This paper develops a general theory of recursive governance to explain how emerging technologies erode institutional authority not through their capabilities but through the dependencies they create. As the paper states, “organisations progressively become dependent upon capabilities, measurements, models, and assertions that they can no longer independently reproduce, validate, or meaningfully challenge”. The work introduces a structural progression: capability, dependency, trust, governance, concentration and derives five constructs from it: Recursive Trust, Recursive Assurance, Measurement Sovereignty, Governance Sovereignty, and Recursive Risk. The central argument is that governance failure arises not from technology itself but from sovereignty reducing dependency: conditions of opacity, non reproducibility, non substitutability, and unchallengeability that transfer authority over evidence, validation, and assurance outside the institution. As noted in the paper, “the significance of a capability should be measured not only by what it can achieve, but by the dependencies it creates and the concentration pressures that emerge as adoption increases”. The Quantum Cyber Risk Framework (QCRF) is presented as the operationalisation of this theory, using quantum technologies as the proving ground because they expose sovereignty loss earlier and more sharply than prior domains. The framework includes a recursive governance architecture, capability model, and assessment scaffold, and advances two theses: the Recursive Governance Thesis and the Sovereignty Thesis. The paper positions its contribution within the cybernetics and systems governance tradition, arguing that classical governance theory assumes stable institutional authority over its own recursive mechanisms, an assumption no longer valid under modern technological dependency.