Strategy & Metrics (SM) - Processes Assessment

Assessment questionnaire for measuring maturity. Answer each question honestly based on current, implemented practices.

Strategy & Metrics (SM) - Processes Domain

HAIAMM Assessment Questionnaire v3.0

Canonical source-of-truth: ../practices/SM-Processes-OnePager.md. This questionnaire's questions, evidence requirements, and outcome metrics are derived from that one-pager. The canonical v3.0 model: ../HAIAMM-v3.0-Framing.md.


Practice: Strategy & Metrics (SM) Domain: Processes Purpose: Stand up an AI/HAI Process Assurance program that discovers, inventories, and strategically governs all business workflows that embed AI/HAI, with shadow-AI-in-processes prevention as the primary L1 outcome and a defensible risk-tier rubric as the primary L2 deliverable. Scoring Model: Evidence + Outcome Metrics (see Scoring Methodology below)


Instructions

  • Answer each question honestly based on current, implemented practices (not plans or aspirations)
  • Each question has two components: Evidence (what you did) and Outcome Metrics (how well it worked)
  • Scoring uses 4 tiers: Fully Mature (1.0), Implemented (0.67), Partial (0.33), Not Implemented (0.0)
  • Answer progressively, Complete all Level 1 questions before Level 2
  • Level progression, Achieve ALL questions at lower level before advancing
  • Baseline first, Record current metric values before setting targets

Scoring Methodology

Tier Score Criteria
Fully Mature 1.0 Evidence complete + ≥3 outcome metrics meet targets
Implemented 0.67 Evidence complete + 2 outcome metrics meet targets
Partial 0.33 Evidence partially complete + <2 outcome metrics meet targets
Not Implemented 0.0 No substantive evidence of practice

Practice maturity level achieved = the highest level where all 3 questions score ≥ 0.67.


Maturity Level 1

Objective: Stand up the AI/HAI Process Assurance program, build an inventory of business workflows that embed AI/HAI across the seven archetypes, and establish baseline metrics that prove shadow AI in processes is decreasing

Question 1: Charter the AI/HAI Process Assurance program

Q1.1: Do you have a published AI/HAI Process Assurance program charter that names the problem (shadow AI in business processes, undisclosed AI steps in customer-facing and decision-affecting workflows, workflows lacking human-oversight standards or regulatory assessment), defines the seven in-scope workflow archetypes, names an executive sponsor (CISO + COO / Chief Risk Officer / General Counsel, co-signed by DPO/CPO where Art. 22 or Annex III workflows are in scope), establishes a cross-functional working group spanning business functions, and defines decision rights for approving, blocking, and sanctioning new AI-embedded workflows?

Evidence Required: - [ ] Published program charter with named executive sponsor (CISO + COO / CRO / General Counsel) and DPO/CPO co-signature where applicable - [ ] Problem statement covering GDPR Art. 22 automated-decisioning safeguards, EU AI Act Annex III high-risk uses, Art. 50 transparency obligations, and sector-specific AI regulations (FCRA credit, EEOC employment AI, NYC Local Law 144, CO SB-21-169, FINRA model risk, FDA clinical) - [ ] Seven in-scope workflow archetypes listed: decision pipeline, customer-facing flow, human-AI collaboration chain, back-office augmentation, approval/review workflow, content-generation workflow, knowledge-management workflow - [ ] Working group roster spanning Security, Legal/Privacy (DPO/CPO), Compliance, Operations, and function representatives from HR, Finance, Legal, Customer Support, Sales, Engineering - [ ] Decision rights defined: who sanctions a new AI-embedded workflow, who blocks, who handles exceptions, who approves the human-oversight model for each archetype - [ ] Explicit amnesty path publicized to function heads: disclosing existing AI-embedded workflows carries no penalty

Outcome Metrics: | Metric | Baseline | Current | Target | Met? | Notes | |---|---|---|---|---|---| | AI/HAI process inventory coverage (% of discovered AI-embedded workflows in inventory) | ___ | ___ | ≥85% within 12 months | ☐ | | | Shadow-AI-in-processes ratio (AI-embedded workflow steps without known owner or governance record ÷ total AI-embedded workflow steps) | ___ | ___ | ≤20% and trending down | ☐ | | | % function heads and process owners with acknowledged AI-in-Business-Process Policy | ___ | ___ | ≥90% | ☐ | | | % AI-embedded workflows in production with named owning team and documented human-oversight model | ___ | ___ | 100% for decision-affecting and customer-facing archetypes | ☐ | | | Known AI-process compliance events per quarter (regulatory inquiry, customer complaint citing AI decision, Art. 22 challenge) | ___ | ___ | trending down QoQ | ☐ | |

