The governance conversation happens in every organisation that runs Azure at scale. The question is not whether it happens. It is whether it happens as a strategic planning discussion — deliberate, scheduled, with time to act — or as a post-incident debrief — urgent, reactive, with everyone looking for someone to blame.
What the Post-Incident Governance Conversation Looks Like
A security incident, a compliance audit finding, or a significant cost overrun surfaces a governance gap. The conversation becomes urgent. The findings are almost always consistent: policies were in audit mode, not enforce, and the team responsible didn’t have the authority to act.
The Two-Month Overspend: I once saw an instance where a DevOps engineer accidentally ran the wrong pipeline, deploying a full performance-test environment at massive scale. Because there was no governance oversight on that specific pipeline, no one noticed for two months. The business paid production-level costs for a performance test that was never reviewed or optimised. This wasn’t a technical failure; it was a governance failure.
The missing guardrail: This could have been prevented with automated change control—blocking pipelines in Acceptance and Production environments unless they are linked to an approved ticket in your CR platform of choice (like ServiceNow or Jira).
The Proactive Version of the Same Conversation
When governance is designed proactively, the answers are driven by risk appetite and operational needs. The simplest version of the proactive conversation involves three questions, answered explicitly, in writing:
- Who is accountable for the Azure governance posture?
- What is the enforcement model — audit or enforce — and why?
- What is the response process when a policy is violated?
Three answers in writing. That is the minimum viable governance accountability framework. Most organisations do not have it.
How to Have It Before You Have To
A governance review does not need to be a large programme. A two-hour session with the right people — the platform team, a security representative, and someone with budget authority — produces the clarity that most frameworks lack.
Review it annually. The model that worked for a 20-subscription estate will not be right for an 80-subscription estate. Organisations that scale their Azure footprint without revisiting their governance model find themselves running a larger version of the same gap.
Every organisation has the governance conversation eventually. Having it as a strategic exercise is not more work than having it as a crisis response. It is the same work, done in a better environment, with better outcomes.
If you would rather have the governance conversation as a planning exercise than a debrief, get in touch — that is exactly the kind of conversation I help organisations structure.
