What is Velocity Governance?

Velocity Governance is the discipline of observing whether engineering practices keep pace with development velocity. As teams adopt AI and ship faster, Concordance monitors 50 protocols across 6 SDLC phases to ensure quality, security, and compliance don't degrade.

How does Concordance help with CRA compliance?

Concordance maps 50 engineering protocols to all 21 CRA Annex I essential requirements, generating continuous audit-ready evidence from your actual engineering toolchain — GitHub, GitLab, Jira, Linear, and more. No manual documentation required.

How does Concordance help with NIS2 compliance?

Concordance maps 50 engineering protocols to all 10 NIS2 Article 21(2) essential measures, providing continuous compliance evidence from your SDLC. It covers supply chain security, incident handling, risk assessment, and secure development practices.

The Foundation Scan is completely free — scan any public GitHub repository and get engineering practice scores across 50 protocols in under 60 seconds. No sign-up required. Pro plans start at $49/month for continuous monitoring.

How is Concordance different from DORA metrics?

DORA metrics measure deployment frequency, lead time, change failure rate, and recovery time — they tell you how fast you ship. Concordance measures 50 engineering practices across 6 SDLC phases — it tells you if your processes can keep up with that speed. They're complementary: DORA measures velocity, Concordance governs it.

What does Concordance access?

Concordance reads only metadata — PR configurations, CI pipeline configs, branch protection rules, dependency manifests, and workflow signals. It never accesses source code, secrets, or credentials.

Concordance Labs · April 2026

The Team at Concordance

April 2026 · 6 min read

3 AI Metrics Every Board Demands in 2026

Boards have moved past AI enthusiasm and into accountability mode. The question is no longer "are we using AI?" but "is it under control and delivering value without creating existential risk?" Three specific metrics have emerged as the standard for answering that question with hard data instead of narratives.

1. AI Model Reliability and Hallucination Rate

This is the primary metric for operational safety. It measures the frequency of inaccurate, biased, or nonsensical outputs from AI systems in production. Specifically, it tracks the percentage of AI outputs that require human correction or fail automated grounding checks — comparisons against a verified knowledge base.

The board doesn't just want the current number. They want a trend line showing that error rates are declining over time, demonstrating the system is becoming more trustworthy and reducing the risk of providing incorrect information to customers or employees. A flat or rising hallucination rate is a red flag that triggers deeper questions about whether the AI investment is mature enough for production use.

What engineering teams need: Automated evaluation pipelines that continuously measure output quality against golden datasets, human-in-the-loop override tracking, and grounding checks integrated into production systems. This isn't a quarterly audit — it's continuous monitoring that feeds board-level dashboards.

2. Shadow AI Discovery and Coverage

Boards are acutely aware that the biggest AI risks often come from tools nobody approved. Shadow AI — employees using free-tier AI services, running code through external models, or building internal agents without architecture review — represents unquantified exposure to data leakage, IP risk, and compliance violations.

The metric boards want is the ratio of sanctioned AI applications to detected unsanctioned applications — the "discovery-to-governance" ratio. A high ratio proves that the IT and security teams are successfully identifying shadow AI tools and either blocking them or bringing them into a secure, governed environment. A low ratio means the organisation is flying blind.

What engineering teams need: Network-level visibility into AI service usage, API call monitoring, and a process for evaluating and onboarding discovered tools rather than just blocking them. Practice-level data about how development teams interact with AI tools — code review practices, testing practices, security review practices — provides the evidence layer that shows whether AI adoption is governed or chaotic.

3. Mean Time to Triage (MTTT) for AI Vulnerabilities

With the EU Cyber Resilience Act and NIS2 mandating 24-hour reporting for actively exploited vulnerabilities, speed is the new compliance standard. The mean time to triage measures the average duration from detecting a potential AI-specific risk — prompt injection attacks, data leakage, model manipulation — to a human-led decision on mitigation.

If the MTTT exceeds 24 hours, the organisation is in legal breach of its reporting obligations. This is the metric that connects engineering operational capability directly to regulatory compliance and board-level risk exposure. It's not theoretical — a 48-hour MTTT means the CEO must explain to the board why the company cannot meet its legal obligations.

What engineering teams need: Automated detection of AI-specific vulnerability patterns, pre-built triage workflows with clear escalation paths, and incident response practices that have been tested and measured — not just documented. The practice maturity of your incident response directly determines whether this metric is achievable.

Why Practice Data Underpins All Three

Each of these metrics depends on engineering practice maturity. Hallucination rates require testing and evaluation practices. Shadow AI coverage requires security and governance practices. Triage speed requires incident response and operational practices. Without practice-level visibility, these metrics are either unmeasurable or unreliable. The organisations that can confidently report these numbers to their boards are the ones that have invested in measuring and improving their foundational engineering practices.

Read: Board AI Governance — From Narrative to Metrics-Driven Oversight →

Read: What Boards Are Asking CTOs About AI in 2026 →

Get board-ready practice metrics with a free Foundation Scan →