The Formula Sheet Is Right. The Input Layer Is Missing.

June 13, 2026

A footnote to Jose Luis Flores' AI Governance Profit and Loss Formula Sheet.

Jose Luis Flores recently published a handwritten formula sheet that translates AI governance into the only language every CFO already speaks: profit and loss.

His sheet defines the variables:

And the formulas:

Compliance Profit = G.V. - R.C.

Compliance Loss = I.C. - G.V.

Governance ROI% = (G.V. - R.C.) / R.C. x 100

Risk Exposure% = I.C. / G.V. x 100

Governance Gap = Full Compliance Standard - Current State

True Cost of Ungoverned AI = (Incident Cost x 100) / (100 - Risk%)

The frame is exactly right. Every CFO understands profit and loss; very few have seen the AI governance version laid out in the same notation. Flores has done the work of making the economic argument legible at the executive layer where the budget decision actually gets made.

There is one footnote worth adding.

Every variable in his sheet depends on a contemporaneous record that most organizations do not have.

The Computable and the Estimated

Regulatory Cost is straightforward to compute. You can sum your tooling spend, your compliance headcount, your audit fees, your external consulting. The line items are visible because they cleared accounts payable.

Incident Cost, when it arrives, lands as a number you cannot ignore -- fines, settlements, remediation projects, the reputational damage that shows up in next quarter's customer-acquisition cost. Computable after the fact.

But Governance Value -- the variable that determines whether you are at a compliance profit or a compliance loss in any given quarter -- is the one most organizations have no way to measure.

Governance Value is the risk-adjusted value of a governed AI system. To compute it, you have to know what your AI-deployed system actually did across the reporting period, under whose authority, against what standing -- and you have to be able to produce that record at the moment your auditor, your regulator, or your board asks. Not summary statistics. Not derived metrics. The contemporaneous record of operation.

That record either exists or it does not.

Why It Does Not Exist in Most Organizations

The reason is architectural. Logs were built for debugging, not for evidentiary review. SIEM was built for security operations, not for compliance reconstruction. Audit trails were built for the human user signing into the dashboard, not for the AI agent acting on behalf of the system. The substrate that records, at the time of action, what the entity did and under what authority -- across humans, contractors, AI agents, and service accounts -- is the layer the industry has not built yet.

So when a CFO uses Flores' formula sheet to compute Governance ROI for the quarter, the G.V. number that goes into the numerator is almost always an estimate. And the estimate degrades exactly when it matters most -- during an incident, when the question is no longer "what does our governance program look like on average" but "what did this specific AI-deployed system do during this specific window."

Where Risk Exposure Goes Unbounded

Incident Cost is a function of how cleanly you can answer that question.

If the record exists, the incident is bounded, the regulatory exposure is contained, and the remediation cost is the actual cost of the actual failure. If the record does not exist, the incident cost expands to include forensic reconstruction, extended audit windows, legal exposure for what you cannot prove did not happen, and the operational drag of having to halt AI-deployed systems while the reconstruction is in progress.

The True Cost of Ungoverned AI formula at the bottom of Flores' sheet captures the principle: as your risk exposure approaches your governance value (Risk% approaching 100, so the denominator 100 - Risk% approaches zero), your true cost approaches infinity. The unspoken corollary is that without a substrate to bound the incident, your risk exposure is not actually known -- which means the denominator in that formula is itself an estimate.

The Frame Is Right; The Input Layer Is the Work

This is not a critique of Flores' frame. The frame is what makes the argument legible at the C-suite. The footnote is that the frame assumes a measurement infrastructure most organizations have not built.

The variable that is hardest to fix retroactively is Governance Value. You cannot rebuild a contemporaneous record of operation for a window that has already passed. You can document what your governance program looked like; you cannot document what your AI-deployed system actually did during a period for which no record was kept.

This is the architectural inheritance every enterprise deploying AI is signing for, often without naming it. The model card, the AUP, the ISO 42001 management system, the SOC 2 documentation -- these describe intent. They describe what the controls are supposed to do. They do not describe, on their own, what happened in any specific window.

The substrate that records what happened -- continuously, contemporaneously, in a form an auditor can read independently of the producing system's continued cooperation -- is the input layer the formula sheet quietly assumes.

The Board Question

When the next AI incident lands -- and it will, in some organization, before the year is out -- the question the board will ask the CFO is not "did we have a governance program." Every organization has a governance program. The question will be:

"Can we show, in contemporaneous record, what this system did across the period in question, and the basis on which it was authorized to do so?"

The answer to that question is either the substrate or reconstruction under pressure. Reconstruction takes weeks, depends on the producing system's continued cooperation, and frequently fails the cross-examination test even when it passes the audit test.

Flores' formula sheet is the right way to frame the conversation at the CFO layer. The work that remains, before the formulas can be operationalized in any specific organization, is building the input layer the formulas depend on.

Governance Value is not a derived metric.

It is a queried record.

The companies that build the substrate before the moment they need to read from it -- the companies that treat the input layer as a capital investment rather than an operational expense -- are the ones whose Compliance Profit line stays positive when the incident arrives.

There is no retroactive option.

Citing: "The AI Governance Profit and Loss Formula Sheet," by Jose Luis Flores, 2026.