Skip to main content

Governance Rules

Layer: enterprise architecture standards

These rules prevent observability sprawl: dashboards nobody trusts, alerts nobody owns, and telemetry nobody can use in audit.

The rules

#RuleEnforcement
1Every service emits structured logs (JSON or equivalent)CI schema check, onboarding checklist
2Every request carries a correlation IDGateway policy, integration tests
3Every business KPI maps to system signalsJourney map review
4Every alert has an owner and runbookAlert registry, paging policy
5Every dashboard answers a decision questionArchitecture review
6No telemetry without purposeRetention and cost review

Structured logging standard

FieldRequiredNotes
timestampYesUTC
levelYeserror, warn, info
service.nameYesCatalog name
correlation_idYesTrace join
messageYesHuman-readable
error.typeOn errorsStable taxonomy

Do not log secrets, full PAN, or raw prompts in operational tiers.

Alert registry

ColumnPurpose
Alert nameUnique ID
Owner teamPager destination
Runbook URLFirst action
Business KPIWhat customer outcome this protects
SeverityP1–P4 with customer impact definition

Dashboard review questions

Before publishing a new dashboard:

  1. Who makes decisions from this view?
  2. What action follows a red panel?
  3. Which SLO or KPI does it support?
  4. Can it be replaced by an existing canonical view?

Regulated-enterprise additions

RuleRationale
Redaction at collectorPII and prompts never land in wrong tier
Immutable audit tierVerdict and outcome chains for examiners
Retention documented per signalLegal hold and erasure policies
Access controls per consumerOps vs audit vs product analytics

Release gate

  • Logging standard published and linted in CI where possible
  • Alert registry covers all production pages
  • No orphan dashboards on official landing pages
  • KPI → signal mapping reviewed quarterly