Domondon Dominium


The Canvas, item by item

All 24 items of the Department Configuration Canvas — what each one is, what good looks like, the red flag that means it's failing, and a maturity score. Score honestly; the rubric is designed to be hard to flatter.

The maturity rubric

Every item is scored on the same four-step ladder — the framework's own progression from folklore to governance:

0 · Absent: Nobody could state it. It exists only as improvisation.
1 · Folklore: It works — but it lives in people's heads and habits. It leaves when they do.
2 · Written: Documented, current, findable. A newcomer — or an AI — could follow it.
3 · Governed: Written and enforced, measured, and reviewed on a cadence. It works at 3 a.m. without anyone remembering anything.

Tip: "Written" requires that the document is current — a 2019 charter nobody has read since is Folklore with a file name.

Purpose layer

1 · Team name & recursion level

Which system is this canvas for — a team, a department, a program, the enterprise? The canvas is recursive; each level gets its own.

Good: one canvas per level, and everyone agrees which level this one is.

Red flag: one canvas trying to govern three different altitudes at once.

2 · Mission / mandate — with the intent clause

Why the team exists, plus two or three sentences of intent: the outcome and the non-negotiables, written for the situation no rule covers.

Good: a newcomer or an AI agent could make a sane call from the intent clause alone.

Red flag: a mission statement that could belong to any team in the building.

3 · Scope — what the team owns

The work only this team may do, stated positively.

Good: the list matches what the team actually spends its time on.

Red flag: 40% of real workload appears nowhere in the stated scope.

4 · Boundaries — what the team does not own

Stated exclusions, so out-of-mandate work can be flagged instead of silently absorbed.

Good: the team can decline out-of-scope work by pointing at a sentence, not by fighting.

Red flag: "we do whatever comes in" — a team without boundaries is a queue, not a team.

Contract layer

5 · Stakeholders — served vs. governing, plus the harm registry

Who the mission exists for, who sets constraints — and who can be hurt by this team's output, and how.

Good: the harm registry names real people-categories, not "quality issues."

Red flag: the person the work can hurt appears nowhere in the stakeholder list.

6 · Services — each with four governance attributes

The published catalog. Every service born with a default risk tier, automation ceiling, evidence level, and gate.

Good: a request can inherit sane governance defaults just by being classified against the catalog.

Red flag: a catalog of services the team cannot actually deliver — a standing integrity failure.

7 · Core workflows — leveled per step

The repeatable processes, each step declaring who, automation level, evidence, and whether it's a gate. Review and approval never merged.

Good: the written workflow resembles what the night shift actually does.

Red flag: SOPs everyone signs annually and nobody follows — work-as-imagined divorced from work-as-done.

Flow layer

8 · Intake channels — by signal type and trust level

Structured, semi-structured, and ambient demand — with one declared front door.

Good: ambient demand (hallway, meetings) has a capture rule instead of a graveyard.

Red flag: the most important requests arrive by the least tracked channel.

9 · Request types

The classification scheme triage applies — including a "none of the above" lane that routes to a human.

Good: categories cover ~90% of real demand; the anomaly lane exists and is watched.

Red flag: everything is classified "other," or the anomalous request gets forced into the nearest box.

10 · Priority rules — protection override + slack rule

P0–P4 plus Reject as a logged outcome. Safety/PHI/license issues are P0 regardless of scoring; reserve capacity is defended.

Good: the team can say what it will NOT do this week, in writing, kindly.

Red flag: a backlog where yes goes to die — silent backlog death is a governance failure.

Control layer — people & decisions

11 · Roles & owners — the mixed roster

The eight role types on actual names. AI agents hold Operator/Contributor only; every chain of work terminates in a named human.

Good: for any piece of work, one question — "whose is this?" — has one answer.

Red flag: an AI listed (or de facto acting) as reviewer, approver, or owner.

12 · Decision rights — the RAPID registry

The team's ten recurring decisions, each with one Decider and a door type (one-way/two-way). AI recommends anywhere; decides only at Level 1 under written rules.

Good: "who decided this?" is answered by a lookup, not an argument.

Red flag: decisions made by whoever was in the room, ratified by silence.

13 · Human review gates

Gates that are active (a task, not a glance), measured (rejection rate tracked), independent, empowered, placed by tier, role-separated.

Good: you can name what each reviewer does and when the gate last rejected something.

Red flag: 100% approval for a month and nobody has asked why.

Control layer — memory & machinery

14 · Knowledge sources — tiered and stewarded

Governed > working > ambient. Stewards named, review dates set, staleness tracked.

Good: the AI can cite which tier an answer came from; outdated policy gets caught before it's served.

Red flag: the team's best knowledge retires when its people do.

15 · Data sources & sensitivities

Where data lives, what each system is authoritative for, what is sensitive, what AI never touches.

Good: the No-PHI (or your equivalent) boundary is explicit, and everyone can recite it.

Red flag: sensitive data identified only after it has been pasted somewhere it shouldn't be.

16 · Tools / systems — the permission matrix

System × agent × read/write/execute. Boundaries enforced by access scoping, not by instructions.

Good: an agent's permissions match its tasks — least privilege, reviewed when tasks change.

Red flag: a rule that exists only in a prompt is a hope. Count how many of yours are hopes.
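
One way to run the item 16 check, as an added example that is not part of the canvas itself: it compares the permissions granted in a system × agent × read/write/execute matrix against what each agent's tasks need, and counts the rules enforced only by a prompt. Every agent, system, task and rule name below is constructed for illustration.

```python
# Added example: audit a system x agent x read/write/execute matrix.
# All names and values here are constructed sample data, not from the canvas.

# Permissions actually granted by access scoping: (agent, system) -> {"r","w","x"}
GRANTED = {
    ("triage-agent", "ticketing"): {"r", "w"},
    ("triage-agent", "records-db"): {"r", "w"},
    ("report-agent", "warehouse"): {"r"},
}

# What each agent's current tasks need, one dict per task: system -> permissions.
TASKS = {
    "triage-agent": [{"ticketing": {"r", "w"}}, {"records-db": {"r"}}],
    "report-agent": [{"warehouse": {"r"}}, {"mail-gateway": {"x"}}],
}

# Rules the team relies on, and where each one is actually enforced.
RULES = [
    {"rule": "triage-agent never writes to records-db", "enforced_by": "prompt"},
    {"rule": "report-agent is read-only on warehouse", "enforced_by": "access-scope"},
]

def required(tasks):
    """Union of the permissions each agent's tasks need, per (agent, system)."""
    need = {}
    for agent, task_list in tasks.items():
        for task in task_list:
            for system, perms in task.items():
                need.setdefault((agent, system), set()).update(perms)
    return need

def audit(granted, tasks, rules):
    """Return (findings, hopes): grant/task mismatches and prompt-only rules."""
    need = required(tasks)
    findings = []
    for key in sorted(set(granted) | set(need)):
        have, want = granted.get(key, set()), need.get(key, set())
        if have - want:   # more access than any task needs: least privilege broken
            findings.append(("excess", key, sorted(have - want)))
        if want - have:   # tasks changed but the matrix was not reviewed
            findings.append(("missing", key, sorted(want - have)))
    hopes = [r["rule"] for r in rules if r["enforced_by"] != "access-scope"]
    return findings, hopes

if __name__ == "__main__":
    for line in audit(GRANTED, TASKS, RULES):
        print(line)
```

In the sample data the one prompt-only rule covers exactly the write permission the matrix still grants, which is the situation the red flag describes.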

Flow layer — coordination

17 · Communication rhythm — SBAR + closed loops

Briefs and escalations SBAR-shaped; critical handoffs acknowledged and read back; meetings reserved for judgment.

Good: the weekly brief is readable in an elevator; no fire-and-forget handoffs, human or machine.

Red flag: coordination consumes a third of capacity and things still fall between people.

18 · Quality standards

The definition of good per output type, checked in-line (jidoka) rather than inspected at the door.

Good: pre-flight checks run before delivery; near-misses caught at gates are logged as data.

Red flag: quality defined as "the recipient didn't complain."

Control layer — risk & visibility

19 · Risk rules & the prohibited zone

Tier the task, not the tool. An enumerated list of what AI never does autonomously, regardless of tier.

Good: the prohibited zone is written, short, and absolute — and everyone can name two things on it.

Red flag: risk policy that lists everything and therefore governs nothing.

20 · Metrics — including governance health

Performance metrics plus the vital signs of governance: gate disagreement, override frequency, boundary blocks, escalation counts.

Good: governance-health numbers sit on the same dashboard as throughput, watched with the same seriousness.

Red flag: dashboards that can say "how fast?" but not "what high-risk work is currently ungated?"

21 · Escalation rules — andon, PACE, two-challenge

Anyone (including the AI) can halt; escalations are graded, SBAR-shaped, routed by expertise; unanswered escalations get louder.

Good: someone halted something recently and was praised by name.

Red flag: the last person who raised a concern got a form and a raised eyebrow.

22 · Automation permissions — L0–L5 per step

Levels assigned per workflow step; promotion earned with evidence and logged; demotion automatic on defect or boundary event.

Good: you can point at a workflow's promotion history in the ledger.

Red flag: autonomy that grew by drift — nobody decided it, it just stopped being reviewed.

Learning layer

23 · Audit requirements — the workflow header & ledger

What is logged, by whom, kept how long. Decisions with rationale; actions attributable to named identities, human or agent.

Good: the ledger recently changed a decision — it is read, not just written.

Red flag: write-only logging theater. A ledger nobody reads is ceremony.

24 · Improvement loop — four asset classes, one cadence

Monthly at minimum: SOPs, prompts/instructions, knowledge sources, and the governance rules themselves — lessons installed as changes, not reminders.

Good: you can name the last lesson that physically changed a checklist, field, or permission.

Red flag: retrospectives whose action items evaporate — the same incident booking its return appointment.
