Graziul Advisory

Methodology

Governance is a stock, not a flow.

Most governance assessments measure compliance at a moment in time. That's a snapshot. The structural question is how long the snapshot stays accurate before something material moves — a model update, a regulatory shift, a vendor pivot, a staff turnover.


The thesis

Governance is a stock, not a flow. It depreciates continuously, but failures are discrete events at the weakest structural point.

Three implications follow. Your governance never gets better just because you wrote it once — it ages from the moment of approval. Most frameworks measure adherence, not durability, so the part you'd want to manage is the part you can't see. And when failure arrives it doesn't arrive as a slow degradation — it arrives at the weakest structural point, all at once.


Three axes of decay

What changes underneath your policy.

1. Model capability drift

What your AI system can do changes when the model is updated. The capabilities you governed last quarter are not the capabilities you have today. Ask anyone whose policy was written against GPT-4 and is now being applied to a 2026 frontier model.

2. Regulatory surface drift

The legal landscape changes faster than internal policies. The Colorado AI Act, Illinois HB 3773, the EU AI Act phase-ins, and sector-specific regulators are all moving on independent calendars. The policy you wrote last year against NYC LL144 is not the policy you need this year.

3. Organizational adoption drift

How your people use the system today is not how they used it last quarter. Scope creep is the quiet governance failure. The gap between what's audited and what's deployed is the dominant risk surface for mid-sized organizations.


The eight structural causes

Where governance breaks under structural pressure.

Twenty-one documented governance failures trace back to eight recurring structural causes. The diagnostic asks about each one. Your overall shelf-life is set by the worst-scoring cause, not the average — governance lasts as long as its weakest structural link.

The frequencies below count the cases in which each cause was a primary or material driver. They are sector-agnostic, and they stay stable while the frameworks built on top of them churn every 6 to 18 months.

  1. Cause 01 · 13 of 21 cases

    A moving external reference

    How much of your governance is borrowed from a regulator, a vendor roadmap, a specific model, or outside counsel — and what happens when that reference moves. The single most common failure mode, and the one that voids governance without any policy ever being broken.

  2. Cause 02 · 10 of 21 cases

    A generic policy that can't hold the edge case

    Whether the policy has a definition-shaped hole — a case inside its spirit but outside its operational scope. "We haven't had any weird cases" almost always means you don't yet know about the ones you've had.

  3. Cause 03 · 10 of 21 cases

    Absent or performative feedback

    Whether a metric would actually move if this governance were failing — and whether anyone reviews it. A dashboard that tracks activity (audits run) rather than outcome (audits catching things) is worse than none: it manufactures confidence and guarantees no alarm.

  4. Cause 04 · 9 of 21 cases

    An unclear accountability locus

    Whether one person has both the authority to pause the system and the knowledge to know when pausing is right — or whether, in a crisis, you get different answers to "who decides" from different people.

  5. Cause 05 · 7 of 21 cases

    Stakeholders excluded from the loop

    Whether the people the system acts on — the subjects, not employees — have a real channel that has changed an outcome, or only a form, a ticket, and a stakeholder list that maps to documents instead of people with standing to object.

  6. Cause 06 · 7 of 21 cases

    Deployed scope beyond governance scope

    Whether the governance written for a pilot is still in force at full rollout; written for the US, running in the EU; written for decision-support, used as the decision-maker. Scope creep is the quiet failure.

  7. Cause 07 · 5 of 21 cases

    External pressure faster than internal process

    The gap between the fastest your governance can make a binding change and the fastest a regulator, the press, or an adversary can force one. That delta is your exposure window.

  8. Cause 08 · 5 of 21 cases

    Escalation gridlock

    Whether authority and knowledge sit together, joined by a protocol — or whether the people who can see the problem cannot act and the people who can act cannot see it. What keeps this unlocked is the reasoning behind past decisions surviving staff turnover — governance legibility, the distinctive question no mainstream framework asks.


Two tripwires

Patterns that flag regardless of overall score.

Tripwire 1

"No dissent raised."

We treat "no dissent raised" as a diagnostic signal rather than a score-positive. In our case-study base, silent consensus precedes the largest governance failures more often than documented disagreement does.

Tripwire 2

"Our system isn't changing behavior."

Any AI system in active use is changing behavior — that's what "active use" means. Organizations that believe their system isn't changing behavior are the most exposed to endogenous drift, because they've ruled out the category of risk that theory predicts they'll encounter first.


How it's scored

A band, and a horizon.

The free check answers two different questions, and they use two different scales. They are not the same measurement and they do not compete.

A durability band — Brittle, Aging, or Durable-ish.

How well your governance can notice when it stops being valid. A program can be fully compliant today and still land in Brittle if it has no mechanism to catch its own drift. The band is set by your weakest structural cause, not an average — every point of it traces back to a specific answer you gave.

A shelf-life horizon — in months.

Roughly how long until something material is likely to move: tied to a model version (shorter), a regulation, a decision process, or a stable principle with a live feedback loop (longer). This is a duration estimate, read alongside the band — not a restatement of it.

Because the free check is self-reported, it is an honest estimate, not a verified audit — the score is capped accordingly, and we say so on the result. The paid Shelf-Life Assessment is where each control gets a dated horizon, its exogenous triggers, and a re-examination calendar.


What this is not

This methodology does not replace NIST AI RMF, ISO 42001, the EU AI Act, or any other compliance framework. It measures something they don't ask: how long the answers will still be true.

If your auditor needs an artifact that reads as compliance evidence, this isn't it. The shelf-life work sits underneath compliance work and tells you when the compliance work will stop being accurate.


Worked example

For the methodology applied to its own institution — a 501(c)(3) whose governance is designed to fold itself into community leadership, with documented hand-off triggers and interim commitments — read the IDEP case study.

Want to see this applied to your governance?