Governance Best Practices
Treat production schema as regulated infrastructure. Use this list when auditing Postgres governance maturity or standing up a new data platform program.
How to Use This List
- Score each product database quarterly (0 = missing, 1 = partial, 2 = complete).
- Target score 80%+ before declaring governance "done."
- Pair with internal audit or SOC2 change-management controls.
- Publish summary to engineering leadership, not only DBA team.
A - Standards
- Single schema style guide in git with CODEOWNERS. All teams reference same doc.
- Naming and COMMENT standards enforced in migration review. Undocumented tables blocked.
- ER diagrams versioned alongside migrations. DBML or equivalent text format.
- ADR process for exceptions with expiry dates. No permanent hacks without review.
B - Access and Extensions
- Role model: migrator vs app read/write separation. No superuser in app path.
- Extension allowlist with owner and review date. Drift detection automated.
- RLS or tenant isolation documented per product. Tested in CI where feasible.
- Break-glass accounts logged and rotated. pgaudit or equivalent on sensitive schemas.
C - Lifecycle
- N-1 major policy with upgrade calendar. Cluster registry YAML in git.
- PostgreSQL roadmap doc updated each minor release. Deprecations tracked to tickets.
- Retention and legal hold jobs audited. GDPR delete runbook tested annually.
- Case studies replayed after major upgrades. Reference architectures stay current.
D - People and Process
- Database council with cross-team attendance. Decisions published as ADRs.
- Career ladder for DBA → staff data engineer. Retain deep Postgres expertise.
- Query and migration review standards mandatory. Linked from team agreements.
- Blameless post-mortems update governance docs. Same sprint as action items.
FAQs
Minimum viable governance for startup?
Style guide, migrator role, allowlist, and monthly patch calendar before council.
How to measure maturity?
Quarterly rubric score across four sections above; trend over quarters.
Governance vs agility?
Defaults speed common cases; exceptions use fast ADR not silent prod psql.
Multi-region compliance?
Data residency row in cluster registry; RLS and retention per jurisdiction.
Acquiree integration?
90-day convergence plan: naming, roles, extensions, upgrade calendar merge.
Open source compliance?
Track extension licenses in allowlist (PostgreSQL, MIT, etc.).
AI-generated schema?
Same review bar; generator output is draft not approved DDL.
Audit evidence package?
Export calendar, allowlist, sample migration tickets, post-mortem links quarterly.
When to hire dedicated governance lead?
Above 50 engineers touching Postgres or regulated industry audit findings.
What should I read next?
Start with Governance Basics.
Related
- Governance Basics - program intro
- Naming & Documentation Standards - docs bar
- Extension & Plugin Governance - allowlist
- Upgrade Calendar - N-1 scheduling
- PostgreSQL Project Rules Checklist - team rules
Stack versions: This page was written for PostgreSQL 18.4 (stable 18, maintenance 17), pgvector 0.8+, PgBouncer 1.x, Patroni 3.x, and PostGIS 3.5+.