govrn-platform — Assessment Instrument

Internal · 2026-06-07 · v0.1. The question bank the engagement runs — the productized, standard-mapped assessment across all three lenses. Each item is scored pass (100) / partial (50) / fail (0) / n-a, and each maps to a recognized standard so the resulting posture is defensible. This is the data behind the dashboard's per-lens scores; it will move into data/ as typed records once the schema lands.

Scoring key per item: signal = how the item is evidenced (assessment: one-time; monitored: continuous, from a live feed; manual: attestation). ref = the standard the item maps to. The instrument is intentionally scale-neutral: a 120-person org answers the same questions as a Fortune-500; size and priorities enter only through the weights applied at scoring.


Lens 1 — IT-Rationalization

1.1 Inventory & Capability

  • IR-INV-01 Is there a complete, current inventory of applications? · ref: MCG method · signal: monitored
  • IR-INV-02 …of databases and data stores? · monitored
  • IR-INV-03 …of integrations (incl. manual re-entry / copy-paste workflows)? · assessment
  • IR-INV-04 …of vendor contracts with renewal dates and owners? · monitored
  • IR-CAP-01 Is every business capability mapped to the system(s) that support it? · assessment
  • IR-CAP-02 Does each system have a named business owner (not just IT)? · assessment

1.2 Duplication & Disposition

  • IR-DUP-01 Have duplicate/overlapping systems been identified (true-dup vs overlap vs adjacent vs capability-drift)? · assessment
  • IR-DIS-01 Does every system have a current disposition (retain/replace/retire) with rationale? · monitored
  • IR-DIS-02 For retire candidates, is there a defensible sunset record (successor, migration, timing, risk)? · assessment

1.3 System-of-Record & Integration

  • IR-SOR-01 Is there one authoritative system-of-record per data domain (members, finance, etc.)? · manual
  • IR-SOR-02 Where multiple systems claim authority, is there a reconciliation + stewardship plan? · manual
  • IR-INT-01 Is the integration count minimized and each integration characterized (source/dest/owner/failure-mode)? · assessment
  • IR-INT-02 Is there a single, sustainable integration pattern (vs a mix the team can't maintain)? · assessment

1.4 Roadmap & ROI

  • IR-RDM-01 Is there a multi-year roadmap (executive one-pager + portfolio view) that reflects reality? · monitored
  • IR-ROI-01 Are projected savings anchored to actual contracts/invoices (not round numbers)? · assessment
  • IR-ROI-02 Is savings realization tracked against the roadmap over time? · monitored

Lens 2 — Cybersecurity (NIST CSF 2.0 functions + CIS v8.1)

2.1 Govern (GV)

  • CS-GV-01 Is there a defined security governance structure with accountability? · ref: CSF 2.0 GV · manual
  • CS-GV-02 Is third-party/supply-chain risk governed (vendor security reviews, exit/portability)? · CSF 2.0 GV.SC / CIS C15 · monitored

2.2 Identify (ID)

  • CS-ID-01 Are assets inventoried and classified by data sensitivity? · CSF 2.0 ID.AM / CIS C1–C2 · monitored
  • CS-ID-02 Is there a current risk assessment incl. known vulnerabilities/CVEs? · CSF 2.0 ID.RA / CIS C7 · monitored

2.3 Protect (PR)

  • CS-PR-01 Is MFA enforced across all privileged and remote access? · CSF 2.0 PR.AA / CIS C5–C6 · monitored
  • CS-PR-02 Is sensitive data encrypted at rest and in transit? · CSF 2.0 PR.DS / CIS C3 · assessment
  • CS-PR-03 Is there least-privilege access control with periodic review? · CSF 2.0 PR.AA · assessment

2.4 Detect (DE)

  • CS-DE-01 Is there centralized logging and monitoring of security events? · CSF 2.0 DE / CIS C8 · monitored
  • CS-DE-02 Are vendor advisories and CVE feeds watched for fleet-relevant exposure? · CIS C7 · monitored

2.5 Respond & Recover (RS / RC)

  • CS-RS-01 Is there a documented, current incident-response plan (who calls whom, what gets shut down)? · CSF 2.0 RS / CIS C17 · manual
  • CS-RC-01 Are backups taken on a defined cadence AND restore-tested? · CSF 2.0 RC / CIS C11 · assessment
  • CS-RC-02 Is there SaaS-specific backup (M365/Salesforce) against accidental deletion/ransomware? · CIS C11 · assessment

2.6 Privacy

  • CS-PRV-01 Are applicable privacy and data-protection obligations mapped (state privacy laws, GDPR, PIPEDA, FERPA, HIPAA, and PCI DSS v4.0.1 where cardholder data is handled)? · manual
  • CS-PRV-02 Does every vendor relationship have a documented exit path with data portability? · manual

Lens 3 — AI-Governance (the differentiator — the surface security misses)

3.1 Model Inventory / AI-BOM

  • AI-INV-01 Is there a complete inventory of AI models/LLMs/agents in use (sanctioned)? · ref: NIST AI RMF MAP / ISO 42001 · monitored
  • AI-INV-02 Is shadow AI (unsanctioned model use) actively discovered? · NIST AI RMF MAP · monitored
  • AI-INV-03 For each model: provider, version, use-case, data-access, owner, hosting documented? · ISO 42001 · monitored
  • AI-INV-04 Are datasets, prompts, and fine-tunes inventoried (not just the model)? · NIST AI RMF MAP · assessment

3.2 Bias & Fairness

  • AI-BIA-01 Are high-impact models tested for biased/disparate outcomes before and during use? · NIST AI RMF MEASURE / ISO 42005 / EU AI Act · assessment→monitored
  • AI-BIA-02 Is there an impact assessment for consequential AI decisions? · ISO 42005 / EU AI Act · assessment

3.3 Prompt-Injection / Adversarial

  • AI-PI-01 Have LLM/agent inputs been tested for prompt-injection/jailbreak? · OWASP LLM01 / MITRE ATLAS · monitored
  • AI-PI-02 Are guardrails in place for system-prompt leakage and unsafe output handling? · OWASP LLM07 / LLM05 (2025) · assessment
  • AI-PI-03 For RAG systems, are vector/embedding weaknesses (poisoned or cross-tenant retrieval) addressed? · OWASP LLM08 (2025) · assessment

3.4 Data Provenance

  • AI-DP-01 Is training/RAG data origin, rights, and lineage documented? · ISO 42001 / NIST AI 600-1 / EU AI Act · manual
  • AI-DP-02 Is there consent/licensing clarity for data the model was trained on or retrieves? · EU AI Act data-governance · manual

3.5 Human Oversight (HITL)

  • AI-HITL-01 Does a human gate every consequential AI decision (member/financial/safety impact)? · EU AI Act Art.14 / NIST AI RMF GOVERN · assessment
  • AI-HITL-02 Is the human approver-of-record logged for AI-driven actions? · EU AI Act Art.14 · assessment

3.6 Drift & Performance

  • AI-DRF-01 Is there a baseline and continuous monitoring of model accuracy/behavior drift? · NIST AI RMF MANAGE / ISO 5338 · monitored
  • AI-DRF-02 Are degradation thresholds defined that trigger review? · NIST AI RMF MANAGE · monitored

3.7 Agentic Controls

  • AI-AGT-01 Do agents operate under least-privilege tool/permission scopes (no excessive agency)? · OWASP LLM06 / MITRE ATLAS / CSA Agentic · assessment
  • AI-AGT-02 Are autonomous agent actions bounded and auditable? · OWASP LLM06 · assessment

3.8 Foundation-Model / Third-Party Risk

  • AI-FM-01 Is foundation/third-party model risk tracked (provider, weights, terms, GPAI obligations)? · EU AI Act GPAI / ISO 42001 supplier / Databricks DASF · monitored
  • AI-FM-02 Is there a fallback/exit plan if a model provider changes terms or is deprecated? · ISO 42001 supplier · manual

3.9 Acceptable-Use

  • AI-AUP-01 Is there a current, enforced AI acceptable-use policy? · ISO 42001 / NIST AI RMF GOVERN · manual

3.10 Transparency / Explainability

  • AI-TR-01 Is AI use disclosed to affected people where required? · EU AI Act transparency / CHAI model cards · manual
  • AI-TR-02 Do high-impact models have model cards (purpose, limits, data, performance)? · CHAI model card / NIST AI RMF · manual

3.11 AI Incident Response

  • AI-IR-01 Is there a playbook for AI-specific incidents (hallucination harm, jailbreak, harmful output)? · EU AI Act incident reporting / NIST AI 600-1 · manual
  • AI-IR-02 Are serious-incident reporting obligations mapped (EU AI Act, sectoral)? · EU AI Act · manual

Sector overlays (pluggable add-ons)

  • Health → Joint Commission responsible-AI guidance + CHAI Applied Model Cards (NOT the scrapped assurance labs).
  • Finance → model-risk-management discipline (SR 11-7 framing).
  • Real estate (Grace Hill) → multi-entity/franchisee tenant-hierarchy; PropTech vendor sprawl.

How it scores

Lens posture = mean of the assessed items in that lens (pass=100, partial=50, fail=0). Items marked n-a are excluded from the mean and from the applicable count, and are surfaced alongside the coverage gap rather than silently dropped; applicable items with no answer yet (typically a monitored item whose signal is not wired) are unassessed and make up the coverage gap. Overall = weighted mean of the lens postures (weights set per client priorities at engagement start; a lens with nothing assessed yet is left out and the remaining weights re-normalized, so it neither counts as 0 nor drags the total down). Coverage % = assessed ÷ applicable, shown alongside the score so a buyer sees both how they're doing and how much isn't yet watched. As monitored items gain live signals they re-score automatically, and the instrument becomes the living dashboard.
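The scoring rule carried through as an added worked example. This is not code from the platform (the data/ records and their schema do not exist yet); item IDs are taken from the instrument, while the answers, the lens weights and the apply_signal helper are constructed for illustration. It excludes n-a from both numerator and denominator, lists n-a items beside the score, counts unanswered applicable items as the coverage gap, and re-normalizes weights over the lenses that already have a posture.

```python
from dataclasses import dataclass
from typing import Optional

# Per-item values from the instrument; n-a and "no evidence yet" carry no value.
SCORE = {"pass": 100, "partial": 50, "fail": 0}


@dataclass
class Item:
    id: str                       # instrument ID, e.g. "CS-PR-01"
    lens: str                     # "IR" | "CS" | "AI"
    signal: str                   # "assessment" | "monitored" | "manual"
    answer: Optional[str] = None  # "pass" | "partial" | "fail" | "n-a" | None (no evidence yet)


@dataclass
class LensResult:
    posture: Optional[float]  # None until at least one item in the lens is assessed
    assessed: int
    applicable: int
    not_applicable: list      # n-a items, surfaced rather than silently dropped
    unassessed: list          # applicable items with no answer yet: the coverage gap

    @property
    def coverage(self) -> Optional[float]:
        # Coverage % = assessed / applicable
        if self.applicable == 0:
            return None
        return round(100.0 * self.assessed / self.applicable, 1)


def score_lens(items):
    """Lens posture = mean of assessed items; n-a leaves both mean and denominator."""
    scored = [SCORE[i.answer] for i in items if i.answer in SCORE]
    na = [i.id for i in items if i.answer == "n-a"]
    gap = [i.id for i in items if i.answer is None]
    posture = round(sum(scored) / len(scored), 1) if scored else None
    return LensResult(posture, len(scored), len(items) - len(na), na, gap)


def score_all(items, weights):
    """Per-lens results plus the overall weighted mean over lenses that have a posture."""
    by_lens = {}
    for it in items:
        by_lens.setdefault(it.lens, []).append(it)
    results = {lens: score_lens(group) for lens, group in by_lens.items()}
    # A lens with nothing assessed yet is left out and the remaining weights are
    # re-normalised, so it neither counts as 0 nor drags the total down.
    live = [(weights[lens], r.posture) for lens, r in results.items() if r.posture is not None]
    total_w = sum(w for w, _ in live)
    overall = round(sum(w * p for w, p in live) / total_w, 1) if total_w else None
    return results, overall


def apply_signal(items, item_id, answer):
    """Re-score a monitored item when a live signal arrives (hypothetical helper).

    Assessment and manual items are refused on purpose: they change only
    through the engagement workflow, never from a feed.
    """
    if answer not in SCORE and answer != "n-a":
        raise ValueError(f"unknown answer {answer!r}")
    for it in items:
        if it.id == item_id:
            if it.signal != "monitored":
                raise ValueError(f"{item_id} is {it.signal}, not monitored")
            it.answer = answer
            return it
    raise KeyError(item_id)


# Constructed sample: IDs are from the instrument, the answers are made up.
SAMPLE = [
    Item("IR-INV-01", "IR", "monitored", "pass"),
    Item("IR-INV-03", "IR", "assessment", "partial"),
    Item("IR-CAP-01", "IR", "assessment", "fail"),
    Item("IR-ROI-02", "IR", "monitored"),          # signal not wired yet
    Item("CS-PR-01", "CS", "monitored", "pass"),
    Item("CS-PR-02", "CS", "assessment", "partial"),
    Item("CS-RC-02", "CS", "assessment", "n-a"),   # no SaaS in scope for this org
    Item("CS-DE-01", "CS", "monitored"),
    Item("AI-INV-01", "AI", "monitored"),
    Item("AI-AUP-01", "AI", "manual"),
]
# Hypothetical client weights set at engagement start.
WEIGHTS = {"IR": 0.25, "CS": 0.40, "AI": 0.35}

if __name__ == "__main__":
    results, overall = score_all(SAMPLE, WEIGHTS)
    for lens, r in results.items():
        print(lens, r.posture, f"coverage={r.coverage}", "gap:", r.unassessed, "n-a:", r.not_applicable)
    print("overall", overall)
    apply_signal(SAMPLE, "AI-INV-01", "pass")  # a live signal lands; the AI lens now scores
    print("overall after signal", score_all(SAMPLE, WEIGHTS)[1])
```

With the sample above the AI lens has no posture at first, so the overall is the re-normalized mean of IR and CS alone; once a monitored AI item gets a live signal the lens joins the weighted mean and the overall moves without any manual re-scoring, which is the behaviour the dashboard depends on.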