Behavioral Governance

The approval architecture must be faster than the workaround. Gravitee: 81% of teams actively deploying, only 14.4% with full approval. If governance takes months and an agent takes an afternoon, people build in the dark. Governance speed is a design choice.

Sprint-based governance cadence: decision rights reviewed, contested, and reallocated in response to conditions on the ground — not committee cycles that move at institutional speed while agents multiply at machine speed.

The standard is not “stop shadow AI” — that ship has sailed. The standard: a clear, fast path from shadow to sanctioned. Detection → assessment → integration, not detection → punishment → repeat.

“If you wanted to launch a small AI pilot tomorrow, who would you ask? How long would it take?” Diagnostic: “I don't know” or “months” = espoused governance. “I'd just build it” = failed governance.

Pilot request → approval time (target: <2 weeks for low-stakes). Shadow AI ratio: sanctioned / total agents. Governance Circle cadence logs. Governance modifications in last 90 days.

Do people go through governance or around it? Key ratio: formal requests vs. informal deployments. If governance channels are quiet but AI usage is growing, governance is being routed around — a design problem, not a people problem.

Agent autonomy calibrated to model reliability — recalibrated as reliability changes (Floridi's oversight calibration). Model improves → dial turns up. New hallucination domain → dial turns down. Calibration is continuous, not annual.

Low stakes (drafts, brainstorming): full autonomy, spot-check. Medium (customer-facing, analytical): agent acts, human reviews before delivery. High (financial, legal, reputational): human-in-the-loop mandatory. Tier determined by consequence, not capability. Critical dependency: if underlying data is garbage, autonomy dials down regardless of model quality — authority is a data question before a technology question.

The authority question: not just “what can this agent do?” but “what can it authorize other agents to do?” Autonomous scope expansion without human decision is the failure mode. Every agent chain needs: scope boundary, escalation trigger, human checkpoint at defined intervals.

“Do you know what your AI agents are authorized to do autonomously? Has that scope changed in the last 90 days?” “They do whatever they were set up to do” = ungoverned autonomy.

Agent autonomy map: scope per agent + last review date. Autonomy tier distribution. Scope change frequency. Agent chain depth: max chain length without human checkpoint. Orphaned agent count.

When a new model release changes capability, does the organization recalibrate agent autonomy — or does the same scope persist? If agent authority hasn't changed in six months, it's not calibrated — it's frozen.

When risk data reaches a decision-maker, something observably changes. If risk data circulates without altering behavior, governance is decorative. Test: name the last governance decision that changed because of risk data. If you can't, risk intelligence is absent.

Most AI risk data doesn't exist yet — failure modes are novel, precedent is thin. The standard: make explicit decisions under acknowledged uncertainty. “We don't know the risk profile; here's how we're proceeding; here's what we're watching.” Deploying without acknowledging the gap and freezing until certainty arrives are both governance failures.

Can the people making governance decisions read the risk landscape? Not technical risk (that's engineering) — organizational risk: reputational exposure, regulatory surface, business-model disruption. Risk literacy is a capability, not a compliance checkbox.

“When did risk data last change a governance decision?” “What's your biggest AI risk where you lack adequate data?” Diagnostic: “I can't remember” + “we have it covered” = absent risk intelligence.

Decision change log: governance decisions modified by risk data in 90 days. Acknowledged uncertainty register: deployments with explicitly documented unknowns. Risk literacy scores. Incident response time + governance modification rate post-incident.

When risk data is presented, does the room engage or glaze? When data is absent, does someone name the gap — or does the decision proceed as if certainty existed? The quality of the uncertainty conversation is the observable.

Utilization Depth — integration into workflows, not adoption rate. Capability Expansion Rate — 1st-derivative: speed of new capability absorption. Trust Stability — RIST scores tracked over time. Iteration Velocity — governance response speed. Leadership Delta — gap between current leadership behavior and what AI demands.

Every governance metric assessed at three layers: self-report, evidence, behavioral observation. The gap between layers IS the diagnostic.

Governance review aligned to model release cadence. If technology changes every 6 weeks, governance that reviews every 6 months is governing a system that no longer exists.

“Is the governance system itself measured — or assumed to be working?” “When did we last change a protocol based on evidence it wasn't working?” Never revised = either perfect or unmeasured.

Five Dials dashboard: all five metrics tracked, trended, reviewed at cadence. Governance change log: protocols modified in last 90 days based on measurement data. Empty log = measurement disconnected from action.

Does anyone reference Five Dials data in governance reviews — or is discussion anecdote-driven? “The data shows X, so we're changing Y” = governance intelligence enacted.

Traditional talent governance measures what people know. 1st-derivative measures how fast they're learning. A team with moderate skills and a steep curve beats a team with strong skills and a flat one. Track the derivative, not the function.

Roles evolve as AI capability evolves — not static job descriptions frozen at hire date. When AI takes over 40% of a role's tasks, the role must transform — not just lose headcount.

At CAIO level: who is leaving and why? If top AI talent exits because governance is too slow or culture punishes experimentation, governance is eating its own seed corn. Retention of high-velocity learners: a governance metric, not an HR metric.

“How much faster are you learning AI skills this quarter vs. last?” “Has your role changed in the last 6 months because of AI?” Self-assessed learning velocity, calibrated against evidence.

Capability expansion rate (Five Dials). Upskilling velocity: new capabilities per quarter per team. Top AI performer retention rate. Role evolution: % of roles materially redefined in 12 months. Attrition analysis: are fast learners staying or leaving?

Are people experimenting with new AI tools — or using the same ones the same way as 6 months ago? Learning velocity is visible in tool adoption patterns, workflow evolution, and the quality of questions asked. Stagnation is equally visible.

Someone has sight of the full AI landscape: agents, models, risk exposure, talent pipeline, strategic alignment. The CAIO dashboard is the governance instrument — where CTO data governance, CHRO talent data, and risk-function exposure maps converge. The CAIO doesn't own data infrastructure (CTO/CIO does). But the CAIO owns the question: are we locked into SaaS data moats? Is data portable? Data governance is the CTO's job; data strategy as it constrains AI adoption is the CAIO's.

Is the agent marketing built talking to the agent ops built? Is there a learning loop where one team's discovery accelerates another's? The CAIO's unique problem: the connective tissue of adoption. Pockets of excellence that don't connect are not a strategy — they're a coincidence.

The five other dimensions must cohere. Decision rights contradicting agent authority = confusion. Talent strategy disconnected from risk intelligence = blind spots. Are six dimensions pulling together — or optimizing locally while the system fragments? Every governance decision traceable to a strategic objective; if it can't explain why it exists, it's bureaucratic accretion.

“Can anyone describe the full AI governance picture?” “Do you know what other teams are building with AI?” If every team describes their initiatives but no one describes the system, coherence is absent.

CAIO dashboard: exists and integrates all six dimensions? Cross-team integration map. Organizational learning velocity: time from one team's discovery to another's adoption. Cross-dimension contradiction audit. Data portability score. Vendor lock-in assessment: SaaS moat exposure across AI estate.

Does AI governance review happen as an integrated whole — or does each dimension present separately with no synthesis? “But that contradicts what we decided in risk governance” = coherence working. No one notices the contradiction = coherence absent.