What a governance report actually contains
Most "AI governance" documents are legal insulation. A working governance report is stranger and more useful: a monthly account of what your system did, refused to do, and learned. Here is the table of contents.
Read the dispatch
Ask a vendor for their AI governance documentation and you will typically receive a policy: principles, commitments, a diagram with the word “oversight” in it. Policies describe intentions. A governance report describes events. Owners need the second one, and almost nobody writes it.
Ours runs a few pages, monthly, in plain English. First, volumes: what the system handled this month — runs completed, documents processed, decisions drafted — against the previous month, so drift in workload is visible before it becomes drift in behavior.
Second, and most telling, refusals: what the system declined to do. A healthy governed system says “I am not sure” regularly, and each refusal is listed with its reason. A report with zero refusals does not mean a perfect system; it usually means an overconfident one. This section is where owners learn to read their automation’s character.
Third, escalations: every case handed to a human, how long the human took, and what they decided — because escalation paths that are never exercised are decorative, and ones that are exercised constantly are a design flaw wearing a safety costume.
Fourth, incidents and lessons: what surprised the system, what it cost, and what changed as a result — ideally a new gate, so the same surprise can never arrive twice. Fifth, the gate record itself: how many checks ran, how many stayed green, and what any red one meant.
The test of the document is simple. Hand it to a board member with no technical background and ask them two questions: do you understand what this system did last month, and do you know who answers for it? If both answers are yes, the system is governed. Everything else is stationery.