The governance conversation happens in every organisation that runs Azure at scale. The question is not whether it happens. It is whether it happens as a strategic planning discussion — deliberate, scheduled, with time to act — or as a post-incident debrief — urgent, reactive, with everyone looking for someone to blame. The content of both conversations is almost identical. The cost of the second one is substantially higher.
What the Post-Incident Governance Conversation Looks Like
A security incident, a compliance audit finding, or a significant cost overrun surfaces a governance gap. The conversation becomes urgent. Everyone who was not in the room when the governance decisions were made is now in the room asking why those decisions were made.
The typical findings are consistent across organisations: policies existed but were assigned in audit mode rather than enforce mode, so violations were reported but never blocked. Compliance reports were being generated but not acted on. The team responsible for governance did not have the authority to enforce it. RBAC assignments had drifted beyond what anyone could explain, and nobody had a clean picture of who could do what, at which scope.
The outcome of these conversations is almost always a governance remediation programme — which is the strategic planning conversation, conducted under pressure, with a compliance deadline driving the scope instead of good architecture judgement. The work is the same. The environment in which it is done is considerably worse.
The Proactive Version of the Same Conversation
The proactive governance conversation has the same components: who owns the posture, what the enforcement model is, how violations are responded to. The difference is the context in which those questions are answered.
When governance is designed proactively, the answers are driven by risk appetite, regulatory requirements, and operational needs — the right drivers. When it is designed reactively, the answers are driven by what went wrong, which is a subset of the right drivers and usually not the most important subset. A remediation programme shaped by a single incident will close the gap that the incident exposed. It will not necessarily address the gaps that no incident has yet revealed.
The simplest version of the proactive conversation involves three questions, answered explicitly, in writing:
- Who is accountable for the Azure governance posture?
- What is the enforcement model — audit or enforce — and why?
- What is the response process when a policy is violated?
Three answers in writing. That is the minimum viable governance accountability framework. Most organisations do not have it.
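The second question, audit or enforce, and the RBAC drift mentioned earlier can both be answered from data you already have. The script below is an added example, not code from the original post or from any client engagement: it assumes two JSON exports whose shape mirrors the output of `az policy assignment list` (fields `enforcementMode`, `parameters`) and `az role assignment list --all` (fields `principalName`, `principalType`, `roleDefinitionName`, `scope`). The records embedded here are constructed for the example, with placeholder subscription IDs, and the classification rules (which effects count as enforcing, which roles count as privileged) are the example's own assumptions.

```python
"""Snapshot of an Azure governance posture from exported assignment data.

Added example for the post above; the JSON records are constructed and
mirror the shape of `az policy assignment list` and `az role assignment list --all`.
"""
import json
from collections import defaultdict

# Constructed policy assignment export. Real assignments carry enforcementMode
# ("Default" or "DoNotEnforce") and, for definitions that parameterise their
# effect, a parameters.effect.value such as "Audit" or "Deny".
POLICY_ASSIGNMENTS_JSON = json.dumps([
    {"displayName": "Require TLS 1.2 on storage",
     "scope": "/providers/Microsoft.Management/managementGroups/corp",
     "enforcementMode": "Default", "parameters": {"effect": {"value": "Deny"}}},
    {"displayName": "Storage accounts should restrict network access",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000001",
     "enforcementMode": "Default", "parameters": {"effect": {"value": "Audit"}}},
    {"displayName": "Allowed locations",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000002",
     "enforcementMode": "DoNotEnforce",
     "parameters": {"listOfAllowedLocations": {"value": ["uksouth"]}}},
    {"displayName": "Deploy diagnostic settings",
     "scope": "/providers/Microsoft.Management/managementGroups/corp",
     "enforcementMode": "Default", "parameters": {"effect": {"value": "DeployIfNotExists"}}},
])

# Assumed grouping of Azure Policy effects for this example.
AUDIT_EFFECTS = {"audit", "auditifnotexists"}
ENFORCING_EFFECTS = {"deny", "denyaction", "modify", "deployifnotexists", "append"}


def classify_policy_assignment(assignment):
    """Return what an assignment actually does, as opposed to what it is named."""
    # DoNotEnforce wins over the effect: compliance is still evaluated and
    # reported, but nothing is blocked or remediated.
    if assignment.get("enforcementMode", "Default").lower() == "donotenforce":
        return "not-enforced"
    effect = assignment.get("parameters", {}).get("effect", {}).get("value")
    if effect is None:
        # Effect is hard-coded in the definition; it must be read from there.
        return "effect-fixed-in-definition"
    effect = effect.lower()
    if effect == "disabled":
        return "disabled"
    if effect in AUDIT_EFFECTS:
        return "audit-only"
    if effect in ENFORCING_EFFECTS:
        return "enforcing"
    return "unknown"


def policy_posture(assignments_json):
    """Group assignment display names by their effective enforcement class."""
    summary = defaultdict(list)
    for assignment in json.loads(assignments_json):
        summary[classify_policy_assignment(assignment)].append(assignment["displayName"])
    return dict(summary)


# Constructed role assignment export.
ROLE_ASSIGNMENTS_JSON = json.dumps([
    {"principalName": "platform-admins", "principalType": "Group",
     "roleDefinitionName": "Owner",
     "scope": "/providers/Microsoft.Management/managementGroups/corp"},
    {"principalName": "alice@example.com", "principalType": "User",
     "roleDefinitionName": "Owner",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000001"},
    {"principalName": "ci-deployer", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Contributor",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000001/resourceGroups/app-rg"},
    {"principalName": "bob@example.com", "principalType": "User",
     "roleDefinitionName": "Reader",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000002"},
])

# Assumed set of roles worth explaining individually.
PRIVILEGED_ROLES = {"Owner", "Contributor", "User Access Administrator"}
BROAD_SCOPES = {"managementGroup", "subscription"}


def scope_level(scope):
    """Map an ARM scope string to its level; order of checks matters."""
    if "/managementGroups/" in scope:
        return "managementGroup"
    if "/resourceGroups/" in scope:
        return "resource" if "/providers/" in scope else "resourceGroup"
    if scope.startswith("/subscriptions/"):
        return "subscription"
    return "other"


def broad_privileged_assignments(role_json):
    """Privileged roles granted directly to users or service principals at
    subscription scope or above: the assignments hardest to explain later."""
    findings = []
    for ra in json.loads(role_json):
        level = scope_level(ra["scope"])
        if (ra["roleDefinitionName"] in PRIVILEGED_ROLES
                and ra["principalType"] != "Group"
                and level in BROAD_SCOPES):
            findings.append((ra["principalName"], ra["roleDefinitionName"], level))
    return findings


if __name__ == "__main__":
    print(json.dumps(policy_posture(POLICY_ASSIGNMENTS_JSON), indent=2))
    for name, role, level in broad_privileged_assignments(ROLE_ASSIGNMENTS_JSON):
        print(f"direct {role} for {name} at {level} scope")
```

Run against a real export, the first function answers whether the "policy set" is actually enforcing anything, and the second gives the starting list for the "who can do what, where" conversation. Both outputs belong in the accountability document alongside the three written answers, since they are what the annual review compares against.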
How to Have It Before You Have To
A governance review does not need to be a large programme. A two-hour session with the right people — the platform team, a security representative, and someone with budget authority — produces the accountability clarity that most governance frameworks lack.
The output of that session is not a policy set. It is a governance accountability document: who owns what, what the enforcement model is, what the response process looks like. The policy set comes after, informed by those answers rather than substituting for them.
Review it annually. The governance accountability model that was right for a 20-subscription estate may not be right for an 80-subscription estate. Organisations that scale their Azure footprint without revisiting their governance model find themselves running a larger version of the same gap — which produces a larger version of the same incident.
Every organisation has the governance conversation eventually. Having it as a strategic exercise is not more work than having it as a crisis response. It is the same work, done in a better environment, with better outcomes.
If you would rather have the governance conversation as a planning exercise than a debrief, get in touch — that is exactly the kind of conversation I help organisations structure.