Cloud Governance Framework

A practical guide to the five pillars of cloud governance, the controls that underpin each one, and what each pillar costs to operate at different maturity levels.

The five pillars of cloud governance

Identity and access governance

$15,000 - $60,000/yr

Controls who can do what in your cloud environment. Covers IAM policies, just-in-time access, privilege escalation controls, and cross-account role trusts.

  • IAM policy linting and enforcement
  • Privileged access workstations (PAWs)
  • Just-in-time (JIT) access provisioning
  • Service account lifecycle management
  • MFA enforcement across all human identities

CIEM tool + 0.3 to 0.5 FTE IAM engineer
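As an added illustration of the IAM policy linting control listed above (example code written for this page, not from the page itself or any named tool), a small Python linter that flags three patterns a governance team typically codifies: full-admin wildcard grants, privilege-escalation actions allowed on Resource * without a Condition, and policies attached to human identities that lack an aws:MultiFactorAuthPresent condition. The policy documents and the SENSITIVE_ACTIONS set are constructed for the example.

```python
# Constructed sample IAM policy documents (not from any real account).
POLICIES = {
    "admin-wildcard": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
    },
    "deploy-role": {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
             "Resource": "arn:aws:s3:::example-deploy-bucket/*"},
            {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"},
        ],
    },
    "console-user": {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow", "Action": "ec2:*", "Resource": "*",
            "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
        }],
    },
}

# Actions that open privilege-escalation paths when granted unconditionally
# on every resource (constructed, non-exhaustive list for the example).
SENSITIVE_ACTIONS = {"iam:PassRole", "iam:CreatePolicyVersion",
                     "iam:AttachUserPolicy", "sts:AssumeRole"}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def lint_policy(doc, require_mfa=False):
    """Return a list of finding strings for one IAM policy document.
    require_mfa=True for policies attached to human identities."""
    findings = []
    for i, stmt in enumerate(_as_list(doc.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        cond = stmt.get("Condition", {})
        if "*" in actions and "*" in resources:
            findings.append(f"stmt[{i}]: full admin (Action * on Resource *)")
        for a in actions:
            if a in SENSITIVE_ACTIONS and "*" in resources and not cond:
                findings.append(f"stmt[{i}]: {a} on Resource * without Condition")
        mfa = cond.get("Bool", {}).get("aws:MultiFactorAuthPresent")
        if require_mfa and str(mfa).lower() != "true":
            findings.append(f"stmt[{i}]: no aws:MultiFactorAuthPresent condition")
    return findings
```

Run it in CI against policy documents before they are attached; a non-empty finding list fails the pipeline, which is the "enforcement" half of the control.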

Resource and tagging governance

$8,000 - $25,000/yr

Ensures every cloud resource has a defined owner, cost centre, and lifecycle. Prevents resource sprawl and enables accurate chargebacks.

  • Mandatory tagging policies via Service Control Policies or Azure Policy
  • Automated detection of untagged resources
  • Orphaned resource cleanup automation
  • Resource lifecycle policies (auto-shutdown, TTL)
  • Cost allocation tag enforcement

Mostly tooling; low staffing overhead once policies are coded

Security posture governance

$20,000 - $80,000/yr

Continuously validates that cloud configurations match your security baseline. Detects misconfigurations before they become incidents.

  • CSPM continuous configuration scanning
  • CIS benchmark enforcement (AWS, Azure, GCP)
  • Public exposure detection (open S3 buckets, exposed VMs)
  • Encryption at rest and in transit enforcement
  • Security group and firewall rule auditing

CSPM licence + 0.5 to 1 FTE cloud security engineer

Cost governance

$10,000 - $40,000/yr

Prevents cloud budget overruns and right-sizes resource usage. Closely linked to FinOps practices but focused on policy and control rather than just visibility.

  • Budget alerts and hard spending limits
  • Reserved Instance and Savings Plan governance
  • Right-sizing policies and auto-enforcement
  • Spend anomaly detection
  • Showback and chargeback to business units

Cost governance tooling; often shared with FinOps function

Compliance and audit governance

$15,000 - $60,000/yr

Maps technical controls to regulatory requirements and automates evidence collection for audits. Reduces audit prep from weeks to hours.

  • Automated control testing against compliance frameworks
  • Continuous evidence collection (CloudTrail, Config rules, logs)
  • Policy exception management and approval workflows
  • Audit trail immutability (WORM storage, log integrity)
  • Third-party auditor access management

Compliance automation platform + auditor liaison time

Governance maturity model

Your governance cost is largely determined by which maturity level you operate at. Most organizations should target Level 3 within 18 months.

Level 1: Ad hoc

$0 - $5k/yr

No formal governance. Policies exist in documents but are not enforced technically.

Risk: Very high

  • Manual tag reviews
  • Security reviews by ticket
  • No automated controls
  • Compliance by spreadsheet

Level 2: Defined

$20k - $60k/yr

Policies are documented and partially automated. CSPM in place but remediation is manual.

Risk: High

  • Basic CSPM scanning
  • Some SCPs or Azure Policy
  • Quarterly access reviews
  • Manual evidence collection

Level 3: Managed

$80k - $180k/yr

Guardrails enforced automatically. Dedicated governance engineer. Continuous compliance monitoring.

Risk: Moderate

  • Policy-as-code (OPA/Sentinel)
  • Automated remediation for common findings
  • CIEM in place
  • Semi-automated audit evidence

Level 4: Optimized

$180k - $400k+/yr

Self-healing governance. Drift auto-remediated. Governance integrated into developer workflows.

Risk: Low

  • GitOps-driven policy changes
  • Developer self-service with guardrails
  • Real-time compliance dashboard
  • Automated audit package generation

Preventative guardrails vs. detective controls

Preventative guardrails

Block non-compliant actions before they happen. Higher upfront cost to implement correctly but lower ongoing operational cost because issues never reach production.

  • AWS Service Control Policies (SCPs)
  • Azure Policy deny effects
  • OPA/Gatekeeper in Kubernetes
  • Terraform Sentinel policies
  • IAM permission boundaries

Typical implementation cost: $20,000 to $60,000 one-time

Detective controls

Identify issues after they occur and trigger alerts or automated remediation. Easier to implement initially but require an ongoing remediation workflow.

  • AWS Config rules and conformance packs
  • Azure Defender for Cloud alerts
  • CSPM continuous scanning
  • CloudTrail + GuardDuty threat detection
  • Tag compliance reports

Typical annual cost: $15,000 to $50,000 tooling + remediation time
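To make the preventative/detective distinction concrete for the tagging pillar described earlier, an added Python example (written for this page, not code from the page or from AWS): build_tagging_scp emits a Service Control Policy of the kind listed above, using the Null condition on aws:RequestTag/<key>; evaluate_scp models how that guardrail denies an ec2:RunInstances call that omits a required tag, before the resource exists; find_untagged is the detective counterpart, scanning an inventory after the fact the way a Config rule or CSPM scanner would. REQUIRED_TAGS and SAMPLE_INVENTORY are constructed values.

```python
REQUIRED_TAGS = ("Owner", "CostCentre")

def build_tagging_scp(required_tags, action="ec2:RunInstances",
                      resource="arn:aws:ec2:*:*:instance/*"):
    """Build an SCP that denies the action when any required tag is absent.
    One Deny statement per tag, using the Null condition on aws:RequestTag/<key>."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": f"DenyWithout{tag}Tag",
            "Effect": "Deny",
            "Action": action,
            "Resource": resource,
            "Condition": {"Null": {f"aws:RequestTag/{tag}": "true"}},
        } for tag in required_tags],
    }

def evaluate_scp(scp, action, request_tags):
    """Preventative check: return ('deny', sid) for the first matching Deny
    statement, else ('allow', None). Only the Null condition is modelled."""
    for stmt in scp["Statement"]:
        if stmt["Effect"] != "Deny" or stmt["Action"] != action:
            continue
        null_conds = stmt.get("Condition", {}).get("Null", {})
        # Null: "true" matches when the key is absent from the request context.
        for key, want_null in null_conds.items():
            tag_key = key.split("aws:RequestTag/", 1)[1]
            is_null = tag_key not in request_tags
            if (want_null == "true") == is_null:
                return "deny", stmt["Sid"]
    return "allow", None

def find_untagged(inventory, required_tags=REQUIRED_TAGS):
    """Detective check over resources that already exist:
    returns {resource_id: [missing tag keys]} for non-compliant resources."""
    report = {}
    for res in inventory:
        missing = [t for t in required_tags if t not in res.get("tags", {})]
        if missing:
            report[res["id"]] = missing
    return report

# Constructed sample inventory (not from a real account).
SAMPLE_INVENTORY = [
    {"id": "i-0aaa", "tags": {"Owner": "platform", "CostCentre": "CC-100"}},
    {"id": "i-0bbb", "tags": {"Owner": "data"}},
    {"id": "i-0ccc", "tags": {}},
]
```

The two untagged instances in SAMPLE_INVENTORY are exactly what the preventative SCP would have stopped at creation time; the detective report exists to catch resources created before the guardrail, or through paths it does not cover.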

Estimate your governance cost

Use the calculator on the home page to get a customized cost estimate based on your account count, team size, and compliance requirements.