The Maturity Trap — Why Governance Programmes Plateau
There is a pattern that repeats itself in organisations that have successfully completed the foundational work. They have a data inventory. They have policies. They have a governance forum. Stewards are doing their jobs. Regulatory audits are going reasonably well.
And then nothing much changes for eighteen months.
This is the maturity plateau, and it is where many governance programmes quietly die — not in a dramatic failure, but in a slow loss of momentum. The programme becomes maintenance rather than progress. The governance forum starts to feel like a status meeting. Leadership attention drifts elsewhere.
Breaking through this plateau requires a deliberate shift in how you think about governance. In the early stages, the work is about building structure. At the maturity stage, the work is about embedding governance so deeply into how the organisation operates that it no longer requires heroic effort to sustain. The goal is to make good data behaviour the path of least resistance — not a separate programme running alongside the business.
This post shows you how to get there.
Step 1: Build a Governance Maturity Scorecard
You cannot improve what you cannot measure. The first step toward scaling maturity is replacing the informal sense of "how we're doing" with a structured scorecard that gives you an honest, consistent picture across all the dimensions that matter.
The scorecard below gives you a practical starting point. Score each dimension from 1 (ad hoc) to 5 (optimised) based on honest self-assessment — not aspirational positioning.
Use this scorecard honestly — score where you actually are, not where you want to be. The gap between your current score and a 4 or 5 in each dimension is your improvement roadmap. Review it quarterly with your governance forum and track movement over time.
Step 2: Automate What Is Repetitive
The single clearest sign of a governance programme that has not yet scaled is that stewards are doing the same manual work every week — running the same queries, checking the same logs, sending the same reminder emails. Manual processes are slow, inconsistent, and dependent on individuals. They do not scale.
The automation priority order looks like this.
Data quality monitoring first. If your quality checks are still manual SQL queries, this is your first automation target. Most modern data platforms — whether you are on Microsoft Fabric, Snowflake, AWS, or Google Cloud — have native data quality monitoring capabilities. Tools like Microsoft Purview's data quality features, Great Expectations (open source), or Monte Carlo can run automated quality checks on a schedule and alert stewards when thresholds are breached. The goal is to move from "stewards discover problems" to "problems find stewards."
Access review automation second. Manual access reviews are one of the most consistently underdone governance activities, because they are time-consuming and easy to deprioritise. Microsoft Entra ID (used widely in NZ organisations) has an Access Reviews feature that automates the process — sending notifications to reviewers on a schedule, collecting responses, and revoking access automatically for non-responses. If you are on a different identity platform, most enterprise IAM solutions have equivalent functionality. Automate this before it falls off the calendar again.
Policy acknowledgement tracking third. Chasing people to acknowledge updated policies is a governance tax that nobody enjoys paying. A simple workflow tool — even Microsoft Forms with a Power Automate flow — can handle this automatically, sending reminders and recording responses. For regulated entities, this creates the audit trail that demonstrates staff awareness of policies.
Metadata harvesting last, but eventually essential. As your data catalogue matures, automated metadata harvesting — scanning connected systems and updating the catalogue with schema changes, lineage information, and usage statistics — removes the biggest maintenance burden from stewards. This is where tools like Microsoft Purview, Collibra, or Alation earn their licence fees.
Step 3: Integrate Governance into Your Data and AI Strategy
Data governance used to be a risk management discipline. That is no longer enough. In 2025 and beyond, it is also a strategic enabler — and nowhere is this more evident than in AI.
Every AI initiative your organisation pursues will eventually hit the same wall: the quality, completeness, and trustworthiness of the data feeding it. Organisations with mature data governance can move faster on AI because they start from a position of knowing what data they have, trusting its quality, and understanding its lineage. Organisations without it spend months — sometimes years — cleaning up data before they can use it productively.
Building an AI-ready data estate in the NZ context
New Zealand organisations pursuing AI initiatives need to address three governance questions that are specific to AI:
Data lineage for model inputs. When an AI model produces an output — a credit risk score, a customer recommendation, a fraud alert — can you trace which data was used to train it and generate that output? This is not just a governance best practice; it is increasingly a regulatory expectation. The Algorithm Charter for Aotearoa New Zealand, which public sector agencies are expected to follow, explicitly requires transparency about how data is used in algorithmic decision-making. Private sector organisations using AI in consequential decisions should expect similar expectations to be formalised for them.
Bias and representativeness assessment. Training data that is unrepresentative of the New Zealand population — particularly Māori and Pasifika communities — will produce models that perform worse for those communities. This is both an ethical concern and a reputational risk. Your data governance framework should include a process for assessing whether datasets used in AI training are representative, and for documenting known gaps.
AI-specific data retention and consent. The Privacy Act 2020's principle of purpose limitation — that personal information should not be used for a purpose different from the one for which it was collected — applies to AI training data. If you are using customer data to train a model, you need to be confident that the original collection was on terms that permit this use. This should be a standard check in your AI project intake process.
If your organisation holds, or is working toward, certification to ISO/IEC 42001 (the AI Management System standard released in 2023), your data governance framework is a direct input to the AI governance requirements. The two are not separate programmes; they should be managed together.
Step 4: Develop a Data Catalogue That People Actually Use
A data catalogue is the most visible artefact of a mature data governance programme. It is also one of the most commonly failed technology investments in this space — because organisations build catalogues that are comprehensive but unusable, or usable but never populated.
A catalogue that works has three properties.
It is connected to your actual systems, not manually maintained. Data is discovered automatically through connectors to your databases, cloud storage, BI platforms, and operational systems. Stewards curate and annotate — they do not re-enter.
