Assessment questionnaire for measuring maturity. Answer each question honestly based on current, implemented practices.
Canonical source-of-truth:
../practices/SM-Data-OnePager.md. This questionnaire's questions, evidence requirements, and outcome metrics are derived from that one-pager. The canonical v3.0 model:../HAIAMM-v3.0-Framing.md.
Practice: Strategy & Metrics (SM) Domain: Data Purpose: Stand up an AI/HAI Data Assurance program that discovers, inventories, and strategically governs all data flowing into and out of AI/HAI systems, with shadow-data-in-AI prevention as the primary L1 outcome and a defensible risk-tier rubric as the primary L2 deliverable. Scoring Model: Evidence + Outcome Metrics (see Scoring Methodology below)
| Tier | Score | Criteria |
|---|---|---|
| Fully Mature | 1.0 | Evidence complete + ≥3 outcome metrics meet targets |
| Implemented | 0.67 | Evidence complete + 2 outcome metrics meet targets |
| Partial | 0.33 | Evidence partially complete + <2 outcome metrics meet targets |
| Not Implemented | 0.0 | No substantive evidence of practice |
Practice maturity level achieved = the highest level where all 3 questions score ≥ 0.67.
Objective: Stand up the AI/HAI Data Assurance program, build an inventory of data assets serving AI/HAI systems, and establish baseline metrics that prove shadow data in AI is decreasing
Q1.1: Do you have a published AI/HAI Data Assurance program charter that names the problem (shadow data in AI, ungoverned training corpora, inference inputs containing PII without consent basis, retrieval stores populated without classification review), defines the seven in-scope data archetypes, names an executive sponsor (CISO + DPO/CPO + Head of Data or Engineering), establishes a cross-functional working group, and defines decision rights for classification, retention enforcement, cross-border flow approval, and intake of new data sources?
Evidence Required: - [ ] Published program charter with named executive sponsor (CISO + DPO/CPO + Head of Data or Engineering) and Privacy/Legal co-signature - [ ] Problem statement covering EU AI Act Art. 10 data-governance duties on deployers and GDPR Arts. 5/6/9 lawful-basis requirements before personal data reaches an inference endpoint - [ ] Seven in-scope data archetypes listed: training corpus, inference input stream, retrieval store, prompt/completion log corpus, embedding store, fine-tuning dataset, evaluation/test set - [ ] Working group roster: Security, Engineering/ML Platform, Data/Analytics, Privacy/Legal, Product, application-architect reviewer - [ ] Decision rights defined: who approves a new data source feeding AI, who blocks one, who handles exceptions, who approves cross-border data flows - [ ] Year-one success definition with numerical targets for L1 outcome metrics
Outcome Metrics: | Metric | Baseline | Current | Target | Met? | Notes | |---|---|---|---|---|---| | AI/HAI data inventory coverage (% of discovered data assets in inventory) | ___ | ___ | ≥90% within 12 months | ☐ | | | Shadow-data-in-AI ratio (data assets flowing to AI without known owner or classification ÷ total AI data assets) | ___ | ___ | ≤15% and trending down | ☐ | | | % engineers and data scientists handling AI data with acknowledged AI Data AUP | ___ | ___ | ≥95% | ☐ | | | % AI/HAI data assets with a named owning team | ___ | ___ | 100% | ☐ | | | Known regulated-data-in-AI exposure events (per quarter) | ___ | ___ | trending down QoQ | ☐ | |
Metric Collection Guidance:
- Inventory coverage: Reconcile inventory count against discovery signals (data catalogs, model-registry lineage, ETL/ELT pipeline metadata, object-store inventories, vector-store listings, classification-scanner findings). Formula: inventory_count / discovered_count × 100
- Shadow-data-in-AI ratio: From inventory status field, identify data assets where owner is null or classification label is absent, flowing to an active AI/HAI system; divide by total active AI data assets
- AI Data AUP attestation: Pull acknowledgment records from HR/LMS filtered to engineers and data scientists handling AI data; denominator is that headcount
- Named owning team: Count inventory records with a non-null owning_team field vs. total; flag missing owner at record creation
- Regulated-data-in-AI exposure events: Aggregate classification-scanner findings surfacing regulated data in AI-serving stores and incident-tracker entries; count per quarter and trend
Answer: - ☐ Fully Mature (Evidence complete + ≥3 metrics meet targets) - ☐ Implemented (Evidence complete + 2 metrics meet targets) - ☐ Partial (Evidence partially complete + <2 metrics meet targets) - ☐ Not Implemented (No evidence)
Evidence Location: _____ Metric Validation Date: ____ Notes: __________
Q1.2: Do you maintain a single AI/HAI data inventory seeded from data catalogs, model-registry lineage, ETL/ELT pipeline metadata, object-store inventories, vector-store listings, classification-scanner findings, and prompt/completion log volumes, covering all seven archetypes with a minimum field set including data classification, lineage and provenance, cross-border flows, use context (training vs. inference vs. eval), decision-affecting use, and approval status?
