Governance
Policy-driven operations. Governance is not a document. It is code.
“Enterprise governance reference architectures are the 21st-century equivalent of waterfall: beautiful documents and broken implementations.”
Enterprise attempts to achieve a perfect architecture up front will fail. For any interesting governance problem, it is not possible to deductively design a reference architecture. You must build, deploy, learn, and let the architecture emerge. Governance policies are expressed as code and enforced automatically.
Four Domains of Cloud Governance
Tagging Standards
Mandatory tagging policies enforced at provisioning time. Resources without required tags are blocked or flagged for remediation.
- Owner tag required on all resources
- Environment classification (prod/staging/dev)
- Project and cost center attribution
- Expiration date for non-production resources
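As an added example (not code from the original page), the four tagging rules above expressed as policy-as-code in Python. The exact tag names, the prod/staging/dev values, and the choice to block at provisioning time but only flag on a later audit scan are assumptions made for the illustration.

```python
# Added example (not from the original page): a provisioning-time tag policy
# check written as policy-as-code. Tag names and the block/flag split are
# assumptions chosen to illustrate the four tagging rules listed above.
from datetime import date

REQUIRED_TAGS = ("Owner", "Environment", "Project", "CostCenter")
ENVIRONMENTS = {"prod", "staging", "dev"}


def tag_violations(tags, today=None):
    """Return human-readable violations for one resource's tags."""
    today = today or date.today()
    problems = [f"missing required tag {t}" for t in REQUIRED_TAGS if not tags.get(t)]
    env = tags.get("Environment")
    if env and env not in ENVIRONMENTS:
        problems.append(f"Environment must be one of {sorted(ENVIRONMENTS)}, got {env!r}")
    # ExpirationDate is mandatory only outside production and must lie in the future.
    if env in ENVIRONMENTS - {"prod"}:
        expires = tags.get("ExpirationDate")
        if not expires:
            problems.append("non-production resource needs an ExpirationDate tag")
        else:
            try:
                if date.fromisoformat(expires) <= today:
                    problems.append(f"ExpirationDate {expires} is already past")
            except ValueError:
                problems.append(f"ExpirationDate {expires!r} is not YYYY-MM-DD")
    return problems


def evaluate(resource, at_provisioning, today=None):
    """Guardrail verdict: block at provisioning time, flag on a later audit scan."""
    problems = tag_violations(resource.get("tags", {}), today)
    if not problems:
        return "allow", []
    return ("block" if at_provisioning else "flag"), problems


# Constructed sample resources (not real infrastructure).
SAMPLE = [
    {"id": "i-dev-01", "tags": {"Owner": "alice", "Environment": "dev", "Project": "billing",
                                "CostCenter": "CC-100", "ExpirationDate": "2030-01-31"}},
    {"id": "i-prod-01", "tags": {"Owner": "bob", "Environment": "prod", "Project": "billing",
                                 "CostCenter": "CC-100"}},
    {"id": "i-stray-01", "tags": {"Environment": "qa", "Project": "billing"}},
]

if __name__ == "__main__":
    for r in SAMPLE:
        print(r["id"], evaluate(r, at_provisioning=True))
```

The same `tag_violations` function can be wired into a CI check over a Terraform plan or into a scheduled audit, with only the `at_provisioning` flag deciding between blocking and flagging.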
Budget Controls
Automated budget thresholds with escalation paths. Spending that exceeds approved budgets triggers alerts, approval workflows, or automated throttling.
- Per-team monthly budget caps
- Alert at 80%, 90%, 100% thresholds
- Automatic approval workflows at threshold
- Quarterly budget reforecasting triggers
Approval Workflows
Automated routing of spending decisions to appropriate approvers based on amount, category, and risk profile.
- Tiered approval by spend magnitude
- Category-specific routing rules
- SLA on approval turnaround time
- Auto-approval for pre-authorized patterns
Compliance Enforcement
Automated enforcement of regulatory, security, and organizational compliance requirements in cloud resource provisioning.
- Region restriction for data sovereignty
- Encryption-at-rest requirements
- Network isolation enforcement
- Audit trail for all governance actions
Three Models of Governance
Centralized
All governance decisions made by a central team. Provides consistency but creates bottlenecks. Suitable for early-stage FinOps.
Pros:
- Consistent policy enforcement
- Clear authority
- Simplified audit
Cons:
- Bottleneck at scale
- Slow response time
- Disconnected from workload context
Federated
Recommended. Central team sets policies; business units enforce within guardrails. Balances consistency with autonomy. The reformed model.
Pros:
- Speed with guardrails
- Business context preserved
- Scalable
Cons:
- Requires mature tooling
- Policy drift risk
- Coordination overhead
Decentralized
Each team manages its own governance. Maximum autonomy but risk of inconsistency and waste. Requires strong culture.
Pros:
- Maximum autonomy
- Fastest response time
- Team ownership
Cons:
- Inconsistent practices
- Duplicate tooling
- Governance gaps