Tag: compliance

Corporate Boards are no longer asking whether their organizations will use artificial intelligence. The business has already answered that question. The only question that matters now is whether AI is being governed well enough to support growth without creating unmanaged risk.

For the corporate compliance officer, this reality creates both pressure and opportunity. Pressure, because Boards with minimal AI literacy still carry full fiduciary responsibility. Opportunity, because compliance is uniquely positioned to translate complex AI activity into oversight-ready information. The bridge between those two worlds is the right set of Board-level  Key Performance Indicators (KPIs) for AI governance. Moreover, I believe the DOJ’s Evaluation of Corporate Compliance Programs (ECCP) can serve as a framework for developing appropriate KPIs for your Board.

In this blog post, we detail a set of Board-level KPIs for compliance professionals tasked with educating growth-oriented Boards on AI governance using a blended, ECCP-centric framework. It assumes that AI is already deployed across the enterprise, including generative AI, and that governance must enable innovation while enforcing guardrails.

Why Boards Need AI KPIs Now

The ECCP makes one point repeatedly and without ambiguity: regulators care less about written policies and far more about whether controls work in practice. Boards are expected to exercise oversight over risk, including emerging and technology-driven risks. AI is now firmly in that category.

AI governance KPIs are not about teaching directors how models work. They are about answering three questions every Board must be able to answer:

1. Do we know where AI is being used?
2. Do we control how AI changes over time?
3. Can we detect, respond to, and remediate AI-related harm quickly?

If a Board cannot answer those questions with evidence, not narrative reassurance, the organization is exposed. The role of compliance is to ensure those answers are delivered in a form that directors can understand and act upon.

The KPI Philosophy: Enablement With Guardrails

Because this is a growth-oriented Board, the goal is not to slow AI adoption. The goal is to make AI scalable, defensible, and sustainable. KPIs must therefore do three things simultaneously:

• Demonstrate coverage and control without micromanagement
• Surface risk early, before incidents become enforcement events
• Support informed decision-making, not technical debate

This means Boards should receive KPIs, escalation triggers, and narrative context. Numbers alone are insufficient. Context without metrics is worse.

Six Board-Level KPIs for AI Governance

The following six KPIs apply to all AI systems, including generative AI, within a unified governance framework. They are evidence-based, auditable, and aligned with the ECCP expectations for testing, monitoring, and continuous improvement.

1. Risk Inventory Coverage

This KPI measures the percentage of in-scope AI systems with a current, signed risk record documenting use case, data sources, impacts, potential harms, and safeguards. If AI is operating outside the risk inventory, it is operating outside governance. This KPI answers the most basic oversight question: do we know what we have? Any material AI system without a documented risk assessment or with an expired review date should be escalated for review.

The ECCP begins with risk assessment for a reason. Under the ECCP, they are directed to consider whether a company has identified and prioritized its risks, including emerging risks. AI, particularly GenAI, now squarely fits within that expectation. Risk Inventory Coverage directly answers the ECCP question: “What methodology has the company used to identify, analyze, and address the particular risks it faces? ” If AI systems are operating without a documented risk record, the program fails at step one. From an ECCP perspective, undocumented AI use is indistinguishable from unmanaged risk.

2. Model Change Control Adherence

This measures the percentage of AI model changes, including code, data, prompts, parameters, or vendors, that followed the approved change management process. Uncontrolled change is the fastest way for compliant AI to become noncompliant. This KPI assures directors that innovation is disciplined, not chaotic. Any production AI change implemented without pre-deployment testing, approval, or rollback capability should be escalated for review.

ECCP Alignment:

The ECCP explicitly evaluates whether policies are followed in practice, not merely written. Adherence to change control shows whether AI governance has real authority over business and technology decisions. Unapproved model changes undermine every safeguard the company believes it has in place. From the DOJ’s perspective, a control that can be bypassed without consequence is not a control. For your Board, this KPI demonstrates that AI innovation is disciplined and governed, not uncontrolled experimentation that creates hidden compliance exposure.