Metric Collection Guidance: - Inventory coverage: Reconcile inventory count against discovery signals (BPM/RPA/ticketing-system signals, internal wiki/handbook search, function-by-function survey, vendor-contract review, self-attestation). Formula: inventory_count / discovered_count × 100. Note: the Processes domain has a ≥85% L1 target (not 90%) due to the informal nature of AI-embedded workflows - Shadow-AI-in-processes ratio: From inventory status field, count AI-embedded workflow steps where owner is null or governance record is absent; divide by total AI-embedded workflow steps in active use - Policy attestation: HR/LMS acknowledgment records for AI-in-Business-Process Policy filtered to function heads and process owners; denominator is that population - Named owning team and HITL model: Inventory records for decision-affecting and customer-facing archetypes with both owning_team and human_oversight_model fields populated; target = 100% for those archetypes - Compliance events: Legal/compliance tracker entries for regulatory inquiries, customer complaints citing AI decisions, and Art. 22 challenges; count per quarter and trend

Answer: - ☐ Fully Mature (Evidence complete + ≥3 metrics meet targets) - ☐ Implemented (Evidence complete + 2 metrics meet targets) - ☐ Partial (Evidence partially complete + <2 metrics meet targets) - ☐ Not Implemented (No evidence)

Evidence Location: _____ Metric Validation Date: ____ Notes: __________


Question 2: Build the AI/HAI process inventory and discover shadow AI in business processes

Q1.2: Do you maintain a single AI/HAI process inventory seeded from BPM and workflow platforms, RPA platforms, ticketing systems, customer-journey maps, internal wiki/handbook search, function-by-function surveys sent to all major business functions, and vendor-contract review, covering all seven archetypes with a minimum field set including archetype, AI capability embedded, decision-affecting effect, customer reach, reversibility, human-oversight depth, regulatory scope, and approval status?

Evidence Required: - [ ] Single authoritative process inventory with minimum fields: workflow name, owning function, owning team, archetype, AI capability embedded (vendor or internal), decision-affecting effect (Art. 22/Annex III trigger), customer reach, reversibility, human-oversight depth, regulatory scope, data classes processed, business criticality, approval status, linked artifacts - [ ] BPM platform discovery active: Camunda, ServiceNow workflow catalog, Salesforce flows with AI steps, Microsoft Power Automate, business-process-mapping repos queried for AI-labeled workflows - [ ] RPA platforms reviewed: UiPath, Automation Anywhere, Blue Prism, processes with AI plugins or AI-decision steps - [ ] Function-by-function survey sent to function heads (HR, Finance, Legal, Customer Support, Sales, Engineering, Operations) with explicit amnesty framing; at least one survey cycle completed - [ ] Internal wiki/handbook search run monthly: Confluence, Notion, internal wikis searched for "AI-assisted," "AI-generated," "AI review," "automated decision," "model-based," "LLM-drafted" - [ ] Vendor-contract and invoice review used to identify AI-embedded SaaS tools (Salesforce Einstein, Workday AI, Greenhouse AI, Intercom AI, lending platforms with model-score APIs) deployed in business functions

Outcome Metrics: | Metric | Baseline | Current | Target | Met? | Notes | |---|---|---|---|---|---| | AI/HAI process inventory coverage (% of discovered AI-embedded workflows in inventory) | ___ | ___ | ≥85% within 12 months | ☐ | | | Shadow-AI-in-processes ratio (AI-embedded workflow steps without known owner or governance record ÷ total AI-embedded workflow steps) | ___ | ___ | ≤20% and trending down | ☐ | | | % function heads and process owners with acknowledged AI-in-Business-Process Policy | ___ | ___ | ≥90% | ☐ | | | % AI-embedded workflows in production with named owning team and documented human-oversight model | ___ | ___ | 100% for decision-affecting and customer-facing archetypes | ☐ | | | Known AI-process compliance events per quarter (regulatory inquiry, customer complaint citing AI decision, Art. 22 challenge) | ___ | ___ | trending down QoQ | ☐ | |

