Strategy & Metrics (SM)
Processes Domain - HAIAMM v3.0
Practice Overview
Objective: Stand up an AI/HAI Process Assurance program that discovers, inventories, and strategically governs all business workflows that embed AI/HAI, with shadow-AI-in-processes prevention as the primary L1 outcome and a defensible risk-tier rubric as the primary L2 deliverable.
Description: The Processes domain governs the business workflows that embed AI/HAI, the decision pipelines, customer-facing flows, human-AI collaboration chains, back-office augmentation workflows, approval and review workflows, content-generation workflows, and knowledge-management workflows that the organization operates. SM-Processes establishes the program charter, an authoritative inventory of these AI-embedded workflows, and the practice-maturity metrics that prove the program is working. SM-Processes L2 produces the risk-tier rubric every other Processes-domain L2 practice depends on, and every downstream Processes-domain practice (PC, TA, SR, SA, DR, IR, ST, EH, ML, IM) inherits its tier-calibration from the rubric authored here.
Context: Workflows embed AI faster than governance catches up, a credit decision pipeline quietly routes to an LLM-generated score, a customer support team uses AI-drafted responses without a documented review standard, an HR team runs resumes through an AI screener before a human sees them, a finance team uses an AI summarizer to triage invoices with no accuracy check. None of this is inherently wrong, but without an inventory and a governance structure it is invisible. Business workflows that embed AI raise the highest regulatory exposure in HAIAMM: a decision pipeline hitting GDPR Art. 22 automated-decisioning safeguards, an EU AI Act Annex III high-risk use in hiring or credit, or an autonomous customer-facing flow without the human-oversight model required under Art. 14. Discovery is harder here than in Software or Data because business workflows are often informal, undocumented in code, described in team wikis or tribal knowledge, and spread across HR, Finance, Legal, Customer Support, Sales, Engineering, and Operations. The amnesty path and function-by-function survey are essential. The AI/HAI Process Assurance program makes this surface visible, attaches accountable ownership to each workflow archetype, and puts a governance gate on the path from informal AI adoption to sanctioned embedded workflow, so high-risk workflows surface before they create legal exposure.
Maturity Level 1
Objective: Stand up the AI/HAI Process Assurance program, build an inventory of business workflows that embed AI/HAI across the seven archetypes, and establish baseline metrics that prove shadow AI in processes is decreasing
At this level, the organization makes its AI-embedded business workflow surface visible, assigns accountability, and begins measuring the reduction of shadow AI, unsanctioned or undisclosed AI steps embedded in business processes without governance, human-oversight standards, or regulatory assessment.
Dependencies
- None, entry-point practice for the Processes domain. SM-Processes L1 precedes all other Processes-domain L1s.
- Alignment (not a hard dependency): enterprise-wide SM strategy, CISO co-sponsorship with the Chief Operating Officer / Head of Business Operations / Chief Risk Officer, existing BPM governance programs (Camunda, ServiceNow workflow catalogs, business-process-mapping repos), and function heads (HR, Finance, Legal, Customer Support, Sales, Engineering, Operations) who own the workflows.
- Supports / unblocks: PC-Processes L1 (policies need the inventory and archetype taxonomy), TA-Processes L1 (threat modeling needs the workflow asset list), SR-Processes L1 (requirements packs key on archetype), SA-Processes L1 (reference patterns need the archetype list), IM-Processes L1 (incident routing needs the owner and sponsor structure), ML-Processes L1 (logging baseline needs the inventory).
Desired Outcomes
- Shadow AI in business processes is visible, attributed to a named owning function and team, and trending down quarter-over-quarter.
- A single AI/HAI process inventory is the authoritative source of truth across Security, Operations, Legal/Privacy, Compliance, and function heads.
- An accountable executive owns AI/HAI process risk; decision rights for approval, block, exception, and sanctioning of new AI-embedded workflows are unambiguous.
- Practice maturity is measurable from a small, automatable metric set rather than from activity counts.
- The program is positioned as an enabler, fast-track intake for low-risk archetypes (internal back-office summarization with full human review), full review for high-risk archetypes (AI-driven credit scoring or hiring decision pipelines).
Activities
A) Charter the AI/HAI Process Assurance program
Publish a short program charter that names the problem (shadow AI in business processes, undisclosed AI steps in customer-facing and decision-affecting workflows, workflows lacking human-oversight standards or regulatory assessment), defines scope, and assigns accountable ownership. The program does not need a new team, it needs a named owner and a small cross-functional working group that spans business functions.
