Governance
Feature Availability
The Governance feature is available to customers who have the Governance feature enabled on their account. If you do not see the Governance menu item in the sidebar, please contact your account manager or support to have the feature enabled.
Overview
The Governance feature in Cloud Ctrl provides Managed Service Providers (MSPs) and platform users with a centralised view of policy compliance across their customer portfolio. It brings together compliance data from cloud-native governance tools — such as Azure Policy and Azure Advisor — into a single, unified dashboard.
With Governance, you can:
- Monitor compliance across all customers from a single portfolio dashboard
- Identify risk using a weighted Governance Exposure Score that ranks customers by compliance priority
- Track trends to see whether a customer's compliance posture is improving, stable, or worsening
- Understand financial impact by viewing the monthly spend exposed by non-compliant resources
- Drill into details to see exactly which policies are failing, which resources are affected, and what has recently changed
Governance data is automatically collected daily from connected cloud accounts and classified into industry-standard pillars based on the Well-Architected Framework.
Prerequisites
To collect governance data, Cloud Ctrl requires read access to the Azure Policy and Azure Advisor APIs. If you are using the built-in Reader role, no additional permissions are needed.
If you are using the custom least-privilege role (CloudCtrl Reader), ensure the following permission is included in the role definition:
"Microsoft.PolicyInsights/*/read"
This permission is required to read policy compliance states from the Azure Policy Insights API. The Microsoft.Advisor/*/read permission (already included in the custom role) is required for Azure Advisor data.
Tips
See the Azure App Registration guide for the full custom role definition and setup instructions.
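One way to check a custom role definition for the two read permissions named above before relying on it, and to flag anything it grants beyond read access. This is an added example, not Cloud Ctrl's own tooling; it assumes the role is a dict with `Actions` and `NotActions` keys, as in the JSON file passed to `az role definition create`, and the sample roles are constructed.

```python
import re

# Read permissions the page says governance collection needs.
REQUIRED = ["Microsoft.PolicyInsights/*/read", "Microsoft.Advisor/*/read"]

def _covers(pattern, action):
    """True if an Azure action pattern ('*' = any string, case-insensitive)
    covers `action`. `action` may itself contain '*'; matching it as a literal
    string is exact, because only a wildcard in `pattern` can absorb it."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, action, re.IGNORECASE) is not None

def audit_role(role):
    """Return (missing, non_read) for a role definition dict.
    missing:  required permissions not granted, or carved out by NotActions.
    non_read: granted control-plane actions that are not read-only."""
    actions = role.get("Actions", [])
    not_actions = role.get("NotActions", [])
    missing = []
    for need in REQUIRED:
        granted = any(_covers(a, need) for a in actions)
        # Catches a NotActions entry that covers the requirement or is a
        # subset of it; other partial overlaps are not modelled here.
        carved = any(_covers(n, need) or _covers(need, n) for n in not_actions)
        if not granted or carved:
            missing.append(need)
    non_read = [a for a in actions if not a.lower().endswith("/read")]
    return missing, non_read

# Constructed sample definitions (assumptions, not the vendor's published role).
SAMPLE_OK = {
    "Name": "CloudCtrl Reader",
    "Actions": ["Microsoft.Advisor/*/read", "Microsoft.PolicyInsights/*/read",
                "Microsoft.Resources/subscriptions/read"],
    "NotActions": [],
}
SAMPLE_GAP = {
    "Name": "CloudCtrl Reader (drifted)",
    "Actions": ["Microsoft.Advisor/*/read",
                "Microsoft.Resources/subscriptions/resourceGroups/write"],
    "NotActions": [],
}

if __name__ == "__main__":
    for role in (SAMPLE_OK, SAMPLE_GAP):
        print(role["Name"], audit_role(role))
```

An empty `missing` list with an empty `non_read` list means the role grants what collection needs and nothing that writes; `DataActions` are not examined.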
Portfolio Dashboard
The Governance portfolio dashboard is the primary entry point and provides a high-level summary of compliance across all your managed customers. It is accessible from the Governance menu item in the sidebar navigation.
Summary Cards
At the top of the dashboard, a set of summary cards displays key metrics at a glance:
- Managed Customers — The total number of customers being monitored for governance compliance
- Global Compliance — The overall compliance percentage across all customers, colour-coded for quick assessment (green for 90%+, orange for 70–90%, red for below 70%)
- Non-Compliant Resources — The total count of resources that are currently in a non-compliant state
- Exposed Spend — The total monthly spend associated with non-compliant resources, displayed in your configured currency
Portfolio Heatmap
The heatmap provides a visual matrix of Customers × Governance Pillars. Each cell is colour-coded by severity and displays the number of non-compliant resources for that customer and pillar combination. This makes it easy to quickly spot problem areas across your portfolio.
The governance pillars align with the Well-Architected Framework:
- Security — Identity, network, data protection, and access control policies
- Reliability — Availability, redundancy, and disaster recovery policies
- Cost Optimisation — Spending efficiency and resource right-sizing policies
- Operational Excellence — Monitoring, automation, and operational best practice policies
- Performance Efficiency — Scaling, compute, and performance-related policies
- General — Policies that do not fall into a specific pillar
Clicking on a cell in the heatmap will navigate to the detailed view for that customer.
Customer Ranking Table
Below the heatmap, the customer ranking table lists all monitored customers sorted by their Governance Exposure Score (highest risk first). For each customer, the table displays:
- Customer Name
- Exposure Score — A score from 0 to 100 indicating the overall governance risk (see Understanding the Exposure Score below)
- Non-Compliant Resources — The count of non-compliant resources
- Exposed Spend — The monthly cost of non-compliant resources
- Policy Families — The number of distinct policy types with compliance issues
- Compliance % — The percentage of evaluated resources that are compliant
You can filter the table to show only customers with a worsening trend to focus on those requiring immediate attention. Clicking on any customer row navigates to their detailed governance view.
Customer Detail View
The customer detail view provides an in-depth look at a single customer's governance posture. It is accessed by clicking on a customer from the portfolio dashboard.
Detail Header
The header displays key metrics for the selected customer:
- Governance Exposure Score — Colour-coded indicator of overall risk
- Non-Compliant Resources — Total count with a trend indicator showing the direction of change
- Exposed Spend — Monthly cost of non-compliant resources in the customer's currency
What Changed
The What Changed section highlights recent compliance state transitions, making it easy to understand what is happening right now. It is organised into three tabs:
- New Issues — Policies that have recently transitioned to a non-compliant state
- Resolved — Policies that have recently been remediated and are now compliant
- Chronic — Long-standing issues that have remained non-compliant over an extended period
Each entry shows the policy name, governance pillar, compliance state, and the timestamp of the change.
Dimension Risk Breakdown
This section aggregates governance issues by dimensions such as Environment (Production, Development, Staging) or Region. It helps answer questions like:
- "Are most of our compliance issues in production or non-production environments?"
- "Which regions have the most governance risk?"
Each row displays the issue count, exposed spend, and trend direction for that dimension.
Governance Issues & Resources
The main detail section organises all governance issues by pillar in an expandable accordion layout. Each pillar section shows:
- Total issues within that pillar
- Exposed spend for non-compliant resources in the pillar
- Trend direction (improving, stable, or worsening)
Expanding a pillar reveals a table of individual policies, including:
- Policy Name
- Severity — Critical, High, Medium, Low, or Unknown
- Source — The governance data source (e.g., Azure Policy, Azure Advisor)
- Compliance State
Clicking on a policy opens a Resource List showing every affected resource, with details including:
- Resource ID and Name
- Resource Type and Resource Group
- Subscription
- Compliance State
- Monthly Cost
- Whether the resource is exempt
- When the issue was last detected
Understanding the Exposure Score
The Governance Exposure Score is a composite metric from 0 to 100 that quantifies a customer's overall governance risk relative to their peers. A higher score indicates greater risk and a higher priority for remediation.
The score is calculated from five weighted components:
| Component | Weight | Description |
|---|---|---|
| Non-Compliant Volume | 35% | The number of non-compliant resources, normalised against the customer with the most issues |
| Exposed Spend | 25% | The monthly cost of non-compliant resources, normalised against the highest spend |
| Production Exposure | 20% | The percentage of issues found in production environments |
| Severity Weight | 15% | The average severity of issues (Critical = highest, Low = lowest) |
| Trend | 5% | Whether compliance is worsening, stable, or improving |
This scoring approach ensures that customers with many high-severity issues in production environments, affecting significant spend, and trending in the wrong direction, are surfaced at the top of the portfolio dashboard.
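A worked sketch of how the five weighted components could combine into a ranked portfolio, added here as an illustration and not Cloud Ctrl's actual implementation. The weights come from the table above; the numeric severity and trend sub-scores, the per-resource data model, and the sample customers are assumptions made for the example.

```python
# Weights from the component table above.
WEIGHTS = {"volume": 0.35, "spend": 0.25, "production": 0.20,
           "severity": 0.15, "trend": 0.05}

# ASSUMPTION: the page gives only the ordering (Critical highest, Low lowest)
# and the three trend states; these numeric sub-scores are illustrative.
SEVERITY = {"Critical": 1.0, "High": 0.75, "Medium": 0.5, "Low": 0.25,
            "Unknown": 0.25}
TREND = {"worsening": 1.0, "stable": 0.5, "improving": 0.0}

def exposure_scores(customers):
    """Rank customers by a 0-100 score, highest risk first.
    Each customer dict holds: name, spend (monthly cost of non-compliant
    resources), trend, and resources: one (severity, in_production) tuple
    per non-compliant resource."""
    # Volume and spend are normalised against the worst customer in the portfolio.
    max_vol = max((len(c["resources"]) for c in customers), default=0)
    max_spend = max((c["spend"] for c in customers), default=0)
    ranked = []
    for c in customers:
        res = c["resources"]
        n = len(res)
        parts = {
            "volume": n / max_vol if max_vol else 0.0,
            "spend": c["spend"] / max_spend if max_spend else 0.0,
            # Guard the averages: a fully compliant customer has no resources.
            "production": sum(1 for _, prod in res if prod) / n if n else 0.0,
            "severity": sum(SEVERITY[s] for s, _ in res) / n if n else 0.0,
            "trend": TREND[c["trend"]],
        }
        score = round(100 * sum(WEIGHTS[k] * v for k, v in parts.items()), 1)
        ranked.append((c["name"], score))
    return sorted(ranked, key=lambda r: r[1], reverse=True)

# Constructed sample portfolio.
SAMPLE = [
    {"name": "Fabrikam", "spend": 1000, "trend": "improving",
     "resources": [("Low", False), ("Medium", False)]},
    {"name": "Contoso", "spend": 4000, "trend": "worsening",
     "resources": [("Critical", True), ("High", True),
                   ("Medium", False), ("Low", False)]},
    {"name": "Northwind", "spend": 0, "trend": "stable", "resources": []},
]

if __name__ == "__main__":
    for name, score in exposure_scores(SAMPLE):
        print(f"{name:10} {score}")
```

Because volume and spend are normalised against the worst customer in the same portfolio, a score is only comparable within that portfolio and can shift when another customer's numbers change.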
Severity Levels
Governance issues are classified into the following severity levels:
| Severity | Description |
|---|---|
| Critical | Issues that pose an immediate and significant risk and should be addressed urgently |
| High | Important issues that should be prioritised for remediation |
| Medium | Issues that should be reviewed and addressed in a timely manner |
| Low | Minor issues or best-practice recommendations with limited immediate impact |
Data Sources
Governance compliance data is collected automatically from connected cloud accounts on a daily basis. Currently supported data sources include:
- Azure Policy — Compliance states from Azure Policy evaluations across subscriptions
- Azure Advisor — Recommendations from Azure Advisor, mapped to governance pillars and severity levels
As Cloud Ctrl evolves, additional data sources from other cloud providers will be integrated into the Governance feature.
How Policy Classification Works
Cloud Ctrl uses AI-assisted classification to automatically map each policy rule to the appropriate Well-Architected Framework pillar (such as Security, Reliability, or Cost Optimisation) and severity level (Critical, High, Medium, or Low). The classification considers the policy name, category, and description to determine the best fit.
Azure Advisor recommendations are mapped directly using their built-in category and impact level, which already align closely with the Well-Architected Framework.
If a policy cannot be classified, it is assigned to the General pillar with an Unknown severity and can still be reviewed in the dashboard. Classifications are cached and reused, so policies are only evaluated once.
Frequently Asked Questions
Why don't I see the Governance menu item?
The Governance feature must be enabled on your account. If you do not see it in the sidebar, contact your account manager or support to request access.
How often is governance data updated?
Governance compliance data is collected and refreshed daily from your connected cloud accounts.
Can I export governance data?
Yes, the customer detail view includes an Export Service Review option that allows you to export the governance summary for a customer.
What cloud providers are supported?
Governance currently supports Microsoft Azure through Azure Policy and Azure Advisor. Support for additional cloud providers will be added over time.