Metric Collection Guidance: - Inventory coverage: Monthly reconciliation comparing inventory records to BPM/RPA/ticketing signals + wiki search hits + survey disclosures + vendor-contract review; unmatched signals are shadow-AI-in-processes candidates - Shadow-AI-in-processes ratio: Filter inventory for workflow steps with null owner or absent governance record; divide by total active AI-embedded workflow steps; trend quarterly. Note: discovery relies heavily on surveys, so the ratio may initially be higher than other domains - Named owning team and HITL model: Inventory check for decision-affecting and customer-facing archetypes; both fields must be populated; track completion rate per archetype - Policy attestation: HR/LMS query for function heads and process owners who completed AI-in-Business-Process Policy acknowledgment; denominator is that population from HR system - Compliance events: Legal/compliance tracker entries aggregated per quarter; trend downward is the L1 success signal

Answer: - ☐ Fully Mature (Evidence complete + ≥3 metrics meet targets) - ☐ Implemented (Evidence complete + 2 metrics meet targets) - ☐ Partial (Evidence partially complete + <2 metrics meet targets) - ☐ Not Implemented (No evidence)

Evidence Location: _____ Metric Validation Date: ____ Notes: __________


Question 3: Establish foundational metrics and the shadow-AI-in-processes scoreboard

Q1.3: Do you baseline and report quarterly to the executive sponsor a shadow-AI-in-processes scoreboard covering inventory state by archetype, new AI-embedded workflows discovered and their intake status, shadow-AI-in-processes ratio trend over the last four quarters, AI-in-Business-Process Policy attestation coverage, and the top five unmitigated process risks with named owners and remediation status?

Evidence Required: - [ ] Quarterly shadow-AI-in-processes scoreboard published and delivered to the executive sponsor, at least two consecutive quarters on record - [ ] Scoreboard includes archetype-level breakdown (decision pipeline, customer-facing flow, human-AI collaboration chain, back-office augmentation, approval/review workflow, content-generation workflow, knowledge-management workflow) - [ ] Shadow-AI-in-processes ratio trended over last 4 quarters with commentary on direction - [ ] AI-in-Business-Process Policy attestation percentage reported with function heads and process owners denominator - [ ] Top 5 unmitigated process risks listed with named owner and remediation status (TA-flagged, compliance-flagged, or external-advisory-flagged) - [ ] Intake SLA tracked: new AI-embedded workflow intake triaged within 5 BD; provisional approval within 10 BD for Low-tier archetypes (back-office augmentation, full human review, no regulated data, no customer-facing output)

Outcome Metrics: | Metric | Baseline | Current | Target | Met? | Notes | |---|---|---|---|---|---| | AI/HAI process inventory coverage (% of discovered AI-embedded workflows in inventory) | ___ | ___ | ≥85% within 12 months | ☐ | | | Shadow-AI-in-processes ratio (AI-embedded workflow steps without known owner or governance record ÷ total AI-embedded workflow steps) | ___ | ___ | ≤20% and trending down | ☐ | | | % function heads and process owners with acknowledged AI-in-Business-Process Policy | ___ | ___ | ≥90% | ☐ | | | % AI-embedded workflows in production with named owning team and documented human-oversight model | ___ | ___ | 100% for decision-affecting and customer-facing archetypes | ☐ | | | Known AI-process compliance events per quarter (regulatory inquiry, customer complaint citing AI decision, Art. 22 challenge) | ___ | ___ | trending down QoQ | ☐ | |

Metric Collection Guidance: - Scoreboard delivery cadence: Confirm last two quarters have a dated scoreboard delivered to exec sponsor with acknowledgment on record; function representatives at the working group should confirm archetype-level accuracy - Archetype breakdown: Scoreboard section shows counts per archetype (sanctioned / provisional / prohibited / awaiting intake); detects archetype classes growing unchecked - Shadow-AI-in-processes ratio trend: Four-quarter chart or table; downward trend is the L1 success signal; discovery quality depends on survey completeness, so annotation is important - Policy attestation: Percentage with denominator (function heads and process owners) explicitly stated; HR/LMS is authoritative; updated each quarter - Top-5 risks: Each entry lists risk description, source, named owner, and remediation status; legal/compliance risks given priority due to regulatory exposure

Answer: - ☐ Fully Mature (Evidence complete + ≥3 metrics meet targets) - ☐ Implemented (Evidence complete + 2 metrics meet targets) - ☐ Partial (Evidence partially complete + <2 metrics meet targets) - ☐ Not Implemented (No evidence)

Evidence Location: _____ Metric Validation Date: ____ Notes: __________


Maturity Level 2

Objective: Risk-tier every AI-embedded workflow using the canonical rubric, calibrate the program's intensity per tier, and measure practice maturity and shadow-AI reduction per tier, establishing the rubric every other Processes-domain L2 practice depends on

Question 1: Define the AI/HAI process risk-tier rubric

Q2.1: Do you have a published risk-tier rubric (Critical / High / Medium / Low) assigning a tier to every AI-embedded workflow based on seven auditable dimensions, decision-affecting effect (GDPR Art. 22 / EU AI Act Annex III), customer reach, reversibility of AI-driven action, human-oversight depth, regulatory scope, data classes processed, and business criticality, with tier derivation deterministic, human overrides recorded with rationale, and 100% of inventory records carrying a current tier?

Evidence Required: - [ ] Published tier-rubric document listing all seven auditable dimensions with deterministic assignment logic - [ ] 100% of inventory records carry a current tier assignment derived from the rubric - [ ] Decision-affecting effect dimension: AI output materially drives a decision with legal or significant effect on a person → Critical (GDPR Art. 22 / EU AI Act Annex III trigger) - [ ] Human-oversight depth dimension: autonomous step with no human in the loop → elevate to Critical or High; rubber-stamp HITL → treat as elevated and require HITL design assessment - [ ] Regulatory scope dimension: EU AI Act Annex III high-risk categories (employment, credit, education, biometric, critical infrastructure, law enforcement, immigration, justice, essential services) → Critical; sector-specific AI rules (FCRA, EEOC, NYC LL144, CO SB-21-169, FINRA, FDA, FRT) → Critical or High - [ ] Customer reach dimension: AI-embedded step reaches >10,000 customers per month → elevate tier - [ ] Human override log maintained: overrides recorded with rationale and reviewed by working group

Outcome Metrics: | Metric | Baseline | Current | Target | Met? | Notes | |---|---|---|---|---|---| | % of inventory with a current tier assignment | ___ | ___ | 100% | ☐ | | | Tier-treatment matrix adherence, % Critical workflows with full-scope treatment in last 12 months | ___ | ___ | ≥95% | ☐ | | | Tier-weighted shadow-AI-in-processes ratio (Critical-weighted) | ___ | ___ | Critical = 0 unsanctioned in production; overall trending down | ☐ | | | Per-tier SLA adherence across practices | ___ | ___ | ≥90% per tier | ☐ | | | FRIA completion rate for EU AI Act Annex III workflows | ___ | ___ | 100% before go-live | ☐ | | | Tier drift rate (tier changes per year) | ___ | ___ | tracked; unexplained changes = 0 | ☐ | |

Metric Collection Guidance: - % inventory with tier assignment: Automated check, records with null risk_tier flagged for remediation within 5 BD; stale tier (no re-confirmation after a material change) also flagged - Tier-treatment matrix adherence: For each Critical-tier workflow, verify: FRIA commissioned (for Annex III), HITL standards assessment completed, deep TA completed, full SR pack completed, full-lane DR completed; ≥95% must show all treatments in last 12 months - FRIA completion rate: FRIA register checked for every EU AI Act Annex III workflow; no record should show production status without a corresponding FRIA entry (commissioned, in-progress, or completed) - Tier-weighted shadow-AI-in-processes ratio: Critical-tier AI-embedded workflow steps without sanctioned status in production must be 0; overall ratio should trend down - Per-tier SLA adherence: From intake, DR, IR, ST, and IM trackers; % on-time per tier; report monthly

Answer: - ☐ Fully Mature (Evidence complete + ≥3 metrics meet targets) - ☐ Implemented (Evidence complete + 2 metrics meet targets) - ☐ Partial (Evidence partially complete + <2 metrics meet targets) - ☐ Not Implemented (No evidence)

Evidence Location: _____ Metric Validation Date: ____ Notes: __________


Question 2: Calibrate program intensity per tier

Q2.2: Do you have a published tier-treatment matrix defining differential controls across all downstream Processes-domain practices (PC, TA, SR, SA, DR, IR, ST, EH, ML, IM) for each tier, and is this matrix enforced, with Critical-tier workflows receiving full SR pack + full REM + FRIA gate (Annex III) + executive + DPO/CPO sign-off, substantive-HITL-SLA review, per-workflow deep TA, full-lane DR with Legal/Privacy representation, semi-annual IR, and full ST battery?