Evidence Required: - [ ] Single authoritative data inventory with minimum fields: asset name, owning team, archetype, data classification, lineage/provenance, volume/criticality, cross-border flows, use context, decision-affecting use, subject-access-rights exposure, retention policy, approval status, linked artifacts - [ ] Data catalog discovery active (Atlan, Collibra, DataHub, Unity Catalog, AWS Glue Data Catalog) queried for assets tagged with "training," "embedding," "eval," "fine-tune," "inference," "rag," "vector" - [ ] Model-registry lineage reviewed (MLflow, W&B, SageMaker, Vertex AI) for training-data lineage fields - [ ] Object-store inventories (S3/GCS/Azure Blob) and vector-store listings (Pinecone, Weaviate, Qdrant, Chroma, pgvector) enumerated and reconciled against inventory - [ ] Classification scanners (Amazon Macie, BigID, Microsoft Purview) run against object stores and databases to surface regulated data flowing to AI - [ ] Amnesty window publicized to engineering and data science teams for disclosing assets already in use; no penalty for disclosure
Outcome Metrics: | Metric | Baseline | Current | Target | Met? | Notes | |---|---|---|---|---|---| | AI/HAI data inventory coverage (% of discovered data assets in inventory) | ___ | ___ | ≥90% within 12 months | ☐ | | | Shadow-data-in-AI ratio (data assets flowing to AI without known owner or classification ÷ total AI data assets) | ___ | ___ | ≤15% and trending down | ☐ | | | % engineers and data scientists handling AI data with acknowledged AI Data AUP | ___ | ___ | ≥95% | ☐ | | | % AI/HAI data assets with a named owning team | ___ | ___ | 100% | ☐ | | | Known regulated-data-in-AI exposure events (per quarter) | ___ | ___ | trending down QoQ | ☐ | |
Metric Collection Guidance: - Inventory coverage: Monthly reconciliation comparing inventory records to scanner output + catalog search + object-store diff + vector-store listings; unmatched signals are shadow-data candidates - Shadow-data-in-AI ratio: Filter inventory for assets with absent classification or null owner feeding an active AI/HAI system; divide by total active AI data assets; trend quarterly - Named owning team: Automated check, assets with null owning_team flagged and assigned to triage owner within 5 BD - Regulated-data-in-AI exposure: Scanner run results surfacing regulated data in AI-serving locations aggregated per quarter alongside incident-tracker entries - AUP attestation: LMS/HR query for engineers and data scientists who completed AI Data AUP acknowledgment; denominator from HR system
Answer: - ☐ Fully Mature (Evidence complete + ≥3 metrics meet targets) - ☐ Implemented (Evidence complete + 2 metrics meet targets) - ☐ Partial (Evidence partially complete + <2 metrics meet targets) - ☐ Not Implemented (No evidence)
Evidence Location: _____ Metric Validation Date: ____ Notes: __________
Q1.3: Do you baseline and report quarterly to the executive sponsor a shadow-data-in-AI scoreboard covering inventory state by archetype, new data assets discovered and their intake status, shadow-data-in-AI ratio trend over the last four quarters, AI Data AUP attestation coverage, and the top five unmitigated data risks with named owners and remediation status?