Charter elements: - Problem statement, why AI embedded in business workflows is a distinct risk category: AI output directly drives decisions affecting people's legal status, financial standing, employment, and service access (GDPR Art. 22 automated-decisioning safeguards, EU AI Act Annex III high-risk uses); customer-facing flows using AI output may violate Art. 50 transparency obligations; human-AI collaboration chains with no HITL standards expose the org to output-integrity failures at scale; sector regulations (FCRA credit, EEOC employment AI, NYC Local Law 144 AI hiring, CO SB-21-169 insurance AI, FINRA model risk) carry enforcement risk that sits in business functions, not in the security team. - In-scope workflow archetypes, the seven canonical Processes-domain workflow types: 1. Decision pipeline, AI output materially drives a decision with legal or significant effect (approve/deny/score/route); includes credit decisions, insurance underwriting, employment screening, benefit eligibility, and content moderation decisions affecting users. 2. Customer-facing flow, AI output reaches a customer (recommendation, response, generated content, support answer, pricing); the customer experiences the AI output directly even if a human reviewed it. 3. Human-AI collaboration chain, workflow where AI assists and a human approves, edits, or escalates (HITL); the human step is load-bearing and its depth defines the oversight model. 4. Back-office augmentation, AI assists internal work (drafting, summarizing, classifying, triaging) with human review before output leaves the function; lower customer exposure but still creates accuracy and audit-trail obligations. 5. Approval / review workflow, AI screens or pre-classifies items (invoices, contracts, support tickets, compliance findings); human approves or rejects based on AI pre-work. 6. Content-generation workflow, AI generates content (marketing copy, code, documentation, legal clauses, reports) for downstream use; human review depth and publication accountability vary. 7. Knowledge-management workflow, RAG-driven internal search, Q&A, and expert assistance tools used by employees to make decisions or produce work product; lower direct customer exposure but creates output-integrity-in-decisions risk. - Executive sponsor, typically the CISO co-sponsored by the COO / Chief Risk Officer / General Counsel; co-signed by the DPO/CPO where Art. 22 or Annex III workflows are in scope. - Working group, Security, Legal/Privacy (DPO/CPO), Compliance, Operations, and function representatives (HR, Finance, Legal, Customer Support, Sales, Engineering) from each business unit embedding AI in workflows. - Decision rights, who can sanction a new AI-embedded workflow; who can block one; who handles exceptions; who approves the human-oversight model for each archetype. - Success definition for year one, a numerical target for the L1 outcome metrics below.
B) Build the AI/HAI process inventory and discover shadow AI in business processes
Establish a single AI/HAI process inventory as the program's source of truth. The Processes domain is distinct from Software and Data: many AI-embedded workflows are informal, not coded into a system, not documented in a BPM repo, and not visible from engineering signals alone. Discovery requires a mix of system signals and human survey.
Inventory fields (minimum): - Workflow name, owning function, owning team, workflow archetype (decision pipeline, customer-facing flow, human-AI collaboration chain, back-office augmentation, approval/review workflow, content-generation workflow, knowledge-management workflow). - AI/HAI capability embedded: which AI tool, model, or system provides the AI step; vendor or internal; archetype of the AI tool (from the Vendors domain taxonomy). - Decision-affecting effect: does the AI output materially drive a decision with legal or significant effect on a person? (GDPR Art. 22 trigger; EU AI Act Annex III trigger) - Customer reach: number and type of customers affected by the AI-embedded step per month. - Reversibility: is the AI-driven action reversible (edit the draft, override the recommendation) or effectively irreversible (account closed, credit denied, employment rejected, content published)? - Human-oversight depth: autonomous (no human step); human-in-the-loop with substantive review; human-in-the-loop with rubber-stamp review; human review before output leaves the org. - Regulatory scope: sector triggers in scope (clinical, financial, employment, insurance, facial recognition, content moderation with legal effect). - Data classes processed through the workflow: regulated PII / PHI / financial / biometric / employment data. - Business criticality: revenue path, customer onboarding, safety-critical, compliance-obligated. - Approval status: Sanctioned / Provisional / Under review / Prohibited / Awaiting Intake. - Risk tier assignment (populated at L2, see SM-Processes L2 Activity A). - Linked artifacts: TA threat snapshot, SR requirements-evidence map (REM), latest DR decision, latest IR finding, ML logging-baseline status.
Discovery sources (at L1, use these signals, note that Processes-domain discovery is harder than Software or Data because informal workflows leave no code footprint): - BPM and workflow platforms, Camunda, ServiceNow workflow catalog, Salesforce flows with AI steps, Microsoft Power Automate, business-process-mapping repos tagged with AI labels. - RPA platforms, UiPath, Automation Anywhere, Blue Prism: processes with AI plugins or AI-decision steps embedded. - Ticketing systems, Jira, ServiceNow ITSM, Zendesk: tickets labeled "AI-assisted," "AI-generated," "AI-reviewed," or similar; support queue routing rules that send to an AI step before human. - Customer-journey maps, customer experience artifacts that show AI touchpoints (AI-generated recommendation, AI chatbot handoff, AI-scored application); Product and CX team review. - Internal handbook and wiki search, search Confluence, Notion, internal wikis for "AI-assisted," "AI-generated," "AI review," "automated decision," "model-based," "LLM-drafted"; each hit is a candidate workflow. - Function-by-function survey, the primary discovery lever when the above signals are incomplete. A structured survey sent to function heads (HR, Finance, Legal, Customer Support, Sales, Engineering, Operations) asking: does your team use AI to assist with any step of a workflow? Does AI output reach a customer or affect a decision about a person? Is there a human review before AI output is acted on? Who owns the AI tool used? Amnesty framing: disclosing existing AI use carries no penalty. - Vendor invoice and contract review, contracts for AI-embedded SaaS tools (Salesforce Einstein, Workday AI, Greenhouse AI, Intercom AI, lending platforms with model-score APIs, etc.) reveal which business functions have AI-embedded tools in production. - Self-attestation, a short intake form publicized to function heads and operations managers with an explicit amnesty window for disclosing AI-embedded steps already in use.
