Governance Readiness Diagnostic

Get Your Governance Score

Enter your details. Your diagnostic report lands in your inbox immediately.

See where accountability and authority split apart
Find the governance gaps creating real risk exposure
Receive a written assessment with findings specific to your stack

Full Name*

Work Email*

Company Name*

Your results are emailed instantly. No spam. Unsubscribe anytime.

Step 1 of 5

Accountability Architecture

Question 1 of 15

Last time a security incident hit, who was held accountable? The person who approved the decision or the person who executed it?

The approver. Ownership follows authority. Unclear. It depended on the outcome. The executor. Regardless of who approved.

Question 2 of 15

Does your board receive a cybersecurity report separate from the IT budget?

Yes. Separate governance report, reviewed quarterly or more. Sometimes. It gets bundled into IT or ops updates. No. Cybersecurity lives inside the IT budget conversation.

Question 3 of 15

If your most senior security person resigned tomorrow, would your board know what they owned?

Yes. Documented and understood at board level. Partially. The role exists but accountability is not formally documented. No. It would need to be rebuilt from scratch.

Step 2 of 5

AI Governance

Question 4 of 15

Who approved the last AI tool your team adopted?

Defined approval process. Documented and traceable. A senior person approved it informally. Not sure. Someone just started using it.

Question 5 of 15

Do you know which AI tools currently have access to your organisation's data?

Yes. Audited, documented, reviewed regularly. The main ones. Not all of them. No. It would take an investigation to find out.

Question 6 of 15

Is there a documented policy for what data can and cannot be shared with AI tools?

Yes. Written, communicated, and monitored. Informal guidelines. Nothing formally documented. No policy. People use their own judgment.

Step 3 of 5

Decision Sovereignty

Question 7 of 15

In your last three leadership meetings, was cybersecurity governance a standing agenda item?

Yes. Every meeting, with a named owner. Occasionally. Only when something went wrong. No. It comes up reactively.

Question 8 of 15

Can you name the exact moment in your last security incident where accountability broke down?

Yes. Documented with corrective action on record. Discussed internally. Nothing documented. We moved on without a formal review.

Question 9 of 15

When a vendor requests access to your critical systems, who approves it?

Defined process. Named, accountable owner. Usually IT. No formal process. Whoever is available at the time.

Step 4 of 5

Compliance Integrity

Question 10 of 15

Does your compliance programme reflect the actual state of your controls or the state you want them to be in?

Actual state. We test, verify, and document gaps honestly. Somewhere in between. Some controls are aspirational. Aspirational. The documentation leads the reality.

Question 11 of 15

When did someone last test whether your incident response plan actually works?

Within 12 months. Tested, reviewed, updated. We have a plan. It has not been tested recently. We have documentation. No test has ever been run.

Question 12 of 15

If a regulator asked for evidence of your AI governance controls today, could you produce it within 24 hours?

Yes. Documented, organised, accessible. Partially. Some documentation exists but incomplete. No. It would take significant effort to compile.

Step 5 of 5

Operator Readiness

Question 13 of 15

Can your security team stop a project on security grounds without escalating?

Yes. Documented authority. No escalation required. Technically yes. But it requires board or CEO sign-off. No. They can flag it but cannot halt it.

Question 14 of 15

Who has final say on security architecture? The security lead or the product/engineering team?

Security lead. Documented authority, clear escalation path. Shared. Security has a formal veto. Product or engineering. Security reviews but does not decide.

Question 15 of 15

If your most senior security person left tomorrow, would your governance architecture survive them?

Yes. It lives in the system, not the person. Partially. Some institutional knowledge would walk out the door. No. They are the governance architecture.

Is Your Governance Architecture Actually Governed?

Get Your Governance Score