Evidence Required: - [ ] Quarterly shadow-data-in-AI scoreboard published and delivered to the executive sponsor, at least two consecutive quarters on record - [ ] Scoreboard includes archetype-level breakdown (training corpus, inference input stream, retrieval store, prompt/completion log corpus, embedding store, fine-tuning dataset, evaluation/test set) - [ ] Shadow-data-in-AI ratio trended over last 4 quarters with commentary on direction - [ ] AI Data AUP attestation percentage reported with explicit denominator (engineers and data scientists handling AI data) - [ ] Top 5 unmitigated data risks listed with named owner and remediation status (TA-flagged, classification-scanner-flagged, or external-advisory-flagged) - [ ] Intake SLA tracked: new data-source intake triaged within 5 BD; provisional approval within 10 BD for Low-tier (public data, no regulated content)
Outcome Metrics: | Metric | Baseline | Current | Target | Met? | Notes | |---|---|---|---|---|---| | AI/HAI data inventory coverage (% of discovered data assets in inventory) | ___ | ___ | ≥90% within 12 months | ☐ | | | Shadow-data-in-AI ratio (data assets flowing to AI without known owner or classification ÷ total AI data assets) | ___ | ___ | ≤15% and trending down | ☐ | | | % engineers and data scientists handling AI data with acknowledged AI Data AUP | ___ | ___ | ≥95% | ☐ | | | % AI/HAI data assets with a named owning team | ___ | ___ | 100% | ☐ | | | Known regulated-data-in-AI exposure events (per quarter) | ___ | ___ | trending down QoQ | ☐ | |
Metric Collection Guidance: - Scoreboard delivery cadence: Confirm last two quarters have a dated scoreboard delivered to exec sponsor with acknowledgment on record - Archetype breakdown: Scoreboard section shows counts per archetype (sanctioned / provisional / prohibited / awaiting intake); detects archetype classes growing unchecked - Shadow-data-in-AI ratio trend: Four-quarter chart or table; downward trend is the L1 success signal; source is inventory status field reconciled monthly against discovery sweeps - AUP attestation: Percentage with denominator explicitly stated; LMS or HR system is authoritative; updated each quarter - Top-5 risks: Each entry lists risk description, source, named owner, and current remediation status (open / in-progress / mitigated)
Answer: - ☐ Fully Mature (Evidence complete + ≥3 metrics meet targets) - ☐ Implemented (Evidence complete + 2 metrics meet targets) - ☐ Partial (Evidence partially complete + <2 metrics meet targets) - ☐ Not Implemented (No evidence)
Evidence Location: _____ Metric Validation Date: ____ Notes: __________
Objective: Risk-tier every AI/HAI data asset using the canonical rubric, calibrate the program's intensity per tier, and measure practice maturity and shadow-data reduction per tier, establishing the rubric every other Data-domain L2 practice depends on
Q2.1: Do you have a published risk-tier rubric (Critical / High / Medium / Low) assigning a tier to every AI/HAI data asset based on seven auditable dimensions, data classification, lineage and provenance, volume and criticality, cross-border flows, use in training vs. inference vs. eval, decision-affecting use, and subject-access-rights exposure, with tier derivation deterministic, human overrides recorded with rationale, and 100% of inventory records carrying a current tier?
Evidence Required: - [ ] Published tier-rubric document listing all seven auditable dimensions with deterministic assignment logic - [ ] 100% of inventory records carry a current tier assignment derived from the rubric - [ ] Data classification dimension: regulated PII/PHI/PCI/source code/customer confidential → Critical or High; org confidential → High; internal → Medium; public → Low - [ ] Training-use dimension: data used in training or fine-tuning elevates posture vs. the same data at inference only; eval/test sets for Critical-tier models → at least High - [ ] Cross-border flows dimension: personal data transfer to a third country triggers GDPR Art. 44–49 assessment → elevate to at least High; Critical if no adequacy decision or SCC in place - [ ] Decision-affecting use dimension: EU AI Act Annex III high-risk systems and GDPR Art. 22 automated decisioning → Critical - [ ] Human override log maintained: overrides recorded with rationale and reviewed by working group quarterly
Outcome Metrics: | Metric | Baseline | Current | Target | Met? | Notes | |---|---|---|---|---|---| | % of inventory with a current tier assignment | ___ | ___ | 100% | ☐ | | | Tier-treatment matrix adherence, % Critical data assets with full-scope treatment in last 12 months | ___ | ___ | ≥95% | ☐ | | | Tier-weighted shadow-data-in-AI ratio (Critical-weighted) | ___ | ___ | Critical = 0 unclassified or ungoverned; overall trending down | ☐ | | | Per-tier SLA adherence across practices (intake, IR, ML, IM) | ___ | ___ | ≥90% per tier | ☐ | | | Critical data assets with HSM-rooted encryption at rest | ___ | ___ | 100% | ☐ | | | Tier drift rate (tier changes per year) | ___ | ___ | tracked; unexplained changes = 0 | ☐ | |
