4 Governance, Compliance, and Trust
This chapter covers
- Changing how we create Governance, Compliance, and Trust
- Separating compliance work from compliance verification
- Using architecture to make trust easier to maintain
- Making the platform user identity flexible
One of the assumptions we often see organizations make is that they can be successful at platform engineering without changing how they think about governance, compliance, and other forms of internal trust. They assume that underlying all the talk about platforms, there is just a new tool to buy and a one-time project to fund, all of which can be implemented through the existing organizational structures and leaders.
The reality is quite different. It is those very structures and leaders that brought about the existing situation. Unless the company is a startup, the engineering culture, with its priorities and decision-making incentives, is so established that it has likely survived multiple leadership and directional changes at many levels. Change will not come easily, and it won’t happen by default. Governance and compliance cover a wide range of topics. Collectively, they tie for, if not hold, the lead among all the causes of the engineering friction that an engineering platform seeks to change.
Delivering software requires adherence to the domains of compliance, audit, security, and data. Teams like Infosec, Security, Legal, and Governance are not going to disappear.
Each of them has different requirements.