C) Establish foundational metrics that measure practice maturity and shadow-AI-in-processes reduction
Baseline and track a small set of outcome, process, and effectiveness metrics. Keep L1 metrics simple, automatable where possible, and tied to the L1 outcome (shadow AI in processes reduced; inventory coverage growing).
Shadow-AI-in-processes scoreboard (published quarterly to the executive sponsor): 1. AI-embedded workflows in inventory (total / sanctioned / provisional / prohibited / awaiting intake), broken out by archetype. 2. New AI-embedded workflows discovered this quarter and their intake status. 3. Shadow-AI-in-processes ratio trend (last 4 quarters): AI-embedded workflow steps operating without a known owner, human-oversight standard, or governance record. 4. AI-in-Business-Process Policy attestation coverage across function heads, process owners, and operations managers. 5. Top 5 unmitigated process risks (TA-flagged, compliance-flagged, or external-advisory-flagged) with owners and remediation status.
Outcome Metrics (L1)
| Metric | Baseline | L1 Target | Source |
|---|---|---|---|
| AI/HAI process inventory coverage (% of discovered AI-embedded workflows in inventory) | measure | ≥85% within 12 months | Inventory vs. discovery-source reconciliation |
| Shadow-AI-in-processes ratio (AI-embedded workflow steps without known owner or governance record ÷ total AI-embedded workflow steps) | measure | ≤20% and trending down | Inventory status field |
| % function heads and process owners with acknowledged AI-in-Business-Process Policy | measure | ≥90% | HR / LMS attestation |
| % AI-embedded workflows in production with a named owning team and documented human-oversight model | measure | 100% for decision-affecting and customer-facing archetypes | Inventory |
| Known AI-process compliance events per quarter (regulatory inquiry, customer complaint citing AI decision, Art. 22 challenge) | measure | trending down QoQ | Legal / compliance tracker |
Process Metrics (leading)
- Discovery cadence, function-by-function survey sweep and BPM/RPA/ticketing-system review run at least quarterly; internal wiki/handbook search run monthly.
- Intake SLA, new AI-embedded workflow intake triaged within 5 business days; provisional approval within 10 BD for Low-tier archetypes (back-office augmentation with full human review, no regulated data, no customer-facing output).
- Inventory freshness, ≥75% of inventory records reviewed or confirmed by the owning function within the last 90 days.
- Working-group cadence, at least monthly; function representatives required; minutes published.
Effectiveness Metrics (business value)
- Function-team cycle-time impact, the time from "function team requests intake" to "provisional approval issued" should decrease as the program matures; the program is not a bottleneck.
- Regulatory-inquiry response time, when a regulator, auditor, or individual invokes Art. 22 rights or Annex III compliance inquiry, the org can produce the inventory record, human-oversight model, and workflow documentation within 5 business days.
- Avoided-incident stories, documented cases where early discovery caught a high-risk workflow before it created legal or reputational exposure (Art. 22 automated-decisioning violation caught before customer complaints, Annex III workflow identified and FRIA commissioned before deployment).
Success Criteria
- Program charter published and sponsored by an accountable executive (CISO + COO / Chief Risk Officer / General Counsel / DPO).
- AI/HAI process inventory exists as a single source of truth with ≥85% coverage of discovered AI-embedded workflows within 12 months, broken out by archetype.
- Shadow-AI-in-processes ratio baselined and trending down for two consecutive quarters.
- ≥90% of function heads and process owners have acknowledged the AI-in-Business-Process Policy.
- Quarterly shadow-AI-in-processes scoreboard delivered to the executive sponsor with archetype-level breakdown.
Maturity Level 2
Objective: Risk-tier every AI-embedded workflow using the canonical rubric, calibrate the program's intensity per tier, and measure practice maturity and shadow-AI reduction per tier, establishing the rubric every other Processes-domain L2 practice depends on
At this level, the program stops treating every AI-embedded workflow the same. Risk tiers drive how deep intake goes, what human-oversight standards apply, what compliance assessments are required, and what the sponsor sees on the scoreboard. A Critical-tier decision pipeline routing credit decisions via an AI score is not equivalent to a Low-tier back-office augmentation workflow where a human always rewrites the AI draft. Per §9.3 of the v3.0 framing, the rubric established here is the prerequisite for L2 at PC, TA, SR, SA, DR, IR, ST, EH, ML, and IM in the Processes domain.
Dependencies
- SM-Processes L1 (required): inventory, charter, working group, and baseline metrics are the substrate L2 tiers and calibrates.
