I have yet to walk into a large ServiceNow environment where someone does not say “we have a governance process” — and then in the same breath admit that half the team bypasses it. Sound familiar?
The issue is almost always the same. Governance gets designed as a gate — every change funnels through a review board, approvals pile up, and eventually developers just stop asking. I have seen a 200-person IT org where the architecture review board met biweekly and had a three-week backlog. People were making changes anyway. They just were not telling anyone.
What actually works, in my experience, is a tiered model. Not everything deserves the same scrutiny. A field label change and a core data model extension are not the same risk — so why route them through the same process? I like to break it into three lanes: automated validation for low-risk config changes, async architecture review with written decision records for mid-tier work, and synchronous board review reserved for the stuff that can genuinely break things.
The other piece people skip is instrumentation. If you are relying on people to self-report compliance, you do not have governance — you have suggestions. Instance Scan, Update Set analytics, and ATF coverage should feed a live dashboard. Make compliance visible and most teams will self-correct.
Governance should feel like guardrails on a highway, not a toll booth.
