What Happened
In May 2026, Kickstarter updated its mature content guidelines. The new rules prohibited implied sex acts, photo-realistic nudity, and sexually derogatory themes. Categories broad enough to threaten indie comics, tabletop RPGs, and art books that had funded successfully on the platform for years.
Within a week, Kickstarter's COO Sean Leow acknowledged the company had "botched it" and reverted to its previous rules. But the reversal included a revealing admission: the restrictions had been driven by Stripe, Kickstarter's payment processor. Campaigns that Kickstarter approved were being suspended weeks later when Stripe's compliance review flagged them. The platform was caught between its community and its payment infrastructure.
This was not an isolated incident. In 2025, Steam and Itch.io removed large numbers of adult-themed games following similar pressure from banking partners and payment processors. The pattern was consistent: platforms modifying content policies not because of internal decisions, but because upstream financial infrastructure demanded it.
The Real Issue: Dependency Governance
Dependency governance describes situations where infrastructure providers, including payment processors, cloud providers, app stores, or AI platforms, indirectly shape the policies and operational decisions of the platforms built on top of them.
This is different from government regulation and different from platform self-regulation. Dependency governance emerges from the operational and contractual relationships between platforms and the infrastructure they cannot easily replace.
It operates through terms of service, acceptable use policies, restricted business lists, and compliance requirements that flow downstream. A payment processor's restricted categories become a crowdfunding platform's content rules. A cloud provider's acceptable use policy becomes a SaaS company's operational boundary. An app store's commission structure becomes a subscription product's pricing constraint.
Where Dependency Governance Operates
Payment Infrastructure
Stripe's restricted business list governs what its merchants can sell. ConductAtlas tracks 5 Stripe governance documents and has recorded 7 policy events. Stripe's terms include provisions for reserve requirements, fund holds, and unilateral payment suspension, giving it effective authority over platform operations well beyond transaction processing.
The specific provisions are striking. Stripe's services agreement authorizes reserves of up to 100% of a merchant's transaction volume, held for as long as Stripe determines necessary. It can terminate accounts at any time for any reason. These are not edge cases in the fine print. They are the contractual foundation of the relationship between Stripe and every platform that depends on it for payments.
Visa and Mastercard's network rules add another layer above Stripe, creating a chain where card networks govern processors, processors govern platforms, and platforms govern creators. The Kickstarter situation made this chain visible. Most of the time it operates without public awareness.
Cloud and AI Infrastructure
AWS, Google Cloud, and Azure provide the compute layer most internet services run on. Their acceptable use policies and service agreements establish operational boundaries that downstream companies inherit. AWS Bedrock's terms include noncancellable reserved capacity commitments and input data retention provisions of up to 60 days. Any company building on Bedrock absorbs these constraints into its own compliance profile.
As companies build products on third-party AI models and APIs, this creates nested governance: a single product simultaneously governed by its own terms, its cloud provider's AUP, its AI provider's usage policies, its payment processor's restricted business list, and the card network rules above all of them.
App Distribution
Apple's App Store Review Guidelines and Google Play's Developer Program Policies function as governance systems for every mobile application. They determine what apps can do, how they can charge, what content they can display, and how they handle user data. Apps that violate these guidelines are removed from distribution. The infrastructure provider's governance is enforced through access to the platform itself.
Why Companies Enforce Upstream Governance
Infrastructure providers do not impose restrictions arbitrarily. Payment processors operate under legal obligations shaped by card networks, banking regulations, and anti-money-laundering requirements. Cloud providers face liability exposure from content hosted on their infrastructure. App stores are subject to regulatory scrutiny in multiple jurisdictions.
Governance flows downward through dependency chains. Each layer adds constraints, and each downstream platform must comply not only with its own policies and applicable law, but with the accumulated requirements of every infrastructure provider in its stack. This is not inherently harmful. The problem is not that dependency governance exists, but that it is largely invisible, poorly documented, and difficult for affected businesses to track.
What This Means for Businesses
Policy propagation. When an infrastructure provider updates its terms, every dependent platform must evaluate and potentially adjust its own policies. This happens continuously across payment, cloud, distribution, and AI layers, often without public notice.
Operational disruption. Kickstarter campaigns suspended mid-funding. Payment holds triggered without warning. API access revoked for acceptable use violations. These are documented events that affect real businesses and real revenue.
Compliance inheritance. Organizations effectively comply with the policies of every infrastructure provider in their stack, whether or not they have read those policies or been notified of changes.
Governance opacity. End users rarely see the upstream dependencies shaping their experience. A creator on Kickstarter sees Kickstarter's rules. They do not see Stripe's restricted business list, or the card network requirements above Stripe, unless a suspension makes those layers visible.
Timeline: Payment Processor Governance Events
| Date | Event | Impact |
|---|---|---|
| 2025 | Steam and Itch.io remove adult-themed games following payment processor and banking partner pressure | Thousands of games delisted across both platforms |
| May 11, 2026 | Kickstarter publishes new Mature Content Creator Guide with stricter content restrictions | Indie comics, TTRPG, and art book creators face campaign eligibility uncertainty |
| May 2026 | Kickstarter COO confirms Stripe was suspending approved campaigns mid-funding | Payment processor revealed as de facto content governance layer |
| May 19, 2026 | Kickstarter reverses content restrictions, reverts to previous guidelines | Platform acknowledges restrictions were "too far removed from what we actually believe" |
What You Can Do
Audit your infrastructure dependencies. Identify every payment processor, cloud provider, app store, and AI platform your business relies on. For each one, locate their terms of service, acceptable use policy, and restricted business list.
Read the restricted business lists. Stripe, PayPal, Square, and Adyen all maintain lists of restricted or prohibited business categories. If your business operates near the boundaries of any category, you have dependency governance exposure.
Monitor upstream policy changes. Infrastructure providers update terms regularly without prominent downstream notice. A change to your payment processor's acceptable use policy can affect your business before you know it happened.
Build contractual awareness. When evaluating infrastructure providers, review governance terms alongside pricing and features. Reserve authority, fund hold provisions, and unilateral termination clauses define the actual governance relationship.
Active Monitoring
ConductAtlas is actively tracking governance changes across the infrastructure providers discussed in this analysis:
- Stripe terms of service, restricted business list, and payment processing agreements
- AWS acceptable use policy, Bedrock service terms, and data processing agreements
- Apple App Store Review Guidelines and developer program policies
- Google Cloud terms of service and acceptable use policy
- Visa and Mastercard network rules and merchant compliance requirements
Browse all 343 tracked platforms and infrastructure providers
Primary Sources
Stripe governance documents (5 documents archived by ConductAtlas)
AWS governance documents (archived by ConductAtlas)
Apple governance documents (archived by ConductAtlas)
Google Cloud governance documents (archived by ConductAtlas)
Stripe Restricted Businesses List (external)
Most internet businesses do not operate independently. They operate inside layered systems of infrastructure governance that can change without notice. As dependency chains deepen across payments, cloud infrastructure, AI, and app distribution, governance increasingly flows through operational relationships rather than direct regulation alone. Understanding those layers, and tracking how they change, is no longer optional.