Luke Whitestone

Framework

Auditability before enforceability

Scaffold post. This file exists to demonstrate the writing collection, the prose styling, and the type badge. Replace it with the real thing — or delete it and copy its frontmatter as a template.

A control you can’t observe is a control you can’t trust. Before you make a policy deny, make it audit — emit the signal, watch what it would have blocked, and only then turn the key. The order matters because enforceability without auditability fails silently: you ship a gate, something legitimate trips it, and the only evidence is a developer working around you.

The general shape

  1. Observe. The control reports what it sees, changes nothing.
  2. Reconcile. You read the signal against reality and tune the rule.
  3. Enforce. Only now does the path of least resistance become the compliant one.

This generalizes well beyond Azure Policy — it’s the same argument for shadow mode on a CI gate, or Audit before Deny on an admission webhook.
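The three steps as a small shadow-mode CI gate, added here as an illustration and not code from the original post. It assumes a constructed rule (container images must be pinned to a digest), constructed sample events, and that the reconcile step is a human handing back a list of prefixes they judged legitimate after reading the audit signal.

```python
import re
from dataclasses import dataclass, field

# Constructed sample data: image references a pipeline would try to deploy.
SAMPLE_EVENTS = [
    "registry.example/app@sha256:" + "0123456789abcdef" * 4,  # pinned
    "registry.example/app:latest",
    "localhost:5000/dev-tool:1.2",       # legitimate local dev image
    "registry.example/db:14",
]

DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")


@dataclass
class Decision:
    subject: str
    violates: bool   # the rule fired
    blocked: bool    # the rule fired AND the gate is enforcing


@dataclass
class Gate:
    """Starts in audit mode: it reports what it sees and changes nothing."""
    mode: str = "audit"
    exemptions: list = field(default_factory=list)  # prefixes tuned in step 2
    log: list = field(default_factory=list)

    def evaluate(self, image: str) -> Decision:
        pinned = DIGEST_RE.search(image) is not None
        exempt = any(image.startswith(p) for p in self.exemptions)
        violates = not pinned and not exempt
        decision = Decision(image, violates, violates and self.mode == "enforce")
        self.log.append(decision)
        return decision

    def would_have_blocked(self) -> list:
        """Step 1 output: what Deny would have stopped, had it been on."""
        return [d.subject for d in self.log if d.violates and not d.blocked]


def rollout(events, approved_prefixes):
    """Observe, reconcile, enforce over the same event stream.
    approved_prefixes stands in for the reviewer's judgement in step 2."""
    gate = Gate()
    for event in events:                      # step 1: observe only
        gate.evaluate(event)
    audit_hits = gate.would_have_blocked()
    gate.exemptions.extend(approved_prefixes)  # step 2: tune against reality
    gate.log.clear()
    gate.mode = "enforce"                     # step 3: only now turn the key
    blocked = [d.subject for d in (gate.evaluate(e) for e in events) if d.blocked]
    return audit_hits, blocked
```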

Why people skip step one

Enforcement feels like progress. Auditing feels like waiting. But the cost of a wrong Deny compounds: every false block teaches the team that the control is the enemy, and once that lesson lands, no amount of correctness wins it back.
