Four signal layers, scored monthly per service, produce a fragility register that names your next outage weeks before it happens. Size is not risk. Neglect is risk. The heat map measures neglect.
Compliance is not the brake. The single review queue is. Risk-tier the routing, codify the patterns, automate the checks — and 70% of AI requests stop touching a human. The bottleneck is architectural, not regulatory.
Single-metric attrition dashboards die in two weeks because their false-positive rate is too high to trust. The signal that holds is four independent metrics drifting together, on one person, across the same fortnight. Architecture, scoring, and the surveillance line.
Forty entries scored 1-5 in a SharePoint folder is not governance. It is theater. A risk register the board acts on has five entries, dollar ranges, named owners, and a regulatory deadline next to each one.