Our Scoring Methodology
How we evaluate AI tools for regulated industries
Why Governance Scoring Matters
Regulated industries face unique challenges when adopting AI tools. Compliance requirements, data privacy concerns, and the need for explainability demand a rigorous evaluation process. Traditional software reviews don't capture these critical dimensions.
GovernAtlas provides a standardized framework for evaluating AI governance. Our methodology is built on industry standards, regulatory requirements, and best practices from healthcare, financial services, legal, and government sectors.
Every tool in our directory is scored across five dimensions, providing buyers with comparable, objective data to inform their procurement decisions.
Governance Score Overview
Each tool receives a Governance Score from 0 to 100, calculated as a weighted average of five dimensions. Here's how to interpret the scores:
Five Scoring Dimensions
Security (25%)
Evaluates the security controls and certifications in place to protect data and systems.
What We Evaluate
- Industry certifications (SOC 2, ISO 27001)
- Encryption standards (at rest and in transit)
- Access controls and authentication
- Penetration testing frequency
- Incident response procedures
- Security audit history
How It's Scored
Points are awarded for each verified certification and documented security practice. SOC 2 Type II earns more points than Type I. Regular third-party audits increase the score.
Data Sources
Vendor trust pages, SOC 2 reports, public documentation, security certifications
Transparency (25%)
Measures how clearly the vendor communicates about their AI systems and practices.
What We Evaluate
- Model documentation (model cards)
- Decision explainability features
- Training data disclosure
- Limitation acknowledgment
- Update and changelog practices
- Public technical documentation
How It's Scored
Points for published model cards, explainability features, clear documentation about capabilities and limitations, and transparent communication about data usage.
Data Sources
Technical documentation, published papers, product features, public statements
Fairness (20%)
Assesses efforts to ensure AI systems treat all users equitably.
What We Evaluate
- Bias testing procedures
- Demographic parity measures
- Third-party fairness audits
- Remediation procedures
- Diverse training data practices
- Ongoing monitoring for bias
How It's Scored
Points for documented bias testing, third-party audits, published fairness metrics, and active bias mitigation programs.
Data Sources
Published audits, vendor disclosures, academic partnerships, fairness reports
Privacy (20%)
Evaluates data privacy practices and regulatory compliance.
What We Evaluate
- Privacy framework compliance (GDPR, CCPA, HIPAA)
- Data minimization practices
- Consent mechanisms
- Data retention policies
- User data rights support
- Data processing agreements
How It's Scored
Points for verified compliance with privacy regulations, clear privacy policies, documented data handling procedures, and available data processing agreements.
Data Sources
Privacy policies, compliance certifications, data processing agreements, regulatory filings
Accountability (10%)
Measures governance structures and oversight mechanisms.
What We Evaluate
- Audit trails and logging
- Human oversight mechanisms
- Error correction procedures
- Regulatory compliance history
- Governance committee/board
- Incident reporting processes
How It's Scored
Points for documented oversight mechanisms, clean compliance history, available audit logs, and clear accountability structures.
Data Sources
Product features, regulatory filings, news/press, governance documentation
Verification Process
Data Collection
We gather information from vendor trust pages, certification bodies, public documentation, and direct vendor submissions.
Verification
Analysts verify certifications with issuing bodies, review documentation, and cross-reference multiple sources.
Ongoing Monitoring
Scores are reviewed quarterly. We monitor for certification changes, security incidents, and significant updates.
Verified vs. Self-Reported
Frequently Asked Questions
How can vendors improve their score?
Vendors can improve their score by obtaining relevant certifications (SOC 2, ISO 27001, HIPAA), publishing clear documentation about their AI systems, conducting and publishing bias audits, implementing robust privacy practices, and establishing clear accountability mechanisms. We recommend starting with the dimension where you score lowest.
How often are scores updated?
Scores are reviewed quarterly. We also update scores when vendors notify us of new certifications, when we discover significant changes through our monitoring, or when users report inaccuracies. Major changes (like new certifications or security incidents) trigger immediate reviews.
Can vendors dispute their score?
Yes. Vendors can submit a dispute through their vendor dashboard or by contacting us directly. Disputes should include documentation supporting the requested change. We review all disputes within 10 business days and will update scores if the evidence supports a change.
Is the scoring automated or manual?
Scoring is a combination of both. We use automated tools to gather publicly available information and verify certifications. Human analysts review the data, assess qualitative factors, and make final scoring decisions. All scores are reviewed by at least two analysts before publication.
What's the difference between verified and self-reported data?
Verified data has been confirmed through official certification bodies, public records, or direct vendor documentation we've reviewed. Self-reported data comes from vendor submissions that we haven't independently verified. Verified data carries more weight in scoring calculations.
Do you accept payment for higher scores?
No. Our scoring is completely independent of any commercial relationship. Paid listings may receive enhanced visibility or features, but they have no impact on governance scores. Our methodology is applied consistently regardless of vendor relationship status.
Questions about our methodology?
We're happy to discuss our scoring approach with buyers and vendors.