Metric Collection Guidance: - % inventory with tier assignment: Automated check, records with null risk_tier or no re-confirmation after a material change are flagged for remediation within 5 BD - Tier-treatment matrix adherence: Cross-reference Critical-tier assets against full-scope treatment evidence: HSM/BYOK key confirmed, lineage documented, DPIA closed or accepted, retention audited, EU AI Act Art. 10 evidence package filed - Tier-weighted shadow-data-in-AI ratio: Critical-tier assets with absent classification or null owner in production must be 0; overall ratio should trend down - Per-tier SLA adherence: From intake tracker, IR schedule, and IM system; % on-time per tier; report monthly - Critical assets with HSM-rooted encryption: Infrastructure attestation report listing each Critical asset with key-management configuration; 100% must show HSM/BYOK/customer-managed
Answer: - ☐ Fully Mature (Evidence complete + ≥3 metrics meet targets) - ☐ Implemented (Evidence complete + 2 metrics meet targets) - ☐ Partial (Evidence partially complete + <2 metrics meet targets) - ☐ Not Implemented (No evidence)
Evidence Location: _____ Metric Validation Date: ____ Notes: __________
Q2.2: Do you have a published tier-treatment matrix defining differential controls across all downstream Data-domain practices (PC, TA, SR, SA, DR, IR, ST, EH, ML, IM) for each tier, and is this matrix enforced, with Critical-tier data assets receiving HSM-rooted encryption per asset, full source-to-model lineage, DPIA gate before production, retention-policy enforcement and audit, EU AI Act Art. 10 evidence package, subject-access-rights capability testing, and semi-annual IR?
Evidence Required: - [ ] Tier-treatment matrix published covering all downstream practices with explicit controls per tier - [ ] Critical-tier treatment documented: full classification review + DPIA gate + privacy-officer + executive sign-off; HSM-rooted key per asset; full lineage; label propagation to all downstream derivatives; retention policy enforced and audited; EU AI Act Art. 10 evidence package; deletion and access-response capability tested; semi-annual IR + on material change; IM SLA ack ≤4h/mitigate ≤48h - [ ] Low-tier fast-track documented: lineage record only; managed encryption; retention policy defined; go-live IR only; not required to have DPIA or EU AI Act Art. 10 evidence - [ ] DPIA gate operational: no Critical asset reaches production without a closed or accepted DPIA; DPIA register maintained - [ ] Downstream practices acknowledged calibration via working-group decision record
Outcome Metrics: | Metric | Baseline | Current | Target | Met? | Notes | |---|---|---|---|---|---| | % of inventory with a current tier assignment | ___ | ___ | 100% | ☐ | | | Tier-treatment matrix adherence, % Critical data assets with full-scope treatment in last 12 months | ___ | ___ | ≥95% | ☐ | | | Tier-weighted shadow-data-in-AI ratio (Critical-weighted) | ___ | ___ | Critical = 0 unclassified or ungoverned; overall trending down | ☐ | | | Per-tier SLA adherence across practices (intake, IR, ML, IM) | ___ | ___ | ≥90% per tier | ☐ | | | Critical data assets with HSM-rooted encryption at rest | ___ | ___ | 100% | ☐ | | | Tier drift rate (tier changes per year) | ___ | ___ | tracked; unexplained changes = 0 | ☐ | |
Metric Collection Guidance: - Tier-treatment matrix adherence: For each Critical-tier asset, verify: DPIA on file (closed/accepted), HSM/BYOK key confirmed, lineage document exists, retention audit completed, EU AI Act Art. 10 evidence filed, IR within cadence; ≥95% must show all treatments in last 12 months - DPIA gate: DPIA register checked for every Critical and applicable High asset; no record shows production status without a corresponding DPIA entry - Classification-scanner cadence: Scanner logs showing at least monthly execution against Critical/High inventory assets; findings reviewed and dispositioned - HSM-rooted encryption: Infrastructure attestation report for each Critical asset; 100% must show HSM/BYOK/customer-managed key configuration - Per-tier SLA adherence: Aggregated from intake, IR, and IM trackers; % on-time per tier; reported monthly
Answer: - ☐ Fully Mature (Evidence complete + ≥3 metrics meet targets) - ☐ Implemented (Evidence complete + 2 metrics meet targets) - ☐ Partial (Evidence partially complete + <2 metrics meet targets) - ☐ Not Implemented (No evidence)
Evidence Location: _____ Metric Validation Date: ____ Notes: __________
Q2.3: Does the quarterly shadow-data-in-AI scoreboard report inventory state per tier and per archetype with Critical-tier unclassified or ungoverned data assets in production explicitly tracked at zero, include a tier-movement log with rationale, report per-tier SLA adherence, and is it reviewed by the executive sponsor who discusses tier-balance?
