Back to Insights
Real-Time Governance: What Your Dashboard Should Show
AI Governance Code Governance GuardSpine Observability Dashboard

Real-Time Governance: What Your Dashboard Should Show

The metrics that matter for AI governance: review velocity, evidence bundle rates, risk distribution, model agreement scores, and escalation frequency.

Your governance dashboard is a screenshot factory. Green checkmarks, pie charts, a compliance score that has read “94%” for six months straight. Your CISO shows it to the board. Nobody asks what the numbers mean because the slide looks professional.

I will ask what they mean: nothing. A dashboard that shows pass rates without evidence depth, risk distribution without trend lines, or review counts without council disagreement data is not governance visibility. It is theater. And theater is worse than having no dashboard at all, because it creates the illusion that someone is watching.

Most teams discover this when an auditor asks a question the dashboard cannot answer. “Show me the last time a high-risk change was escalated to a human.” If the answer takes more than ten seconds to find, your dashboard is decoration.

The Five Metrics That Matter

After running GuardSpine across multiple repositories and analyzing the evidence bundles, I have settled on five governance metrics that tell you whether your review process is functioning or just performing.

1. Risk Distribution

What percentage of your changes fall into each risk tier?

A healthy codebase has a pyramid distribution: lots of L0-L1 changes (formatting, docs, dependency bumps), a moderate number of L2 changes (feature work, refactors), and a small number of L3-L4 changes (auth, payment, crypto, infrastructure).

If your L3-L4 percentage is climbing, either your codebase is getting riskier (possible) or your classification rules need tuning (more likely). If L3-L4 is at zero, your trigger rules are probably too narrow — you are missing risk.

The dashboard shows this as a stacked bar chart over time. Weekly granularity is enough. You want trends, not noise.

2. Council Agreement Score

How often do the AI reviewers agree?

GuardSpine’s council agreement score is a number between 0 and 1 that measures how aligned the AI reviewers are on each change. A score of 1.0 means all models agreed on every aspect of the review. A score below 0.6 triggers escalation to a human reviewer.

The aggregate agreement score across all reviews tells you something important: how ambiguous your code changes are to AI reviewers. A team with consistently high agreement scores (above 0.85) is probably writing clear, well-structured code. A team with low agreement scores either has complex domain logic that the models struggle with, or has code quality issues that manifest differently to different models.

Track this weekly. If agreement scores drop, investigate what changed. New team member unfamiliar with conventions? New feature area the models have not seen before? Rushed code with unclear intent? The score is a proxy for code clarity.

3. Escalation Rate

What percentage of reviews escalate to a human?

The escalation rate is the ratio of human-reviewed changes to total changes. Too high means your automation is not trusted or your thresholds are too aggressive. Too low means you might be auto-approving changes that need human judgment.

There is no universal right number, but I target 15-25% as a starting range. This means roughly one in five changes gets human attention. The other four are handled by the AI council within the risk-tier policy.

The interesting metric is escalation reason distribution. Is the council disagreement trigger firing more than the risk tier trigger? Are PII-Shield findings driving most escalations? The reason breakdown tells you where to improve your policies or your code practices.

4. Evidence Bundle Completeness

What percentage of your evidence bundles have all required fields?

A complete evidence bundle contains the diff, risk classification, council votes, approval decision, and any required signatures. An incomplete bundle is missing one or more of these. This can happen when a review times out, when a model API returns an error, or when a policy requires a signature that was never applied.

Bundle completeness below 95% is a red flag. It means your governance pipeline has reliability issues. Incomplete bundles are weak audit evidence — they prove that a review started but not that it finished.

The dashboard should show completeness as a percentage with a trend line, and list any incomplete bundles so you can investigate and backfill.

5. Review Velocity

How long does the governance review take, from PR opened to review complete?

This is not the same as “time to merge.” Review velocity measures just the automated governance steps: diff extraction, risk classification, council review, evidence bundle generation. The human review time (for escalated changes) is tracked separately.

Automated review velocity should be under two minutes for typical PRs. If it is climbing, you have a performance problem — possibly model API latency, large diffs that need chunking, or policy rules that are computationally expensive.

Human review velocity matters more strategically. If escalated PRs sit for days waiting for human review, your escalation policy is creating a bottleneck. Either you need more authorized reviewers, your thresholds are too aggressive, or your team does not understand the escalation workflow.

CI Dashboard vs. Governance Dashboard

A CI dashboard answers: “Did the code pass its tests?” A governance dashboard answers: “Was the code change properly reviewed, classified, and approved through a documented process?”

These overlap but do not substitute. A change can pass all tests and have no governance review. A change can fail tests but have a perfectly documented review with a human override and rationale. The CI dashboard says nothing about whether the review process worked. The governance dashboard says nothing about whether the code works.

You need both. They should be separate views with separate alert thresholds.

The CI dashboard alerts on build failures. The governance dashboard alerts on:

  • Evidence bundle completeness dropping below threshold
  • Escalation rate spiking (indicates a process or policy problem)
  • Council agreement score dropping (indicates code quality or model issues)
  • Review velocity climbing (indicates performance or capacity problems)
  • Zero L3+ reviews in a period (indicates possible classification gaps)

What Auditors Want to See

When an auditor asks about your change management process, they want three things: policy, evidence that the policy was followed, and evidence that the policy was effective.

The governance dashboard gives them all three in one view.

Policy: The rubric files in your repository, version-controlled, showing exactly what rules were in effect during the audit period.

Compliance evidence: The evidence bundle statistics showing that every change was reviewed according to the rubric. Bundle completeness at 99.5%. Escalation rate within expected range. Every L3+ change has human approval.

Effectiveness evidence: Council agreement trends, risk distribution patterns, and escalation resolution data showing that the review process catches issues and routes them correctly.

Compare this to the typical audit preparation: two weeks of scrambling, pulling screenshots, reconstructing who reviewed what, and hoping nothing fell through a crack. The dashboard replaces all of that with a single view that updates in real time.

Building the Dashboard

GuardSpine stores evidence bundles as JSON files with structured metadata. Building a governance dashboard means aggregating that metadata. The data model is simple:

  • Each evidence bundle has a timestamp, risk tier, agreement score, completeness status, and review duration
  • Each escalation event has a trigger reason, response time, and resolution
  • Each policy evaluation has a rule name, result, and risk tier

You can build the dashboard with any tool that reads JSON and plots charts. Grafana with a JSON data source works. A custom React dashboard works. Even a Python script that generates a static HTML report works.

The key is not the tool. The key is the five metrics, updated at least daily, with trend lines that show whether your governance process is improving or degrading.

Governance Is Observable or It Is Theater

If you cannot measure your governance process, you cannot improve it. If you cannot show an auditor real-time metrics, you are asking them to trust your process on faith. If your dashboard only shows CI pass/fail, you are blind to whether your review process is actually running.

The metrics are not complicated. The data is already in your evidence bundles. The dashboard is the part that makes governance visible, and visibility is the difference between governance and compliance theater.

Want to see the governance dashboard running on real evidence bundles? Book a demo and I will walk through live metrics from an active repository.