You Do Not Need More Dashboards – You Need an AI That Understands Your System – The GRAA Leadership Series Part 7

David Nichols – Co-Founder and Executive Director of the DVMS Institute

There comes a point in many organizations when nobody is genuinely excited about yet another dashboard. It’s not because leaders dislike data; they are immersed in it. They can cite uptime percentages, incident counts, patching rates, control coverage, audit scores, training completion, and risk ratings. GRC teams can produce heatmaps, indices, and maturity scores for nearly any domain or area of interest.

Yet even with all of that, the same questions keep surfacing in executive conversations.

  • Where is our system actually fragile, not just on paper but in practice?
  • Where is our culture quietly overriding our controls?
  • Where is the next real surprise likely to come from, and why?

The reports are increasing, but the sense of uncertainty remains. Turning up the volume hasn’t made the music clearer. This article explores that gap. It explains why more dashboards aren’t the answer and why, at this point, you need something different. You need an AI that understands your system.

When Dashboards Stop Helping

Dashboards do some things very well. They can inform you whether a specific control has been implemented in a particular location. They can show whether a threshold has been breached. They can display trends over time and allow you to slice and dice by business unit, geography, or product line. They can provide you with quick visual cues about where a specific metric stands in relation to its target. They are valuable instruments. The problem arises when you attempt to use them as your primary means of understanding a complex, adaptive organization.

Dashboards do not inherently grasp context. They cannot perceive how leadership signals, structural choices, and human behavior interact in real situations. They lack the ability to identify which small weaknesses might combine to create a serious risk in one value stream but not in another. They also cannot tell you if a wall of green indicators conceals a pattern of cultural drift that is bringing you closer to a problem.

As the number of dashboards grows, executives experience a strange mix of visibility and uncertainty. The organization is producing more information, yet the questions that really matter still demand intuition.

  • Are we becoming more resilient, or only better at reporting?
  • Are our core capabilities actually strengthening, or are we just busier?
  • Is our culture aligned with the story we are telling about governance and risk, or are there quiet contradictions?

At a certain point, the issue is not a lack of data. It is the absence of a model that can make sense of that data in terms of how the whole system behaves.

The Limits of Control-Centric Analytics

Traditional GRC analytics tend to mirror the systems on which they are built. They compile control test results, risk ratings, incident data, loss events, and policy exceptions. They compare these against frameworks, regulations, and internal standards. They let you filter and sort by domain, business unit, region, and control family. When you have a specific question, this approach works perfectly. If you need to locate a particular control that is absent or identify which business units have overdue remediation actions, you can do so easily.

What these analytics do not do is think like your enterprise. They are not rooted in how value truly flows through your organization. They do not start with Create, Protect, Deliver. They do not ask which Minimum Viable Capabilities are being stretched as CPD accelerates in one area more than another. They do not view leadership, structure, and culture as interconnected components of a single system.

As a result, they are weak at identifying specific types of risks. They find it challenging to anticipate failures that result from interactions between different areas, such as technology risk and third-party behavior, or between incentive structures and control design. They also struggle to recognize slow shifts in behavior that move you away from your stated risk appetite, even when individual metrics remain within thresholds. Additionally, they rarely notice when a particular phase of CPD is consistently being squeezed, which may only become apparent as incidents months later.

You might try to fill these gaps by adding more metrics, commentary, and meetings. In practice, that often leads to more work for the same people without increasing insight. If you want a different perspective, you need to change who or what is doing the thinking.

What It Means For an AI To Understand Your System

When we discuss an AI that understands your system, we’re not referring to a generic chatbot attached to a GRC tool and tasked with summarizing dashboards. We’re talking about an AI that is deeply integrated into the architecture you’ve been developing throughout this series.

That architecture has three essential elements.

First, the organization operates based on CPD. You have chosen to describe your business in terms of how it creates, protects, and delivers digital value, and to treat GRAA as an emergent property of that process.

Second, you’ve identified your Minimum Viable Capabilities. You recognize that skills such as govern, assure, plan, design, execute, change, and innovate are essential. Without them, CPD remains fragile, regardless of how comprehensive your control catalog appears.

Third, you have adopted a 3D perspective. Leadership signals, structural design, and behavior under load are viewed as interconnected components of a single system, rather than separate topics managed by distinct functions.

An AI that understands your system is part of this model rather than separate from it. It ingests signals from across the enterprise, but it interprets them by asking questions like these.

