Where this fits
The Google Cloud Adoption Framework is built on four themes — Learn, Lead, Scale, and Secure — each assessed against three maturity phases: Tactical, Strategic, and Transformational. Together these form the Cloud Maturity Scale, and the framework turns your position on that scale into a concrete program of adoption expressed as epics (discrete, ownable bodies of work). Lead is the theme that asks a deceptively simple question: is the organization, and specifically its people and its leadership, structured and motivated to adopt the cloud? Where Learn measures the quality and scale of your skilling, Lead measures the mandate — the extent to which IT teams are backed by leadership to migrate to the cloud, and the degree to which those teams are themselves cross-functional, collaborative, and self-motivated. This article goes deep on the four sub-components that make up Lead: leadership and governance, mobilizing teams, cross-functional collaboration, and executive sponsorship with a cloud operating model.
Leadership and governance
What it is
In the Lead theme, “leadership and governance” is the pairing of two things the framework treats as inseparable: a clear, top-down mandate to adopt the cloud, and a governance model that channels that mandate into enforceable guardrails without throttling delivery. Leadership sets direction and removes obstacles; governance encodes the non-negotiables — security, cost, compliance, residency — as policy that applies automatically as the estate grows. On Google Cloud, the substrate for that governance is concrete and architectural, not merely procedural: the Cloud Resource Manager hierarchy of Organization → folders → projects, on which IAM allow/deny policies and Organization Policy constraints are inherited from parent to child.
Why it matters
The Adoption Framework is explicit that maturity in Lead is the difference between cloud as a series of disconnected experiments and cloud as a strategic capability. At Tactical maturity, individual workloads exist but there is no coherent plan tying them together — wins are quick, but there is no provision for scale. The thing that closes that gap is leadership that has decided, publicly and with budget attached, plus governance that makes the right thing the easy thing. Without enforceable governance, every project re-litigates the same decisions (which region? which encryption? who can grant Owner?), drift accumulates, and the first audit or cost spike erases the credibility of the whole programme. Leadership without governance is enthusiasm; governance without leadership is a binder nobody enforces. Lead requires both.
How to do it well
- Anchor governance to the resource hierarchy, not to documents. Decide your folder taxonomy first — by environment (
prod/nonprod), by business unit, or both — because that hierarchy becomes the inheritance boundary for every policy you will ever write. A folder is “a policy inheritance point for allow, deny, and organization policies.” - Write the policy as intent first, then enforce. Borrow the discipline of business risk → policy statement → control. Name the risk a leader actually cares about (“customer data must not leave the EU”), state it in plain language, then implement it as an Organization Policy constraint (
gcp.resourceLocations) — never the other way around. - Centralize policy, delegate enforcement. A small governance body owns the strategy and the org-level constraints; platform and application teams operate within them. Leadership’s job is to grant that body explicit authority and air cover.
- Prefer guardrails over gates. Use deny by default with explicit exceptions at the org node, and let teams move freely inside the guardrail. Organization Policy constraints (e.g. restricting external IPs, disabling default service-account key creation, pinning allowed regions) are guardrails that scale; manual review boards are gates that don’t.
Concrete artifacts, decisions, and GCP tools
| Decision | Artifact you produce | GCP mechanism |
|---|---|---|
| Who has the mandate and budget | Cloud charter signed by the executive sponsor | — (org leadership) |
| How the estate is organized | Resource hierarchy design (Org → folders → projects) | Cloud Resource Manager |
| Which corporate rules are non-negotiable | Policy statements mapped to constraints | Organization Policy Service (e.g. gcp.resourceLocations, compute.vmExternalIpAccess, iam.disableServiceAccountKeyCreation) |
| Who can do what, where | IAM role-binding model with least privilege | Cloud IAM (predefined/custom roles, allow & deny policies) |
| How identities are governed centrally | Group-based access via the corporate IdP | Cloud Identity / Google Workspace + groups |
| How spend is bounded and visible | Budgets, alerts, and showback structure | Cloud Billing budgets & alerts, billing export to BigQuery |
| How we prove control to auditors | Continuous compliance posture | Security Command Center, Cloud Asset Inventory, Audit Logs |
The single most consequential decision here is the resource hierarchy, because IAM and Organization Policy both inherit down it. Get the folder taxonomy right and governance becomes a property of where a project lives; get it wrong and you will be re-binding IAM project-by-project forever.
