> For the complete documentation index, see [llms.txt](https://docs.cortex.io/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.cortex.io/solutions/ai-governance/in-action.md).

# AI governance in action

Your workspace is configured. Now the job is maintaining your compliance posture over time: catching gaps before they become audit findings, keeping ownership current as teams change, and building the track record that demonstrates your governance program is working.

## What good looks like: A real example

A security team preparing for an external compliance audit uses Cortex to check their AI Governance Scorecard and finds something unexpected: a dozen AI model services in production have no documented incident response plan and aren't running automated vulnerability scanning — both Silver-level requirements.

Here's how they use Cortex to address it before the audit:

1. They filter the Scorecard to the failing rules and identify the 12 affected services and their owners.
2. They create an Initiative ("AI service security remediation") targeting those two rules, with a two-week deadline and automated reminders to each service owner.
3. Jira tickets are auto-generated for each failing service, so owners know exactly what's required.
4. By audit day, all 12 services are passing. The compliance report shows zero critical governance gaps.

This is the loop:

1. **Measure**
2. **Identify gaps**
3. **Drive action**
4. **Verify improvement**

## Day-to-day: Staying on top of Scorecard gaps

Governance gaps have a different urgency than general engineering quality gaps. A service missing a runbook is a reliability risk. A service missing vulnerability scanning or a data handling policy is an active compliance liability. The faster you catch and close these gaps, the lower your exposure.

Scorecard failures surface in three places:

* **Engineering homepage** - Engineers see the governance requirements they're responsible for and where they're falling short, every time they log in. See [Engineering homepage](/streamline/homepage.md).
* **Notifications** - Configure Slack, Microsoft Teams, or email alerts when a rule starts failing. Proactive notification matters here: a governance gap that sits unaddressed for weeks is more serious than one caught the same day. See [Notifications](/configure/settings/notifications.md).
* **Scorecard reports** - Track compliance trends across teams over time in [reports](/improve/reports.md), or review the current state of a specific Scorecard in [Evaluate Scorecards](/standardize/scorecards/evaluate.md). Scorecard pass rate trends are useful evidence during audits and leadership reviews.

### Remediating a failing rule

There are three ways to address a failing rule:

* **Use Cortex MCP** - Ask ***What are quick wins for my AI governance Scorecard?*** to get a prioritized list of gaps that are low effort to close. Useful when you need to improve compliance posture quickly ahead of a review.
* **Create an Initiative** - For gaps that span multiple teams or require a deadline, Initiatives assign the work to service owners with automated reminders and progress tracking. You can auto-generate issues in Jira, ClickUp, Azure DevOps, or GitHub so there's a clear audit trail of remediation. See [Creating issues from Initiatives](/improve/initiatives/issue-config.md).
* **Fix it directly** - For simple gaps (a missing file, an unset integration), an engineer can resolve it immediately from the homepage action item. The rule rechecks automatically.

**Example**

A compliance review surfaces that several AI model services are missing their data privacy policy file, a Bronze-level requirement that's also checked during vendor audits. Rather than tracking down owners individually, the team creates an Initiative with a one-week deadline. Cortex auto-generates Jira tickets, sends reminders, and tracks completion. The team closes the gap before the vendor audit without a single status meeting.

## Measuring impact with Eng Intelligence

[Eng Intelligence](/improve/eng-intelligence.md) gives you the historical view needed to demonstrate that your governance program is working — not just today, but consistently over time.

### Validate that standards are holding

Pull up the [DORA dashboard](/improve/eng-intelligence/dashboards/dora-dashboard.md) and compare MTTR and change failure rate before and after your AI governance Scorecard launched. These metrics tell you whether governance standards are reducing incident impact and catching quality issues before they reach production. A downward trend in both, tracked over time, is the kind of evidence that satisfies auditors and gives leadership confidence to expand AI adoption.

### Watch for compliance regression

New tool adoption, team restructuring, and ownership changes can quietly erode compliance posture. A team that was fully passing their Scorecard rules six months ago may have drifted as engineers turned over or new AI services were added without proper scaffolding. Review Scorecard pass rate trends in Eng Intelligence regularly, since a decline often shows up there sooner than it does in incident data.

When you spot a regression, investigate the pattern before creating work. If multiple teams are failing the same rule, a Workflow or Scaffolder update may be the right fix. If it's isolated to one team, an Initiative with a tight deadline is more appropriate.

### When metrics aren't moving

If MTTR or change failure rate stays flat after your governance program has been running for several weeks, the issue is usually one of three things:

* Low Scorecard pass rates mean teams haven't engaged with the rules yet. Tighten notification settings and consider an Initiative with a firm deadline to drive initial compliance.
* High pass rates but flat metrics suggest the rules aren't targeting the right behaviors. Cross-reference your Scorecard rules against recent incidents involving AI services. If the incidents aren't related to anything your Scorecard tracks, the rules need updating.
* Uneven results across teams point to inconsistent adoption. Use the team-level filter in [Metrics Explorer](/improve/eng-intelligence/metrics-explorer.md) to identify which teams are lagging and whether the cause is ownership gaps, missing integrations, or something else.

## Keeping the Scorecard current

AI regulation moves quickly. A governance program that was comprehensive at launch can develop gaps as new tools are adopted, regulations change, or your organization takes on new risk. Revisit your AI governance Scorecard at least quarterly to:

* Retire rules for tools or requirements your org has moved beyond
* Add rules to reflect new regulatory obligations, updated security standards, or emerging risks
* Raise the bar on existing tiers as your compliance baseline improves

The Scorecard should reflect your current obligations and risk tolerance, not just where you started.
---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter:

```
GET https://docs.cortex.io/solutions/ai-governance/in-action.md?ask=<question>&goal=<endgoal>
```

`ask` is the immediate question: it should be specific, self-contained, and written in natural language.
`goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal.

The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
