KPI/KRI Definitions & Dashboard Spec
Purpose
Defines key performance and risk indicators for AI governance with targets, thresholds, and dashboard specifications.
1. Purpose
Explain why KPIs and KRIs are needed and how they drive decisions.
This document defines the Key Performance Indicators (KPIs) and Key Risk Indicators (KRIs) that measure the health, effectiveness, and risk posture of [ORGANIZATION NAME]'s AI governance program. These metrics drive data-informed decisions, surface emerging risks, and demonstrate program maturity to stakeholders.
Document Owner: [ROLE TITLE], [DEPARTMENT]
Last Updated: [DATE]
KPIs measure how well the AI governance program is performing against its objectives.
KRIs provide early warning signals of increasing risk that require attention or intervention.
2. KPI Definitions
Define each KPI with targets, data sources, and measurement frequency.
| KPI ID | Name | Description | Target | Data Source | Frequency |
|---|---|---|---|---|---|
| KPI-01 | Policy Training Completion | % of employees who completed AI policy training | > 95% | LMS / HR System | Monthly |
| KPI-02 | Control Implementation Rate | % of required controls fully implemented | > 85% | GRC Platform | Quarterly |
| KPI-03 | AI Asset Inventory Accuracy | % of AI systems registered vs. discovered | > 95% | Asset Register + Discovery Scan | Quarterly |
| KPI-04 | Mean Time to Resolve AI Incidents | Average time from detection to resolution | < 4 hours (High), < 24 hours (Medium) | Incident Management System | Monthly |
| KPI-05 | Vendor Review Completion | % of AI vendors with current evaluation | 100% | Vendor Management | Quarterly |
| KPI-06 | Deployment Gate Pass Rate | % of deployments passing all gates on first attempt | > 80% | CI/CD Pipeline | Monthly |
3. KRI Definitions
Define each KRI with warning and critical thresholds.
| KRI ID | Name | Description | Warning | Critical | Data Source | Frequency |
|---|---|---|---|---|---|---|
| KRI-01 | Prompt Injection Attempts | Count of detected injection attempts | > 50/week | > 200/week | WAF / AI Gateway Logs | Daily |
| KRI-02 | Output Quality Decline | % decrease in output accuracy from baseline | > 5% decline | > 15% decline | Evaluation Pipeline | Weekly |
| KRI-03 | Unregistered AI Systems | Count of AI systems found outside inventory | > 1 | > 3 | Discovery Scan | Quarterly |
| KRI-04 | Overdue Risk Remediations | Count of overdue remediation items | > 3 | > 10 | Risk Register | Weekly |
| KRI-05 | AI Incident Frequency | Number of AI-related incidents per month | > 3/month | > 8/month | Incident Management | Monthly |
| KRI-06 | Policy Exceptions Active | Number of active policy exceptions | > 5 | > 10 | Exception Register | Monthly |
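KRI-01 is thresholded per week but measured daily, so the automated daily check has to evaluate a trailing window rather than a single day's count. The sketch below is an added example, not part of the original template: it encodes the warning and critical thresholds from the table above and raises an alert when KRI-01 escalates. Assumptions: the window is the trailing 7 days, alerts fire only when the status worsens, and the daily counts are constructed sample data.

```python
from datetime import date, timedelta

# (warning, critical) pairs from the KRI table; a value breaches when it is
# strictly greater than the threshold, matching the table's ">" notation.
KRI_THRESHOLDS = {
    "KRI-01": (50, 200),  # prompt injection attempts per week
    "KRI-02": (5, 15),    # % decline in output accuracy from baseline
    "KRI-03": (1, 3),     # unregistered AI systems
    "KRI-04": (3, 10),    # overdue risk remediations
    "KRI-05": (3, 8),     # AI incidents per month
    "KRI-06": (5, 10),    # active policy exceptions
}
SEVERITY = {"Green": 0, "Amber": 1, "Red": 2}

def rag_status(kri_id, value):
    """Classify a KRI reading as Green, Amber or Red."""
    warning, critical = KRI_THRESHOLDS[kri_id]
    if value > critical:
        return "Red"
    return "Amber" if value > warning else "Green"

def rolling_week_totals(daily_counts):
    """Map each day to the sum of its own count and the six preceding days.
    Days missing from the input count as zero."""
    return {
        day: sum(daily_counts.get(day - timedelta(days=n), 0) for n in range(7))
        for day in sorted(daily_counts)
    }

def kri01_alerts(daily_counts):
    """Return (day, weekly_total, status) each time KRI-01 escalates.
    Assumption: alert when the status worsens, not on every breached day."""
    alerts, previous = [], "Green"
    for day, total in rolling_week_totals(daily_counts).items():
        status = rag_status("KRI-01", total)
        if SEVERITY[status] > SEVERITY[previous]:
            alerts.append((day, total, status))
        previous = status
    return alerts

# Constructed sample: daily detection counts as an AI gateway might report them.
START = date(2024, 1, 1)
SAMPLE = {START + timedelta(days=i): c
          for i, c in enumerate([5, 6, 4, 8, 7, 9, 12, 30, 60, 120])}

if __name__ == "__main__":
    for day, total, status in kri01_alerts(SAMPLE):
        print(f"{day} KRI-01 {status}: {total} attempts in trailing 7 days")
```

No single day in the sample exceeds 200, yet the trailing total crosses the critical threshold on the tenth day, which a per-day comparison would miss.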
4. Dashboard Specification
Define the layout and components of the governance dashboard.
Dashboard Layout
Section 1 — Executive Summary (Top Row)
- Overall governance health score (composite RAG status)
- KPI trend sparklines (6-month view)
- Active incident count
- Days since last Severity 1 incident
Section 2 — KPI Detail (Middle Row)
- 6 KPI cards with current value, target, trend arrow, and RAG indicator
- Click-through to detailed metric history and drill-down
Section 3 — KRI Heatmap (Middle Row)
- 6 KRI tiles with current status (Green/Amber/Red)
- Warning and critical threshold indicators
- Trend indicator (improving/stable/degrading)
Section 4 — Operational (Bottom Row)
- Recent incidents list (last 30 days)
- Upcoming reviews and deadlines
- Open remediation items by severity
Access Control
- Executive view: Summary metrics only (Section 1)
- Management view: Full dashboard (Sections 1-4)
- Operational view: Sections 2-4 with drill-down capability
5. Reporting Cadence
Define how and when KPI/KRI data is reported to stakeholders.
Reporting Schedule
- Daily: KRI monitoring (automated, alerts on threshold breach)
- Weekly: Operational team reviews KPI/KRI dashboard
- Monthly: AI Program Lead presents KPI summary to management
- Quarterly: Full KPI/KRI report to AI Governance Committee including trends, analysis, and recommendations
- Annually: Year-over-year maturity assessment incorporating KPI/KRI trends
Report Distribution
- AI Governance Committee: Quarterly report + dashboard access
- Executive Leadership: Monthly executive summary
- System Owners: Monthly metrics for their systems
- Security Team: Weekly KRI alerts and trends
Target Review Process
KPI targets and KRI thresholds are reviewed quarterly. Adjustments require AI Governance Committee approval and must be documented with rationale.