It serves the people who need data, not just the people who manage it. This means search functionality that works like a web search, not a database query. It means business-friendly descriptions, not just technical metadata. It means showing who to contact when you have a question about a dataset. The test: could a new analyst find what they need in under five minutes without asking anyone?
It is kept accurate through governance processes, not heroic effort. Every time a new dataset is created, onboarding it to the catalogue is a step in your standard workflow — not an afterthought. Every time a dataset is retired, it is marked as such in the catalogue. The catalogue degrades the moment it is treated as optional.
For NZ organisations, the most common catalogue entry points in 2025 are Microsoft Purview (for Microsoft-heavy environments), Ataccama ONE, and Collibra. For smaller teams with limited budgets, OpenMetadata and Apache Atlas are well-regarded open-source options.
Step 5: Establish Governance KPIs That Leadership Cares About
Governance programmes that are invisible to leadership do not survive leadership changes. The antidote is a small set of KPIs that translate governance performance into language that executives and boards can understand and care about.
Avoid governance KPIs that only governance professionals care about — things like "percentage of datasets with a documented owner" are meaningful internally but do not land in a board pack. Instead, connect governance performance to outcomes that matter to the business.
Here are five KPIs that work across most NZ organisations:
Data breach preparedness score. Measured by how quickly and completely you can respond to a subject access request (the clock starts when the request is received, and under the Privacy Act 2020 you have 20 working days to respond). Track this quarterly. A declining response time is a concrete governance win you can report upward.
Data quality incident rate. The number of business decisions materially affected by data quality failures per quarter. Tracking this requires some investment in incident classification, but the payoff is a number that directly connects data quality to business risk.
Regulatory audit findings trend. Expressed as a year-on-year reduction in the number and severity of findings from internal and external audits. For regulated entities, this is a number that both the board and the regulator care about directly.
Percentage of high-risk data assets with confirmed ownership and classification. A proxy for governance coverage. A "high-risk" asset is one that contains personal information, is used in a consequential business decision, or is subject to a regulatory requirement. Track what proportion of these have a named owner and a confirmed classification level.
AI model data lineage coverage. For organisations actively developing or deploying AI: the percentage of production AI models for which complete data lineage documentation exists. Start tracking this now, before it becomes a regulatory requirement.
Step 6: Build Continuous Improvement Into the Structure
The difference between a governance programme that plateaus and one that keeps improving is structural, not motivational. You cannot sustain improvement through willpower and goodwill alone — you need mechanisms that produce it automatically.
Three mechanisms work reliably.
Annual governance review. A formal, documented review of the entire governance programme each year — not just the metrics, but the policies, the role definitions, the tooling decisions, and the maturity scorecard. Assign ownership of the review to the executive sponsor. The output is a set of specific improvement commitments for the coming year, tracked in the governance forum.
Post-incident reviews with a governance lens. Every data incident — a quality failure that affected a business decision, a breach notification, an access control failure — should trigger a short review that asks not just "what went wrong" but "what governance control, if it had existed or been followed, would have prevented this." These reviews generate the most actionable governance improvements because they are grounded in real events.
Governance embedded in change management. The most sustainable governance programmes are those where governance is a step in how the organisation changes, not a separate activity. This means: every new system acquisition includes a data governance assessment as part of procurement. Every new data product goes through a data governance intake process before it goes live. Every significant change to a business process includes an assessment of data impacts. When governance is embedded in change management, it scales with the organisation without needing a proportional increase in the governance team.
What Mature Looks Like in New Zealand
It is worth being specific about what a genuinely mature data governance programme looks like in the NZ context, because the benchmarks matter.
A mature programme in a mid-sized NZ organisation has a data catalogue covering at least 80% of critical data assets, with confirmed ownership, classification, and quality metrics for each. It has automated quality monitoring running continuously on those assets, with a mean time to detect quality issues measured in hours rather than days. It can respond to a Privacy Act subject access request within five working days — well inside the statutory limit. It has a regulatory audit record showing fewer than three minor findings per year with no majors. And its AI initiatives are backed by documented data lineage that can be produced on request.
This is not an aspirational vision. It is an achievable operational state for any NZ organisation that has committed to the work described across this three-part series. The path from ad hoc to optimised is not a leap — it is a sequence of deliberate steps, each building on the last.
The Series in Summary
Across these three posts, we have traced the complete journey from scratch to maturity.
In Part 1, we built the foundation: understanding why governance matters in the NZ regulatory environment, mapping what data you hold, establishing ownership, and winning credibility with quick wins.
In Part 2, we operationalised: writing policies that people actually follow, building a five-dimension data quality framework, structuring stewardship activity, running an effective governance forum, and navigating the Privacy Act 2020 and the expectations of the RBNZ and FMA.
In Part 3, we scaled: building a maturity scorecard, automating repetitive governance work, integrating governance into AI strategy, developing a living data catalogue, establishing KPIs that matter to leadership, and embedding continuous improvement into the structure of the organisation.
The organisations that get this right are not necessarily the ones with the biggest budgets or the most sophisticated tools. They are the ones that start, stay consistent, and keep improving. Start where you are. Use what you have. Take the next step.
Key Takeaways from Part 3
A maturity scorecard gives you an honest baseline and a measurable improvement roadmap. Score honestly, track quarterly.
Automate in order: quality monitoring first, then access reviews, then policy tracking, then metadata harvesting.
AI readiness is now a governance responsibility — data lineage, bias assessment, and consent alignment are not optional extras.
A data catalogue only works if it is connected, searchable by its actual users, and kept current through governance workflows.
Governance KPIs that land with leadership focus on business outcomes — breach preparedness, audit findings trends, AI lineage coverage — not internal process metrics.
Embed governance in change management, and it scales with the organisation without heroic effort.