- PC-Processes L1 (required): the priority compliance map provides several tier dimensions (EU AI Act Annex III / Art. 22 scope, GDPR Art. 22 automated decisioning, sector-specific regulatory triggers).
- TA-Processes L1 (required): the threat library provides threat dimensions (output-integrity risk, excessive agency in automated steps, goal-hijack via workflow inputs, rogue process drift in long-running pipelines).
- Supports / unblocks: PC-Processes L2 (tier-driven policy depth and FRIA gate for Annex III workflows), TA-Processes L2 (per-workflow deep threat models for Critical/High), SR-Processes L2 (per-tier requirements packs), SA-Processes L2 (tier-conditional reference patterns), DR/IR/ST/EH/ML/IM-Processes L2 (all per-tier calibrated).
Desired Outcomes
- Every AI-embedded workflow in the inventory carries a risk-tier assignment tied to explicit, auditable dimensions, not reviewer intuition.
- Program intensity is visibly differentiated: Critical decision pipelines with customer-legal-effect get the full program (FRIA gate, deep TA, full SR pack, mandatory HITL standards review, sector-specific compliance evidence), Low back-office augmentation stays fast-tracked.
- The quarterly scoreboard splits by tier; the sponsor can see which tiers are healthy and which are drifting.
- Tier movements (a workflow upgraded when it gains customer-facing output, automated decision capability, or regulatory scope) are tracked, rationale-logged, and sponsor-visible.
- Practice maturity is defensible per tier: "we are mature at Critical and still building at Medium" is a real, evidenced statement.
Activities
A) Define the AI/HAI process risk-tier rubric
Four tiers, Critical / High / Medium / Low, assigned from a small set of auditable dimensions specific to AI-embedded workflows. This rubric is the canonical source of truth; all downstream Processes-domain L2 practices inherit it.
Decision-affecting effect: - AI output materially drives a decision with legal or significant effect on a person (credit approve/deny, employment hire/reject, benefit eligibility, insurance underwriting, content-moderation account action) → Critical (EU AI Act Annex III trigger; GDPR Art. 22 trigger). - AI output influences (but a human decides) a decision with significant effect → High. - AI output informs internal operational decisions (routing, prioritization, triage) with limited personal effect → Medium. - AI assists internal drafting / summarization with full human review; no decision affecting persons directly → Low.
Customer reach: - AI-embedded step reaches >10,000 customers per month → elevate. - AI-embedded step reaches 1,000–10,000 customers → High or above. - AI-embedded step is internal-only → neutral.
Reversibility of AI-driven action: - Action is effectively irreversible (credit denial processed, account terminated, employment rejected, medical triage decision acted on) or carries significant financial harm → Critical or High; elevate the tier. - Action is reversible with a clear override mechanism documented and tested → neutral.
Human-oversight depth: - Autonomous step with no human in the loop → elevate to Critical or High. - Human-in-the-loop with rubber-stamp review (human rarely overrides; SLA too short for substantive review) → treat as elevated; requires HITL design assessment. - Human-in-the-loop with substantive review (human reads, edits, or escalates meaningfully) → neutral. - Full human review before output leaves the org → neutral or lower.
Regulatory scope: - EU AI Act Annex III high-risk use categories (employment, credit, education, biometric, critical infrastructure, law enforcement, immigration, justice, essential services) → Critical. - Sector-specific AI rules in scope (FCRA credit decisions, EEOC employment AI, NYC Local Law 144 AI hiring, CO SB-21-169 insurance AI, FINRA model-risk guidance for automated advice, FDA clinical workflow, FRT facial recognition) → Critical or High depending on severity. - GDPR Art. 22 automated-decisioning obligation with legal or similarly significant effect → Critical.
Data classes processed through the workflow: - Biometric, health / PHI, financial / credit, employment, special-category GDPR data → elevate to Critical or High. - Regulated PII (name, address, government ID) → High. - Internal business data only → Medium or Low.
Business criticality: - Workflow is on the critical path of a revenue-generating product, customer onboarding, safety-critical service, or a regulated-control surface → elevate. - Workflow is internal back-office with low volume and full human review → neutral or lower.
Tier derivation is deterministic from the rubric inputs; human overrides are allowed but recorded with rationale and reviewed by the working group.
B) Calibrate program intensity per tier
Publish a tier-treatment matrix, what each tier gets from the Processes-domain program. Every downstream practice inherits this calibration.
