
Governance Model Keeps Azure in Check

Azure governance model is IT management's playbook for multi-vendor environments

When we wrote about Azure cloud governance in April 2024, the fundamentals were already in place: a multi-vendor environment, division of responsibilities, cost management, and security. Two years later, the same topics remain central, but the game has changed. NIS2 has entered into force in Finland and affects a surprisingly broad range of organizations. Cloud bills are now reviewed at the CFO’s desk as well, and “cloud is flexible” is no longer a sufficient answer. In this updated article, Above IT consigliere Juha Kari examines what a sensible Azure governance model looks like in 2026.

Multi-Vendor Environment Remains Azure's Reality

For the majority of organizations, Azure is a multi-vendor environment. IT management handles the core components, one partner provides Data Warehouse services, another runs the integration platform, a third is responsible for identities and manages Modern Workplace services. The mix includes application vendors whose solutions were migrated to Azure at some point, and no one quite remembers why.

This is a typical starting point, and it is not a problem in itself. It becomes a problem when no one has documented how all these actors operate together in the environment. A governance model is a shared playbook that can be referenced when a new partner joins. Without it, the environment easily drifts into a state where, after a few years, no one dares to touch anything.

Responsibility Still Rests with the Owner

Azure subscriptions are in your IT management’s name, the bill comes to you, and security responsibility is yours. Even if a partner creates a resource, ultimate responsibility for its existence and cost rests with you. My five-star tip for every organization using Azure: set budgets on your Azure subscriptions. It is a fundamental practice for preventing budget overruns.

A good partner asks for guidelines and follows them, but they need guidelines to follow. If there is no governance model, the partner operates according to their best judgment. This is usually sensible, but when the same situation repeats with three different partners, the environment ends up with three different ways of doing the same thing. IT management’s role is to provide the framework, and the governance model provides a common vocabulary for that.

What the Governance Model Includes in 2026

The technical framework has not changed much in a couple of years. The governance model typically describes the management group structure and subscription organization, network architecture, RBAC roles and their assignment principles, Azure Policies that guide resource creation and configurations, naming and tagging conventions, backups and continuity, the technical foundation of security, and the division of responsibilities between IT management, partners, and internal teams. Microsoft’s own Cloud Adoption Framework provides a good reference framework for this, but a pure template is not sufficient for anyone’s use as-is.

The year 2026 has brought more of a shift in emphasis. The importance of security has increased with NIS2, and cost management has become a more concrete requirement. I will examine these two topics in more detail next.

FinOps in Azure: Cost Management

Cloud was once sold as flexible and affordable. The flexibility is real, but the affordability only materializes if someone actually manages costs. If no one does, the bill grows quietly until someone asks questions for which there are no good answers.

The FinOps section of the governance model answers three questions. Where the money goes is a tagging question: if resources are not tagged at least with owner, cost center, and environment identifier, cost reporting will not work credibly for the business. Whether the money is spent sensibly is a review question: all Azure environments have test machines left running, oversized SKUs, outdated snapshots, and disks whose virtual machines have been deleted. Cleaning these up is often an annual saving of tens of thousands of euros in a medium-sized environment. And cost forecasting is a question of Reservations and Savings Plans, which can significantly reduce the price of stable workloads when usage can be predicted.
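The tagging and cleanup review described above can be run against an exported resource inventory. The following is an added example, not part of the original article or of Above IT's framework; the tag keys `owner`, `costcenter` and `environment`, the resource names and the sample records (shaped like `az resource list -o json` output) are assumptions constructed for illustration.

```python
import json
from collections import defaultdict

# Assumed tag keys for the article's minimum: owner, cost center, environment.
REQUIRED_TAGS = ("owner", "costcenter", "environment")
VM_ID = ("/subscriptions/00000000-0000-0000-0000-000000000001/resourceGroups/rg-dwh-prod"
         "/providers/Microsoft.Compute/virtualMachines/vm-dwh-prod-01")

# Constructed inventory shaped like `az resource list -o json` output.
RESOURCES_JSON = """[
 {"name": "vm-dwh-prod-01", "type": "Microsoft.Compute/virtualMachines", "resourceGroup": "rg-dwh-prod",
  "managedBy": null, "tags": {"Owner": "data-team", "CostCenter": "4100", "Environment": "prod"}},
 {"name": "disk-dwh-prod-01-os", "type": "Microsoft.Compute/disks", "resourceGroup": "rg-dwh-prod",
  "managedBy": "%s", "tags": {"owner": "data-team", "costcenter": "4100", "environment": "prod"}},
 {"name": "vm-int-test-07", "type": "Microsoft.Compute/virtualMachines", "resourceGroup": "rg-int-test",
  "managedBy": null, "tags": {"owner": "", "environment": "test"}},
 {"name": "disk-int-test-03-os", "type": "Microsoft.Compute/disks", "resourceGroup": "rg-int-test",
  "managedBy": null, "tags": {"owner": "int-team", "costcenter": "4200", "environment": "test"}},
 {"name": "stlegacyapp", "type": "Microsoft.Storage/storageAccounts", "resourceGroup": "rg-legacy",
  "managedBy": null, "tags": null}
]""" % VM_ID

def missing_tags(resource):
    """Return required tag keys that are absent or blank (keys compared case-insensitively)."""
    tags = {k.lower(): (v or "").strip() for k, v in (resource.get("tags") or {}).items()}
    return [t for t in REQUIRED_TAGS if not tags.get(t)]

def audit(resources):
    """Group tag gaps by resource group and list disks that no VM is attached to."""
    gaps = defaultdict(dict)
    orphan_disks = []
    for r in resources:
        miss = missing_tags(r)
        if miss:
            gaps[r["resourceGroup"]][r["name"]] = miss
        if r["type"].lower() == "microsoft.compute/disks" and not r.get("managedBy"):
            orphan_disks.append(r["name"])
    return dict(gaps), orphan_disks

if __name__ == "__main__":
    tag_gaps, orphans = audit(json.loads(RESOURCES_JSON))
    for rg, items in tag_gaps.items():
        for name, miss in items.items():
            print(f"{rg}/{name}: missing {', '.join(miss)}")
    print("Unattached disks:", ", ".join(orphans))
```

Grouping the gaps by resource group makes it easy to send each finding to the partner or team responsible for that group.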

A useful detail: FinOps is not just an IT matter. In a good governance model, costs are allocated to the business so that each unit sees its share of the cloud bill. When the cloud bill is on your own budget line, behavior takes on a completely different discipline.

NIS2 and Azure Governance Model: Division of Responsibilities in Order

The NIS2 Directive entered Finnish national legislation as the Cybersecurity Act in April 2025. It affects a significantly broader range of organizations than many yet understand. The obligations are proportionate to the organization’s size and criticality, but something is required of all entities within the directive’s scope.

From the Azure governance model perspective, NIS2 brings three practical requirements. Supply chain management means you must know who handles your data and with what permissions. If five different partners have Owner roles that were granted a couple of years ago, the starting point is not good. Incident management and reporting means that logging, alerts, and response processes must be in order, because significant incidents must be reported to authorities within specified timeframes. And management responsibility means that the governance model should not be merely a technical document but should also include an executive-level summary of how cloud environment risks are managed.

For auditors, it is rarely sufficient to say that the matter is handled. You must be able to show them documentation.
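One way to turn the Owner-role concern above into evidence an auditor can read is to review an export of role assignments. This is an added example, not part of the original article; the 365-day review interval, the principal names and the sample records (shaped like `az role assignment list --all -o json` output) are assumptions constructed for illustration.

```python
import json
from datetime import datetime, timezone

HIGH_PRIVILEGE_ROLES = {"Owner"}  # the role the article singles out
MAX_AGE_DAYS = 365                # assumed review interval, not from the article

# Constructed sample shaped like `az role assignment list --all -o json` output.
ASSIGNMENTS_JSON = """[
 {"principalName": "consultant_partner-a.example#EXT#@contoso.onmicrosoft.com", "principalType": "User",
  "roleDefinitionName": "Owner", "createdOn": "2023-02-14T00:00:00+00:00",
  "scope": "/subscriptions/00000000-0000-0000-0000-000000000001"},
 {"principalName": "sp-integration-partner", "principalType": "ServicePrincipal",
  "roleDefinitionName": "Owner", "createdOn": "2024-06-01T00:00:00+00:00",
  "scope": "/subscriptions/00000000-0000-0000-0000-000000000001/resourceGroups/rg-int-prod"},
 {"principalName": "grp-it-admins", "principalType": "Group",
  "roleDefinitionName": "Owner", "createdOn": "2025-11-03T00:00:00+00:00",
  "scope": "/providers/Microsoft.Management/managementGroups/mg-platform"},
 {"principalName": "dwh_partner-b.example#EXT#@contoso.onmicrosoft.com", "principalType": "User",
  "roleDefinitionName": "Contributor", "createdOn": "2022-09-20T00:00:00+00:00",
  "scope": "/subscriptions/00000000-0000-0000-0000-000000000001/resourceGroups/rg-dwh-prod"}
]"""

def scope_level(scope):
    """Classify how broad an assignment is from its ARM scope string."""
    s = scope.lower().rstrip("/")
    if "/managementgroups/" in s:
        return "management group"
    if "/resourcegroups/" not in s:
        return "subscription"
    return "resource group" if s.count("/") == 4 else "resource"

def stale_owner_assignments(assignments, now):
    """Return Owner assignments older than MAX_AGE_DAYS, oldest first."""
    findings = []
    for a in assignments:
        if a["roleDefinitionName"] not in HIGH_PRIVILEGE_ROLES:
            continue
        age = (now - datetime.fromisoformat(a["createdOn"])).days
        if age > MAX_AGE_DAYS:
            findings.append({
                "principal": a["principalName"],
                "type": a["principalType"],
                "guest": "#EXT#" in a["principalName"],  # Entra ID guest UPN marker
                "scope_level": scope_level(a["scope"]),
                "age_days": age,
            })
    return sorted(findings, key=lambda f: f["age_days"], reverse=True)

if __name__ == "__main__":
    for f in stale_owner_assignments(json.loads(ASSIGNMENTS_JSON), datetime.now(timezone.utc)):
        print(f)
```

Assignment age is only a proxy for "never reviewed"; the export does not record when an assignment was last confirmed, so that date has to come from the governance model's own review log.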

Where to Start with Azure Governance Model

The answer is the same as it was two years ago. Do not try to create a perfect 50-page document all at once. It takes months, no one has the patience to read it, and a year later it is already outdated.

A good starting point is 10 pages, not 50. It describes the subscription structure, RBAC principles, tagging policy, cost monitoring rhythm, minimum security level, and responsibility matrix for the most important areas. This is expanded as needs become clearer. Equally important is that someone is responsible for maintaining the model and that management is committed to it. A governance model without top-level approval is just a recommendation, which is difficult to enforce with a partner.

Managed Cloud as a Service

Over the years, we have built our own ready-made governance model framework, which we use as a foundation with all our managed cloud customers. It is customized to each organization’s needs, but the core remains the same. During implementation, we define responsibilities together, deploy technical policies to the environment, and then support your IT management and partners in daily operations.

If you would like to discuss how your governance model should be built or updated, book a 15-minute conversation in my calendar, and we can get started!


As your IT management’s trusted advisor, our role is to ensure that your Azure environment operates for your and your partners’ needs at reasonable costs and with sustainable security. By working together, we can achieve this.
