
AI Governance Analyzer

CLAIMED GOVERNANCE POSTURE VS. DEMONSTRABLE GOVERNANCE EVIDENCE.

>_ AI Governance Maturity Assessment — No Telemetry Required
Deterministic. Evidence-based. Runs entirely in your browser.
24-question deterministic AI governance maturity assessment. Measures governance evidence across six domains and assigns an AIG-1 through AIG-5 maturity tier in under eight minutes.

  • AIG Tier Assignment (AIG-1 through AIG-5 Maturity Classification): Five-tier maturity classification based on demonstrated governance evidence — not policy documentation.
  • Governance Score (0–100 Deterministic Score): Weighted composite across six governance domains. No inference, no curve. Score reflects what is demonstrable, not what is claimed.
  • Kill Switch Analysis (Foundational Governance Failures Identified): Five kill switches surface the foundational control failures that cap maturity regardless of domain performance elsewhere.
  • Remediation Roadmap (Fastest Path to Next Maturity Tier): Top three remediation actions with exact point gain per control — the deterministic delta between current tier and the next.

Many organizations claim AI governance maturity because policies exist. Audits, regulators, customers, and board reviews evaluate something different: evidence. The AI governance analyzer measures the gap between governance claims and demonstrable governance controls — before an audit, a regulator, or a procurement review forces the question.

Governance documentation is not governance evidence. A policy that names a data governance owner does not demonstrate that ownership is enforced. A vendor review process that exists on paper does not demonstrate that AI vendors were evaluated before deployment. An incident response plan that references AI systems does not demonstrate that response procedures were tested against an actual AI failure scenario. The distance between documentation and evidence is exactly what the AI Governance Analyzer makes visible.

The analyzer evaluates 24 questions across six governance domains, applies kill switch logic to identify foundational control failures, assigns an AIG-1 through AIG-5 maturity tier, and projects the exact remediation actions required to reach the next tier — in under eight minutes, with no data leaving your browser. This is the self-service entry point into the Rack2Cloud AI Governance Assessment methodology — the same deterministic governance model used in evidence review and full assessment engagements.

What the AI Governance Analyzer Measures

01 — Governance & Accountability

Does your organization have a named AI governance owner with defined scope and authority — or a title on an org chart? The analyzer evaluates whether accountability is structural: whether governance decisions have a traceable owner, whether policy enforcement has an operational mechanism, and whether the board receives AI risk reporting with demonstrable evidence rather than narrative summaries. Accountability without enforcement authority is documentation, not governance.

02 — Data Governance

Can your organization demonstrate that the data used to train, fine-tune, or prompt AI systems was evaluated for quality, bias, and provenance before use? Training data governance is the domain most consistently absent in organizations that claim AI maturity. The analyzer evaluates data classification coverage, bias review processes, and whether data governance controls apply to AI-specific data flows — not just enterprise data at rest.

03 — Security Controls

AI systems introduce attack surfaces that don’t exist in conventional infrastructure: prompt injection, model inversion, data exfiltration through inference endpoints, and credential exposure through AI toolchains. The analyzer evaluates whether security controls specific to AI deployment — not inherited from general IT security policy — are defined, enforced, and tested. AI-specific threat modeling is the distinguishing marker of genuine security control maturity in this domain.

04 — Operational Controls

Can your organization demonstrate that AI systems in production are monitored for drift, degradation, and output quality — and that incidents have a defined response path? Operational control maturity requires more than deployment: it requires that deployed systems have defined owners, defined performance thresholds, and documented response procedures tested against actual AI failure scenarios. The analyzer evaluates monitoring coverage, incident classification, and operational change management for AI systems.

05 — Vendor Oversight

AI vendor risk looks different from conventional third-party risk. Model behavior is not auditable through standard vendor questionnaires. Data retention and training practices vary by vendor and change without notice. The analyzer evaluates whether AI vendors — including foundation model providers, fine-tuning platforms, and AI-embedded SaaS — are subject to governance review before onboarding, and whether ongoing oversight includes AI-specific contractual and technical controls.

06 — Monitoring & Assurance

Governance without assurance is policy without evidence. The analyzer evaluates whether AI governance controls are subject to independent review — internal audit coverage, external assessment, or regulatory examination — and whether governance metrics are measured against defined targets rather than reported as narrative status updates. Assurance maturity is what separates governance that can withstand scrutiny from governance that exists only in documentation.

AIG Maturity Tiers

AIG-1 — Ad Hoc

AI governance exists informally or not at all — decisions are made without defined policy, accountability, or oversight structure. Most organizations deploying AI tooling at pace without a governance program land here.

AIG-2 — Emerging

Governance policies are being defined, but coverage is incomplete — key domains such as vendor oversight or data governance may be absent, and accountability is not yet enforced operationally.

AIG-3 — Defined

Governance policies are documented and ownership is assigned across most domains, but enforcement is inconsistent and assurance evidence is limited — governance is real but not yet audit-ready.

AIG-4 — Controlled

Governance controls are enforced across all six domains, metrics are tracked against defined targets, and governance posture can be demonstrated with evidence — this is the threshold for regulatory examination and enterprise procurement scrutiny.

AIG-5 — Governed

Governance is continuously measured, independently assured, and integrated into AI system lifecycle decisions — the standard required for regulated industries, sovereign AI programs, and organizations where AI governance is a board-level accountability.

Kill Switch Logic and Tier Projection

The AI Governance Analyzer applies five kill switch conditions before scoring completes. A kill switch fires when a foundational governance control is absent — and when it fires, it caps the maturity tier regardless of how the remaining domains score. This is not a penalty. It reflects how governance maturity actually works: an organization without a named AI governance owner cannot be AIG-3, regardless of how strong its security controls or vendor oversight are. Accountability is structural, not compensable.

Kill switches cover the five foundational governance failures most likely to surface in an audit or regulatory review: absence of a named governance owner, absence of an AI system inventory, absence of data classification for AI-specific data flows, absence of AI-specific incident response procedures, and absence of any independent governance assurance. Each kill switch names the control, the domain it belongs to, and the maturity tier ceiling it imposes. The analyzer surfaces all triggered kill switches before presenting the tier assignment — because the board question after an audit finding is never “what is our score?” It is “what did we miss?”

Tier projection works the same way — deterministic, not inferred. For each gap between current score and the next tier threshold, the analyzer identifies the top three remediation actions, calculates the exact point gain each control would add, and presents the minimum path to the next tier. Organizations at AIG-2 can see precisely which three controls close the gap to AIG-3. There is no ambiguity in the output and no heuristic in the scoring.
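
The cap-then-project logic described above, as an added JavaScript example that is not Rack2Cloud's code. The page states only that KS-01 caps the tier at AIG-2; the equal question weights, tier thresholds, trigger rule, question-to-switch mapping, remaining ceilings and the greedy projection are assumptions made for illustration.

```javascript
// Added illustration, not Rack2Cloud's code. Equal question weights, the tier
// floors, the trigger rule (answer of 1), the question each switch watches and
// the KS-02..KS-05 ceilings are assumptions; only KS-01 -> AIG-2 is from the page.
const DOMAINS = ["Governance & Accountability", "Data Governance", "Security Controls",
  "Operational Controls", "Vendor Oversight", "Monitoring & Assurance"];
const TIER_FLOORS = [0, 30, 50, 75, 90]; // assumed minimum score for AIG-1..AIG-5
const KILL_SWITCHES = [ // q = [domain index, question index] (assumed mapping)
  { id: "KS-01", control: "Named AI governance owner", q: [0, 0], cap: 2 },
  { id: "KS-02", control: "AI system inventory", q: [0, 1], cap: 2 },
  { id: "KS-03", control: "Data classification for AI data flows", q: [1, 0], cap: 3 },
  { id: "KS-04", control: "AI-specific incident response", q: [3, 0], cap: 3 },
  { id: "KS-05", control: "Independent governance assurance", q: [5, 0], cap: 3 },
];
// Constructed sample: solid answers everywhere except a missing governance owner.
const SAMPLE = [[1, 4, 4, 3], [4, 4, 3, 3], [4, 4, 4, 4], [4, 3, 4, 3], [3, 3, 4, 4], [4, 3, 3, 4]];

const RAW_MAX = DOMAINS.length * 4 * 4; // 24 questions, 0..4 raw points each
const toScore = (raw) => (raw / RAW_MAX) * 100;
const tierFor = (score) => TIER_FLOORS.filter((floor) => score >= floor).length;

function validate(responses) {
  if (!Array.isArray(responses) || responses.length !== DOMAINS.length)
    throw new RangeError("expected six domains");
  for (const d of responses)
    if (!Array.isArray(d) || d.length !== 4 || d.some((a) => !Number.isInteger(a) || a < 1 || a > 5))
      throw new RangeError("each domain needs four answers on the 1-5 scale");
}

function assess(responses) {
  validate(responses);
  const raw = responses.flat().reduce((sum, a) => sum + (a - 1), 0);
  const score = toScore(raw);
  // Switches are evaluated independently of the score; the lowest ceiling wins.
  const triggered = KILL_SWITCHES.filter(({ q: [d, i] }) => responses[d][i] === 1);
  const ceiling = Math.min(5, ...triggered.map((ks) => ks.cap));
  const scoreTier = tierFor(score);
  return { score, scoreTier, ceiling, tier: Math.min(scoreTier, ceiling), triggered };
}

// Greedy projection (a simplification): rank single-question fixes that raise
// an answer to 5, kill switch clearing controls first, then by point gain.
function project(responses) {
  validate(responses);
  const actions = [];
  responses.forEach((answers, d) => answers.forEach((a, i) => {
    if (a === 5) return;
    const ks = KILL_SWITCHES.find(({ q }) => a === 1 && q[0] === d && q[1] === i);
    actions.push({ d, i, domain: DOMAINS[d], gain: toScore(5 - a), clears: ks ? ks.id : null });
  }));
  actions.sort((x, y) => (y.clears !== null) - (x.clears !== null) || y.gain - x.gain);
  const top = actions.slice(0, 3);
  const after = responses.map((answers) => [...answers]);
  top.forEach(({ d, i }) => { after[d][i] = 5; });
  // Re-run the full assessment so any remaining ceiling still applies.
  return { top, projected: assess(after) };
}

const before = assess(SAMPLE);
console.log(`score ${before.score} -> AIG-${before.scoreTier}, capped to AIG-${before.tier}`,
  before.triggered.map((ks) => ks.id));
console.log(project(SAMPLE).top, `projected AIG-${project(SAMPLE).projected.tier}`);
```

In the constructed sample the composite score alone would place the organization at AIG-3, but the absent governance owner holds the assigned tier at AIG-2 until that one control is addressed.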

AI Governance Assessment Analyzer input view showing six governance domain question cards with five-point response scale and domain progress indicators
Six governance domains. Four questions each. Deterministic scoring — no inference, no heuristics.

Why Governance Evidence Fails Under Audit

Governance evidence failures follow consistent patterns. They are not the result of bad intentions — they are the result of governance architecture built for documentation requirements, not for demonstrability under scrutiny.

Assumption-Driven Posture

The most common governance failure: organizations assume governance controls are operational because policies are documented. A data governance policy that names owners does not demonstrate that ownership is exercised. An AI security standard that references frameworks does not demonstrate that controls are implemented. Audit scrutiny — regulatory or customer — tests demonstrability, not documentation.

Evidence Concentration

Governance evidence concentrated in one team, one system, or one person creates a single point of failure for every downstream audit or review. The one compliance manager who holds all governance artifacts goes on leave. The one platform that stores governance evidence is inaccessible during an incident. Concentration risk in governance evidence is structurally identical to concentration risk in recovery authority — it surfaces at the worst possible moment.

Control Decay

Governance controls degrade when they are not actively maintained. Vendor lists become stale. Data classification coverage erodes as new AI data flows are introduced without review. Incident response procedures that were tested twelve months ago have not been retested against the AI systems deployed since. Control decay is invisible in point-in-time documentation reviews — it surfaces in operational testing and in the gaps between a policy’s last update date and the environment it was meant to govern.

Shadow AI Adoption

The most pervasive AI governance gap today: Copilot, ChatGPT Enterprise, Claude, Amazon Bedrock, Google Vertex — deployed by business units, embedded in productivity tools, and activated through vendor defaults — operating outside the governance perimeter entirely. An AI system inventory that does not include shadow AI adoption is not an inventory of AI risk. It is an inventory of AI risk the governance team already knows about.

Output Architecture

All output derives from declared governance state — no inference, no heuristics, no benchmark interpolation. The analyzer evaluates responses across six domains, applies kill switch logic, and surfaces findings in five structured outputs organized from the tier verdict outward.

AIG Tier Assignment

AIG-1 through AIG-5 maturity classification, derived from kill switch state and domain scores. The tier is the first output — displayed prominently before domain scores or remediation detail — because the governance question an executive or regulator asks first is not “what is your score?” It is “what tier are you at?” The tier is the answer that drives every conversation that follows.

AIGA Score

0–100 weighted composite across six governance domains. Score and tier are presented as distinct outputs — the score provides precision within a tier, the tier provides the classification that audit and procurement frameworks reference. An organization scoring 58 and an organization scoring 72 are both AIG-3, but the remediation path to AIG-4 is materially different.

Kill Switch Analysis

All triggered kill switches are listed before domain scores — because a kill switch identifies a foundational control absence that caps tier regardless of domain performance. Each triggered switch names the missing control, the domain it belongs to, and the maturity ceiling it imposes. Kill switches are the governance equivalent of a recovery kill switch: the thing that stops the entire system before anything else matters.

Domain Score Breakdown

Individual scores across all six governance domains — Governance & Accountability, Data Governance, Security Controls, Operational Controls, Vendor Oversight, and Monitoring & Assurance — rendered as labeled score bars. Domain breakdown identifies which specific areas are driving the aggregate score and which are the highest-leverage remediation targets.

Remediation Projection

The deterministic path to the next tier: top three remediation actions, exact point gain per control, projected score and tier after implementation. Remediation projection answers the governance question that follows every assessment: “What do we do first?” The answer is not a prioritization opinion — it is the mathematically minimum path to the next tier given the current gap.

Executive Summary Narrative

A generated narrative summary of the governance posture assessment — AIG tier, AIGA score, triggered kill switches, top gaps, and recommended actions — formatted for direct use in a board briefing, audit preparation package, or executive governance review. Most people read the narrative first. It is the output that makes every other finding accessible to the audience that needs to act on them.

AIGA Analyzer output showing AIG tier assignment, governance score, kill switch analysis, and domain score breakdown across six governance domains
Kill switch logic fires before scoring completes. A foundational control failure caps tier regardless of domain performance elsewhere.

AI Governance Analyzer: Key Features

  • 24-question deterministic scoring: Six governance domains, four questions per domain, five-point response scale. No inference engine, no AI-scored responses — every output derives from a fixed scoring map applied to declared governance state.
  • Kill switch logic (KS-01–KS-05): Five foundational governance failures identified before scoring completes. Each triggered kill switch caps the maturity tier and names the specific control that must be addressed before the ceiling lifts.
  • AIG-1 through AIG-5 tier assignment: Five-tier maturity classification based on kill switch state and domain scores — the classification framework used in Rack2Cloud AI governance assessments and evidence reviews.
  • Deterministic tier projection: Top three remediation actions with exact point gain per control and projected tier after implementation. The minimum path to the next tier, not a prioritization opinion.
  • Printable scorecard: Print-optimized output with AIG badge, six domain score bars, kill switch summary, top findings, remediation priorities, and assessment ID — formatted for direct use in governance review packages.
  • Client-side only — no telemetry: All scoring runs locally in your browser. No data is transmitted, logged, or stored. No account required. Governance posture is sensitive operational information — it belongs in your environment, not in a SaaS platform’s database.

Built on the AIGA Framework

The analyzer implements the same deterministic governance model used by the Rack2Cloud AI Governance Assessment methodology. The scoring map, kill switch logic, and tier thresholds derive directly from five frameworks in the Rack2Cloud corpus.

  • Framework #155, AI Governance Assurance Gap: Primary framework — the assurance gap model the analyzer is built to measure.
  • Framework #107, Governance Runtime Control: Defines the operational enforcement layer that separates governance policy from governance evidence.
  • Framework #118, Authority Layer Framework: Informs the accountability domain scoring — governance authority must be structural, not nominal.
  • Framework #121, Evidence and Attribution Framework: Defines the evidence standard the Monitoring & Assurance domain is scored against.
  • Framework #123, Control Plane Integrity Framework: Informs Security Controls domain scoring — AI-specific control plane integrity requirements.

AI Governance — Next Steps

THE ANALYZER SURFACES THE GAPS.
A REVIEW CLOSES THEM.

The AIGA Analyzer is the self-service entry point into the Rack2Cloud AI Governance Assessment methodology. Evidence gaps identified by the analyzer can be resolved through an Evidence Review or a Full Assessment engagement.

>_ Assessment Engagement

AI Governance Assessment

From Evidence Review to Full Assessment — a structured engagement against your analyzer findings, resolving governance evidence gaps and producing an audit-ready governance posture report.

  • Evidence Review — $499 (gap validation against analyzer findings)
  • Full Assessment — $3,500–$5,000 (six-domain structured engagement)
  • Kill switch remediation architecture
  • Audit-ready governance posture report

Frequently Asked Questions

Q: What does the AI Governance Analyzer actually measure?

A: The analyzer measures the gap between claimed AI governance posture and demonstrable governance evidence across six domains: Governance & Accountability, Data Governance, Security Controls, Operational Controls, Vendor Oversight, and Monitoring & Assurance. It does not measure governance intent, policy documentation, or self-reported maturity. It measures what is demonstrable — the standard applied in regulatory examination, enterprise procurement review, and independent audit. An organization with strong policies and weak evidence will score below an organization with fewer policies and stronger demonstrable controls.

Q: How is the AI Governance Analyzer different from the AI Governance Assessment service?

A: The AI Governance Analyzer is the self-service entry point into the Rack2Cloud AI Governance Assessment methodology — a 24-question deterministic tool that surfaces your AIG tier, AIGA score, kill switches, and remediation roadmap in under eight minutes, with no data leaving your browser. The AI Governance Assessment service (/audits/ai-governance-assessment/) is the structured engagement that follows: an Evidence Review ($499) validates analyzer findings against actual governance artifacts, and a Full Assessment ($3,500–$5,000) is a six-domain structured engagement producing an audit-ready governance posture report. The analyzer identifies the gaps. The assessment closes them.

Q: What are the kill switches and how do they fire?

A: Kill switches (KS-01–KS-05) identify foundational governance control absences that cap maturity tier regardless of domain score performance. The five kill switches cover: absence of a named AI governance owner (KS-01), absence of an AI system inventory (KS-02), absence of data classification for AI-specific data flows (KS-03), absence of AI-specific incident response procedures (KS-04), and absence of independent governance assurance (KS-05). A triggered kill switch fires before tier assignment and sets a maturity ceiling — an organization with KS-01 triggered cannot be assigned above AIG-2, regardless of domain scores. Kill switches are not penalties; they reflect the governance reality that certain foundational controls are prerequisites for maturity, not compensable by performance in other areas.

Q: Can I improve my score without improving governance?

A: No. The analyzer uses deterministic scoring applied to declared governance state — there is no pathway to a higher score without addressing the underlying control gaps the questions evaluate. Kill switch logic further constrains this: a triggered foundational control absence imposes a tier ceiling that domain score performance cannot overcome. The scoring model is designed so that the output reflects actual governance evidence posture, not the most favorable interpretation of ambiguous declarations.

Q: Is any data sent to a server or stored?

A: No. All analysis — AIG tier assignment, AIGA score, kill switch evaluation, domain score breakdown, remediation projection, executive summary narrative — runs locally in your browser. Nothing entered is transmitted, logged, or stored. The analyzer produces no network requests after the initial page load. Governance posture is sensitive operational information — it belongs in your environment, not in a SaaS platform’s database. The only exception is the optional intake form presented after scoring, which submits contact information to the Rack2Cloud assessment team if you choose to engage.

🔒 Privacy Architecture: No cookies. No tracking pixels. No server-side database.
This logic runs entirely in your local browser session.