Evidence Required: - [ ] Quarterly scoreboard includes a tier × archetype breakdown table (Critical/High/Medium/Low rows by archetype columns) - [ ] Critical-tier unclassified or ungoverned data assets in production is a named metric; target is 0; any non-zero value is a headline finding - [ ] Tier-movement log included: assets that moved up or down in the quarter, with dimension(s) that changed and rationale for each move - [ ] SLA adherence per tier reported for intake, IR, ML, and IM - [ ] Quarterly executive review documented (agenda + minutes) showing tier-balance discussion and sponsor acknowledgment - [ ] Per-tier queue depth monitored; no tier's backlog exceeds a published threshold; DPIA gate completion status reported
Outcome Metrics: | Metric | Baseline | Current | Target | Met? | Notes | |---|---|---|---|---|---| | % of inventory with a current tier assignment | ___ | ___ | 100% | ☐ | | | Tier-treatment matrix adherence, % Critical data assets with full-scope treatment in last 12 months | ___ | ___ | ≥95% | ☐ | | | Tier-weighted shadow-data-in-AI ratio (Critical-weighted) | ___ | ___ | Critical = 0 unclassified or ungoverned; overall trending down | ☐ | | | Per-tier SLA adherence across practices (intake, IR, ML, IM) | ___ | ___ | ≥90% per tier | ☐ | | | Critical data assets with HSM-rooted encryption at rest | ___ | ___ | 100% | ☐ | | | Tier drift rate (tier changes per year) | ___ | ___ | tracked; unexplained changes = 0 | ☐ | |
Metric Collection Guidance: - Per-tier scoreboard delivery: Last two consecutive quarterly scoreboards must include tier × archetype table; each scoreboard shows delta from prior quarter - Critical-tier unclassified/ungoverned count: Named metric; source is inventory filtered on tier=Critical AND (classification_label = null OR owner = null OR approval_status != Sanctioned) AND production status = in-production; target = 0 - Tier-movement log completeness: Each entry must have asset name, prior tier, new tier, dimension(s) that changed, reviewer name, and date; unexplained changes target = 0 - SLA adherence per tier: Pulled from intake, IR, and IM systems; aggregated per tier; reported as % on-time per tier per quarter - Executive review: Filed governance document confirming exec sponsor reviewed tier-balance section and issued follow-up or signed off
Answer: - ☐ Fully Mature (Evidence complete + ≥3 metrics meet targets) - ☐ Implemented (Evidence complete + 2 metrics meet targets) - ☐ Partial (Evidence partially complete + <2 metrics meet targets) - ☐ Not Implemented (No evidence)
Evidence Location: _____ Metric Validation Date: ____ Notes: __________
Objective: Automate inventory and tier maintenance from catalog, lineage, classifier, and pipeline telemetry; benchmark against external data-governance peers; and contribute to industry data-governance and AI-risk-management standards
Q3.1: Does the AI/HAI data inventory auto-update from live catalog metadata events, model-registry lineage events, ETL/ELT pipeline runs, classification-scanner findings, object-store inventory diffs, vector-store collection changes, and prompt/completion log volume spikes, with tier assignments rule-based and replayable, tier changes auto-triggering downstream obligations within 24 hours, and a published data-quality SLO of ≥99% correctly tiered within 48 hours of a material change?