| Treatment | Critical | High | Medium | Low |
|---|---|---|---|---|
| Intake depth | Full SR pack + full REM + FRIA gate (Annex III) + executive + DPO/CPO sign-off | Full SR pack + REM + privacy-officer review + HITL standards assessment | Base SR pack + REM + HITL documentation | Base SR pack only |
| FRIA (Fundamental Rights Impact Assessment) | Required for EU AI Act Annex III workflows before production | Required if Art. 22 applies and scale exceeds threshold | Not required unless voluntarily commissioned | Not required |
| HITL standards assessment | Required: substantive-review SLA documented and tested; override authority named | Required: HITL model documented | HITL documented | Human-review step confirmed |
| TA depth | Per-workflow deep threat model including output-integrity, AGH via workflow inputs, EA in automated steps, RA in long-running pipelines | Archetype model + workflow deltas + regulatory-scope overlay | Archetype model | Archetype model |
| SA pattern adherence | Must follow reference pattern; deviations require full-lane DR | Reference pattern preferred; deviations documented | Reference pattern preferred | Reference pattern recommended |
| Design review (DR) | Required, full-lane, with named architect and Legal/Privacy representative | Required; full-lane if deviation, else fast-lane | Fast-lane | Not required |
| Implementation review (IR) cadence | Go-live + semi-annual + on every material change (new AI step, new data class, scope change, new customer population) | Go-live + annual + on material change | Go-live + annual | Go-live |
| Security testing (ST) | Full battery (output-integrity probes, HITL bypass tests, input-injection probes for AGH, excessive-agency tests, logging-completeness, kill-switch) + quarterly red-team | Full battery | Subset battery | Spot-check |
| Monitoring (ML) | Full workflow telemetry: AI step inputs/outputs, human-oversight events (approvals, overrides, escalations), decision outcomes; audit trail for Art. 26/22 evidence | Core telemetry + HITL event logging | Shadow-AI detections + baseline logging | Baseline logging |
| IM SLA | Critical findings: ack ≤4h, mitigate ≤48h, root-cause ≤30d | Ack ≤24h, mitigate ≤7d, root-cause ≤45d | Ack ≤48h, mitigate ≤14d | Ack ≤5BD, mitigate ≤30d |
| Re-review on material change | Mandatory within 14 days | Mandatory within 30 days | Mandatory within 60 days | At annual review |
C) Per-tier scoreboard and governance
The L1 shadow-AI-in-processes scoreboard becomes tier-aware at L2: - Inventory state reported by tier and by archetype; a Critical-tier decision pipeline is its own row. - Shadow-AI-in-processes ratio reported per tier, a Critical-tier undisclosed AI decision pipeline is a headline; a Low-tier back-office augmentation is a line item. - SLA adherence per tier (intake, DR, IR, ST, ML, IM) reported monthly. - Tier-movement log, workflows that moved up a tier (tighter treatment now applies) or down (with rationale) this quarter. - FRIA completion status for all Annex III workflows: commissioned, in-progress, completed, or flagged as overdue. - Quarterly executive review discusses tier-balance: is the program's effort matching the risk profile?
Outcome Metrics (L2)
| Metric | Baseline | L2 Target | Source |
|---|---|---|---|
| % of inventory with a current tier assignment | measure | 100% | Inventory |
| Tier-treatment matrix adherence, % Critical workflows with full-scope treatment in last 12 months | measure | ≥95% | Cross-practice artifacts × inventory |
| Tier-weighted shadow-AI-in-processes ratio (Critical-weighted) | measure | Critical = 0 unsanctioned in production; overall trending down | Inventory + discovery |
| Per-tier SLA adherence across practices | measure | ≥90% per tier | Program telemetry |
| FRIA completion rate for EU AI Act Annex III workflows | measure | 100% before go-live | FRIA register |
| Tier drift rate (tier changes per year) | measure | tracked; unexplained changes = 0 | Governance log |
Process Metrics (leading)
- Tier-rubric review cadence, reviewed every 2 quarters; changes change-logged.
- FRIA gate exercised for all Annex III workflows; no Critical-Annex-III workflow reaches production without a commissioned FRIA.
- Per-tier queue depth monitored; no tier's backlog exceeds a published threshold.
- HITL standards assessments completed for all Critical/High workflows within 30 days of intake.
Effectiveness Metrics (business value)
- Effort allocation match, % of reviewer hours on Critical+High tiers vs. Medium+Low; should rise relative to L1.
- Regulatory-inquiry response time, evidence package for any Art. 22 / Annex III inquiry produced within 5 business days from the tier-treatment record.
- Avoided-incident stories where tier-differentiation caught a high-risk workflow before legal exposure (Annex III workflow caught at intake before deployment, Art. 22 violation avoided by FRIA gate).
Success Criteria
- Risk-tier rubric published and applied; tier assigned to 100% of inventory.
- Tier-treatment matrix published; downstream practices (PC, TA, SR, SA, DR, IR, ST, EH, ML, IM) calibrated to it.
- Per-tier shadow-AI-in-processes ratio reported quarterly; Critical-tier unsanctioned AI in production = 0.
- Per-tier SLA adherence ≥90% across practices.
- FRIA gate operational; 100% of EU AI Act Annex III workflows in the inventory have a FRIA on file before production.
- Tier-movement governance active, changes logged with rationale, reviewed by the sponsor.
