Methodology: governance-index-v1

How the governance index is scored.

A weighted, eight-dimension score measuring an organization's AI governance maturity across inventory, regulatory controls, policy enforcement, detection, remediation, and evidence readiness. Scale 0–100.

Overview

How the score is computed

The governance index is a composite score derived from eight weighted dimensions. Each dimension is computed independently and scores stay within the 0-100 range. The final score is the weighted sum of all dimension scores, rounded to the nearest integer.

score = Σ (dimension_score_i × weight_i) where each dimension_score_i ∈ [0, 100]

Scores update quarterly (Jan, Apr, Jul, Oct) and on event-driven triggers (control status changes, finding triage, policy updates). Each snapshot pins the methodology version and all inputs for replay.

Dimensions

Components and weights

| Dimension | Weight | What is measured |
| --- | --- | --- |
| Inventory completeness | 15% | Percentage of owned systems, systems with a recorded status, and resolved shadow AI discoveries. Average of the three ratios. |
| Risk assessment coverage | 15% | Percentage of systems with a risk score and a recorded autonomy tier. Freshness of most recent assessment factored in. |
| Regulatory and control coverage | 20% | Percentage of mapped controls that are implemented, evidenced, and assessed. Highest weight, reflects direct regulatory alignment. |
| Policy enforcement maturity | 15% | Active policy ratio, lifecycle event activity, sector pack adoption, and rollback pressure penalty. |
| Detection and monitoring coverage | 10% | Starts at 100, then subtracts severity-weighted penalties for open severe findings (−12 each) and unprocessed governance events (−2 each). Floored at 25 when findings data is present. |
| Review and remediation discipline | 10% | Resolved-finding rate, closed workflow task rate, and penalty for overdue tasks (−10 per overdue item). |
| Evidence and audit readiness | 10% | Percentage of controls with attached evidence, presence of an audit log trail (contributes 80 points), and presence of a governance event trail (contributes 70 points). |
| Change management | 5% | Processed-event rate, audit log presence (80 points), and rollback pressure penalty (−15 per rollback). |

Computation details

Normalization and clamping

Each dimension score is clamped to [0, 100] before weighting, so no dimension can push its contribution to the composite below zero or above the cap defined by its weight. For example, the highest-weight dimension (regulatory and control coverage, 20% weight) can contribute at most 20 points to the composite.

dimension_score = clamp(raw_score, 0, 100)
composite_score = round(Σ dimension_score_i × weight_i)

Detection and monitoring is the only dimension with a floor condition: if finding data exists for the organization, the dimension score is floored at 25 (not 0) to prevent a zero score from masking the presence of a detection surface.
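The clamping, weighting, and detection floor described above, worked through as an added example (this is not KoraSafe's code). The dictionary keys and sample inputs are constructed for illustration, and half-up rounding is an assumption, since the page only specifies "nearest integer".

```python
import math

# Weights in percent, from the page's dimension table (they sum to 100).
# Dictionary keys are short names chosen for this example.
WEIGHTS = {
    "inventory": 15, "risk_assessment": 15, "regulatory_controls": 20,
    "policy_enforcement": 15, "detection": 10, "remediation": 10,
    "evidence": 10, "change_management": 5,
}

def clamp(value, low=0, high=100):
    """Restrict a raw dimension score to [low, high]."""
    return max(low, min(high, value))

def detection_score(open_severe, unprocessed_events, has_findings_data):
    """Start at 100, subtract 12 per open severe finding and 2 per unprocessed event."""
    raw = 100 - 12 * open_severe - 2 * unprocessed_events
    # The floor of 25 applies only when findings data exists; otherwise the normal 0.
    return clamp(raw, low=25 if has_findings_data else 0)

def composite(raw_scores):
    """Return (rounded composite, per-dimension point contributions)."""
    missing = WEIGHTS.keys() - raw_scores.keys()
    if missing:
        raise ValueError(f"missing dimensions: {sorted(missing)}")
    points = {name: clamp(raw_scores[name]) * w / 100 for name, w in WEIGHTS.items()}
    # Assumption: ties round half up; the page only says "nearest integer".
    return math.floor(sum(points.values()) + 0.5), points

def sample_scores(has_findings_data):
    """Constructed inputs: two raw scores fall outside [0, 100] on purpose."""
    return {
        "inventory": 82, "risk_assessment": 70,
        "regulatory_controls": 130,   # out-of-range raw value, clamps to 100
        "policy_enforcement": 64,
        "detection": detection_score(9, 4, has_findings_data),  # raw = -16
        "remediation": -20,           # overdue penalties pushed it below zero
        "evidence": 90, "change_management": 55,
    }

if __name__ == "__main__":
    for flag in (True, False):
        score, points = composite(sample_scores(flag))
        print(f"findings data={flag}: composite={score}, detection pts={points['detection']}")
```

With identical findings counts, the floor alone moves the composite by 2.5 points, which matters when reading a score near a threshold.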

Confidence levels

The score carries a confidence label based on data completeness:

Event triggers

When scores recompute

Quarterly refresh

Scores recompute on the first of January, April, July, and October. This ensures boardroom-cadence freshness even when no governance events fire.

Event-driven triggers

Recompute fires on control status changes, finding triage transitions, policy lifecycle events, shadow AI registration or dismissal, and risk score updates.

Snapshot pinning

Each recompute produces an immutable snapshot: methodology version (governance-index-v1), all dimension inputs, computed weights, and final score. Snapshots are replayable.

Limitations

What this score does not measure

Document version: governance-index-v1

Published by: KoraSafe Research

Last reviewed: 2026 Q2

Corresponds to: KoraSafe platform B2 milestone, governance index product release