compilers) before plenary vote would:

• Validate that proposals actually work

• Reveal implementation concerns earlier

• Prevent momentum from pushing unready features

Safe C++ had a working implementation; Profiles did not. Under this rule, Safe C++ would have had procedural advantage rather than disadvantage.

8.3 Expedited Track for Existential Threats

External pressure (government mandates, security vulnerabilities, competitor erosion) should trigger faster processes than normal feature evolution. An expedited track might:

• Reduce required revisions for proposals addressing declared emergencies

• Enable provisional standardization (Technical Specifications) that can be revised more easily

• Allow working group chairs to advance proposals without full SG consensus

This trades thoroughness for speed—a reasonable tradeoff when the alternative is irrelevance.

8.4 Term Limits for Key Positions

Long-serving leadership enables institutional memory but impedes renewal. Term limits for:

• Convener (perhaps 6-year maximum)

• Working group chairs (perhaps 4-year maximum)

• Study group chairs (perhaps 4-year maximum)

...would force succession planning and open positions to new participants. The PyTHon Steering Council’s regular elections provide a model: not BDFL permanence, not constant churn, but regular renewal.

8.5 Rising Elite Integration

Great Founder Theory emphasizes that reform requires rising elites who understand power dynamics and can navigate existing structures. WG21 should actively cultivate next-generation leaders through:

• Mentorship programs pairing established figures with promising newcomers

• Reserved positions (perhaps non-voting) for implementers under 35

• Explicit succession planning for current leadership

Baxter possessed exceptional capability but lacked institutional integration. A healthier institution would have recruited him years ago, giving him standing to advocate from within rather than proposing from outside.

8.6 Formal Sunset and Revision Mechanisms

Once features ship, correction is “nearly impossible” (requiring navigation through SG → EWG → LEWG → LWG → plenary). Establishing formal mechanisms for:

• Defect correction (faster than current process)

• Deprecation with removal timelines (not just eternal deprecated state)

• Post-standardization revision based on implementation experience

...would reduce the cost of shipping imperfect features and increase willingness to try novel approaches.

9. Conclusion: The Institutional Choice

WG21 faces a choice that Great Founder Theory frames starkly: adapt or decline. The committee’s governance structure—designed for stability, consensus, and thorough review—now confronts challenges requiring speed, decisiveness, and coherent vision. The structure that produced C++11’s renaissance may be inadequate for C++26’s survival.

The Safe C++ episode illustrates the problem. A technically capable outsider offered a working solution to the committee’s most pressing challenge. The committee preferred an insider’s paper proposal. Whatever the technical merits of that choice, the governance dynamics—borrowed power over owned power, procedure over implementation, established relationships over demonstrated capability—suggest an institution following scripts rather than adapting to circumstances.

This is not a moral failing. The individuals involved are earnest, capable, and working hard. But institutions can fail despite individual virtue when their structures misalign with their challenges. A legislature cannot fight wars. A committee cannot respond to crises. WG21 is a committee facing a crisis.

The predictions here are pessimistic: Profiles probably will not work comprehensively, C++ will probably bifurcate, compiler vendors will probably lead where the committee cannot, and Stroustrup’s eventual departure will probably create succession crisis. These outcomes are not inevitable, but they are probable given current governance dynamics.

Reform is possible. Executive function, implementation requirements, expedited tracks, term limits, rising elite integration, and revision mechanisms could improve institutional capacity. Whether WG21 will adopt such reforms—whether it can reform itself—remains uncertain. Institutions rarely reform absent crisis, and by the time crisis is undeniable, reform may be too late.

Great Founder Theory suggests that functional institutions are rare and that most organizations persist through inertia and prestige after their core functionality degrades. WG21 retains enormous prestige—ISO standardization, decades of successful releases, massive installed base. Whether it retains functionality adequate to its current challenge is the question this paper has tried to illuminate.

The answer will become clear over the next decade. Either C++ achieves a genuine safety story—through Profiles, Safe C++ revival, vendor extensions, or approaches not yet imagined—or it cedes critical infrastructure to alternatives. The committee’s governance choices over the next few years will substantially determine which outcome obtains.

References

• Burja, Samo. Great Founder Theory. 2020.

• Baxter, Sean. “Why Safety Profiles Failed.” circle-lang.org/draft-profiles.html.

• P3390R0. “Safe C++.” safecpp.org/P3390R0.html.

• P2687R0. “Design Alternatives for Type-and-Resource Safe C++.” Stroustrup, Dos Reis.

• P3651R0. Stroustrup. (Call to defend C++.)

• White House ONCD. “Back to the Building Blocks.” February 2024.

• CISA/FBI. “Product Security Bad Practices.” October 2024.

• Sutter, Herb. “Trip Report: WG21 November 2024 (Wrocław).”