What is the role of architecture governance in integrating threat models and risk assessments?

Prepare for the ISSAP Exam with challenging questions and insights. Enhance your understanding using flashcards and detailed explanations. Master your skills for success!

Multiple Choice

What is the role of architecture governance in integrating threat models and risk assessments?

Explanation:
Architecture governance coordinates how systems are designed, built, and operated, aligning them with security policies, standards, and risk tolerance. Its role in integrating threat models and risk assessments is to treat those analyses as living inputs to the architecture process. When threat models identify attacker goals, assets, and attack paths, and risk assessments quantify impact and likelihood, governance ensures those findings drive design decisions, control selection, and prioritization of security activities throughout the project lifecycle. This creates a feedback loop where architecture decisions are reviewed against analyzed threats and risks, residual risk is tracked, and changes require evidence that controls remain adequate as threats evolve and environments change. In practice, threat modeling is done early and revisited, controls are chosen to mitigate prioritized risks, and compliance requirements are mapped to architectural artifacts for traceability and auditing. It also prevents security from being tacked on after design; governance enforces ongoing alignment between risk posture and the architecture, guiding continuous improvement.

Governance is not just budget approvals, and it does address technical risk. Rather than duplicating risk assessments, it should embed and act on them to maintain an effective security posture.

