Every Azure environment I have seen that started well-governed has drifted without active maintenance. Not catastrophically — drift is subtle. A policy exemption that was meant to be temporary and was never reviewed. A resource group created outside the landing zone for “just this one project.” Individually, none of these are a crisis. Cumulatively, they are the difference between a governed environment and a compliant-looking one.
Related governance foundations: Drift prevention assumes you have a solid governance foundation to maintain. See Azure Landing Zones: What They Are and Why Getting Them Wrong Is Expensive to Fix and Why Azure Governance Fails Before Anyone Writes a Policy to understand the structural prerequisites for preventing decay.
What Governance Drift Looks Like
Four visible signals indicate that an environment is drifting:
- Compliance score degrading over time — new policies are being violated faster than they are being remediated.
- Exemption list growing continuously — more resources opted out of governance over time.
- RBAC assignment count increasing without bound — access being granted without a corresponding review and removal process.
- Resources appearing outside managed resource groups — ad hoc deployments that bypass the IaC process.
The Main Vector of Decay: In my experience, the #1 cause of drift isn’t a lack of knowledge—it’s the Emergency Portal Fix. A production issue occurs, an engineer fixes it manually in the portal to get the service back online, and then they simply forget to backport that change into the Bicep code or the CI/CD pipeline. The environment is now “different” from its source code. The next time the pipeline runs, it either overwrites the fix (causing a new outage) or fails entirely. This “temporary” manual intervention is how the decay starts.
The Common Drift Vectors
Exemption accumulation is structurally damaging. The root cause is exemption creation without expiry dates. An exemption without an expiry date is a permanent carve-out from governance that nobody reviews.
IaC bypass accumulates when the IaC path has too much friction. If the Bicep/CI/CD process takes three days but the portal takes three minutes, engineers will choose the portal during a crisis every single time.
Policy version lag is the least visible vector. The policy set that was correct eighteen months ago reflects the requirements of eighteen months ago. The dashboard continues to show a high compliance score because the policies being evaluated are the old ones.
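The IaC bypass vector above is detectable from two lists you already have: the subscription's resource inventory and what the pipeline last deployed. The script below is an added example (my code, not from the original post). It assumes an inventory in the shape of `az resource list -o json` (keys `id`, `type`, `resourceGroup`, `tags`), a set of resource IDs collected from the last IaC run, and a `managed-by` tag convention; all of the data is constructed and the subscription ID is a placeholder.

```python
"""Detect resources that exist only in the portal (IaC bypass).

Added example; not from the original post. It assumes two inputs:
  - an inventory in the shape of `az resource list -o json`
    (keys id, type, resourceGroup, tags): constructed sample below;
  - the set of resource IDs the last IaC run deployed; how you collect it
    (deployment outputs, what-if, state file) depends on your pipeline.
"""

# Constructed data: placeholder subscription ID, realistic ARM ID layout.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"

INVENTORY = [
    {   # deployed by the pipeline and tagged as such: no drift
        "id": f"{SUB}/resourceGroups/rg-lz-prod/providers/Microsoft.Storage/storageAccounts/stprod01",
        "type": "Microsoft.Storage/storageAccounts",
        "resourceGroup": "rg-lz-prod",
        "tags": {"managed-by": "bicep", "env": "prod"},
    },
    {   # the "emergency portal fix": right resource group, never backported to Bicep
        "id": f"{SUB}/resourceGroups/rg-lz-prod/providers/Microsoft.KeyVault/vaults/kv-prod-hotfix",
        "type": "Microsoft.KeyVault/vaults",
        "resourceGroup": "rg-lz-prod",
        "tags": {"env": "prod"},
    },
    {   # "just this one project": resource group created outside the landing zone
        "id": f"{SUB}/resourceGroups/JustThisOneProject/providers/Microsoft.Web/sites/app-demo",
        "type": "Microsoft.Web/sites",
        "resourceGroup": "JustThisOneProject",
        "tags": {},
    },
]

# What the last pipeline run actually deployed (constructed).
IAC_DEPLOYED_IDS = {INVENTORY[0]["id"]}

# Resource groups the landing zone owns; anything else is ad hoc (constructed).
MANAGED_RESOURCE_GROUPS = {"rg-lz-prod", "rg-lz-shared"}


def classify_drift(inventory, iac_ids, managed_rgs, tag_key="managed-by", tag_value="bicep"):
    """Sort the inventory into the drift buckets a quarterly review cares about.

    Returns {"outside_managed_rg": [...], "not_in_iac": [...], "untagged": [...]}
    of ARM resource IDs. ARM IDs and resource group names are case-insensitive,
    so every comparison is done on lower-cased values.
    """
    iac_norm = {i.lower() for i in iac_ids}
    rg_norm = {g.lower() for g in managed_rgs}
    findings = {"outside_managed_rg": [], "not_in_iac": [], "untagged": []}
    for res in inventory:
        rid = res["id"]
        if res["resourceGroup"].lower() not in rg_norm:
            # A resource group nobody governs: report it here, not again as "not in IaC".
            findings["outside_managed_rg"].append(rid)
        elif rid.lower() not in iac_norm:
            findings["not_in_iac"].append(rid)
        if (res.get("tags") or {}).get(tag_key) != tag_value:
            findings["untagged"].append(rid)
    return findings


def drift_count(findings):
    """One number to trend quarter over quarter (the fourth signal in the post)."""
    return len(findings["outside_managed_rg"]) + len(findings["not_in_iac"])


if __name__ == "__main__":
    report = classify_drift(INVENTORY, IAC_DEPLOYED_IDS, MANAGED_RESOURCE_GROUPS)
    for bucket, ids in report.items():
        print(f"{bucket}: {len(ids)}")
        for rid in ids:
            print("   ", rid)
    print("drift count:", drift_count(report))
```

Replace the constructed lists with the real `az resource list` output and your pipeline's deployed-ID set, and keep `drift_count` from each run: a number that rises between reviews is the IaC-bypass signal, whatever the compliance dashboard says.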
The Governance Review Cycle
Drift prevention requires a regular review cycle. Quarterly is the right cadence for most organisations.
The Practical Review: When I run a governance review, I rely heavily on the Azure Policy Dashboard. It is the most effective “source of truth” we have. The review shouldn’t be a massive ceremony; it should be a focused session where we look at that dashboard and ask the hard questions: Why has this violation been here for three months? Why is this exemption still active? If you aren’t looking at that dashboard at least once a quarter with the intention of cleaning it up, you aren’t governing—you’re just watching the drift happen.
A quarterly governance review should cover:
- Policy compliance trends (from the dashboard).
- Exemption audits (setting expiry dates on anything that lacks one).
- RBAC audits (removing stale assignments for leavers).
- IaC drift detection (checking for resources that exist only in the portal).
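Two of the review items above, the exemption audit and the RBAC audit, reduce to checks over lists you can export before the session. The script below is an added example (my code, not from the original post). It assumes input in the shape of `az policy exemption list -o json` and `az role assignment list --all -o json`, using the ARM field names `expiresOn`, `principalId`, `roleDefinitionName` and `scope`, plus a set of object IDs still present in the directory; the exemptions, assignments and the fixed "today" are all constructed.

```python
"""Quarterly review helpers: exemption expiry audit and stale RBAC audit.

Added example; not from the original post. Inputs are constructed samples in
the (assumed) shape of `az policy exemption list -o json` and
`az role assignment list --all -o json`; the field names used are those of
the ARM policyExemptions and roleAssignments resources.
"""
import re
from datetime import datetime, timedelta, timezone

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"   # placeholder
NOW = datetime(2024, 7, 1, tzinfo=timezone.utc)                # fixed clock for a reproducible run
ASSIGN = f"{SUB}/providers/Microsoft.Authorization/policyAssignments"

EXEMPTIONS = [  # constructed
    {"name": "ex-legacy-storage", "exemptionCategory": "Waiver",
     "expiresOn": None, "policyAssignmentId": f"{ASSIGN}/deny-public-blob"},
    {"name": "ex-migration-window", "exemptionCategory": "Mitigated",
     "expiresOn": "2024-03-31T00:00:00Z", "policyAssignmentId": f"{ASSIGN}/require-tags"},
    {"name": "ex-q3-pilot", "exemptionCategory": "Waiver",
     "expiresOn": "2024-09-15T00:00:00+00:00", "policyAssignmentId": f"{ASSIGN}/require-tags"},
]

ROLE_ASSIGNMENTS = [  # constructed
    {"principalId": "11111111-1111-1111-1111-111111111111", "principalType": "User",
     "roleDefinitionName": "Contributor", "scope": SUB},
    {"principalId": "22222222-2222-2222-2222-222222222222", "principalType": "User",
     "roleDefinitionName": "Owner", "scope": f"{SUB}/resourceGroups/rg-lz-prod"},
    {"principalId": "33333333-3333-3333-3333-333333333333", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Reader", "scope": SUB},
]
# Object IDs still present in the directory (constructed); 2222... is a leaver.
ACTIVE_PRINCIPAL_IDS = {"11111111-1111-1111-1111-111111111111",
                        "33333333-3333-3333-3333-333333333333"}


def _parse_ts(raw):
    """Parse an ARM timestamp; tolerate a trailing Z and fractional seconds."""
    cleaned = re.sub(r"\.\d+", "", raw).replace("Z", "+00:00")
    ts = datetime.fromisoformat(cleaned)
    return ts if ts.tzinfo else ts.replace(tzinfo=timezone.utc)


def audit_exemptions(exemptions, now=NOW, warn_within_days=90):
    """Bucket exemptions by expiry state. Returns dict of bucket -> exemption names.

    no_expiry     : permanent carve-outs; the review should put a date on each
    expired       : past expiresOn but still listed; delete or consciously renew
    expiring_soon : due within warn_within_days; decide before they lapse
    """
    report = {"no_expiry": [], "expired": [], "expiring_soon": []}
    for ex in exemptions:
        raw = ex.get("expiresOn")
        if not raw:
            report["no_expiry"].append(ex["name"])
            continue
        expires = _parse_ts(raw)
        if expires <= now:
            report["expired"].append(ex["name"])
        elif expires - now <= timedelta(days=warn_within_days):
            report["expiring_soon"].append(ex["name"])
    return report


def stale_role_assignments(assignments, active_principal_ids):
    """Assignments whose principal is no longer in the directory.

    Returns (principalId, roleDefinitionName, scope) tuples, highest impact
    first: Owner before other roles, then broader scope before narrower.
    """
    active = {p.lower() for p in active_principal_ids}
    stale = [(a["principalId"], a["roleDefinitionName"], a["scope"])
             for a in assignments if a["principalId"].lower() not in active]
    return sorted(stale, key=lambda t: (t[1] != "Owner", t[2].count("/")))


if __name__ == "__main__":
    for bucket, names in audit_exemptions(EXEMPTIONS).items():
        print(f"exemptions {bucket}: {names}")
    for pid, role, scope in stale_role_assignments(ROLE_ASSIGNMENTS, ACTIVE_PRINCIPAL_IDS):
        print(f"stale assignment: {role} for {pid} at {scope}")
```

The `no_expiry` bucket is the one to drive to zero: each entry is a carve-out nobody will revisit until it is given a date. The stale-assignment list is ordered so that an orphaned Owner at a broad scope is the first thing the review sees.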
Automated Drift Detection
Manual review catches drift that has already accumulated. Automated detection catches it sooner.
Azure Policy compliance alerts are the first automated signal. Configure an Azure Monitor alert rule that fires when the overall compliance score for a policy initiative drops below a threshold you define, so a declining score is noticed between quarterly reviews rather than at the next one.
Azure Advisor recommendations overlap with governance in areas like security and cost. Integrating Advisor recommendations into the quarterly review ensures they are acted on rather than just ignored in the portal.
Governance Debt Repayment
An organisation that has been drifting has governance debt. Prioritise by risk:
- Security and access policy gaps first (stale RBAC).
- Cost governance gaps second (untagged resources).
- Operational consistency third (resources outside Bicep management).
Governance drift is inevitable without active prevention. The organisations that maintain a strong posture are those that built a review cycle alongside the framework and treated it as non-optional. The maintenance process is just as important as the initial policy set.