Most governance frameworks fail because they’re aspirational documents written by people who don’t have to run the platform. The useful question isn’t “what does mature governance look like.” It’s “where are we today, and what is the next investment that actually changes our reliability.” The model below is descriptive: each tier is defined by what you can observe in production, not by what’s promised in a slide. The investments listed are the smallest credible step from one tier to the next.

Tier 1 — Ad-hoc

Signals. No canonical source for any business metric. Revenue is in three dashboards with three values. Schema changes ship on Friday and break a board on Monday. Access is granted by adding people to a Slack channel. PII lives wherever it landed. The data team’s incident channel is the company’s first line of detection — finance Slacks them when a number “looks weird.”

What it costs. Every executive decision carries an implicit footnote: if the number is right. Audit responses are heroic. Onboarding a new analyst takes a quarter because tribal knowledge is the only documentation.

Investment to move up. A single owned metric layer (semantic layer or warehouse-native equivalent) for the top 10 financial and operating metrics. One source. One definition. Wired into the BI tool as the only sanctioned path. This is not a governance program; it is a forcing function. You cannot govern what you cannot identify.

Tier 2 — Reactive

Signals. A metrics layer exists but is bypassed. There is a data catalog, populated mostly by automation and trusted by no one. Lineage is partial — you can trace dbt models but not the Fivetran sources or the reverse-ETL destinations. Incidents are detected, but by downstream consumers. Quality checks exist on a handful of critical tables. PII is tagged in the warehouse but not in the BI layer or extracts. Access reviews happen annually, manually, in a spreadsheet.

What it costs. You catch fires faster but don’t prevent them. Engineering velocity is dragged by the cost of every schema change being a negotiation. Compliance reviews require multi-week archaeology.

Investment to move up. End-to-end lineage across the full stack (ingest, transform, BI, reverse-ETL) and contract enforcement on the top 20 producer tables. Pick a tool that resolves column-level lineage from source system to dashboard, not just within the warehouse. Ship contracts as CI checks that block PRs, not as documentation.

Tier 3 — Defined

Signals. Producers and consumers are named for every critical asset. Contracts gate breaking changes in CI. Lineage is column-level and end-to-end. The catalog is trusted enough that analysts use it as their first stop. Quality SLOs exist on tier-1 assets — freshness, completeness, distribution drift — and breach the right pager. PII is classified at ingestion, propagates through transforms, and is enforced at the BI layer. Access is role-based, reviewed quarterly, and tied to identity, not channel membership.

What it costs. You’re now spending real money on platform — typically 15–25% of the data org’s budget on governance tooling and the FTEs to run it. The tradeoff is real: incident MTTR drops materially, exec trust in numbers stops being a recurring conversation, and audits become routine rather than disruptive.

Investment to move up. Move from defining quality to predicting it. This means data observability that profiles every tier-1 asset continuously, not just runs your hand-written tests. It also means treating the metrics layer as a product with a roadmap, an owner, and SLAs — not a side project of the analytics team.

Tier 4 — Managed

Signals. Data quality is monitored continuously across hundreds of assets, not just the critical few. Anomalies are detected before consumers notice. The metrics layer is the canonical interface for analytics, with versioned definitions and a deprecation process. Cost per query and per pipeline run is observable and budgeted by team. Access is just-in-time and brokered, with full audit trails. Data products have published contracts, support tiers, and named owners with on-call rotations. Privacy controls (row-level security, dynamic masking, purpose-binding) are enforced in the warehouse and inherited downstream.

What it costs. This tier is where the discipline shows up in financial statements. Cloud spend is rationalized because waste is visible. Audit costs drop. Customer-facing incidents tied to bad data become rare enough to be memorable. The investment is mostly organizational — platform engineering, data product management, and a privacy engineering function — not tooling.

Investment to move up. Treat governance itself as a product surface. Programmatic policy: declarative rules for retention, classification, access, and quality, enforced by infrastructure rather than by human review. Federate ownership to domains while retaining central platform standards.

Tier 5 — Optimized

Signals. Governance is invisible because it is automated. New domains onboard in days against a paved road that enforces standards by default. Policy is code. Quality, lineage, access, cost, and privacy controls are the same control plane, queryable and auditable. The metrics layer composes across domains. Data products are discovered, evaluated, and consumed without a Slack thread. Regulatory change becomes a config update, not a project. The data org spends its time on net-new value, not maintaining trust.

What it costs. Few organizations live here, and most that do got here by treating data infrastructure as a tier-1 product with the staffing and standards that implies. The marginal investment is no longer about governance per se — it is about the broader platform discipline that governance is one expression of.

How to use this

Locate your organization on the tier where you can defend the signals, not the one where the framework deck lives. The gap between Tier 2 and Tier 3 is where most $100M+ companies stall, because the next investment is unglamorous, expensive, and crosses team boundaries. The tier you target should be the one where the cost of unreliability — in lost deals, audit exposure, regulatory risk, executive time — exceeds the cost of the next investment. Below that line, governance is theater. Above it, it pays for itself.