Evidence Required: - [ ] Published data-quality SLO: ≥99% of active AI/HAI data assets correctly tiered within 48 hours of a material change; ≥95% inventory completeness against discovery-source reconciliation - [ ] Automated feeds operational: catalog metadata events, model-registry lineage, ETL/ELT pipeline run destinations, classification-scanner findings, object-store inventory diffs, vector-store collection changes, prompt/completion log volume spikes, self-attestation and intake - [ ] Tier rules documented as versioned, replayable logic; rule changes change-logged and replayable against historical inventory state - [ ] Tier-change events auto-trigger downstream obligations (e.g., Medium→Critical triggers DPIA gate, encryption upgrade, IR reconfiguration) within 24h; monitored via workflow telemetry - [ ] Human curation queue defined for: new archetypes, ambiguous classification-scanner findings, dimensional-input conflicts - [ ] Automation health dashboard: on-call paged when any feed exceeds staleness threshold
Outcome Metrics: | Metric | Baseline | Current | Target | Met? | Notes | |---|---|---|---|---|---| | Inventory auto-update latency | ___ | ___ | ≤48h for material changes | ☐ | | | % inventory entries auto-curated vs. human-curated | ___ | ___ | ≥80% auto | ☐ | | | Inventory completeness against discovery-source reconciliation | ___ | ___ | ≥99% | ☐ | | | Tier-rule auto-trigger of downstream obligations on tier change | ___ | ___ | 100% within 24h | ☐ | | | External benchmarks tracked | ___ | ___ | ≥5 peer-comparable metrics (CDMC, EDM, DAMA, ISAC, ISO/IEC 23894) | ☐ | | | Industry contributions per year | ___ | ___ | ≥4 substantive | ☐ | | | Executive ROI narrative refreshed with external benchmarks | ___ | ___ | semi-annual | ☐ | |
Metric Collection Guidance: - Auto-update latency: Measure time from a known material change event (new classified data detected in a retrieval store, new training dataset registered) to the corresponding inventory record update; P95 across 20 sampled events per quarter - % auto-curated: From the curation log, count records updated by automated feeds vs. human-initiated edits; report as a ratio per quarter - Inventory completeness: Full discovery-source reconciliation across all seven archetype signal sources; report completeness % and list archetypes below 99% - Downstream obligation auto-trigger: Workflow telemetry showing each tier-change event produced a DPIA gate trigger, encryption-upgrade task, or IR reconfiguration event within 24h; report % within SLO - External benchmarks tracked: Count distinct benchmark data points in the semi-annual brief; each traceable to CDMC, EDM Council, DAMA, sector ISAC, or ISO/IEC 23894 source
Answer: - ☐ Fully Mature (Evidence complete + ≥3 metrics meet targets) - ☐ Implemented (Evidence complete + 2 metrics meet targets) - ☐ Partial (Evidence partially complete + <2 metrics meet targets) - ☐ Not Implemented (No evidence)
Evidence Location: _____ Metric Validation Date: ____ Notes: __________
Q3.2: Do you publish a semi-annual external-benchmarking brief comparing the program against at least five peer-comparable metrics via CDMC maturity assessments, EDM Council DCAM, DAMA DMBOK practitioner communities, ISO/IEC 23894 AI risk-management working groups, and sector ISACs with AI data-governance tracks, and do benchmark deltas explicitly inform program investment decisions?
Evidence Required: - [ ] Semi-annual benchmarking brief published, two most recent on file with dates, each containing ≥5 peer-comparable metrics from named external sources - [ ] Benchmarking sources include at least two of: CDMC / EDM Council DCAM / DAMA DMBOK / ISO/IEC 23894 working groups / sector ISACs (FS-ISAC, H-ISAC, IT-ISAC) / formal CISO/DPO peer roundtables - [ ] Metrics benchmarked cover: inventory coverage, shadow-data-in-AI ratio, per-tier SLA adherence, automation level, classification accuracy, retention-enforcement rate, time from "new data source proposed" to "provisional approval issued" - [ ] Benchmark deltas explicitly referenced in a program investment or prioritization decision; documentation filed within 90 days of each brief - [ ] Peer selection rationale documented, peers chosen to stretch the program, not flatter it