  • What is happening in specific CPD flows, and what does that say about the capabilities we are depending on there?
  • What patterns in incidents, changes, and decisions suggest that leadership messages, structures, and cultural behavior are out of alignment?
  • Where are we seeing recurring mismatches between what our frameworks and dashboards say should be happening, and what appears to be happening in practice?

In other words, it uses your understanding of the enterprise as a complex, adaptive system as its frame of reference.

From Dashboards To a System Cartographer

One analogy can be helpful here. Think of dashboards as charts. A chart can show you where certain things are at a specific point in time. It can be detailed, accurate, and visually precise. However, a chart does not update itself, nor does it show how the terrain is changing or how people are actually moving through it.

Now think of a cartographer. A cartographer observes how people travel. They track routes that appear and disappear. They notice where traffic consistently forms, where paths intersect, and where people continually create informal shortcuts that were never planned. Over time, they develop an intuitive understanding of the landscape.

In the DVMS world, the Adaptive Edge Platform and Kaia are designed to function more like cartographers than chart makers. They are not there to replace your frameworks, controls, or metrics. They are there to monitor how the system behaves over time, in the context of CPD, capabilities, and culture, and to communicate that understanding back to leadership.

They can interpret signals from change records, incident logs, service performance data, customer feedback, survey results, third-party performance information, and even the language used in reports and communications. They then convert these signals into observations that sound less like “metric X is out of range,” and more like “this part of the system is drifting.”

For example, applied to a real value stream, they might say something like:

In this onboarding process, creation and delivery are speeding up, but essential protection activities are being casually skipped. We see indications that the assure and design capabilities are strained, and that cultural norms are accepting small deviations from the planned process.

Or:

In this region, leadership messages emphasize resilience and ethics; however, in time-pressured situations, a consistent pattern of decisions emerges that prioritizes short-term revenue over early escalation. This indicates a growing disconnect between stated risk appetite and actual behavior on the ground.

Or:

In this supplier ecosystem, performance variability is rising. Escalations are focused on a few key areas, and delays occur in the remediation process. Assurance coverage seems sufficient on paper, but behavior suggests that protection capabilities are weaker than we believe in this chain.

Those are system-level statements. They do not replace human judgment, but they focus it.

What Changes When AI Plays This Role

If you see AI as just another reporting tool, it will only help you create more charts and write more text around the same data slices. It will speed up what you already do without expanding your perspective. But if you view AI as a system cartographer within the DVMS architecture, several new possibilities emerge.

You can direct leadership focus to where it truly matters. Instead of scanning through numerous dashboards, executives can focus on a few key areas where the AI has identified significant misalignment in CPD flows or signs of drift in capabilities and culture.

You can identify cross-domain patterns that would otherwise go unnoticed. The AI can link signals from technology, operations, third parties, incidents, and cultural indicators, showing where they overlap. For example, it can detect that increases in exception requests in one area are related to rising incident rates in another.

You can monitor the impact of interventions over time. Whether you modify a metric, make the right decision, enhance a capability, or reframe a leadership message, AI can help you see if the behavior in relevant CPD flows is truly changing as intended.

You can shift from a static view of risk to a more dynamic understanding of resilience. Instead of asking “What are our top risks?” as a periodic exercise, you can ask “Where is the system gaining resilience, and where is it losing it, as value, capabilities, and culture evolve?”

None of this eliminates the need for human judgment. It provides a better perspective on that judgment.

Guardrails For Using AI in Governance

There are valid concerns about relying on AI in governance and risk management. Any serious approach must address these concerns directly. From the DVMS perspective, several guardrails are essential.

AI functions as an advisor, not an authority. It can identify patterns, generate hypotheses, and suggest areas to investigate, but it does not make decisions. Accountability for decisions remains with human leaders.

The model it uses is explicit. Because AI is grounded in CPD, Minimum Viable Capabilities, and the 3D lens, its outputs can be discussed in terms that executives and GRC leaders already understand. It does not hand you a mysterious score. It offers a narrative about value flows and capabilities that you can challenge, refine, or reject.

Transparency and feedback are integral to the design. Leaders should be able to ask why a particular conclusion was made, and they should offer feedback when the AI’s interpretation doesn’t align with observed reality. Over time, this interaction enhances the system’s understanding of the organization.

