Governance & Compliance

Feature Availability

The Governance and Compliance features are available to customers who have Governance enabled on their account. If you do not see the Governance or Compliance menu items in the sidebar, please contact your account manager or support to have the feature enabled.

Overview

The Governance and Compliance features in Cloud Ctrl provide a centralised view of policy compliance across your cloud estate. They bring together compliance data from cloud-native governance tools — such as Azure Policy and Azure Advisor — into unified dashboards with actionable remediation guidance.

Cloud Ctrl offers two complementary views:

  • Compliance — A single-tenant view of your own compliance posture, accessed from the Compliance menu item in the sidebar
  • Governance — A multi-tenant portfolio view for MSPs and platform teams managing multiple customers, accessed from the Governance menu item

With these features, you can:

  • Monitor compliance across your own tenant or all managed customers from a single dashboard
  • Identify risk using a weighted Governance Exposure Score that ranks customers by compliance priority
  • Track trends to see whether compliance posture is improving, stable, or worsening
  • Understand financial impact by viewing the monthly spend exposed by non-compliant resources and the estimated savings from remediation
  • Get remediation guidance with AI-generated remediation steps and links to vendor documentation
  • Drill into details to see exactly which policies are failing, which resources are affected, and what has recently changed
  • Slice data by dimension to understand compliance risk by environment, subscription, cloud provider, resource type, or custom business categories

Governance data is automatically collected daily from connected cloud accounts and classified into industry-standard pillars based on the Well-Architected Framework.

Prerequisites

To collect governance data, Cloud Ctrl requires read access to Azure Policy and Azure Advisor APIs. If you are using the built-in Reader role, no additional permissions are needed.

If you are using the custom least-privilege role (CloudCtrl Reader), ensure the following permission is included in the role definition:

"Microsoft.PolicyInsights/*/read"

This permission is required to read policy compliance states from the Azure Policy Insights API. The Microsoft.Advisor/*/read permission (already included in the custom role) is required for Azure Advisor data.

Tips

See the Azure App Registration guide for the full custom role definition and setup instructions.
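
A pre-flight check for the custom role described above, as an added example (not Cloud Ctrl's own tooling): it reads a role definition in the `Actions`/`NotActions` JSON layout used by `az role definition create`, reports which of the two required read permissions are missing, and lists any granted action that is not a read. The sample role and the wildcard-coverage heuristic are constructed for illustration.

```python
import fnmatch
import json

# The two read permissions this page names for governance collection.
REQUIRED = ["Microsoft.PolicyInsights/*/read", "Microsoft.Advisor/*/read"]

# Constructed sample, NOT the real CloudCtrl Reader definition.
SAMPLE_ROLE = json.loads("""
{
  "Name": "Example governance reader (constructed)",
  "Actions": [
    "Microsoft.Advisor/*/read",
    "Microsoft.CostManagement/*/read",
    "Microsoft.Storage/storageAccounts/listKeys/action"
  ],
  "NotActions": []
}
""")


def covers(granted, wanted):
    """Heuristic: does action pattern `granted` cover pattern `wanted`?

    Azure action strings are case-insensitive and `*` may span segments,
    so the wildcard in `wanted` is swapped for a probe segment and the
    result is matched against `granted`.
    """
    probe = wanted.lower().replace("*", "probe")
    return fnmatch.fnmatchcase(probe, granted.lower())


def audit_role(role, required=REQUIRED):
    """Return required permissions that are missing, and non-read grants."""
    actions = role.get("Actions", [])
    not_actions = role.get("NotActions", [])
    missing = []
    for want in required:
        granted = any(covers(a, want) for a in actions)
        # A NotAction that covers the whole pattern removes the grant.
        # Partial overlaps are not detected by this heuristic.
        removed = any(covers(n, want) for n in not_actions)
        if not granted or removed:
            missing.append(want)
    # Collection only needs reads; any other action widens the role.
    non_read = [a for a in actions if not a.lower().endswith("/read")]
    return {"missing": missing, "non_read": non_read}


if __name__ == "__main__":
    print(json.dumps(audit_role(SAMPLE_ROLE), indent=2))
```

A role whose only action is `*/read`, as in the built-in Reader role, passes both checks.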

Compliance Page

The Compliance page shows your own tenant's governance health at a glance. It is accessible from the Compliance menu item in the sidebar navigation.

Summary Cards

At the top of the page, a set of summary cards displays key metrics:

  • Compliance % — The percentage of evaluated resources that are compliant, colour-coded for quick assessment (green for 90%+, orange for 70–90%, red for below 70%)
  • Non-Compliant Resources — The total count of resources that are currently non-compliant, with a trend arrow showing whether the count is increasing or decreasing
  • Exposed Spend — The monthly cost of all non-compliant resources in your display currency
  • Recoverable Savings — Estimated monthly savings achievable by remediating cost-optimisation recommendations from Azure Advisor

What Changed

The What Changed section highlights recent compliance state transitions, making it easy to understand what is happening right now. Items are grouped by Well-Architected Framework pillar and are organised into three categories:

  • New Issues — Resources or policies that have recently transitioned to a non-compliant state
  • Resolved — Issues that have recently been remediated and are now compliant
  • Chronic — Long-standing issues that have remained non-compliant over an extended period

Each entry shows the policy name, governance pillar, compliance state, and the timestamp of the change.

Top Priority Remediations

This section ranks the most impactful governance issues to help you decide what to fix first. Issues are scored using a weighted formula that considers:

  • Severity — Critical and High issues are weighted more heavily
  • Affected resource count — Issues affecting many resources rank higher
  • Spend exposure — Issues on costly resources are prioritised
  • Savings potential — Issues with recoverable savings rank higher

Click any row to navigate to the Issue Detail Page for full remediation guidance and affected resources.

Compliance by Dimension

This section aggregates governance issues by a selected dimension, helping you understand where risk is concentrated. See Dimensions below for details on available dimensions and how to configure custom ones.

Each row in the dimension breakdown displays:

| Column | Description |
| --- | --- |
| Dimension Value | The group label (e.g. subscription name, "Production", cloud provider name) |
| Issues | Count of distinct non-compliant resources, with a trend indicator |
| Exposed Spend | Monthly cost of non-compliant resources in this group |
| Recoverable Savings | Estimated savings from cost-oriented recommendations |
| Prod Exposure % | Percentage of non-compliant resources classified as production |
| Exception Cov. | Percentage of findings covered by explicit policy exemptions |

Click Drilldown to filter the issues list to only show resources within that dimension value.

All Issues & Resources

The main detail section organises all governance issues by pillar in an expandable accordion layout. Each pillar section shows:

  • Total issues within that pillar
  • Exposed spend for non-compliant resources in the pillar
  • Trend direction (improving, stable, or worsening)

Expanding a pillar reveals a table of individual policies, including severity, compliance state, affected resource count, exposed spend, estimated savings, and last detected date. Where available, a brief remediation hint and a Learn More link to vendor documentation are shown inline.

Click any policy to navigate to the Issue Detail Page.

Portfolio Dashboard (Governance)

The Governance portfolio dashboard provides a cross-tenant view for MSPs and platform teams managing multiple customers. It is accessible from the Governance menu item in the sidebar navigation.

Summary Cards

At the top of the dashboard, summary cards display aggregated metrics:

  • Managed Customers — The total number of customers being monitored for governance compliance
  • Global Compliance — The overall compliance percentage across all customers
  • Total Non-Compliant Resources — The aggregate count of non-compliant resources across all tenants
  • Exposed Spend — The total monthly spend associated with non-compliant resources
  • Recoverable Savings — Total estimated savings from cost-optimisation recommendations across all tenants

Portfolio Heatmap

The heatmap provides a visual matrix of Customers × Governance Pillars. Each cell is colour-coded by severity and displays the number of non-compliant resources for that customer and pillar combination. This makes it easy to quickly spot problem areas across your portfolio.

The governance pillars align with the Well-Architected Framework:

  • Security — Identity, network, data protection, and access control policies
  • Reliability — Availability, redundancy, and disaster recovery policies
  • Cost Optimisation — Spending efficiency and resource right-sizing policies
  • Operational Excellence — Monitoring, automation, and operational best practice policies
  • Performance Efficiency — Scaling, compute, and performance-related policies
  • General — Policies that do not fall into a specific pillar

Clicking on a cell in the heatmap will navigate to the detailed view for that customer.

Customer Ranking Table

Below the heatmap, the customer ranking table lists all monitored customers sorted by their Governance Exposure Score (highest risk first). For each customer, the table displays:

  • Customer Name
  • Exposure Score — A score from 0 to 100 indicating the overall governance risk (see Understanding the Exposure Score below)
  • Non-Compliant Resources — The count of non-compliant resources
  • Exposed Spend — The monthly cost of non-compliant resources
  • Recoverable Savings — Estimated savings from cost-optimisation recommendations
  • Policy Families — The number of distinct policy types with compliance issues
  • Compliance % — The percentage of evaluated resources that are compliant

You can filter the table to show only customers with a worsening trend to focus on those requiring immediate attention. Clicking on any customer row navigates to their detailed governance view.

Customer Detail View

The customer detail view provides an in-depth look at a single customer's governance posture. It is accessed by clicking on a customer from the portfolio dashboard. It includes the same sections as the Compliance page — summary KPIs, What Changed, Compliance by Dimension, and All Issues & Resources — but scoped to the selected customer.

Issue Detail Page

Clicking on any governance issue from the Compliance or Governance pages navigates to a full-page detail view with breadcrumb navigation back to the source page.

Issue Header

The header displays comprehensive information about the selected policy issue:

  • Policy name and description
  • Severity — colour-coded chip (Critical, High, Medium, Low)
  • Category — the vendor's own grouping (e.g. "Storage", "Security Center")
  • Rule Source — the governance data source (Policy or Advisor)
  • Cost Optimisation badge — shown when the issue is flagged as cost-oriented
  • Affected Resources — total count of non-compliant resources
  • Exposed Spend — monthly cost of affected resources
  • Est. Savings — estimated savings if the issue is remediated

Remediation Guidance

When available, a Remediation Guidance card is displayed below the header containing:

  • Remediation steps — a plain-language explanation of how to fix the issue, generated by an AI classifier when the rule was first imported
  • Learn More button — a validated link to the relevant vendor documentation (e.g. Microsoft Learn)

Tips

Remediation guidance is generated automatically using AI classification. The documentation links are validated to ensure they point to real pages. If no guidance is available for a particular issue, the card will not be shown. If you need help, please let us know.

Affected Resources Table

A detailed table lists every resource affected by this issue:

| Column | Description |
| --- | --- |
| Resource Name | The resource name (hover for the full Azure resource ID) |
| Severity | Issue severity level |
| Status | Compliance state (NonCompliant or Exempt) |
| Monthly Cost | Monthly cost of the resource in your display currency |
| Est. Savings | Estimated savings if the resource is remediated |
| Resource Type | Azure resource type (e.g. Microsoft.Storage/storageAccounts) |
| Resource Group | The resource group containing the resource |
| Subscription | Subscription name (resolved to a friendly name, not the raw GUID) |
| Exception | Whether the resource has a policy exemption applied |
| Last Detected | When the issue was last detected during a collection run |

The table supports searching, column toggling, sorting, and CSV export.

Dimensions

Dimensions allow you to slice governance data by business-meaningful categories. Use the dimension dropdown in the Compliance by Dimension section to switch between different groupings.

Built-in Dimensions

The following dimensions are always available and require no configuration:

| Dimension | Groups resources by | Notes |
| --- | --- | --- |
| Environment | Production, Staging, Development, or Unknown | Classified based on resource naming patterns (e.g. -prod-, -stg-, -dev- in the resource name) |
| Subscription | Azure subscription name | Resolved to a friendly display name from the subscription GUID |
| Resource Group | Azure resource group | Extracted from the resource ID path |
| Resource Type | Azure resource provider and type | e.g. Microsoft.Compute/virtualMachines, Microsoft.Storage/storageAccounts |
| Cloud Provider | Cloud vendor | Groups by vendor: Azure, AWS, Google, Oracle. Useful for multi-cloud estates |
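
To find resources that will land in "Unknown" before they dilute the production exposure figures, the added example below (not Cloud Ctrl's classifier) splits an Azure resource ID into resource group, resource type and name, then applies the three naming patterns quoted in the table. It assumes those three literal patterns are the only ones, matched case-insensitively against the leaf resource name; the resource IDs are constructed.

```python
import re

# Assumption: only the three patterns quoted in the table are used.
ENV_PATTERNS = {"Production": "-prod-", "Staging": "-stg-",
                "Development": "-dev-"}

_ID_RE = re.compile(
    r"^/subscriptions/(?P<sub>[^/]+)/resourceGroups/(?P<rg>[^/]+)"
    r"/providers/(?P<ns>[^/]+)/(?P<rest>.+)$",
    re.IGNORECASE,  # some Azure APIs return 'resourcegroups' in lower case
)

# Constructed resource IDs using a placeholder subscription GUID.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
SAMPLE_IDS = [
    SUB + "/resourceGroups/rg-payments/providers/Microsoft.Compute"
          "/virtualMachines/vm-prod-web01",
    SUB + "/resourceGroups/rg-payments/providers/Microsoft.Storage"
          "/storageAccounts/stprodlogs01",
    SUB + "/resourceGroups/rg-data/providers/Microsoft.Sql"
          "/servers/sql-dev-core/databases/orders",
]


def parse_resource_id(resource_id):
    """Split a resource-group-scoped ID into the fields the dimensions use."""
    match = _ID_RE.match(resource_id.rstrip("/"))
    if not match:
        raise ValueError("not a resource-group-scoped resource ID")
    parts = match["rest"].split("/")
    if len(parts) % 2:
        raise ValueError("type/name segments must come in pairs")
    # Segments alternate type, name, childType, childName, ...
    types, names = parts[0::2], parts[1::2]
    return {
        "subscription": match["sub"],
        "resource_group": match["rg"],
        "resource_type": "/".join([match["ns"]] + types),
        "name": names[-1],  # leaf name; parent names are ignored here
    }


def classify_environment(name):
    """Return the first environment whose pattern occurs in the name."""
    lowered = name.lower()
    for environment, pattern in ENV_PATTERNS.items():
        if pattern in lowered:
            return environment
    return "Unknown"


def unknown_resources(resource_ids):
    """List (name, resource group) for IDs that match no pattern."""
    parsed = [parse_resource_id(rid) for rid in resource_ids]
    return [(p["name"], p["resource_group"]) for p in parsed
            if classify_environment(p["name"]) == "Unknown"]


if __name__ == "__main__":
    for name, group in unknown_resources(SAMPLE_IDS):
        print(f"Unknown environment: {name} (resource group {group})")
```

Storage account names cannot contain hyphens, so under a hyphen-delimited convention such as `-prod-` a production storage account like the constructed `stprodlogs01` falls into "Unknown" however it is named.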

Custom Dimensions

You can create up to 30 custom dimensions per tenant by mapping them to resource tag keys. This allows you to slice governance data by any business category that is encoded in your resource tags.

Examples of custom dimensions:

  • Cost Centre → mapped to the CostCenter tag
  • Application → mapped to the Application tag
  • Team → mapped to the Team tag
  • Business Unit → mapped to the BusinessUnit tag

Custom dimensions can be configured under Manage → Dimensions. Pinned dimensions appear first in the dropdown, marked with a ★ prefix. Resources that do not have the mapped tag are shown as "Untagged" in the breakdown.

Understanding the Exposure Score

The Governance Exposure Score is a composite metric from 0 to 100 that quantifies a customer's overall governance risk relative to their peers. A higher score indicates greater risk and a higher priority for remediation.

The score is calculated from five weighted components:

| Component | Weight | Description |
| --- | --- | --- |
| Non-Compliant Volume | 35% | The number of non-compliant resources, normalised against the customer with the most issues |
| Exposed Spend | 25% | The monthly cost of non-compliant resources, normalised against the highest spend |
| Production Exposure | 20% | The percentage of issues found in production environments |
| Severity Weight | 15% | The average severity of issues (Critical = highest, Low = lowest) |
| Trend | 5% | Whether compliance is worsening, stable, or improving |

This scoring approach ensures that customers with many high-severity issues in production environments, affecting significant spend, and trending in the wrong direction, are surfaced at the top of the portfolio dashboard.
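
A worked calculation of the weighted score, as an added example rather than Cloud Ctrl's implementation. The weights come from the table; the 0 to 1 mappings for severity and trend, the exact normalisation arithmetic, and the three-customer portfolio are assumptions made for illustration.

```python
# Weights from the component table above.
WEIGHTS = {"volume": 0.35, "spend": 0.25, "production": 0.20,
           "severity": 0.15, "trend": 0.05}

# Assumed mappings: the page only says Critical is highest and Low lowest,
# and that trend is worsening, stable or improving.
SEVERITY = {"Critical": 1.0, "High": 0.75, "Medium": 0.5, "Low": 0.25}
TREND = {"worsening": 1.0, "stable": 0.5, "improving": 0.0}

# Constructed portfolio; names and figures are illustrative only.
PORTFOLIO = [
    {"name": "Contoso", "non_compliant": 200, "exposed_spend": 8000.0,
     "prod_share": 0.5, "trend": "worsening",
     "severities": {"Critical": 50, "High": 50, "Medium": 100}},
    {"name": "Fabrikam", "non_compliant": 50, "exposed_spend": 10000.0,
     "prod_share": 0.1, "trend": "improving",
     "severities": {"Low": 50}},
    {"name": "Northwind", "non_compliant": 0, "exposed_spend": 0.0,
     "prod_share": 0.0, "trend": "stable", "severities": {}},
]


def average_severity(counts):
    """Mean severity on a 0..1 scale; 0 when there are no findings."""
    total = sum(counts.values())
    if total == 0:
        return 0.0
    return sum(SEVERITY[level] * n for level, n in counts.items()) / total


def exposure_scores(customers):
    """Return {customer: score 0..100}, highest risk first."""
    # Volume and spend are normalised against the worst customer in the
    # portfolio; 'or 1' avoids dividing by zero when nobody has issues.
    max_volume = max((c["non_compliant"] for c in customers), default=0) or 1
    max_spend = max((c["exposed_spend"] for c in customers), default=0) or 1
    scores = {}
    for c in customers:
        parts = {
            "volume": c["non_compliant"] / max_volume,
            "spend": c["exposed_spend"] / max_spend,
            "production": c["prod_share"],
            "severity": average_severity(c["severities"]),
            "trend": TREND[c["trend"]],
        }
        total = sum(WEIGHTS[key] * value for key, value in parts.items())
        scores[c["name"]] = round(100 * total, 2)
    return dict(sorted(scores.items(), key=lambda kv: kv[1], reverse=True))


if __name__ == "__main__":
    for name, score in exposure_scores(PORTFOLIO).items():
        print(f"{name:10s} {score:6.2f}")
```

Because volume and spend are normalised against the worst customer in the portfolio, the same customer scores differently when the peer set changes: with these assumptions Fabrikam moves from 39.5 to 65.75 once Contoso is removed, so scores are comparable within one portfolio view rather than across portfolios.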

Key Concepts

Governance Pillars

Cloud Ctrl classifies every governance finding into one of the Well-Architected Framework pillars:

| Pillar | Description |
| --- | --- |
| Security | Identity, network security, encryption, and access control policies |
| Reliability | Availability, redundancy, backup, and disaster recovery policies |
| Cost Optimisation | Spending efficiency, right-sizing, and resource optimisation policies |
| Operational Excellence | Monitoring, automation, tagging, and operational best practice policies |
| Performance Efficiency | Scaling, compute, caching, and performance-related policies |
| General | Policies that do not map to a specific pillar |

Severity Levels

Governance issues are classified into the following severity levels:

| Severity | Description |
| --- | --- |
| Critical | Issues that pose an immediate and significant risk and should be addressed urgently |
| High | Important issues that should be prioritised for remediation |
| Medium | Issues that should be reviewed and addressed in a timely manner |
| Low | Minor issues or best-practice recommendations with limited immediate impact |

Compliance States

| State | Meaning |
| --- | --- |
| Compliant | The resource meets the policy requirements |
| NonCompliant | The resource violates the policy and action is needed |
| Exempt | The resource is explicitly excluded from the policy via an exemption |

Trend Indicators

Throughout the Governance and Compliance pages, trend indicators show how compliance is changing over time:

| Indicator | Meaning |
| --- | --- |
| ↗ (red) | Worsening — more non-compliant resources compared to the previous collection |
| ↙ (green) | Improving — fewer non-compliant resources compared to the previous collection |
| → (grey) | Stable — no significant change |
| (no arrow) | No Data — insufficient history to calculate a trend (fewer than 2 collection dates) |

Exposed Spend

The monthly cost of non-compliant resources. This is not a fine or penalty — it represents how much of your cloud spend is associated with resources that violate governance policies. Higher exposed spend means more financial risk from non-compliant infrastructure. All spend values are displayed in your tenant's configured display currency.

Recoverable Savings

The estimated monthly savings if you remediate cost-optimisation recommendations. This includes suggestions from Azure Advisor such as shutting down idle virtual machines, right-sizing under-utilised resources, purchasing reserved instances, and removing orphaned resources. Savings are only shown where a credible savings estimate is available from the cloud provider.

Data Sources

Governance compliance data is collected automatically from connected cloud accounts on a daily basis. Currently supported data sources include:

Azure Policy

Compliance states from Azure Policy evaluations across subscriptions. Each policy evaluation result is imported as a governance finding and classified by the AI classifier into the appropriate pillar and severity.

Azure Advisor

Recommendations from all five Azure Advisor categories are imported as governance findings. Advisor categories map directly to Well-Architected Framework pillars:

| Advisor Category | Governance Pillar |
| --- | --- |
| Cost | Cost Optimisation |
| Security | Security |
| High Availability | Reliability |
| Operational Excellence | Operational Excellence |
| Performance | Performance Efficiency |

As Cloud Ctrl evolves, additional data sources from other cloud providers will be integrated into the Governance feature.

How Policy Classification Works

Cloud Ctrl uses AI-assisted classification to automatically map each policy rule to the appropriate Well-Architected Framework pillar (such as Security, Reliability, or Cost Optimisation) and severity level (Critical, High, Medium, or Low). The classification considers the policy name, category, and description to determine the best fit.

In addition to pillar and severity, the AI classifier also generates:

  • Remediation steps — a plain-language explanation of how to address the issue
  • Learn More link — a link to the relevant vendor documentation page

Documentation links are automatically validated to ensure they point to real, accessible pages. Invalid or broken links are discarded.

Azure Advisor recommendations are mapped directly using their built-in category and impact level, which already align closely with the Well-Architected Framework.

If a policy cannot be classified, it is assigned to the General pillar with an Unknown severity and can still be reviewed in the dashboard. Classifications are cached and reused, so policies are only evaluated once.

Frequently Asked Questions

Why don't I see the Governance or Compliance menu items?

The Governance feature must be enabled on your account. If you do not see it in the sidebar, contact your account manager or support to request access.

How often is governance data updated?

Governance compliance data is collected and refreshed daily from your connected cloud accounts. You can also trigger an ad-hoc collection from the Manage → Cloud Accounts page.

Can I export governance data?

Yes, the issue detail tables and dimension breakdowns support CSV export. The customer detail view also includes an Export Service Review option for generating a governance summary report.

What cloud providers are supported?

Governance currently supports Microsoft Azure through Azure Policy and Azure Advisor. Support for additional cloud providers will be added over time. Multi-cloud data can already be viewed using the Cloud Provider built-in dimension.

Why is my compliance percentage low?

A low compliance percentage usually means you have many Azure Policy assignments in scope that resources aren't meeting. Common causes include recently assigned initiatives (e.g. Azure Security Benchmark), resources created without required tags or configurations, and Advisor recommendations that haven't been acted on.

Why do I see "Unknown" in the Environment dimension?

Resources are classified into environments (Production, Staging, Development) based on naming patterns in their resource ID. Resources that don't match any known pattern (e.g. no -prod-, -stg-, -dev- in their name) are classified as "Unknown".

Why is Exposed Spend showing $0?

Exposed spend requires cost data to be available for your resources. If cost data hasn't been imported yet, or if non-compliant resources have no associated cost, the exposed spend will show as $0.

Why don't I see Remediation Guidance for an issue?

Remediation guidance is AI-generated when rules are first imported. It may not be available if the rule was imported before the AI enrichment feature was deployed, the classifier couldn't generate meaningful guidance for that specific rule, or the generated documentation link was invalid and was discarded. Administrators can manually add or update remediation guidance via the admin panel.

Can I exclude resources from compliance tracking?

Yes — use Azure Policy exemptions to exclude specific resources from policy evaluation. Exempted resources appear with an "Exempt" status and contribute to the Exception Coverage metric rather than non-compliance counts.

How is the Exposure Score calculated?

The Exposure Score is a composite metric that combines non-compliant volume (35%), exposed spend (25%), production exposure (20%), severity weighting (15%), and trend direction (5%). See Understanding the Exposure Score for full details.