Outcome Metrics: | Metric | Baseline | Current | Target | Met? | Notes | |---|---|---|---|---|---| | Inventory auto-update latency | ___ | ___ | ≤48h for material changes | ☐ | | | % inventory entries auto-curated vs. human-curated | ___ | ___ | ≥80% auto | ☐ | | | Inventory completeness against discovery-source reconciliation | ___ | ___ | ≥99% | ☐ | | | Tier-rule auto-trigger of downstream obligations on tier change | ___ | ___ | 100% within 24h | ☐ | | | External benchmarks tracked | ___ | ___ | ≥5 peer-comparable metrics (CDMC, EDM, DAMA, ISAC, ISO/IEC 23894) | ☐ | | | Industry contributions per year | ___ | ___ | ≥4 substantive | ☐ | | | Executive ROI narrative refreshed with external benchmarks | ___ | ___ | semi-annual | ☐ | |
Metric Collection Guidance: - External benchmarks tracked: Each brief lists ≥5 named benchmark data points; each traceable to a CDMC/EDM/DAMA/ISAC/ISO report or named peer roundtable - Benchmark-driven investment: Program planning or budget document explicitly citing a benchmark delta as rationale; filed within 90 days of each brief - Semi-annual cadence: Two briefs within a 12-month window; no gap > 7 months between consecutive briefs - Executive ROI narrative: Annual exec/board briefing deck includes benchmark comparisons and avoided-loss examples (PII in fine-tuning caught before training run, cross-border transfer caught before go-live)
Answer: - ☐ Fully Mature (Evidence complete + ≥3 metrics meet targets) - ☐ Implemented (Evidence complete + 2 metrics meet targets) - ☐ Partial (Evidence partially complete + <2 metrics meet targets) - ☐ Not Implemented (No evidence)
Evidence Location: _____ Metric Validation Date: ____ Notes: __________
Q3.3: Does the program contribute at least four substantive, anonymized artifacts per year to industry standards through DAMA DMBOK working groups, EDM Council AI Risk and Data Governance, ISO/IEC 23894, NIST AI RMF Playbook Data chapter, CSA AI Safety Initiative, OpenSSF AI, or sector ISACs, with each contribution anonymized, legally vetted, and traceable to a published working-group output?
Evidence Required: - [ ] Contribution log maintained listing all submissions: target body, submission type, date submitted, anonymization review completed, status - [ ] At least 4 substantive contributions per year in the most recent 12-month window; each is a technical artifact accepted or in active review by the named body - [ ] Each contribution has a legal/privacy review sign-off confirming anonymization before submission - [ ] Contributions traceable to published outputs: DAMA community publications, EDM Council guidance editions, ISO/IEC 23894 working-group documents, NIST AI RMF Playbook chapters, CSA controls matrix, OpenSSF advisories - [ ] Contribution pipeline shows ≥2 items in-flight (draft, in-review, or being prepared) at any working-group review
Outcome Metrics: | Metric | Baseline | Current | Target | Met? | Notes | |---|---|---|---|---|---| | Inventory auto-update latency | ___ | ___ | ≤48h for material changes | ☐ | | | % inventory entries auto-curated vs. human-curated | ___ | ___ | ≥80% auto | ☐ | | | Inventory completeness against discovery-source reconciliation | ___ | ___ | ≥99% | ☐ | | | Tier-rule auto-trigger of downstream obligations on tier change | ___ | ___ | 100% within 24h | ☐ | | | External benchmarks tracked | ___ | ___ | ≥5 peer-comparable metrics (CDMC, EDM, DAMA, ISAC, ISO/IEC 23894) | ☐ | | | Industry contributions per year | ___ | ___ | ≥4 substantive | ☐ | | | Executive ROI narrative refreshed with external benchmarks | ___ | ___ | semi-annual | ☐ | |
Metric Collection Guidance: - Industry contributions per year: Count entries in the contribution log for trailing 12 months where status = submitted or accepted to a named body; conference talks and press releases do not count - Contribution pipeline health: At any working-group meeting, pipeline log shows ≥2 items not yet in submitted status; noted in working-group minutes - Legal/privacy review: Each contribution log entry must have reviewer name and date; no contribution submitted without this sign-off - Executive ROI narrative: Filed annually to exec/board; references external benchmarks and avoided-loss examples; DPO/privacy-team audit-preparation overhead trending down is a key narrative point at L3
Answer: - ☐ Fully Mature (Evidence complete + ≥3 metrics meet targets) - ☐ Implemented (Evidence complete + 2 metrics meet targets) - ☐ Partial (Evidence partially complete + <2 metrics meet targets) - ☐ Not Implemented (No evidence)
Evidence Location: _____ Metric Validation Date: ____ Notes: __________
| Level | Q1 | Q2 | Q3 | Avg | Achieved? |
|---|---|---|---|---|---|
| L1 | __ | __ | __ | __ | ☐ |
| L2 | __ | __ | __ | __ | ☐ |
| L3 | __ | __ | __ | __ | ☐ |
Practice maturity level achieved: ___ (highest level where all 3 questions score ≥ 0.67)
Document Version: HAIAMM v3.0 Practice: Strategy & Metrics (SM) Domain: Data Last Updated: 2026-05-15 Author: Verifhai
Instructions: