After deploying cloud systems without cloud governance, many enterprises now understand why they should have implemented governance in the first place. Bad things happen, such as million-dollar cloud bills resulting from resources that are overprovisioned without limits or restrictions. Other items that need governance are service/API usage and databases, as well as a good interworking with a solid security approach and technology.
However, IT pros who have learned why cloud governance is a must typically believe it's merely an infrastructure play. Why? Because most governance systems work at the cloud infrastructure levels, so enterprises take their cues from that example and only deploy governance there.
The fact is, governance should exist at all levels, including on the physical infrastructure (typically run by the public cloud provider), the virtualized cloud services (such as storage, compute, and databases), and the application.
Wait -- applications? Yes, applications.
Governance at the app level is a new and scary concept for cloud developers and admins. Although storage, compute, and even databases have common and consistent patterns of use, applications all behave differently. However, if applications are not governed as well as -- or better than -- the cloud infrastructure that they run on, you take the risk that the apps will be used in incorrect and possibly harmful ways.
For example, apps that provide application services need to place policies on how outside consumers (whether people or systems) use those services. Moreover, the applications must be versioned. Their dependencies must also be tracked, including bindings to cloud infrastructure services, as well as other noncloud services that may be critical to the application. As these things change, the impact on the app must be quickly understood, and governance systems require the mechanisms to do the math.
Applications aren't easy to govern due to their lack of consistency. But you have no choice if you are to reduce the cost of risk. As applications migrate to the cloud, you have more governance work to do than you probably thought. Sorry, but it's true.