Maturity Level 3
Objective: Automate inventory and tier maintenance from workflow-execution telemetry, benchmark the program against external peers (APQC, BPM ISACs, sector AI working groups), and contribute to industry AI-process-governance standards
At this level, the program is signal-driven rather than survey-driven. Workflow-execution telemetry (BPM platform events, RPA run logs, ticketing-system AI-step events, CX-platform AI routing events) updates the inventory and flags tier changes automatically. Human review is exception-based. The program benchmarks against APQC process-maturity data, BPM-community AI-governance standards, HR-AI and FinAI and ClinAI working groups, and sector-specific enforcement-action learnings. It contributes to ISO/IEC 42005 AI impact assessment, OECD AI-in-business-processes guidance, and sector-specific AI deployment officer credentialing paths.
Dependencies
- SM-Processes L2 (required): tiering and calibration must be settled before automation is trustworthy.
- ML-Processes L2+ (required): workflow-execution telemetry (BPM events, HITL event logs, AI-step input/output logs) needs the monitoring pipeline behind them.
- EG-Processes L2+ (required): process-owner and practitioner literacy enables teams to self-attest inventory accurately at the workflow level.
- Supports / unblocks: the other 11 Processes-domain practices can move to L3 automation patterns because SM now supplies automated inventory and tier data.
Desired Outcomes
- Inventory accuracy is measured in hours of latency, not quarters.
- Tier assignments adjust automatically when dimensional inputs change (a workflow gains a new customer population, an AI step is changed from advisory to decision-making, a new regulated data class flows through); humans intervene only on exceptions.
- External benchmarking is routine, the program sponsor can answer "how do we compare on AI-process governance maturity?" with specific deltas against APQC and sector peers.
- The organization contributes to industry AI-process-governance standards, ISO/IEC 42005, OECD, sector AI deployment officer pathways, and BPM-community AI-governance frameworks reference program outputs.
Activities
A) Continuous inventory and tier automation from workflow-execution telemetry
- Inventory auto-updates from: BPM platform events (new workflow created, AI-step added or removed, routing rule changed), RPA platform run-log events (new AI-plugin invocation, new process including an AI decision step), ticketing-system AI-routing events (new queue routing rule sends to an AI step), CX-platform AI events (new AI chatbot flow, new AI-generated response template activated), contract and procurement events (new AI-embedded SaaS tool licensed to a business function triggers a Processes intake), workflow-execution telemetry showing new AI-step latency patterns, self-attestation and intake.
- Tier assignments are rule-based on the L2 rubric inputs; rule changes are versioned and replayable; tier changes auto-trigger downstream practice obligations (e.g., a Medium→Critical upgrade for a workflow that added an automated credit-scoring step triggers FRIA commissioning, DR, and full-lane treatment).
- Human curation handles: new archetypes, ambiguous workflow descriptions, dimensional-input conflicts, workflows that span multiple archetypes.
- A data-quality SLO is published: ≥99% of active AI-embedded workflows correctly tiered within 48 hours of a material change; ≥95% inventory completeness against discovery-source reconciliation.
B) External benchmarking
- Program metrics compared against peer benchmarks via:
- APQC (American Productivity & Quality Center) process-maturity frameworks adapted for AI-embedded workflows.
- BPM-community AI-governance working groups (Object Management Group BPM + AI, Camunda community, SAP Signavio practitioner networks).
- HR-AI working groups (SHRM AI in HR initiative, IEEE Ethically Aligned Design for HR AI).
- FinAI working groups (FS-ISAC, FINRA model-risk practitioner communities, OCC third-party risk AI guidance).
- ClinAI working groups (ONC, AHA, H-ISAC AI-in-clinical-workflows tracks).
- Sector-specific enforcement-action learnings (FTC AI enforcement, CFPB AI credit-decision guidance, EEOC AI employment guidance).
- A published "how we compare" brief refreshed semi-annually covers: inventory coverage, shadow-AI-in-processes ratio, per-tier SLA adherence, FRIA completion rate, HITL substantive-review SLA adherence, time from "new AI-embedded workflow proposed" to "provisional approval issued."
- Benchmark deltas inform program investment and the next year's L2/L3 priorities.
C) Contribute to industry AI-process-governance standards
- Contribute to:
- ISO/IEC 42005 AI impact assessment (implementation guidance for AI-embedded business workflows, FRIA methodology for Annex III use cases).
- OECD AI Policy Observatory AI-in-business-processes guidance.
- Sector AI deployment officer credentialing paths (emerging credentials in financial services, healthcare, HR, and public sector).
- BPM community AI-governance frameworks (process-archetype taxonomy, HITL design standards, workflow-telemetry logging patterns for AI steps).
- CSA AI Safety Initiative controls matrix for AI-embedded processes.
- ISO/IEC 42001 AIMS community implementation guidance for Processes-domain workflows.
- Target: minimum 4 substantive contributions per year; quality over volume; every contribution anonymized and legally vetted.