Mobilizing teams
What it is
“Mobilizing teams” is the operational counterpart to leadership: turning a mandate into people who are organized, funded, and motivated to deliver cloud outcomes. In the Lead theme this is fundamentally about a shift from project-based thinking to product-based ownership — from temporary teams that disband at go-live to durable, accountable teams that own a service through its life. The organizational pattern Google recommends for catalysing this is a Cloud Center of Excellence (CCoE): a small, senior, cross-functional team of cloud architects, security specialists, and platform engineers that centralizes governance, advocacy, and enablement so the rest of the organization can move faster.
Why it matters
The framework’s definition of Lead literally measures “the degree to which the teams themselves are cross-functional, collaborative, and self-motivated.” You cannot reach Strategic or Transformational maturity with a workforce that treats cloud as someone else’s project. Mobilization matters because the bottleneck in most enterprise cloud programmes is not technology — it is the absence of a team that owns the platform and an operating rhythm that lets product teams self-serve. A CCoE that is staffed but powerless becomes a ticket queue; a mandate with no team to execute it becomes a slide deck. Mobilizing teams is what makes the mandate move.
How to do it well
- Stand up a CCoE, but keep it small and senior. Its job is to enable, not to operate everything. The anti-pattern is a CCoE that becomes a gatekeeping bottleneck; the goal is a CCoE that builds golden paths and then gets out of the way.
- Split the platform from the products. A dedicated platform team owns the landing zone, shared services, and the paved road (Terraform modules, base images, CI/CD templates). Product teams consume that road and own their workloads end to end — the “you build it, you run it” model.
- Fund teams, not projects. Persistent product ownership requires persistent funding. Move from capitalising one-off migrations to funding standing teams measured on outcomes.
- Make self-service the default. Mobilization is real when a product team can get a compliant, fully-governed project without filing a ticket. Build that with project factory automation (Terraform
project-factorymodule) feeding landing-zone folders, so every new project is born inside the guardrails.
Concrete artifacts, decisions, and GCP tools
| What you mobilize | Artifact | GCP / tooling |
|---|---|---|
| The enabling team | CCoE charter, RACI, staffing plan | — (org design) |
| The platform team’s product | Landing zone + paved-road modules | Terraform, Cloud Foundation Fabric / project-factory, Infrastructure Manager |
| Self-service onboarding | Project-vending pipeline | Infrastructure Manager / Cloud Build + Terraform, Service Catalog |
| Standardized golden paths | Reference architectures, base images, CI templates | Cloud Build, Artifact Registry, Cloud Deploy |
| Team-level visibility | Per-team folders with scoped IAM and budgets | Resource Manager, Cloud Billing, Cloud Monitoring (per-project) |
The defining artifact is the CCoE charter — who is on it, what authority it holds, and crucially what it does not do. The defining capability is self-service project vending, because it is the proof that the platform team has productized governance instead of administering it by hand.
Cross-functional collaboration
What it is
Cross-functional collaboration is the explicit requirement, called out in the Lead theme, for shared accountability for business outcomes across the boundaries that normally silo an enterprise: development, operations, security, networking, finance, compliance, and the business itself. In practice it means embedding the disciplines that used to throw work over the wall — security (DevSecOps), operations (SRE), and cost (FinOps) — directly into the teams that build, and giving them a shared definition of success.
Why it matters
The framework’s hallmark of the Transformational phase is a culture of experimentation and innovation sponsored consistently across the C-suite. That culture is impossible when security is a late-stage gate, ops is a separate kingdom, and finance only sees the bill after the fact. Collaboration matters because the cost of a siloed handoff compounds: the security review that lands two weeks before launch, the production incident nobody owns, the budget overrun discovered at month-end. Shared accountability replaces sequential handoffs with concurrent ownership, which is the only way to combine cloud’s velocity with an enterprise’s risk posture.
How to do it well
- Adopt SRE as the shared operations contract. Define SLOs and error budgets jointly between product and operations so reliability becomes a shared, quantified goal rather than an argument. The error budget is the collaboration mechanism: it tells everyone, objectively, when to ship and when to stabilize.
- Shift security left and make it the platform’s job. Bake controls into the paved road so collaboration is structural — Binary Authorization in the deploy pipeline, org-policy guardrails, Security Command Center findings routed to the owning team, secrets in Secret Manager — rather than a meeting.
- Make cost a first-class, shared signal (FinOps). Give every team its own slice of the billing export in BigQuery, dashboards in Looker Studio, and a budget with alerts. When engineers see their own spend in near-real-time, cost becomes an engineering input, not a finance surprise.
- Engineer collaboration through the hierarchy and groups. Use Cloud Identity groups mapped to IAM roles so cross-functional membership is explicit and auditable, and use shared folders to give security and platform the cross-cutting visibility they need.
Concrete artifacts, decisions, and GCP tools
| Discipline | Shared artifact | GCP tooling |
|---|---|---|
| Reliability (SRE) | SLOs, error budgets, on-call & incident model | Cloud Monitoring SLOs, Error Reporting, Cloud Logging, on-call runbooks |
| Security (DevSecOps) | Threat-modelled controls in the pipeline | Security Command Center, Binary Authorization, Secret Manager, Artifact Analysis |
| Cost (FinOps) | Per-team budgets, showback/chargeback model | Cloud Billing export → BigQuery → Looker Studio, budget alerts, committed-use discounts |
| Access (shared) | Group-to-role mapping (least privilege) | Cloud Identity groups, IAM, Access Context Manager |
| Change (shared) | Progressive-delivery release process | Cloud Deploy, Cloud Build, IaC review gates |
The cross-functional KPI set is where this becomes measurable:
| KPI | What it proves about collaboration | Target direction |
|---|---|---|
| SLO attainment / error-budget burn | Product and ops share a reliability goal | Within budget |
| Lead time for change (DORA) | Security and ops aren’t blocking delivery | Trending down |
| Change-failure rate (DORA) | Quality is shared, not bolted on | Trending down |
| % spend covered by a budget with an owner | Finance and engineering share cost accountability | → 100% |
| Mean time to remediate SCC findings | Security ownership is distributed, not central | Trending down |
Executive sponsorship and a cloud operating model
What it is
This sub-component is the apex of the Lead theme. Executive sponsorship is the active, visible, sustained backing of the cloud programme by senior leadership — and the framework is precise about what mature sponsorship looks like: at Transformational maturity, “sponsorship is comprehensive across the entire C-level to include marketing, finance, operations, HR, and more, and extends down to all levels of management.” It is not a single sign-off from the CIO; it is the whole executive layer setting the tone for a culture of experimentation. The cloud operating model is the durable system that sponsorship institutionalizes: how the platform team, product teams, the CCoE, and the governance body relate; who owns what; and how cloud practices are run enterprise-wide so the model outlives any individual project or sponsor.
Why it matters
Sponsorship is the variable that most strongly predicts whether a cloud programme stalls at Tactical or progresses. Money, mandate, and the authority to break ties all flow from it. But sponsorship is fragile and personal — re-orgs and departures can evaporate it overnight. The operating model matters because it is what converts a sponsor’s energy into a system that persists: explicit ownership, funding mechanisms, decision rights, and a governance cadence that keep cloud running whether or not any one champion is in the room. The framework’s whole arc — Tactical → Strategic → Transformational — is really the maturation of the operating model from “a few sponsored experiments” to “the default way the enterprise builds.”
How to do it well
- Secure sponsorship that owns outcomes, not attendance. A real sponsor holds a line item, sets the strategic objectives the programme is measured against, and personally clears the largest blockers (procurement, compliance, headcount). Give them a one-page executive scorecard — migration progress, DORA metrics, cost vs. budget, posture score — so their backing is anchored in data.