Evidence Required: - [ ] Tier-treatment matrix published covering all downstream practices with explicit controls per tier - [ ] Critical-tier treatment documented: full SR pack + full REM + FRIA gate (Annex III) + executive + DPO/CPO sign-off; substantive-review SLA documented and tested + override authority named; per-workflow deep TA including output-integrity, AGH via workflow inputs, EA in automated steps, RA in long-running pipelines; full-lane DR with named architect and Legal/Privacy representative; semi-annual IR + on material change; full ST battery (output-integrity probes, HITL bypass tests, input-injection probes, excessive-agency tests, logging-completeness, kill-switch); IM SLA ack ≤4h/mitigate ≤48h - [ ] Low-tier fast-track documented: base SR pack only; human-review step confirmed; no DR required; go-live IR only; spot-check ST; baseline logging; IM SLA ack ≤5BD/mitigate ≤30d - [ ] FRIA gate operational: no Critical Annex III workflow reaches production without a commissioned FRIA; FRIA register maintained - [ ] HITL standards assessments completed for all Critical/High workflows within 30 days of intake; substantive depth verified (not just binary human-exists check)

Outcome Metrics: | Metric | Baseline | Current | Target | Met? | Notes | |---|---|---|---|---|---| | % of inventory with a current tier assignment | ___ | ___ | 100% | ☐ | | | Tier-treatment matrix adherence, % Critical workflows with full-scope treatment in last 12 months | ___ | ___ | ≥95% | ☐ | | | Tier-weighted shadow-AI-in-processes ratio (Critical-weighted) | ___ | ___ | Critical = 0 unsanctioned in production; overall trending down | ☐ | | | Per-tier SLA adherence across practices | ___ | ___ | ≥90% per tier | ☐ | | | FRIA completion rate for EU AI Act Annex III workflows | ___ | ___ | 100% before go-live | ☐ | | | Tier drift rate (tier changes per year) | ___ | ___ | tracked; unexplained changes = 0 | ☐ | |

Metric Collection Guidance: - Tier-treatment matrix adherence: For each Critical-tier workflow, verify: FRIA on file (commissioned/in-progress/completed), HITL standards assessment on file with substantive-review SLA documented, TA report exists, DR completed, IR within cadence; ≥95% must show all treatments in last 12 months - FRIA gate: FRIA register entry required before any Annex III workflow enters production; register checked at each quarterly working-group meeting; overdue FRIAs flagged as headline findings - HITL standards assessment: Assessment documents for Critical/High workflows reviewed for substance, does the assessment confirm the human review SLA is sufficient for real oversight, or does it just confirm a human step exists? - Per-tier SLA adherence: Aggregated from intake, DR, IR, ST, and IM trackers; % on-time per tier; reported monthly - Tier drift rate: Governance log reviewed at each working-group meeting; changes without dimension-change rationale are unexplained; target = 0

Answer: - ☐ Fully Mature (Evidence complete + ≥3 metrics meet targets) - ☐ Implemented (Evidence complete + 2 metrics meet targets) - ☐ Partial (Evidence partially complete + <2 metrics meet targets) - ☐ Not Implemented (No evidence)

Evidence Location: _____ Metric Validation Date: ____ Notes: __________


Question 3: Per-tier scoreboard and governance

Q2.3: Does the quarterly shadow-AI-in-processes scoreboard report inventory state per tier and per archetype with Critical-tier unsanctioned AI in production explicitly tracked at zero, include a tier-movement log with rationale, include FRIA completion status for all Annex III workflows, report per-tier SLA adherence, and is it reviewed by the executive sponsor who discusses tier-balance?

Evidence Required: - [ ] Quarterly scoreboard includes a tier × archetype breakdown table (Critical/High/Medium/Low rows by archetype columns) - [ ] Critical-tier unsanctioned AI-embedded workflow steps in production is a named metric; target is 0; any non-zero value is a headline finding - [ ] Tier-movement log included: workflows that moved up or down in the quarter, with dimension(s) that changed and rationale for each move - [ ] FRIA completion status for all Annex III workflows: commissioned / in-progress / completed / flagged as overdue - [ ] SLA adherence per tier reported for intake, DR, IR, ST, ML, and IM - [ ] Quarterly executive review documented (agenda + minutes) showing tier-balance discussion and sponsor acknowledgment; FRIA completion status reviewed

