Domain 4 · Manage the FinOps Practice
Policy in the tool, not in a PDF.
Cloud Policy and Governance is the FinOps Framework's bridge between business intent and cloud spend. CloudMonitor stores policy as code, logs every evaluation, and enforces RBAC across cost groups — the Run-phase target is self-enforcing policy, not a quarterly compliance review.
The problem
Policy nobody can find or enforce.
Policy in a PDF.
Tagging standard, naming convention, sizing rules — all in a SharePoint deck. The engineers it applies to never read it.
No audit trail.
When a policy was applied, who changed it, what slipped through — nothing is logged in one place. Audit becomes a treasure hunt.
Bypassed by engineering.
The fast path to delivery skips the central controls. The team apologises afterwards if anyone notices.
How CloudMonitor answers
Policy that runs itself.
Policy as code.
Rules expressed as code, version-controlled, evaluated nightly. Change-managed like any other production artefact.
Full audit log.
Every policy evaluation, change, exception, and override logged. Audit becomes a query, not a project.
RBAC across cost groups.
Permissions scoped to the cost-group tree. BU champions own their slice; the centre keeps oversight without micromanaging.
Self-enforcing — Run phase.
Violations auto-route to the owner with a remediation suggestion. The Run-phase target — policy that closes itself out — becomes operational.
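As an added illustration (not CloudMonitor's own code), a minimal policy-as-code evaluator for a constructed tagging standard: each nightly evaluation produces an audit record whether it passes or fails, and a violation is routed, with a remediation suggestion, to the nearest owner in a constructed cost-group tree.

```python
# Added example, not CloudMonitor code. The tagging standard, cost-group
# tree, owners and resources below are all constructed for illustration.
from datetime import datetime, timezone

# Constructed cost-group tree: child group -> parent group.
COST_GROUP_PARENT = {"bu-retail/web": "bu-retail", "bu-retail": "root"}
# Constructed owners: not every group has a direct owner; the walk goes up.
COST_GROUP_OWNER = {"bu-retail": "retail-champion@example.test",
                    "root": "finops@example.test"}
REQUIRED_TAGS = ("cost-group", "owner", "env")  # constructed tagging standard


def owner_for(cost_group: str) -> str:
    """Walk up the cost-group tree to the first group with an assigned owner.
    Unknown groups fall back to root so a violation is never left unrouted."""
    group = cost_group
    for _ in range(32):  # bound the walk in case the tree data has a cycle
        if group in COST_GROUP_OWNER:
            return COST_GROUP_OWNER[group]
        group = COST_GROUP_PARENT.get(group, "root")
    return COST_GROUP_OWNER["root"]


def evaluate_tagging(resource: dict) -> dict:
    """One policy evaluation. Returns an audit record rather than a bare
    boolean, so passes and failures alike are logged and later queryable."""
    tags = resource.get("tags", {})
    missing = [t for t in REQUIRED_TAGS if t not in tags]
    record = {
        "policy": "required-tags/v1",
        "resource": resource["id"],
        "evaluated_at": datetime.now(timezone.utc).isoformat(),
        "result": "violation" if missing else "pass",
        "missing": missing,
    }
    if missing:
        # Route to the owner of the tagged cost group; if even that tag is
        # absent, the violation lands with the central FinOps team at root.
        record["route_to"] = owner_for(tags.get("cost-group", "root"))
        record["remediation"] = f"add tags {missing} to {resource['id']}"
    return record


def nightly_run(resources: list[dict]) -> list[dict]:
    """Evaluate every resource; the returned list is the night's audit log."""
    return [evaluate_tagging(r) for r in resources]
```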
Outcomes
Governance that survives audit.
As-code: Version-controlled, change-managed
RBAC: Scoped to cost groups
Run: Self-enforcing policy as target
See policy-as-code with a live audit trail.
The demo tenant ships a policy set, a violation, and an auto-routed remediation.