Most AI governance programs fail quietly. Teams adopt tools, write policies, and then assume everything is fine, until it isn't. A data breach, a regulator inquiry, or a lawsuit reveals that the policy was never enforced, the vendor DPAs were unsigned, and nobody knows which AI tools are actually running in production.
The fix is a metrics dashboard: not a 60-page enterprise risk framework, but a practical set of 15 indicators that tell you whether your governance program is working week to week.
This guide gives you that dashboard. For each metric: what it measures, how to collect the data (usually a spreadsheet or one-hour audit), the threshold that triggers escalation, and how often to review it.
TL;DR: 15 metrics that tell you whether your AI governance is actually working: tool registry coverage, unsigned DPA count, shadow AI incident rate, policy acknowledgment rate, vendor review frequency, and 10 more. Track weekly for fast-moving signals (incidents, new tools) and on the monthly, quarterly or annual cadence in the table for everything else. No enterprise tooling required; a shared spreadsheet handles all 15.
Why Metrics Matter More Than Policy Documents
Policy documents describe intent. Metrics describe reality. A team can have a perfect AI acceptable use policy and zero enforcement. A team with a mediocre policy but consistent measurement will catch problems before they become incidents.
For small teams, the goal isn't comprehensive coverage; it's early warning. You want to know:
- Are the right tools being used?
- Are vendors compliant?
- Are people following the rules?
- Are we ready to respond if something goes wrong?
The 15 metrics below answer these questions with minimal overhead.
The 15-Metric AI Governance Dashboard
| # | Metric | How to Measure | Escalation Threshold | Review Cadence |
|---|---|---|---|---|
| 1 | AI tool inventory completeness | Count approved tools vs. tools staff report using | Any unapproved tool in production | Monthly |
| 2 | Shadow AI incidents | Count tools discovered in use this quarter that were not on the approved list | > 1 discovery per quarter (a single discovery is expected; handle it under metric 1) | Quarterly |
| 3 | Vendor DPA coverage rate | (Tools handling personal data with a signed DPA ÷ tools handling personal data) × 100 | < 100% | Quarterly |
| 4 | Policy acknowledgment rate | (Staff who signed AI policy ÷ total staff) × 100 | < 95% for employees; < 100% for contractors | Monthly for new hires, annual refresh |
| 5 | Training completion rate | (Staff who completed AI training ÷ total staff) × 100 | < 90% overall; 0% for any department | Quarterly |
| 6 | Incident response test date | Days since last tabletop exercise | > 180 days | Semi-annual |
| 7 | Open AI incidents (unresolved) | Count incidents in your log without a closed status | > 2 open incidents | Weekly |
| 8 | Time to close an AI incident | Average days from report to resolution | > 14 days average | Monthly |
| 9 | Vendor security review recency | Days since last due diligence check per vendor | > 365 days for any tier-1 vendor | Annual |
| 10 | Data classification coverage | % of AI tools with documented data classification | < 100% | Quarterly |
| 11 | High-risk use case review rate | (Use cases with documented risk assessment ÷ total flagged use cases) × 100 | < 100% | Monthly |
| 12 | GDPR Article 30 record freshness | Days since last update to Records of Processing Activities | > 90 days | Quarterly |
| 13 | AI output audit frequency | Number of spot audits of AI-generated outputs completed this quarter | 0 audits | Quarterly |
| 14 | Third-party sub-processor changes detected | Count of vendor sub-processor changes you were notified about | Any unreviewed change | Monthly (check vendor notification emails) |
| 15 | EU AI Act / state law deadline tracking | Count of upcoming compliance deadlines with no owner assigned | Any unowned deadline ≤ 90 days out | Monthly |
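The escalation checks in the table can be scripted against the same spreadsheet exports. The following Python is an added example written for this guide, not tooling from the original page: it loads small constructed CSV data sets (hypothetical tools, staff, incidents and deadlines) in place of spreadsheet exports and evaluates metrics 1, 3, 4, 7, 8 and 15 against the thresholds above. The column names, the `TODAY` date and every sample value are assumptions.

```python
"""Added example (not from the article): escalation checks from the table above,
run over small constructed data sets standing in for spreadsheet exports."""

import csv
import io
from datetime import date
from statistics import mean

TODAY = date(2026, 5, 15)  # pinned so the example is reproducible offline

# Constructed sample data: tools, staff, incidents and owners are hypothetical.
TOOL_REGISTER_CSV = """\
tool,handles_personal_data,dpa_signed_on
SummarizeBot,yes,2025-06-01
TranscribeCo,yes,
CodeHelper,no,
"""
# Tools seen in SSO logs, expense reports and the quarterly staff survey.
OBSERVED_TOOLS = {"SummarizeBot", "TranscribeCo", "CodeHelper", "SlideGenie"}
STAFF_CSV = """\
name,kind,acknowledged
alice,employee,yes
bob,employee,yes
carol,employee,no
dan,contractor,yes
"""
INCIDENT_LOG_CSV = """\
id,opened,closed
AI-001,2026-01-05,2026-01-12
AI-002,2026-02-10,
AI-003,2026-02-20,2026-03-01
AI-004,2026-04-25,
AI-005,2026-05-02,
"""
DEADLINE_CSV = """\
deadline,law,owner
2026-06-10,Washington State AI likeness law,Legal
2026-08-02,EU AI Act general application,
2027-01-01,Hypothetical future state law,
"""

def read_csv(text):
    return list(csv.DictReader(io.StringIO(text)))

def _pct(numerator, denominator):
    # Nothing in scope counts as fully covered rather than as a division error.
    return 100.0 if denominator == 0 else round(100.0 * numerator / denominator, 1)

def shadow_tools(register, observed):
    """Metric 1: tools in use that are missing from the approved register."""
    return observed - {row["tool"] for row in register}

def dpa_coverage(register):
    """Metric 3: signed DPAs as a % of the tools that handle personal data."""
    in_scope = [r for r in register if r["handles_personal_data"] == "yes"]
    return _pct(sum(1 for r in in_scope if r["dpa_signed_on"]), len(in_scope))

def ack_rate(staff, kind):
    """Metric 4: policy acknowledgment % for one staff category."""
    group = [s for s in staff if s["kind"] == kind]
    return _pct(sum(1 for s in group if s["acknowledged"] == "yes"), len(group))

def open_incidents(incidents):
    """Metric 7: incident IDs with no closed date."""
    return [i["id"] for i in incidents if not i["closed"]]

def mean_days_to_close(incidents):
    """Metric 8: average report-to-resolution days over closed incidents."""
    days = [(date.fromisoformat(i["closed"]) - date.fromisoformat(i["opened"])).days
            for i in incidents if i["closed"]]
    return mean(days) if days else None

def unowned_deadlines(deadlines, today, horizon_days=90):
    """Metric 15: deadlines inside the horizon with no owner assigned."""
    return [d["law"] for d in deadlines if not d["owner"].strip()
            and 0 <= (date.fromisoformat(d["deadline"]) - today).days <= horizon_days]

def evaluate(today=TODAY):
    """Return {metric: (value, breached)} using the table's escalation thresholds."""
    register, staff = read_csv(TOOL_REGISTER_CSV), read_csv(STAFF_CSV)
    incidents, deadlines = read_csv(INCIDENT_LOG_CSV), read_csv(DEADLINE_CSV)
    shadow = sorted(shadow_tools(register, OBSERVED_TOOLS))
    dpa = dpa_coverage(register)
    emp_ack, con_ack = ack_rate(staff, "employee"), ack_rate(staff, "contractor")
    opened, closing = open_incidents(incidents), mean_days_to_close(incidents)
    unowned = unowned_deadlines(deadlines, today)
    return {
        "1 unapproved tools in use": (shadow, bool(shadow)),
        "3 vendor DPA coverage %": (dpa, dpa < 100.0),
        "4 policy ack % (employees)": (emp_ack, emp_ack < 95.0),
        "4 policy ack % (contractors)": (con_ack, con_ack < 100.0),
        "7 open AI incidents": (len(opened), len(opened) > 2),
        "8 mean days to close": (closing, closing is not None and closing > 14),
        "15 unowned deadlines within 90 days": (unowned, bool(unowned)),
    }
```

`evaluate()` returns one (value, breached) pair per metric; colouring the breached rows red in the sheet gives the green/yellow/red view leadership needs. Two scoping decisions the table leaves implicit are made explicit here: DPA coverage is computed only over tools flagged as handling personal data, and `_pct` treats an empty in-scope set as 100%. That second choice is only right when the register is complete; an empty register because nobody filled it in is the "no data" case, which counts as a failure, so run the inventory check (metric 1) before trusting any percentage.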
How to Use This Dashboard
Start with a baseline
Run the audit once to get your current numbers. Most teams discover:
- 3-5 tools being used that aren't in the approved inventory
- At least one vendor with no signed DPA
- Policy acknowledgment below 80%
This is normal. The goal of the baseline is to find the gaps, not to prove you're already compliant.
Pick your three red-line metrics
Not all 15 metrics are equally important for your team. Pick three that represent your highest-risk exposure. Common choices:
- B2B SaaS companies: Vendor DPA coverage (metric 3) + shadow AI (metric 2) + GDPR Article 30 freshness (metric 12)
- Healthcare: Incident response test date (metric 6) + high-risk use case review rate (metric 11) + training completion (metric 5)
- KDP/content publishing: AI tool inventory completeness (metric 1) + policy acknowledgment (metric 4) + data classification coverage (metric 10)
- Financial services: Open incident count (metric 7) + vendor security review recency (metric 9) + sub-processor change detection (metric 14)
These three become your weekly dashboard. The other 12 follow the review cadence in the table.
Assign owners
Each metric needs one owner: one person, not a committee. If nobody owns it, it doesn't get measured.
For most small teams:
- Operations or legal counsel owns vendor DPAs (metric 3), GDPR records (metric 12), and sub-processor tracking (metric 14)
- HR or people ops owns training (metric 5), policy acknowledgment (metric 4)
- Engineering lead or CTO owns shadow AI detection (metric 2), tool inventory (metric 1), incident tracking (metrics 7-8)
- Executive/legal owns deadline tracking (metric 15) and high-risk use case review (metric 11)
Metric-by-Metric Implementation Guide
Metric 1: AI Tool Inventory Completeness
Data source: Compare your approved AI tool register against what shows up in your SSO dashboard, expense reports, and browser extension audit.
Practical tip: Run a survey every quarter asking "what AI tools have you used in the last 30 days?" Compare to the approved list. The delta is your shadow AI exposure.
What to do when the threshold is breached: Add the tool to the register with a risk assessment, or formally prohibit it in writing to all staff. Either response is acceptable; leaving the tool unaddressed is not.
Metric 3: Vendor DPA Coverage Rate
Data source: Your AI vendor DPA tracker. For each tool that processes personal data within the scope of GDPR (you are established in the EU/EEA, or the data relates to individuals there), there should be a signed Data Processing Agreement with an execution date.
What counts as personal data: Names, email addresses, job titles, IP addresses, content that could identify an individual. If your employees paste customer names into ChatGPT to summarize a complaint, that's personal data processing.
Common gap: Many teams sign up for AI tools via a self-serve checkout. Click-through terms do not necessarily contain the content GDPR Article 28(3) requires of a DPA (subject matter and duration, nature and purpose, data types and data subjects, processing only on documented instructions, sub-processor conditions, deletion or return of data, audit rights). Check whether the terms you accepted incorporate a DPA by reference; if they don't, you need a separately executed DPA or a signed order form that incorporates DPA terms.
Metric 6: Incident Response Test Date
What "tested" means: At minimum, a 90-minute tabletop exercise where your team walks through a scenario (e.g., "our AI vendor had a breach and processed customer PII, what do we do?"). You don't need a full-scale simulation.
Why this matters: Many small teams have an AI incident response plan on paper; far fewer have tested it. When an actual incident happens, you discover that the plan assumes resources or contacts that don't exist.
Run a tabletop every 6 months. If you've never done one, use the agentic AI liability checklist as a starting scenario.
Metric 11: High-Risk Use Case Review Rate
What counts as high-risk: Use cases where AI output affects a decision about a person (hiring, credit, benefits, medical, legal), where AI generates content that could be defamatory or misleading if wrong, or where AI has access to sensitive systems without human review in the loop.
Review process: A written record that someone on your team evaluated the use case, identified the risks, and decided either (a) to proceed with controls or (b) not to proceed. One paragraph in a shared doc is enough.
Metric 12: GDPR Article 30 Record Freshness
What GDPR Article 30 requires: Controllers (and, under Article 30(2), processors) must maintain a Record of Processing Activities (RoPA). The Article 30(5) exemption for organisations with fewer than 250 employees is narrow: it does not apply where the processing is more than occasional, so routine use of an AI tool on personal data normally still needs an entry. Each AI tool that handles personal data is a new processing activity and gets its own entry.
Data source: Your GDPR Article 30 template. The "last updated" date on each entry tells you if it's stale.
Staleness definition: If a vendor updated their sub-processors, changed their data residency, or updated their retention terms and your record doesn't reflect it, the record is stale. Check vendor change notification emails monthly.
Metric 15: EU AI Act / State Law Deadline Tracking
Upcoming deadlines in 2026, in date order (confirm each against the current text of the law before you rely on it):
- June 10, 2026: Washington State AI likeness law
- August 2, 2026: general application of the EU AI Act as enacted, including the Annex III high-risk obligations (GPAI model obligations have applied since August 2, 2025; models placed on the market before that date have until August 2, 2027)
- October 1, 2026: Connecticut SB 5 (consumer-facing AI with consequential decisions)
How to track: A simple table with three columns: Deadline | Law | Owner. If the Owner column is blank, you're at risk.
Minimum Viable Governance Dashboard (One Hour Per Month)
If you can only commit one hour per month to governance metrics, here are the five to focus on:
| Priority | Metric | Time required |
|---|---|---|
| 1 | Vendor DPA coverage rate | 15 min, check your DPA tracker |
| 2 | Policy acknowledgment rate | 5 min, check HR system |
| 3 | Open AI incidents | 5 min, check your incident log |
| 4 | Tool inventory completeness | 20 min, check SSO/expenses vs. register |
| 5 | Upcoming deadline tracking | 15 min, check calendar for ≤90 day deadlines |
Total: 60 minutes. If anything hits an escalation threshold, escalate immediately; don't wait for the next review cycle.
Connecting Metrics to Your Broader Governance Program
Metrics are only useful if they connect to action. Here's how the dashboard links to the rest of your governance infrastructure:
- Tool inventory gaps → trigger your AI vendor due diligence checklist for any new tool
- DPA gaps → trigger your vendor DPA tracker update and a legal review request
- Policy acknowledgment gaps → trigger HR to re-send the policy with a deadline
- Incident response staleness → schedule a tabletop exercise within 30 days
- GDPR record staleness → update your GDPR Article 30 template within the week
- Deadline without owner → escalate to executive team for assignment
Your monthly AI governance review checklist is the right place to run through these metrics in a structured format.
What "Effective" AI Governance Looks Like
After 6 months of consistent measurement, an effective AI governance program looks like this:
- Vendor DPA coverage: 100%
- Policy acknowledgment: ≥ 95%
- Shadow AI incidents: ≤ 1 per quarter (some shadow AI is expected; the goal is detection, not elimination)
- Open incidents: ≤ 1 at any time
- Incident response tested: within the last 6 months
- GDPR records: updated within 90 days
- No unowned compliance deadlines within 90 days
Most small teams won't hit all of these on the first audit. The goal is a trend line moving toward compliance, not perfection from day one.
Start with the baseline. Pick your three red-line metrics. Assign owners. Review monthly. That's it.
Frequently Asked Questions
Q: Do I need special software to run this dashboard? No. A shared Google Sheet or Notion table is sufficient for teams under 50 people. The data points are simple counts and percentages that don't require purpose-built GRC software.
Q: How do I handle metrics where I have no data? Treat "no data" as a failed metric. If you don't know how many tools are approved, that's the same as having 0% inventory completeness. The lack of data is itself a risk signal.
Q: How do I present this to leadership? Focus on the three red-line metrics and whether each one is green, yellow, or red. Leadership doesn't need to see all 15, they need to know whether you're above or below the escalation threshold on the things that matter most.
Q: What's the difference between this and a risk assessment? A risk assessment evaluates what could go wrong. This dashboard measures whether your controls are actually working. They're complementary: your risk assessment identifies what to protect; this dashboard tells you whether you're protecting it.
Q: Our team has 5 people. Is this overkill? For a 5-person team, start with just metrics 1, 2, 3, and 15. That covers your core risk exposure (unauthorized tools, vendor compliance, and upcoming deadlines) with about 2 hours of work per quarter.