Outcome Metrics: | Metric | Baseline | Current | Target | Met? | Notes | |---|---|---|---|---|---| | % of inventory with a current tier assignment | ___ | ___ | 100% | ☐ | | | Tier-treatment matrix adherence, % Critical workflows with full-scope treatment in last 12 months | ___ | ___ | ≥95% | ☐ | | | Tier-weighted shadow-AI-in-processes ratio (Critical-weighted) | ___ | ___ | Critical = 0 unsanctioned in production; overall trending down | ☐ | | | Per-tier SLA adherence across practices | ___ | ___ | ≥90% per tier | ☐ | | | FRIA completion rate for EU AI Act Annex III workflows | ___ | ___ | 100% before go-live | ☐ | | | Tier drift rate (tier changes per year) | ___ | ___ | tracked; unexplained changes = 0 | ☐ | |

Metric Collection Guidance: - Per-tier scoreboard delivery: Last two consecutive quarterly scoreboards must include tier × archetype table; each shows delta from prior quarter - Critical-tier unsanctioned count: Named metric; source is inventory filtered on tier=Critical AND (status != Sanctioned OR HITL_model = null) AND production; target = 0 - FRIA completion status: FRIA register extract showing all Annex III workflows with their FRIA status; any workflow in production without a completed or accepted FRIA is a headline finding - Tier-movement log completeness: Each entry must have workflow name, prior tier, new tier, dimension(s) that changed, reviewer name, and date; unexplained changes target = 0 - SLA adherence per tier: Pulled from intake, DR, IR, ST, and IM systems; % on-time per tier per quarter - Executive review: Filed governance document confirming exec sponsor reviewed tier-balance and FRIA completion sections

Answer: - ☐ Fully Mature (Evidence complete + ≥3 metrics meet targets) - ☐ Implemented (Evidence complete + 2 metrics meet targets) - ☐ Partial (Evidence partially complete + <2 metrics meet targets) - ☐ Not Implemented (No evidence)

Evidence Location: _____ Metric Validation Date: ____ Notes: __________


Maturity Level 3

Objective: Automate inventory and tier maintenance from workflow-execution telemetry, benchmark the program against external peers (APQC, BPM ISACs, sector AI working groups), and contribute to industry AI-process-governance standards

Question 1: Continuous inventory and tier automation from workflow-execution telemetry

Q3.1: Does the AI/HAI process inventory auto-update from live BPM platform events, RPA platform run-log events, ticketing-system AI-routing events, CX-platform AI events, and contract/procurement events, with tier assignments rule-based and replayable, tier changes auto-triggering downstream practice obligations (including FRIA commissioning for new Annex III workflows) within 24 hours, and a published data-quality SLO of ≥99% correctly tiered within 48 hours of a material change?

Evidence Required: - [ ] Published data-quality SLO: ≥99% of active AI-embedded workflows correctly tiered within 48 hours of a material change; ≥95% inventory completeness against discovery-source reconciliation. Note: a ≥75% auto-curation target (vs. 80% in other domains) is expected due to the informal nature of process workflows - [ ] Automated feeds operational: BPM platform events (new workflow created, AI step added/removed, routing rule changed), RPA run-log events (new AI-plugin invocation), ticketing-system AI-routing events (new queue routing to an AI step), CX-platform AI events (new AI chatbot flow activated), contract/procurement events (new AI-embedded SaaS licensed to a business function), workflow-execution telemetry showing new AI-step latency patterns, self-attestation and intake - [ ] Tier rules documented as versioned, replayable logic; rule changes change-logged and replayable - [ ] Tier-change events auto-trigger downstream obligations (e.g., Medium→Critical adding an automated credit-scoring step triggers FRIA commissioning, DR, and full-lane treatment) within 24h - [ ] Human curation queue defined for: new archetypes, ambiguous workflow descriptions, workflows spanning multiple archetypes, dimensional-input conflicts - [ ] Automation health dashboard: on-call paged when feed staleness threshold exceeded

Outcome Metrics: | Metric | Baseline | Current | Target | Met? | Notes | |---|---|---|---|---|---| | Inventory auto-update latency | ___ | ___ | ≤48h for material changes | ☐ | | | % inventory entries auto-curated vs. human-curated | ___ | ___ | ≥75% auto (reflects informal workflow nature) | ☐ | | | Inventory completeness against discovery-source reconciliation | ___ | ___ | ≥99% | ☐ | | | Tier-rule auto-trigger of downstream obligations on tier change | ___ | ___ | 100% within 24h | ☐ | | | External benchmarks tracked | ___ | ___ | ≥5 peer-comparable metrics (APQC, BPM-community, sector ISACs) | ☐ | | | Industry contributions per year | ___ | ___ | ≥4 substantive | ☐ | | | Executive ROI narrative refreshed with external benchmarks | ___ | ___ | semi-annual | ☐ | |

