Standards
Accounts

Account, subscription, and project layout that scales with teams and risk.

We design orgs, accounts, and subscriptions so ownership, blast radius, and cost are obvious to everyone. Isolation is the primary control surface. Org layout mirrors risk domains and team boundaries, guardrails are codified rather than inherited as tribal knowledge, and costs trace cleanly to the teams that incur them.

Baseline structure

A layout that works across AWS, Azure, and GCP. Names differ; intent does not.

  • A root organization or tenant that contains all accounts, with centralized billing and identity.
  • Logical groupings that separate security boundaries, shared services, development and production workloads, and analytics.
  • An explicit mapping between teams and the account groups they own, so that permissions and cost follow organizational lines.
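As an added example that is not part of this standard, the following Python lint checks an account inventory against the baseline above: every required grouping exists, each grouping carries codified guardrails, every account sits in a grouping its owning team is mapped to, and every account has a cost center. The inventory, team names, guardrail names and account ids are constructed for the example; in practice they would come from an export of the organization, management groups or folder tree.

```python
# Lint a declared account layout against the baseline structure.
# The inventory below is constructed (hypothetical names and ids).

# Logical groupings every tenant is expected to have.
REQUIRED_GROUPS = {"security", "shared-services", "development", "production", "analytics"}

# Guardrails attached at the group level (codified, not inherited as tribal knowledge),
# and accounts placed in groups with an owning team and a cost center.
GUARDRAILS = {
    "security": ["deny-leave-org", "deny-root-user"],
    "shared-services": ["deny-leave-org"],
    "development": ["deny-leave-org", "allowed-regions"],
    "production": ["deny-leave-org", "allowed-regions", "require-audit-logging"],
    "analytics": ["deny-leave-org"],
}
ACCOUNTS = [  # (account id, name, group, owning team, cost center)
    ("111111111111", "log-archive", "security", "secops", "SEC"),
    ("222222222222", "network-hub", "shared-services", "platform", "PLT"),
    ("333333333333", "payments-dev", "development", "payments", "PAY"),
    ("444444444444", "payments-prod", "production", "payments", "PAY"),
    ("555555555555", "warehouse", "analytics", "data", "DAT"),
]
# Explicit team -> account-group mapping; permissions and cost follow these lines.
OWNERSHIP = {"secops": {"security"}, "platform": {"shared-services"},
             "payments": {"development", "production"}, "data": {"analytics"}}

def lint_layout(guardrails, accounts, ownership):
    """Return a list of findings; an empty list means the layout meets the baseline."""
    findings = []
    for group in sorted(REQUIRED_GROUPS - set(guardrails)):
        findings.append(f"missing required group: {group}")
    for group, rules in guardrails.items():
        if not rules:
            findings.append(f"group {group}: no codified guardrails attached")
    seen = {}  # account id -> first account name using it
    for acct_id, name, group, owner, cost_center in accounts:
        if group not in guardrails:
            findings.append(f"account {name}: placed in undeclared group {group}")
        if acct_id in seen:
            findings.append(f"account {name}: id also used by {seen[acct_id]}")
        seen.setdefault(acct_id, name)
        if not owner:
            findings.append(f"account {name}: no owning team")
        elif group not in ownership.get(owner, set()):
            findings.append(f"account {name}: owner {owner} does not own group {group}")
        if not cost_center:
            findings.append(f"account {name}: no cost center, spend cannot be attributed")
    return findings

if __name__ == "__main__":
    print("\n".join(lint_layout(GUARDRAILS, ACCOUNTS, OWNERSHIP) or ["layout meets the baseline"]))
```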

Why it matters

Account structure is the first decision that shapes everything downstream. Getting it right early means that environment isolation, pipeline ownership, and governance boundaries all have a clean foundation to build on. Blast radius is contained by design, cost attribution is transparent, and permission models scale predictably as teams grow.

  • Security incidents are contained to the account boundary rather than spreading across the organization.
  • Cost allocation is transparent because spending maps directly to the team and workload that generated it.
  • New teams and projects onboard through a repeatable account provisioning process rather than ad hoc requests.