- Codify the operating model explicitly. Document the target operating model (TOM): the CCoE, the platform team, product teams, and the governance body, with a RACI across landing zone, security, cost, and delivery. Ambiguity about ownership is where velocity dies.
- Run a governance cadence, not a governance project. A standing Cloud Business Council (sponsor + CCoE + platform + security + finance leads) on a regular rhythm to review the scorecard, arbitrate exceptions, and re-prioritize the epic backlog. Governance is a loop, not a launch.
- Tie the model to the program of adoption. The operating model exists to deliver the framework’s epics; make epic ownership and funding explicit so the model has a concrete output to point at.
Operating-model components and ownership
| Operating-model component | Owner | Primary GCP mechanism |
|---|---|---|
| Strategy, funding, tie-breaks | Executive sponsor + Cloud Business Council | — (governance forum) |
| Org-level guardrails & policy | Governance body / CCoE | Organization Policy, IAM at org node, SCC |
| Landing zone & paved road | Platform team | Terraform / Infrastructure Manager, Cloud Foundation Fabric |
| Self-service onboarding | Platform team | Project factory, Service Catalog |
| Workload build & run | Product teams (you build it, you run it) | Full project-scoped autonomy within guardrails |
| Cost governance (FinOps) | FinOps function + each team | Billing export → BigQuery, budgets, CUDs |
| Reliability (SRE) | Product + central SRE practice | Cloud Monitoring SLOs, error budgets |
| Continuous compliance & audit | Security + governance | Security Command Center, Cloud Asset Inventory, Audit Logs |
Maturing the operating model across the Cloud Maturity Scale
| Aspect | Tactical | Strategic | Transformational |
|---|---|---|---|
| Sponsorship | One champion, ad-hoc budget | CIO/CTO with a funded programme | Whole C-suite + all management layers |
| Team model | Project teams, disband at go-live | Standing platform team + a CCoE forming | Product teams + mature CCoE; build-it/run-it is the norm |
| Governance | Manual, per-project | Org-level policy guardrails, MVP enforced | Continuous, automated, measured by score |
| Collaboration | Siloed handoffs | DevSecOps/SRE/FinOps emerging in teams | Shared accountability is the culture |
| Outcome focus | Lift-and-shift, cost of discrete systems | Strategic workloads, scale provisioned | Experimentation & innovation, enterprise-wide |
Real-world enterprise scenario
Meridian Freight Group is a fictional logistics and supply-chain company: ~14,000 employees, ~₹9,800 crore in revenue, headquartered in Pune with operations across India, the EU, and the US. Their estate is a mix of on-prem SAP, a fleet-telematics platform, and a sprawl of “shadow” cloud projects created by individual teams with personal billing accounts. A Google Cloud maturity assessment scores them Tactical on Lead: real workloads exist, but there is no mandate, no central team, no governance, and finance has no idea what cloud actually costs. The board has approved a three-year goal to reach Strategic maturity. Here is how they apply each sub-component of Lead.
Leadership and governance. The CTO, Ananya Rao, secures a board-level mandate and becomes the executive sponsor with a dedicated three-year budget line. The first artifact is a one-page cloud charter signed by the CEO. The CCoE then designs the Resource Manager hierarchy: a single Organization resource backed by Cloud Identity, with top-level folders prod, nonprod, and shared, and second-level folders per business unit (fleet, sap, customer-portal, data-platform). At the org node they enforce Organization Policy constraints: gcp.resourceLocations restricted to in:eu-locations and in:asia-south1 to satisfy EU residency for customer data, compute.vmExternalIpAccess denied by default, and iam.disableServiceAccountKeyCreation enabled. IAM is group-based via Cloud Identity, with Owner removed from all human users above the project level. The shadow projects are migrated under the Organization and brought into the hierarchy within the first quarter.
Mobilizing teams. Meridian charters a 9-person CCoE (2 architects, 2 security, 3 platform engineers, 1 FinOps lead, 1 program manager) reporting to Ananya. The platform engineers build a landing zone using Cloud Foundation Fabric and a Terraform project-factory pipeline running on Cloud Build with state in a dedicated seed project. The headline win: a product team now requests a new environment through a pull request, and a compliant, fully-governed project lands in the correct folder — with budgets, baseline IAM, logging sinks, and VPC attachment — in under 30 minutes, versus the previous ~3-week ticket cycle. Three pilot product teams (fleet-telematics, customer-portal, data-platform) are stood up as standing, funded teams that own their services in production.