Metric Collection Guidance: - Auto-update latency: Measure time from a known material change event (new AI step added to a BPM workflow, new AI-routing rule in ticketing system) to the corresponding inventory record update; P95 across 20 sampled events per quarter - % auto-curated: From the curation log, count records updated by automated feeds vs. human-initiated edits; 75% target (vs. 80% in other domains) reflects the inherently informal nature of process workflows where self-attestation and survey remain essential - Inventory completeness: Full reconciliation across BPM/RPA/ticketing + wiki search + CX-platform + contract review; report completeness % and list archetypes below 99% - Downstream obligation auto-trigger: Workflow telemetry showing each tier-change event produced a FRIA gate trigger, DR ticket, or ST job within 24h; report % within SLO - External benchmarks tracked: Count distinct benchmark data points in semi-annual brief; each traceable to APQC, BPM-community, sector ISAC, or enforcement-action source

Answer: - ☐ Fully Mature (Evidence complete + ≥3 metrics meet targets) - ☐ Implemented (Evidence complete + 2 metrics meet targets) - ☐ Partial (Evidence partially complete + <2 metrics meet targets) - ☐ Not Implemented (No evidence)

Evidence Location: _____ Metric Validation Date: ____ Notes: __________


Question 2: External benchmarking

Q3.2: Do you publish a semi-annual external-benchmarking brief comparing the program against at least five peer-comparable metrics via APQC process-maturity frameworks, BPM-community AI-governance working groups, HR-AI working groups (SHRM, IEEE), FinAI working groups (FS-ISAC, FINRA), ClinAI working groups (ONC, AHA, H-ISAC), and sector-specific enforcement-action learnings, and do benchmark deltas explicitly inform program investment decisions?

Evidence Required: - [ ] Semi-annual benchmarking brief published, two most recent on file with dates, each containing ≥5 peer-comparable metrics from named external sources - [ ] Benchmarking sources include at least two of: APQC / BPM-community AI-governance (OMG BPM + AI, Camunda, SAP Signavio) / HR-AI working groups (SHRM, IEEE Ethically Aligned Design) / FinAI working groups (FS-ISAC, FINRA model-risk practitioner communities) / ClinAI working groups (ONC, AHA, H-ISAC) / sector enforcement-action learnings (FTC, CFPB, EEOC AI guidance) - [ ] Metrics benchmarked cover: inventory coverage, shadow-AI-in-processes ratio, per-tier SLA adherence, FRIA completion rate, HITL substantive-review SLA adherence, time from "new AI-embedded workflow proposed" to "provisional approval issued" - [ ] Benchmark deltas explicitly referenced in a program investment or prioritization decision; documentation filed within 90 days of each brief - [ ] Peer selection rationale documented, peers chosen to stretch the program

Outcome Metrics: | Metric | Baseline | Current | Target | Met? | Notes | |---|---|---|---|---|---| | Inventory auto-update latency | ___ | ___ | ≤48h for material changes | ☐ | | | % inventory entries auto-curated vs. human-curated | ___ | ___ | ≥75% auto (reflects informal workflow nature) | ☐ | | | Inventory completeness against discovery-source reconciliation | ___ | ___ | ≥99% | ☐ | | | Tier-rule auto-trigger of downstream obligations on tier change | ___ | ___ | 100% within 24h | ☐ | | | External benchmarks tracked | ___ | ___ | ≥5 peer-comparable metrics (APQC, BPM-community, sector ISACs) | ☐ | | | Industry contributions per year | ___ | ___ | ≥4 substantive | ☐ | | | Executive ROI narrative refreshed with external benchmarks | ___ | ___ | semi-annual | ☐ | |

Metric Collection Guidance: - External benchmarks tracked: Each brief lists ≥5 named benchmark data points; each traceable to an APQC/BPM-community/sector-ISAC/enforcement-action source - Benchmark-driven investment: Program planning or budget document explicitly citing a benchmark delta as rationale; filed within 90 days of each brief - Semi-annual cadence: Two briefs within a 12-month window; no gap > 7 months - Executive ROI narrative: Annual exec/board deck references external benchmarks, regulatory-inquiry response time trending, FRIA completion status, and avoided-loss examples (Annex III workflow caught at intake before deployment, Art. 22 violation avoided by FRIA gate)