Outcome Metrics (L3)
| Metric | Baseline | L3 Target | Source |
|---|---|---|---|
| Inventory auto-update latency | measure | ≤48h for material changes | Inventory telemetry |
| % inventory entries auto-curated vs. human-curated | measure | ≥75% auto (reflects informal workflow nature) | Curation telemetry |
| Inventory completeness against discovery-source reconciliation | measure | ≥99% | Reconciliation report |
| Tier-rule auto-trigger of downstream obligations on tier change | measure | 100% within 24h | Workflow telemetry |
| External benchmarks tracked | 0 | ≥5 peer-comparable metrics (APQC, BPM-community, sector ISACs) | Benchmarking brief |
| Industry contributions per year | 0 | ≥4 substantive | Contribution log |
| Executive ROI narrative refreshed with external benchmarks | n/a | semi-annual | Program sponsor review |
Process Metrics (leading)
- Automation health, signal-feed freshness and error rate monitored; on-call paged when a feed staleness threshold is exceeded.
- Benchmarking cadence honored (semi-annual brief published on schedule).
- Contribution pipeline always has ≥2 items in-flight (draft, in-review, or being prepared).
- Tier-rule change-log healthy, rule changes versioned, replayable, reviewed quarterly by the working group.
Effectiveness Metrics (business value)
- Sponsor decisions (budget, headcount, scope) citing benchmark data and tier-level metrics.
- Industry recognition, citations of the program's contributions, invitations to working groups, peer adoption of published HITL design standards and workflow-archetype taxonomy.
- Regulatory-inquiry turnaround time trending down as the automated inventory supplies evidence on demand.
- Faster sanctioned workflow onboarding, time from "function team proposes a new AI-embedded workflow" to "provisional approval issued" is industry-leading.
Success Criteria
- Inventory auto-update SLO published and met.
- Tier-assignment automation operational with published rules, replayable change-log, and exception-based human review.
- Semi-annual external-benchmarking brief published to the sponsor with ≥5 peer-comparable metrics.
- ≥4 substantive industry contributions per year, anonymized and cited.
- ROI narrative including external benchmarks delivered to exec/board at least annually.
Key Success Indicators
Level 1: - AI/HAI Process Assurance program charter published and sponsored by an accountable executive (CISO + COO / CRO / General Counsel / DPO), with a cross-functional working group spanning Security, Legal/Privacy, Compliance, Operations, and function representatives (HR, Finance, Legal, Customer Support, Sales, Engineering). - AI/HAI process inventory exists as a single source of truth, covering all seven in-scope archetypes (decision pipeline, customer-facing flow, human-AI collaboration chain, back-office augmentation, approval/review workflow, content-generation workflow, knowledge-management workflow). - Shadow AI in processes actively discovered each quarter using function-by-function surveys, BPM/RPA/ticketing-system signals, internal wiki/handbook search, vendor-contract review, and self-attestation; amnesty window prominent and tracked. - AI-in-Business-Process Policy acknowledged by ≥90% of function heads and process owners. - Foundational metrics baselined: inventory coverage, shadow-AI-in-processes ratio, policy attestation, intake SLA; quarterly shadow-AI-in-processes scoreboard delivered to the exec sponsor with archetype-level breakdown.
Level 2: - Risk-tier rubric published and applied, 100% of inventory carries a current tier from auditable dimensions (decision-affecting effect, customer reach, reversibility, human-oversight depth, regulatory scope, data classes, business criticality). - Tier-treatment matrix published; downstream practices (PC, TA, SR, SA, DR, IR, ST, EH, ML, IM) calibrated to it. - FRIA gate operational; 100% of EU AI Act Annex III workflows have a FRIA on file before production. - Quarterly shadow-AI-in-processes scoreboard reports per tier and per archetype; Critical-tier unsanctioned AI in production = 0. - Per-tier SLA adherence ≥90% across program activities. - Tier-movement governance operating with logged rationale and sponsor review.
Level 3: - Inventory auto-update latency ≤48 hours for material changes; ≥75% of curation automated; ≥99% inventory completeness against discovery-source reconciliation. - Tier-assignment automation operates on a published, versioned rule set with exception-based human review; tier changes auto-trigger downstream obligations within 24 hours. - Semi-annual external-benchmarking brief published, citing ≥5 peer-comparable metrics from APQC / BPM-community / sector ISACs / FinAI / HR-AI / ClinAI working groups. - ≥4 substantive anonymized industry contributions per year (ISO/IEC 42005, OECD AI guidance, sector deployment officer pathways, BPM AI-governance frameworks, CSA AI Safety Initiative, ISO/IEC 42001 AIMS community). - Executive/board ROI narrative refreshed at least annually with external benchmarks and documented avoided-loss examples.
Common Pitfalls
Level 1: - ❌ Inventory is seeded only from "AI features the product team announced", misses informal AI-embedded steps in HR screening, finance approval, legal review, customer support routing, and back-office ops that exist entirely outside any code repo. - ❌ Relying only on engineering signals (LLM SDK imports, model registry) to discover Processes-domain workflows, most informal AI-embedded steps involve AI-embedded SaaS tools leaving no engineering footprint in the monorepo. - ❌ Survey is optional and unaccompanied by amnesty framing, function heads assume disclosure creates compliance liability and decline to surface existing AI-embedded steps. - ❌ Executive sponsor is security-only; COO/CRO/General Counsel/DPO are not co-owners, so the program lacks cross-functional authority to require function-head participation. - ❌ Metrics count surveys completed and forms submitted instead of outcomes (shadow-AI-in-processes ratio down, compliance events trending down, HITL standards documented). - ❌ Inventory archetypes too coarse ("AI workflow"), Critical decision pipelines and Low back-office augmentation tools are conflated; the program cannot tier without re-inventorying. - ❌ No amnesty window, function teams with undisclosed AI-embedded steps fear enforcement and hide them; the shadow inventory grows.
