The Governance Mirage
When Cloud Governance looks good on paper but disappears in practice.

Edition #3: The Governance Mirage
A cloud team recently walked me through their Cloud Governance framework.
They had a 60-page policy document, monitoring tools in place, and a SharePoint list of standards.
However, no one was following the standards. No controls were catching drift. Nothing was improving.
This is the Governance Mirage. It looks like governance from a distance, but disappears when teams actually start building.
The Mirage happens when governance lives in documents instead of becoming a working process.
Most organizations have policies. Some even have automation. But if teams don't understand the standards, if enforcement is missing, and if nothing happens when things drift, it's still a mirage.
Real Cloud Governance shows up in how people work. It gives teams:
→ Clear, co-created standards they understand and can apply
→ Automation that enforces those standards without friction
→ Rollouts that land with support, not just mandates
→ Feedback loops that drive continuous improvement
That's the difference between governance that looks good on paper and governance that actually works.
- Keep on Herding, Bob
What's Happening in Cloud Governance 📡
Cloud Governance at Scale: Architecting for Innovation and Resilience: Dr. Gopal Singhal outlines a practical cloud-native blueprint for scaling Cloud Governance across large AWS environments by structuring your AWS Organization, layering guardrails with SCPs, shifting compliance left with policy-as-code, and building a secure identity and access model using ABAC and Just-in-Time access.
One Tag to Rule Them All: How iFood Mastered Cloud Resource Governance: Ulisses Oliveira details how iFood transitioned from manual, inconsistent tagging to an automated, metadata-driven governance model. Their system applies consistent metadata to cloud resources, making it easier to track ownership across infrastructure, monitoring, and billing.
CIS Alibaba Cloud Benchmark v2.0.0 Update: Key updates include changes to audit/remediation steps, improved mapping to CIS Critical Controls, revised password policy alignment, and added CLI-based audit method examples.
CIS Google Workspace Benchmark v1.3.0 Update: While GCP CIS benchmarks usually get the spotlight, this update reinforces Google Workspace as a critical area for identity, collaboration, and data protection. Includes clearer guidance on superuser access and minor clarifications to existing controls.