Answer: - ☐ Fully Mature (Evidence complete + ≥3 metrics meet targets) - ☐ Implemented (Evidence complete + 2 metrics meet targets) - ☐ Partial (Evidence partially complete + <2 metrics meet targets) - ☐ Not Implemented (No evidence)

Evidence Location: _____ Metric Validation Date: ____ Notes: __________


Question 3: Contribute to industry AI-process-governance standards

Q3.3: Does the program contribute at least four substantive, anonymized artifacts per year to industry AI-process-governance standards through ISO/IEC 42005 AI impact assessment, OECD AI Policy Observatory, sector AI deployment officer credentialing paths, BPM community AI-governance frameworks, CSA AI Safety Initiative, or ISO/IEC 42001 AIMS community, with each contribution anonymized, legally vetted, and traceable to a published standard or working-group output?

Evidence Required: - [ ] Contribution log maintained listing all submissions: target body (ISO/IEC 42005, OECD, sector deployment officer pathway, BPM community, CSA, ISO/IEC 42001 AIMS), submission type (FRIA methodology template, HITL design standard, workflow-archetype taxonomy, process-AI control guidance), date submitted, anonymization review, status - [ ] At least 4 substantive contributions per year in the most recent 12-month window; each is a technical artifact accepted or in active review; panels and press releases do not count - [ ] Each contribution has a legal/privacy review sign-off confirming anonymization before submission - [ ] Contributions traceable to published outputs: ISO/IEC 42005 working-group documents, OECD AI Policy Observatory publications, sector credentialing pathway guidance, BPM community AI-governance framework publications, CSA controls matrix updates - [ ] Contribution pipeline shows ≥2 items in-flight (draft, in-review, or being prepared)

Outcome Metrics: | Metric | Baseline | Current | Target | Met? | Notes | |---|---|---|---|---|---| | Inventory auto-update latency | ___ | ___ | ≤48h for material changes | ☐ | | | % inventory entries auto-curated vs. human-curated | ___ | ___ | ≥75% auto (reflects informal workflow nature) | ☐ | | | Inventory completeness against discovery-source reconciliation | ___ | ___ | ≥99% | ☐ | | | Tier-rule auto-trigger of downstream obligations on tier change | ___ | ___ | 100% within 24h | ☐ | | | External benchmarks tracked | ___ | ___ | ≥5 peer-comparable metrics (APQC, BPM-community, sector ISACs) | ☐ | | | Industry contributions per year | ___ | ___ | ≥4 substantive | ☐ | | | Executive ROI narrative refreshed with external benchmarks | ___ | ___ | semi-annual | ☐ | |

Metric Collection Guidance: - Industry contributions per year: Count entries in the contribution log for trailing 12 months where status = submitted or accepted to a named body; only substantive technical artifacts (HITL design standards, FRIA methodology templates, workflow-archetype taxonomies) count - Contribution pipeline health: At any working-group meeting, pipeline log shows ≥2 items not yet in submitted status; noted in minutes - Legal/privacy review: Each contribution log entry must have reviewer name and date; no contribution submitted without this sign-off - Executive ROI narrative: Filed annually to exec/board; references external benchmarks, regulatory-inquiry turnaround time trending down, and avoided-loss examples; faster sanctioned workflow onboarding time is a key metric

Answer: - ☐ Fully Mature (Evidence complete + ≥3 metrics meet targets) - ☐ Implemented (Evidence complete + 2 metrics meet targets) - ☐ Partial (Evidence partially complete + <2 metrics meet targets) - ☐ Not Implemented (No evidence)

Evidence Location: _____ Metric Validation Date: ____ Notes: __________


Summary Scorecard

Level Q1 Q2 Q3 Avg Achieved?
L1 __ __ __ __
L2 __ __ __ __
L3 __ __ __ __

Practice maturity level achieved: ___ (highest level where all 3 questions score ≥ 0.67)


Document Version: HAIAMM v3.0 Practice: Strategy & Metrics (SM) Domain: Processes Last Updated: 2026-05-15 Author: Verifhai

Instructions:

  • Answer based on current practices, not plans
  • “Yes” requires documented evidence
  • Complete all Level 1 questions before Level 2
  • Partial implementation = “No”

↓ Download as Markdown