Level 2: - ❌ Tier-rubric inputs are subjective ("important decision," "many customers"), reviewers tier differently; auditors cannot trace the derivation; tier movements feel political. - ❌ FRIA gate announced but never enforced, Annex III workflows reach production without a completed FRIA because no blocking mechanism exists. - ❌ HITL standards treated as binary (human exists vs. does not exist) rather than assessed for substantive depth, rubber-stamp HITL is logged as compliant; Art. 14 oversight obligations go unmet. - ❌ Scoreboard reported in aggregate, hiding that Critical-tier decision pipelines lack FRIA coverage because overall averages look acceptable. - ❌ Tier upgrades get resistance from business function heads because they trigger FRIA gates and deeper review, no governance on tier-movement means workflows stay under-tiered. - ❌ Downstream practices treat tier as advisory, DR/IR/ST don't differentiate scope by process tier, defeating the purpose of L2.
Level 3: - ❌ Automation runs without a data-quality SLO, signal-driven inventory silently drifts; informal workflows added by function teams are never captured; Legal and Compliance stop trusting the inventory. - ❌ Benchmarking chooses peers that flatter the program (comparing against small-scale AI pilots when operating regulated customer-facing AI workflows at enterprise scale). - ❌ Industry "contributions" are panels and press releases, not technical artifacts (HITL design standards, workflow-archetype taxonomies, FRIA methodology templates) that standards bodies actually use. - ❌ Automated tiering rules encode the informal nature of early-phase discovery, under-tiering persists for function-owned workflows because the signal source (self-attestation) systematically under-reports criticality. - ❌ FRIA completion metric reported but FRIA quality never assessed, completed FRIAs are superficial box-checks; no review for substance or coverage of actual Annex III risk dimensions.
Practice Maturity Questions
Level 1: 1. Is there a published AI/HAI Process Assurance program charter with a named executive sponsor (CISO + COO / CRO / General Counsel / DPO), a cross-functional working group spanning all major business functions, and clear decision rights for approving, blocking, and sanctioning AI-embedded workflows, with an explicit amnesty path publicized to function heads? 2. Does a single AI/HAI process inventory exist, seeded from function-by-function surveys, BPM/RPA/ticketing-system signals, internal wiki/handbook search, and vendor-contract review, covering all seven Processes-domain archetypes with ≥85% coverage of discovered AI-embedded workflows within 12 months? 3. Are the L1 outcome metrics baselined and reported quarterly to the sponsor, inventory coverage, shadow-AI-in-processes ratio (≤20% and trending down), AI-in-Business-Process Policy attestation (≥90% of function heads and process owners), workflows with named owning team and HITL model (100% for decision-affecting and customer-facing), and known compliance events?
Level 2: 1. Is every AI-embedded workflow in the inventory assigned a risk tier based on auditable dimensions (decision-affecting effect, customer reach, reversibility, human-oversight depth, regulatory scope, data classes, business criticality), and is there a published tier-treatment matrix driving differential intensity across PC, TA, SR, SA, DR, IR, ST, EH, ML, IM? 2. Is a FRIA gate operational for all EU AI Act Annex III workflows, and are Critical-tier workflows receiving full-scope treatment including substantive HITL standards assessment, deep TA, full SR pack, and full-lane DR, with ≥95% of Critical workflows showing full-scope treatment in the last 12 months? 3. Does the quarterly shadow-AI-in-processes scoreboard report per tier and per archetype (with Critical-tier unsanctioned workflows at zero), and does tier-movement get logged and reviewed by the program sponsor?
Level 3: 1. Does inventory and tier assignment auto-update from workflow-execution telemetry (BPM events, RPA logs, ticketing-system AI-routing events, CX-platform AI events) with a published data-quality SLO, and is ≥75% of curation handled automatically with exception-based human review? 2. Do you publish a semi-annual external-benchmarking brief comparing the program against ≥5 peer-comparable metrics from APQC / BPM-community / sector ISACs / FinAI / HR-AI / ClinAI working groups, and does it drive program investment decisions? 3. Does the program contribute ≥4 substantive anonymized artifacts per year to industry AI-process-governance standards (ISO/IEC 42005, OECD AI guidance, sector deployment officer pathways, BPM AI-governance frameworks, CSA AI Safety Initiative, ISO/IEC 42001 AIMS community), and does the exec/board ROI narrative cite external benchmarks?
Document Version: HAIAMM v3.0 Practice: Strategy & Metrics (SM) Domain: Processes Last Updated: 2026-05-14 Author: Verifhai
☑ Interactive Self-Assessment
Answer each question based on your current, implemented practices only. Progress saves automatically in your browser.