Ethical and privacy boundaries are clear. Data used to train and operate AI must be governed appropriately. It is not intended for covert surveillance of individuals. Instead, it supports system-level understanding and decision-making.

The principle is simple: AI is invited into governance as a disciplined participant, not as an oracle. Kaia is not a one-size-fits-all, out-of-the-box AI agent. Kaia learns about your organization, how it works, where it falls short, and how leadership makes decisions, eventually joining the risk team as a trusted advisor.

What This Means For Executives and GRC Leaders

For executives, an AI that understands their system presents an opportunity to change how they allocate their time and attention. Instead of trying to reconcile every dashboard and report personally, you can request a synthesized view of where CPD flows, capabilities, and cultural behaviors are out of alignment with your stated intent and risk appetite. This allows you to focus your energy on decisions only you can make, such as changing strategy, adjusting priorities, or resetting expectations.

For GRC leaders and analysts, this kind of AI acts as an amplifier, not a threat. It can handle some of the heavy lifting in correlation and pattern recognition, allowing human experts to focus on interpretation, communication, and design. It also helps them frame their work in the language of CPD and capabilities rather than just frameworks and controls. This approach makes it easier to engage with the business.

Most importantly, it can help ensure that the overlay you have chosen and the cultural and structural changes you are implementing do not become static diagrams. AI can provide ongoing insights into how the system is actually functioning, so that GRAA remains connected to reality instead of drifting into ritual.

Looking Ahead – From Insight To Everyday Practice

Throughout this series, we have taken a journey. We began by identifying the issue that traditional GRC investments have not provided the resilience leaders expected. We recognized the overlay problem, which is the need for a unifying way to organize frameworks and tools. We highlighted culture as the most challenging control surface. We introduced a 3D perspective on leadership, structure, and behavior as a system. We defined a Minimum Viable Capability foundation and described the enterprise in terms of CPD, the cycle of creating, protecting, and delivering value.

In this article, we have integrated AI in its proper role, not as just another gadget, but as a system cartographer that can help you understand the organization you have designed at its current speed.

The final step is a practical one. How do you start this journey without creating yet another transformation program that people quietly resist? How do you introduce these ideas into everyday leadership and GRC practice in a way that is cumulative and credible?

That is the focus of the last article in this series: Starting the Journey Without Burning the House Down. Ultimately, the test of all this is simple. Does it change the conversations your leaders have, the decisions they make, and the behavior your system expresses when it is under pressure?

About the Author

Dave is the Executive Director of the DVMS Institute.

Dave spent his “formative years” on US Navy submarines. There, he learned about complex systems, how to function in high-performance teams, and what it takes to be an exceptional leader. He took those skills into civilian life and built a successful career leading high-performance teams in software development and information service delivery.

Digital Value Management System® (DVMS)

Organizations don’t experience catastrophic digital breaches because they lack the frameworks and systems to create, protect, and deliver the value stakeholders and regulators expect.

They suffer breaches because those frameworks and systems operate in silos and fail at their boundaries when placed under real-world stress.

The Digital Value Management System® (DVMS) integrates fragmented frameworks and systems such as NISTCSF, GRC, ITSM, DevOps, and AI into a unified living overlay system that:

  • Enables Adaptive Governance through risk-informed decision-making
  • Sustains Operational Resilience through a proactive and adaptive culture
  • Measures Performance Assurance through evidence-based outcomes
  • Ensures Transparent Accountability by making intent, execution, and evidence inseparable

At its core, the DVMS is a simple but powerful integration of:

  • Governance Intent – shared expectations and accountabilities
  • Operational Capabilities – how the digital business actually performs
  • Assured Evidence – proof that outcomes are achieved and accountable

Through its MVC, CPD, 3D Knowledge, and FastTrack Models, a DVMS turns this integration into three distinctive capabilities:

A Governance Overlay that replaces fragmentation with unity. The DVMS provides organizations with a structured way to connect strategy with day-to-day execution. Leaders gain a consistent mechanism to direct, measure, and validate performance—across every system responsible for digital value.

A Behavioral Engine that drives high-trust, high-velocity decision-making. The DVMS embeds decision models and behavioral patterns that help teams think clearly and act confidently, even in uncertain situations. It is engineered to reduce friction, prevent blame-based cultures, and strengthen organizational reliability.

A Learning System that makes culture measurable, adaptable, and scalable. Culture becomes a managed asset—not an abstract concept. The DVMS provides a repeatable way to observe behavior, collect evidence, learn from outcomes, and evolve faster than threats, disruptions, or market shifts.

