David

You Can’t Govern What You Can’t Explain on a Napkin

Originally published on Azure-Noob:

https://azure-noob.com/blog/azure-governance-napkin-test/

Every platform team eventually gets asked the same question:

“Why does cloud cost this much?”

If your answer starts with “let me pull a dashboard”, you’ve already lost.

The CFO walks into your office with a printout.

“Why did Azure cost $2.3M this quarter?”

You have:

  • Azure Policy enforcing compliance
  • A Landing Zone with perfect architecture
  • Tags on every resource
  • Workbooks showing metrics
  • Dashboards with pretty graphs

But you can’t answer the question.

Not in 30 seconds.

Not on a whiteboard.

Not on a napkin.

This is the governance failure no one talks about.


The Problem: Tools Enforce Rules, Not Understanding

Every enterprise Azure environment has the same stack:

Layer 1: Azure Policy

  • SKU restrictions
  • Required tags
  • Security baselines
  • Audit findings

Layer 2: Landing Zones

  • Management groups
  • Subscription design
  • Network topology
  • Identity hierarchy

Layer 3: Tagging Standards

  • CostCenter
  • Owner
  • Environment
  • Application

Layer 4: Reporting Tools

  • Azure Monitor Workbooks
  • Power BI dashboards
  • Cost Management exports
  • Custom queries

This stack gives you:

  • ✅ Compliance
  • ✅ Security controls
  • ✅ Resource inventory
  • ✅ Cost visibility

But it doesn’t give you:

  • Defensibility

And there’s a critical difference.


Compliance ≠ Defensibility

Compliance means:

“Our resources follow the rules we wrote.”

Defensibility means:

“I can explain why this costs what it costs — and justify it to someone who doesn’t trust me.”

Compliant Azure bill:

“All resources are tagged correctly. Policy enforced. Landing Zone followed. Here’s the report.”

Defensible Azure bill:

“Application X costs $180K/month because it serves 2,400 users across 12 regions with 99.95% SLA requirements. Storage is $40K due to 7-year retention for SOX compliance. Network is $25K for dual ExpressRoute. Compute scales between $95K–$140K based on usage.”

The first answer is compliant.

The second answer is defensible.

And most Azure environments can only produce the first one.


The Napkin Test

Can you explain your Azure costs on a napkin?

Not “here’s a dashboard.”

Not “let me pull a report.”

Right now. On a napkin. In 60 seconds.

Try this:

  1. Draw three boxes: Production, Staging, Development
  2. Write the monthly cost in each box
  3. Break Production into: Apps, Data, Network, Security
  4. For the largest app: What does it do? How many users? What’s the SLA?

If you can’t do this without looking anything up:

Your governance isn’t working.

It doesn’t matter how good your policies are.

It doesn’t matter how clean your Landing Zone is.

It doesn’t matter how consistent your tags are.

If the person responsible can’t explain it simply, it’s not governed — it’s just compliant.


Why Tools Fail the Napkin Test

Tags Report Facts, Not Meaning

Tags tell you:

  • CostCenter: 4200
  • Environment: Production
  • Owner: John Smith
  • Application: CustomerPortal

They don’t tell you:

  • Why does it cost $340K/month?
  • Is that reasonable?
  • What breaks if we cut 30%?
  • Which business capability disappears?

Tags group resources.

They don’t create understanding.


Landing Zones Organize, They Don’t Explain

Landing Zones give you beautiful structure.

They don’t explain:

  • Why one subscription costs 3× another
  • Which decisions drove last month’s increase
  • What trade-offs were made
  • What the ROI actually is

Structure without narrative isn’t governance.

It’s just organized chaos.


Policy Audits the Past, Not the Future

Azure Policy tells you what’s non-compliant.

It doesn’t tell you:

  • Whether the resource should exist
  • What business problem it solves
  • What happens if you remove it
  • Whether the rule still makes sense

Policy enforces rules you already wrote.

It doesn’t tell you if they were good rules.


Dashboards Show Data, Not Decisions

Dashboards show what happened.

Leadership asks:

“Why did costs go up?”

You click through visuals.

They ask:

“What decision caused this?”

Your dashboard has no answer.

Because dashboards don’t explain why

or whether it should have happened at all.


What Defensibility Actually Requires

Defensible cloud costs have:

  • Business context per dollar
  • Decision history
  • Trade-off awareness
  • Clear owner accountability

Not:

  • More dashboards
  • More tags
  • More policies

But clear narratives that survive CFO scrutiny.


The Hard Truth

You can’t govern what you can’t explain.

And if you can’t explain it on a napkin —

in 60 seconds,

in business terms,

to someone who doesn’t trust you —

you don’t understand it well enough to govern it.

Until then, governance isn’t governance.

It’s just expensive infrastructure with extra steps.
