This control plane turns Azure landing-zone snapshots into one platform-governance surface: missing policy assignments, owner-role drift, public ingress, Defender coverage, diagnostic gaps, stale baselines, and the remediation packets needed before audit or rollout windows drift.
| Lane | Owner | Focus | Status | Findings | Next action |
|---|---|---|---|---|---|
| Policy guardrail lane: Management-group inheritance drift is weakening the Azure baseline. | Cloud Governance | Deny assignments and landing-zone inheritance | red | 1 | Restore required deny assignments and re-run baseline capture. |
| Identity lane: Direct user owner drift is live in the production zone. | Azure IAM | Owner role assignments and PIM hygiene | red | 1 | Revoke direct owner grant and force role path back through PIM groups. |
| Network perimeter lane: Public ingress and hub-spoke bypass both need cleanup. | Network Security | NSGs, UDRs, and firewall path integrity | red | 3 | Close open ingress and restore firewall transit routes. |
| Observability lane: Key telemetry coverage and snapshot cadence have drifted. | Platform Reliability | Diagnostics, logs, and stale baseline freshness | yellow | 5 | Restore diagnostics and refresh stale zone baselines. |