DVMS Organizational Benefits

Instead of replacing existing operational frameworks, the DVMS elevates them—connecting and contextualizing their data into actionable intelligence that validates performance and exposes the reasons behind unmet outcomes.

By adopting a DVMS, organizations are positioned to:

  • Maintain Operational Stability Amidst Constant Digital Disruption
  • Deliver Digital Value and Trust Across A Digital Ecosystem
  • Satisfy Critical Regulatory and Certification Requirements
  • Leverage Cyber Resilience as a Competitive Advantage

DVMS Leadership Benefits

The Digital Value Management System (DVMS) provides leaders with a unified, evidence-based approach to governing and enhancing their digital enterprise, aligning with regulatory requirements and stakeholder expectations.

For the CEO, the DVMS provides a clear line of sight between digital operations, business performance, and strategic outcomes—turning governance and resilience into enablers of growth and innovation rather than cost centers.

For the Board of Directors, the DVMS provides ongoing assurance that the organization’s digital assets, operations, and ecosystem are governed, protected, and resilient—supported by evidence-based reporting that directly links operational integrity to enterprise value and stakeholder trust.

For the CIO, CRO, CISO, and Auditors, the DVMS provides an integrated, adaptive, and culture-driven governance and assurance management system that enhances digital business performance, resilience, trust, and accountability.

DVMS White Papers

The whitepapers below present a coherent progression that shifts organizations from compliance-driven thinking to a modern system of Governance, Resilience, Assurance, and Accountability (GRAA). Collectively, the three papers define a comprehensive system for building and governing resilient digital enterprises, grounded in evidence rather than assumptions.

The Assurance Mandate Paper sets the stage by showing why traditional GRC artifacts provide only reassurance—not evidence—and calls boards to demand forward-looking proof that their organizations can continue to create, protect, and deliver value under stress.

The Assurance in Action Paper elevates the conversation from leadership intent to managerial execution, demonstrating how the DVMS operationalizes resilience by translating outcomes into Minimum Viable Capabilities, connecting frameworks through the Create–Protect–Deliver model, and generating measurable assurance evidence that managers can use to demonstrate real performance rather than activity.

The Governing by Assurance Paper elevates the approach to the policy and regulatory level, showing how DVMS functions as a learning overlay system that links governance intent, operational capability, and verifiable evidence into a continuous loop—enabling regulators, agencies, and enterprises to govern by outcomes rather than checklists and to prove capability with measurable, auditable performance data.

DVMS Cyber Resilience Certified Training Programs

DVMS Cyber Resilience Awareness Training

The DVMS Cyber Resilience Awareness course and its accompanying body of knowledge publication educate all employees on the fundamentals of digital business, its associated risks, the NIST Cybersecurity Framework, and their role within a shared model of governance, resilience, assurance, and accountability for creating, protecting, and delivering digital value.

This investment fosters a culture that is prepared to operate within a system capable of transforming systemic cyber risks into operational resilience.

DVMS NISTCSF Foundation Certification Training

The DVMS NISTCSF Foundation certification training course and its accompanying body of knowledge publications provide ITSM, GRC, Cybersecurity, and Business professionals with a detailed understanding of the NIST Cybersecurity Framework and its role in a shared model of governance, resilience, assurance, and accountability for creating, protecting, and delivering digital value.

This investment equips IT, GRC, Cybersecurity, and Business professionals with the skills to operate within a system capable of transforming systemic cyber risks into operational resilience.

DVMS Cyber Resilience Practitioner Certification Training

The DVMS Practitioner certification training course and its accompanying body of knowledge publications teach ITSM, GRC, Cybersecurity, and Business practitioners how to elevate investments in ITSM, GRC, Cybersecurity, and AI business systems by integrating them into a unified governance, resilience, assurance, and accountability system designed to proactively identify and mitigate the cyber risks that could disrupt operations, erode resilience, or diminish client trust.

This investment equips IT, GRC, Cybersecurity, and Business practitioners with the skills to assess, design, implement, operationalize, and continually innovate a Digital Value Management System® program that operationalizes a shared model of governance, resilience, assurance, and accountability for creating, protecting, and delivering digital value.

Digital Value Management System® is a registered trademark of the DVMS Institute LLC.

® DVMS Institute 2025 All Rights Reserved