3. Model Lineage and Provenance Completeness

This KPI measures the percentage of AI systems with end-to-end traceability, enabling the reconstruction of how outputs were generated and decisions were approved. When something goes wrong, regulators and plaintiffs will ask how the AI reached its decision. This KPI determines whether the company can answer. Any high-impact AI system lacking sufficient documentation to support root cause analysis should be escalated for review.

This KPI is derived from the ECCP sections on Continuous Improvement, Periodic Testing, and Review, as well as Investigation, Analysis, and Remediation of Misconduct. The ECCP asks whether a company can understand why something went wrong and conduct effective root cause analysis. Without lineage and provenance, AI decisions cannot be reconstructed, tested, or explained. This KPI directly supports DOJ’s expectation that companies can investigate incidents, identify systemic weaknesses, and remediate effectively. For your Board, this KPI determines whether the organization can defend its AI decisions after the fact or whether it will be forced into speculation and guesswork.

4. Third-Party Model Assurance Coverage

This KPI measures the percentage of third-party AI tools and services that have completed due diligence, contractual controls, and periodic reassessment. Most AI risk now enters organizations through vendors. Boards must know whether those risks are being actively managed. Any use of third-party AI without completion of onboarding or with unresolved high-risk findings should be escalated for review.

This ties to the ECCP section around Third-Party Management. The ECCP is unambiguous on third parties. Companies are expected to conduct risk-based due diligence, impose contractual controls, and monitor third-party performance over time. Most AI risk now enters through vendors, platforms, APIs, and embedded models. Treating third-party AI differently from other third-party risks would be inconsistent with DOJ guidance. For your Board, this KPI shows that AI vendor risk is governed with the same rigor as bribery, sanctions, or data security risks.

5. AI Incident Mean Time to Resolution (MTTR)

This KPI measures the median time from detection of an AI incident to containment and recovery. Incidents are inevitable. What matters is how fast the organization responds. This KPI demonstrates operational resilience. Repeated incidents with increasing resolution times or incomplete remediation should be escalated.

This ties to the ECCP sections on Investigation, Analysis, and Remediation of Misconduct. The ECCP focuses heavily on how quickly and effectively companies respond to detected issues. Speed matters. Delayed containment signals weak controls and inadequate monitoring. AI Incident MTTR translates this expectation into a measurable operational outcome. It demonstrates whether the company can detect, contain, and remediate AI-related harm before it escalates into regulatory or reputational damage. For your Board, the key takeaway is that this KPI demonstrates operational resilience and governance maturity, not merely technical incident response.

6. Fairness and Robustness Pass Rate

This KPI measures the percentage of AI systems passing predefined fairness, bias, and robustness tests across relevant segments and use cases. It connects AI governance to ethical outcomes and reputational risk. Any material AI system deployed with known fairness or robustness failures should be escalated for review.

This ties to the ECCP sections on Continuous Improvement, Periodic Testing, and Review. The ECCP repeatedly asks whether companies test their controls and whether those controls work in practice. Fairness and robustness testing is the AI equivalent of transaction testing in anti-corruption or sanctions compliance. This KPI shows that AI systems are not only reviewed at launch but are continuously validated against defined risk thresholds. For your Board, the key takeaway is that this KPI demonstrates that ethical and legal AI commitments are enforced through testing, not slogans.

Board Oversight Questions Tied to AI KPIs

To close, here are Board-level questions compliance officers should encourage directors to ask:

1. Which AI systems fall outside our current risk inventory, and why?
2. Where have we accepted AI risk, and what safeguards justify that decision?
3. Are AI changes happening faster than our governance can keep up with?
4. How quickly can we detect and contain AI-related harm?
5. Which third-party AI risks would cause us to pause or exit a deployment?
6. How do these KPIs support growth rather than restrict it?

AI governance KPIs are not about slowing innovation. They are about making growth durable. For compliance professionals, delivering these metrics in a clear, disciplined, and Board-ready way is how AI governance becomes a strategic asset rather than a regulatory afterthought.

If you would like specific KPIs based on this blog, go over and subscribe to my Substack. At this point, it is free. Check it out here.