top of page

AI Governance Is a Landing Zone Problem, Not a Model Problem

  • peterrivera813
  • 5 days ago
  • 6 min read

When most organizations start talking about AI governance, the conversation gravitates almost immediately toward the model. Which foundation model are we allowed to use? What prompt filters are in place? How do we stop the thing from hallucinating or leaking training data? These are real questions, and they matter. But they are also the wrong place to start, because they treat governance as something you configure at the point of inference rather than something you architect into the platform underneath it.

If you have spent any time building Azure Landing Zones, this framing should feel familiar. We learned the same lesson years ago with general cloud governance: you do not secure a thousand workloads by inspecting each one after it ships. You establish a platform baseline management group policy, network topology, identity boundaries, encryption defaults — and you let workloads inherit safety by construction. AI is no different. The governance that actually holds up at enterprise scale is the governance you bake into the landing zone, not the guardrails you bolt onto individual models after the fact.



Why the model-first instinct fails


The model-first approach feels intuitive because the model is the visible, novel part of the system. It is where the risk feels concentrated. But governing at the model layer alone has a structural problem: it does not scale, and it does not compose.


Consider what happens in a real enterprise as AI adoption spreads:

  • Every team makes its own decisions. One business unit stands up an Azure AI Foundry account with public network access enabled. Another wires a Copilot into a line-of-business app using an SDK that talks directly to an endpoint. A third experiments in a sandbox that quietly becomes production. Each of these is a separate model-layer decision, and none of them inherits anything from the others.

  • Governance drifts the moment it is manual. If encryption, private networking, and logging are set per-workload by whoever happens to be deploying that day, you will have inconsistency across your estate within a quarter. Not because anyone is careless, but because manual decisions always diverge.

  • The controls you care about most live below the model. Data residency, encryption with customer-managed keys, private connectivity, identity scoping, and audit logging are not model behaviors. They are platform properties. You cannot configure your way to them from inside a prompt.


The result is a familiar anti-pattern: an organization with a sophisticated content-filtering policy on one endpoint and a completely ungoverned model deployment two subscriptions over. The model-layer control was real, but it governed a fraction of the actual surface area.


What "landing zone problem" actually means


Reframing AI governance as a landing zone problem means moving the enforcement point from the model to the platform. It means treating an AI workload the same way you treat any other regulated workload in your Azure estate — subject to the same inherited controls, deployed through the same vending process, observable through the same telemetry pipeline.


This shifts governance onto familiar territory, the same platform mechanics Azure architects already use to govern the rest of the estate:

  • Management group hierarchy. Where AI accounts sit in your management group tree determines what policy they inherit. A deny-public-network-access policy assigned at the right tier governs every Foundry account beneath it, forever, without anyone remembering to check a box.

  • Subscription vending. If your platform vends AI subscriptions the way it vends any other landing zone, then private DNS links, customer-managed-key wiring, diagnostic settings, and allowed-model policy are stamped in on day zero — not retrofitted after an audit finding.

  • Network topology. Private endpoints, private DNS zones, and hub-and-spoke integration decide whether public inference is even possible. This is a network architecture decision, not a model setting.

  • Identity and RBAC. Managed identities, scoped role assignments, and the blast radius of an agent acting on a user's behalf are identity-plane concerns. They belong in your platform baseline, not in application code.

  • Encryption and key management. Customer-managed keys for Foundry and Cognitive Services must be set at resource creation. This is precisely the kind of irreversible, day-zero decision that landing zones exist to enforce, because you cannot cleanly retrofit it later.

None of these are novel AI capabilities. They are the same primitives you already use to govern the rest of your estate. That is the point. AI governance is not a new discipline bolted onto your platform. It is your existing platform discipline extended to a new class of workload.


Drawing the line: what the landing zone can and cannot govern


It is worth being honest about the boundary, because overselling the landing zone is its own failure mode. The platform governs the perimeter of an AI workload extremely well. It does not govern the behavior of the model at all.

The landing zone can enforce:

  • Which models are allowed to be deployed, and in which regions

  • Whether a workload can reach the public internet or is confined to private networking

  • Who and what can authenticate to the model, and with what permissions

  • Whether inference traffic, access events, and metrics are logged and routed to your SIEM

  • Whether data at rest is encrypted with keys you control

The landing zone cannot enforce:

  • What a model actually outputs in response to a given prompt

  • Whether a response is accurate, biased, or harmful

  • Whether a user pastes sensitive data into a prompt

  • The quality or safety of the model's reasoning


That second category is real, and it needs its own controls such as Azure AI Content Safety, evaluation pipelines, application-layer input handling, and human review where the stakes justify it. But notice the clean division of labor. Behavioral risk is an application and model-layer problem. Everything else, the part that determines your regulatory exposure, your data protection posture, and your audit story is a landing zone problem. Confusing the two is how organizations end up trying to solve encryption gaps with prompt engineering.


Why this matters now




None of this is theoretical, and the timing is not incidental. A few forces are converging that make platform-level AI governance urgent rather than aspirational:

  • AI adoption is decentralizing fast. The interesting AI work is no longer confined to a central data science team you can govern by conversation. It is spreading into every business unit, every app team, every sandbox. Decentralized adoption without a platform baseline is exactly the condition under which governance drift becomes ungovernable.

  • The regulatory surface is hardening. Whether it is the EU AI Act, sector-specific requirements in financial services and healthcare, or internal risk frameworks, auditors are beginning to ask for evidence — inference logs, model provenance, data residency proof, access reviews. That evidence comes from platform telemetry, not from a model's configuration screen. If your AI workloads were not vended with diagnostics wired in, you cannot produce it.

  • Agents raise the stakes. As workloads move from single-shot inference to autonomous agents that call tools, invoke other agents, and take actions, the blast radius of a governance gap expands dramatically. An ungoverned agent is not just a data leak risk; it is an actor in your environment. Scoping its identity, its network egress, and its permissions is again, a landing zone concern.

  • Retrofitting is expensive and sometimes impossible. Some of the most important controls, customer-managed keys chief among them, cannot be added after the fact without redeployment. Every AI account you stand up today without a platform baseline is technical and compliance debt you will pay down later at a premium.

The common thread is that the AI-specific risks everyone worries about; leakage, misuse, non-compliance, runaway agents are contained far more effectively by platform architecture than by model configuration. The model is where the intelligence lives. The landing zone is where the governance lives.


The takeaway


If you are the person responsible for how AI lands in your Azure estate, the most useful thing you can do is resist the pull toward model-first thinking and instead ask the platform questions first:

  • Where do AI accounts sit in my management group hierarchy, and what do they inherit?

  • Does my subscription vending process stamp in private networking, CMK, and diagnostics on day zero?

  • Can an AI workload reach the public internet, and did I decide that deliberately?

  • Is every inference event landing in a log I can hand to an auditor?

  • Which of my governance concerns are platform problems, and which genuinely need model-layer controls?

Answer those, and the model-layer questions become far easier because now they are being asked inside a governed perimeter rather than in a vacuum. Get the landing zone right, and governance becomes a property your AI workloads inherit rather than a battle you fight one model at a time. That is the shift: from governing models to governing the platform they live on. The organizations that internalize this early will spend the next few years extending a discipline they already have. The ones that don't will spend those years bolting guardrails onto a sprawl they can no longer see.

 
 
 

Comments


bottom of page