In my experience starting from the conceptual "big picture" of risk (assessment, appetite, management, etc) ...
Then within that painting the picture of common tasks, governance, controls, validation, etc .. provides a useful "map" that is applicable to any scenario.
Then finally "instancing" these with examples specific to data science, engineering and app dev illustrates the concepts.
The bottom up approach too often seen in the dev community isn't helpful in my experience.