16 May 2026

Why Azure Governance Fails Before Anyone Writes a Policy

Most Azure governance failures happen before a single policy is written — in the decisions about ownership, accountability, and enforcement.

Daniel Inman, Cloud Solution Architect



Most Azure governance conversations begin with the wrong question. “What policies should we write?” is a technical question. It assumes the hard part is knowing which guardrails to put in place. The hard part is not the guardrails. It is deciding who owns them, who enforces them, and what happens when they are violated.

The Three Decisions That Happen Before Any Policy

1. Who owns governance? Not the team that writes the policies — the team that is accountable for the environment being governed. Partial ownership is indistinguishable from no ownership when a violation is discovered.

2. What is the enforcement model? Audit policies surface violations. Enforce policies prevent them. Organisations that choose audit mode indefinitely have made a decision — they just haven’t said it out loud.

3. What is the response process? If the answer is “it shows up in the compliance dashboard,” governance is not enforced — it is reported.

The “Ghost Framework” Reality: I’ve walked into organisations with Defender for Cloud fully enabled, Secure Score in the high 90s, and dashboards glowing green everywhere. Yet, when I asked a simple question like “Which of these 140 subscriptions are business-critical?”, nobody could answer. They had the tools, but they had no intent. They were treating governance as a checkbox exercise instead of a decision-making framework. When a major cost spike happened because a dev team spun up a massive GPU cluster, the “governance” was useless because there was no defined escalation path to stop it.

The Accountability Gap

The most common governance failure is diffuse accountability. Security wants the policies. The platform team writes them. Engineering teams are subject to them. Nobody is accountable for the compliance outcome.

The Secure Score Trap: I’ve found that a high Secure Score is often the ultimate smoke screen for leadership. It gives a false sense of security while operational governance—like tagging, cost control, and lifecycle management—is actually falling apart. You can have a “secure” resource that is completely unmanaged, untagged, and hemorrhaging money. Don’t mistake a security score for an architectural governance model.

The fix is structural: a named owner for the governance posture, with authority to enforce policies and accountability for the compliance score. This is not a committee. It is a person.

What Governance That Works Looks Like

A governance framework that is functioning produces recognisable signals:

  • Fewer conversations about whether a policy should exist, more conversations about whether an exemption is justified.
  • Engineering teams know what the guardrails are before they build, not after they deploy.
  • Compliance score trends are stable or upward — never drifting downward.

Governance frameworks that work are not distinguished by the quality of their policies. They are distinguished by the clarity of their accountability model and the credibility of their enforcement.


If your Azure governance framework looks complete on paper but isn’t producing the compliance posture you expect, get in touch — the gap is almost always structural, not technical.

About the Author

Daniel Inman

Cloud Solution Architect focused on Azure, platform design, and translating technical complexity into decisions that teams can actually execute.
