I think of this governance stuff as guidance for devs and other humans that direct them toward the correct and expected practices that you can then “enforce” or “verify” in code. Where it gets tricky is when you’ve got stuff that needs “governance” that can’t be enforced in code, or codified into a CI/CD pipeline for some reason. For me, the canonical example of this is the focus of my job — accessibility. There are accessibility auditing tools that can run automatic scans as part of a build and deploy pipeline, but they’re not really all that good. There are a bunch of accessibility rules that are codified into literal laws. So, governance says “do the things the law tells you to” so now you’ve got a 3rd category, somewhere between • governance • programmatic gate keeping There is now also “guidance.” Guidance, in my meaning here, is the worst kind of (read perhaps as “most difficult to verify?”) governance because it relates to code practices that are critical but potentially reliant on individual implementations and are difficult to verify…

Also, this is, from my understanding what lead to the invention of SAFe Agile…so, um…beware, for here be seriously asinine management practices ⚠️ ⚠️ ⚠️

Your insight about the drive to centralize I think is correct. The oldest platform governance structures I’ve seen or had to interface with, the ones that I’d say were “successful” in their goals were all centralized, and had a clear group or person, acting as the authority…a governance group that had a governance process to gate keep what was in and out. This leads to consistency at the coast cost of speed. It also centralizes failure to a single authorities group in some cases.

But if I told you that the people I'm talking with in the "data governance" seemed like they had a clear idea of what their job was, I would be lying. So it may be a "literally no one knows" sorry of situation.

I think I'm slowly starting to hone in on what's important for me, here... The thing that the tool I am working on offers is an easier and more verifiable symmetry between written rules and their encoded equivalent. That tends to be most useful when following the rules is very important, but the requirements and text of the rule are not under your control, and the rules are complicated, and demonstrating adherence to them in automated systems is important. In data governance, with the exception of things like GDPR, you usually have control over the rules. If they are hard to implement, you can rewrite them. So I'm curious whether there is a pain point in data governance around automating and demonstrating compliance with written rules, in the terms of those written rules. For instance, if it was possible to run something in CI/CD that would take test inputs and outputs, detect data policy violations, and flag them with a link to the written policy they violate... is that anything? Does that make anyone's life better? Or is that like a hat on a hat?

This reminded me of: https://homepages.inf.ed.ac.uk/wadler/realworld/lexifi.html

not sure if thats relevant

My entry in the space is Blawx, which is currently still more prototype than product. I am currently hosted inside a department of the Canadian federal government that is trying to find an in-house demonstration use-case, and data governance is the most promising current proposal (of about 4 options). Just trying to understand whether there is a problem/tool fit, or not.

I have a meeting with the CDO later this week, trying to understand more before I get there.

Appreciate all the help!

If you are right, and the purchaser is the innovator, then I need to talk to people who are building software or dealing specifically with software compliance testing in heavily regulated enterprise environments. Or something? :)