Cross-functional collaboration. Each pilot team embeds the three disciplines. SRE: the customer-portal team defines a 99.9% availability SLO in Cloud Monitoring with an explicit error budget; when the budget burns, feature work pauses by prior agreement between product and ops. DevSecOps: Binary Authorization is wired into Cloud Deploy so only attested images reach production, Security Command Center Premium routes findings to the owning team, and all secrets move to Secret Manager. FinOps: the FinOps lead stands up billing export to BigQuery with a Looker Studio dashboard per team and a budget+alert on every project. Within two quarters, 100% of projects have a budgeted owner, and engineers see their own spend daily.
Executive sponsorship and the operating model. Ananya chairs a monthly Cloud Business Council (sponsor, CCoE lead, platform lead, security lead, FinOps lead, plus the SAP and customer-portal product owners) that reviews a one-page executive scorecard and arbitrates org-policy exceptions. The CFO and the COO join the council within six months — sponsorship widening beyond IT, exactly as the Transformational phase describes. The target operating model is documented with a RACI: CCoE owns guardrails, platform owns the paved road, product teams own build-and-run, FinOps owns cost governance. The model is tied directly to the program of adoption, with each epic (e.g. “migrate fleet-telematics”, “stand up the EU-resident data platform”) assigned a named owner and funding.
Measurable outcome (12 months). A re-assessment moves Meridian from Tactical to Strategic on Lead. Concretely: shadow projects eliminated (from ~40 ungoverned projects to 0); new-environment provisioning down from ~3 weeks to under 30 minutes; 100% of cloud spend now under a budget with a named owner; cloud cost variance to forecast inside ±8%; DORA lead-time for the three pilot teams down ~60%; and a Security Command Center posture score that the council can now track as a trendline rather than discover at audit.
Deliverables & checklist
Common pitfalls
- The CCoE becomes a bottleneck. Stood up as a central approval gate, it turns into a ticket queue that teams route around — re-creating the shadow IT it was meant to end. Avoid it: charter the CCoE to enable (golden paths, self-service vending) and write down what it explicitly does not gatekeep.
- Sponsorship is a one-time sign-off, not active ownership. A CIO blesses the kickoff and disengages; the first procurement or compliance blocker stalls everything. Avoid it: hold the sponsor accountable for outcomes via an executive scorecard, give them tie-break authority, and deliberately widen sponsorship to the CFO/COO before the original champion can become a single point of failure.
- Governance is written before the hierarchy is designed. Teams hand-apply IAM and policy project-by-project because no folder taxonomy exists to inherit from, and the estate drifts. Avoid it: design the Resource Manager hierarchy first, then attach IAM and Organization Policy at the org and folder nodes so governance inherits automatically.
- Funding projects instead of teams. Migrations are capitalised as one-offs; the team disbands at go-live and nobody owns the service in production. Avoid it: fund standing product teams measured on outcomes, and make “you build it, you run it” the operating norm.
- Collaboration declared, not engineered. Leadership announces “DevSecOps” but security stays a late gate, ops stays a silo, and finance still sees cost only at month-end. Avoid it: make collaboration structural — controls in the paved road, joint SLOs/error budgets, and per-team billing dashboards — and measure it with shared KPIs.
- Skipping straight for Transformational. The programme tries to leap to enterprise-wide product ownership without the Strategic-phase scaffolding (a real platform team, an enforced governance MVP, a funded CCoE) and collapses under its own ambition. Avoid it: treat the Cloud Maturity Scale as a sequence — earn Strategic before you reach for Transformational.
What’s next
With the Lead theme establishing the mandate, the teams, and the operating model, the next part of the Google Cloud Adoption Framework series turns to the Scale theme — productizing the platform and using cloud-native and automation practices to grow adoption without growing toil.