There is a test I run when I want to understand whether an organisation’s Azure governance is real or performative. I find an engineer who works in the environment — not the person who owns the governance framework, not the security lead, not the platform architect — and I ask them one question: has a deployment you tried to make ever been blocked by a governance policy?
In an environment with genuine governance, the answer is yes. Usually quickly. Engineers in governed environments bump into enforcement. They know which policies exist because the policies have affected their work. In a governance theatre environment, the answer is different. They say “we have policies” and then pause. They might name the compliance dashboard. They cannot name a policy that has ever stopped them doing something.
That pause tells you everything.
Governance that does not change behaviour is not governance. It is documentation. Audit mode policies (in Azure Policy, the Audit and AuditIfNotExists effects, and any assignment whose enforcement mode is set to DoNotEnforce, whatever its effect) are a reporting tool: they surface what you are doing wrong, they log it, they feed a compliance score. They do not stop anything from happening. Only a Deny (or DenyAction) effect, on an assignment with enforcement switched on, actually refuses a request. An environment built entirely on audit mode policies is a compliance reporting framework wearing governance branding, and the distinction matters enormously when something goes wrong.
The accountability version of this test is equally revealing. Ask the organisation who is accountable for the compliance posture. If the answer is a team name, a framework document, or a process, the real answer is nobody. Accountability requires a person’s name. A team cannot be held accountable in the way that produces behaviour change — only individuals can. The moment accountability is diffused across a team or embedded in a document, it has been effectively eliminated.
[DAN: Add a specific moment when you’ve encountered governance theatre — the tell that made it clear the governance was performative rather than real. The specific observation is more valuable than the general argument.]
What makes this sustainable as a fiction is that auditors often collude with it, not deliberately, but structurally. An external audit asks: do you have a governance framework? Yes. Are policies defined? Yes. Is a compliance dashboard in place? Yes. The audit passes. The audit has not asked whether any of those policies is assigned with a Deny effect and enforcement switched on, whether anyone is accountable for remediation, or whether a single engineer has ever had a deployment blocked. It has checked for the presence of documents and dashboards, which are easy to produce and mean almost nothing on their own.
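The check the audit skipped can be done mechanically. The script below is an added example, not code from the original article: it takes the JSON that `az policy assignment list -o json` and `az policy definition list -o json` return (the field shape assumed here, `policyDefinitionId`, `enforcementMode`, `parameters`, `policyRule`, is the az CLI's flattened one; REST output nests most of it under `properties`, which the helper also accepts) and reports, per assignment, the effect that actually applies and whether it can stop or change a deployment. It resolves the common built-in pattern where the effect is `[parameters('effect')]` with an Audit default, and it treats a Deny assigned with `enforcementMode: DoNotEnforce` as reporting only, because that is what it is. The sample definitions and assignments embedded below are constructed for the example; policy set definitions (initiatives) are not expanded.

```python
"""Which Azure Policy assignments can actually block or change a deployment?

Added example. Reads policy definitions and assignments (az CLI JSON shape
assumed), resolves each assignment's effective effect and flags the ones that
only report. Sample data below is constructed, not from a real tenant.
"""
import json
import re
import sys

# Effects that act on a request. Audit, AuditIfNotExists and Manual only
# write compliance records; Disabled does nothing.
ENFORCING_EFFECTS = {"deny", "denyaction", "modify", "append", "deployifnotexists"}

# Built-in definitions usually write the effect as "[parameters('effect')]".
_PARAM_REF = re.compile(r"^\[parameters\('([^']+)'\)\]$", re.IGNORECASE)

# Constructed sample data (placeholder subscription id).
_DEF_PREFIX = ("/subscriptions/00000000-0000-0000-0000-000000000000"
               "/providers/Microsoft.Authorization/policyDefinitions/")

SAMPLE_DEFINITIONS = [
    {   # parameterised effect defaulting to Audit: the common built-in pattern
        "id": _DEF_PREFIX + "allowed-locations",
        "displayName": "Allowed locations",
        "parameters": {"effect": {"type": "String", "defaultValue": "Audit",
                                  "allowedValues": ["Audit", "Deny", "Disabled"]}},
        "policyRule": {"if": {"not": {"field": "location", "in": ["uksouth", "ukwest"]}},
                       "then": {"effect": "[parameters('effect')]"}},
    },
    {   # effect hard-coded to Deny in the definition itself
        "id": _DEF_PREFIX + "no-public-ip",
        "displayName": "Public IP addresses are not permitted",
        "parameters": {},
        "policyRule": {"if": {"field": "type", "equals": "Microsoft.Network/publicIPAddresses"},
                       "then": {"effect": "Deny"}},
    },
]

SAMPLE_ASSIGNMENTS = [
    {"name": "locations-report", "policyDefinitionId": _DEF_PREFIX + "allowed-locations",
     "enforcementMode": "Default", "parameters": {}},             # inherits Audit default
    {"name": "locations-enforce", "policyDefinitionId": _DEF_PREFIX + "allowed-locations",
     "enforcementMode": "Default", "parameters": {"effect": {"value": "Deny"}}},
    {"name": "public-ip-dryrun", "policyDefinitionId": _DEF_PREFIX + "no-public-ip",
     "enforcementMode": "DoNotEnforce", "parameters": {}},        # Deny, but switched off
]


def _props(obj):
    """REST responses nest fields under `properties`; az CLI flattens them."""
    return obj.get("properties", obj)


def resolve_effect(definition, assignment):
    """Lower-cased effect this assignment applies, or None if undeterminable."""
    d, a = _props(definition), _props(assignment)
    effect = d.get("policyRule", {}).get("then", {}).get("effect")
    if not isinstance(effect, str):
        return None
    m = _PARAM_REF.match(effect)
    if not m:
        return effect.lower()                     # literal effect in the rule
    name = m.group(1)
    override = (a.get("parameters") or {}).get(name, {}).get("value")
    if override is not None:
        return str(override).lower()              # assignment overrides the parameter
    default = (d.get("parameters") or {}).get(name, {}).get("defaultValue")
    return str(default).lower() if default is not None else None


def classify(assignments, definitions):
    """One row per assignment: effective effect, enforcement mode, and whether
    it can actually stop or change a deployment."""
    by_id = {d["id"].lower(): d for d in definitions}   # ids are case-insensitive
    rows = []
    for a in assignments:
        p = _props(a)
        definition = by_id.get(p["policyDefinitionId"].lower())
        # Initiatives and definitions missing from the export stay unresolved.
        effect = resolve_effect(definition, a) if definition else None
        mode = p.get("enforcementMode") or "Default"
        rows.append({
            "assignment": a.get("name") or p.get("displayName"),
            "effect": effect,
            "enforcementMode": mode,
            "enforced": effect in ENFORCING_EFFECTS and mode.lower() == "default",
        })
    return rows


def enforcement_summary(assignments, definitions):
    rows = classify(assignments, definitions)
    enforced = sum(1 for r in rows if r["enforced"])
    return {"total": len(rows), "enforced": enforced, "reporting_only": len(rows) - enforced}


if __name__ == "__main__":
    # Usage: python policy_enforcement.py assignments.json definitions.json
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as fa, open(sys.argv[2]) as fd:
            assignments, definitions = json.load(fa), json.load(fd)
    else:
        assignments, definitions = SAMPLE_ASSIGNMENTS, SAMPLE_DEFINITIONS
    for row in classify(assignments, definitions):
        print(json.dumps(row))
    print(json.dumps(enforcement_summary(assignments, definitions)))
```

On the sample data the summary is three assignments, one enforced: the Allowed locations assignment that overrides the effect to Deny. The other two are the article's point in miniature, one inheriting the Audit default nobody changed, the other a Deny that was assigned and then switched to DoNotEnforce. Run it against a real export and the `reporting_only` count is the number the compliance dashboard does not show you.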
The comfortable fiction holds until something forces the question. A breach, a regulatory investigation, a significant misconfiguration that causes an outage or a data exposure event. Then the question changes. It is no longer “do you have policies?” It is “did you enforce them?” And at that point, a compliance dashboard full of audit mode findings is not a defence. It is a record of how long the organisation knew about its own gaps and did nothing about them.
Having a governance framework and having governance are not the same thing. One is a set of documents. The other is a set of behaviours that the environment enforces, with a named human accountable for the outcome.