Scaling

Security, compliance, and operational policies expressed as code and enforced automatically at deployment time, not by a manual review that runs once a quarter.

Manual policy enforcement doesn't survive at scale. As teams multiply, the compliance gap grows faster than any team can review it. One public storage bucket, one container running as root, one missing cost tag, and you find out in an audit, not a pipeline.

List your top 10 policy requirements (no public buckets, non-root containers, required cost tags are a good start). Implement them as OPA or Kyverno policies in your Kubernetes admission chain or as Terraform validation rules. Roll out in warn mode first, enforce mode once teams have had time to fix violations.

Every team can see the cloud costs their services generate and is accountable for managing them.

Invisible costs are unmanaged costs. When engineering teams can't see what they're spending, they have no reason to optimise. Finance absorbs the bill, engineers don't change their behaviour, and costs compound. FinOps moves cloud spend from a centralised mystery to a shared engineering responsibility.

Start with tagging: every resource tagged by team, service, and environment. Surface per-team cost dashboards in your IDP. Set budget alerts. Run monthly FinOps reviews. Make cloud cost part of service ownership, not an ops team problem.

Running the platform team with a genuine product mindset: a public roadmap, regular conversations with developer teams, and a backlog prioritised by impact, not by whoever shouts loudest.

Platform teams that don't treat developers as customers build the wrong things. They optimise for what's technically interesting, not what removes actual friction. A product mindset forces the discipline of listening, prioritising, and shipping things that matter.

Set up quarterly planning. Publish a roadmap, even internally. Run monthly developer satisfaction surveys (the SPACE framework is a practical starting point). Hold regular office hours. Create a platform user group where developers can give feedback. Measure platform NPS and track it over time.

Quantitative and qualitative measures of how developers actually experience the platform, used to prioritise improvements and prove that the work is making a difference.

Without measurement, the platform team is guessing. They think they're improving things; developers think nothing has changed. DX metrics give both sides shared facts to work from and give the platform team the evidence they need to justify their roadmap.

Implement DORA metrics: deployment frequency, lead time for changes, change failure rate, and MTTR. Add a developer satisfaction survey (quarterly, eNPS format). Instrument your IDP for feature usage. Review all metrics in your monthly platform retrospective, not just the engineering ones.

Visibility and control over the software components, container images, and third-party dependencies flowing through your build and deployment pipelines.

At scale, your attack surface is no longer just your own code. SolarWinds and Log4Shell weren't bugs in first-party software. They were in dependencies that thousands of organisations trusted without scrutiny. Systematic supply chain security is now a baseline expectation, not an advanced practice.

Generate SBOMs for all production services. Implement container image signing and verification. Add dependency vulnerability scanning to all pipelines. Define a policy for acceptable vulnerability severity and enforce it as a deployment gate, not a weekly report nobody reads.