Maturity Level

most organisations say they’re at level 3. most organisations are at level 1 with a really nice slide deck.

"we did a maturity self-assessment. every team rated themselves level 3 or higher. then the auditor came and found zero evidence artifacts. turns out self-assessment without evidence is just self-esteem."
"our GRC team said we're at level 2. our board deck says level 3. the actual state of our controls suggests level 1. we have three different maturity scores for the same organisation and none of them are evidence-based."
"management asked when we'll reach level 4. we haven't reached level 2 yet. we're still arguing about who owns the bias testing control. that's level 1. that's the definition of level 1."
Share this one
Canonical Definition

The implementation progression per control: Level 1 Ad Hoc (undocumented), Level 2 Defined (documented with owner), Level 3 Managed (enforced with evidence), Level 4 Optimised (automated, measured, improving). Maturity is assessed per-control, not per-organisation. An organisation’s true maturity is its lowest-scoring critical control, not the average.

Why It Matters

Maturity models are one of the most frequently used and most frequently abused tools in governance. Used well, they provide a structured progression path that shows an organisation exactly where it stands and what it needs to do next. Used poorly, they become a mechanism for institutional self-deception — a way to report progress without demonstrating it.

The critical design decision in the AI Control Index maturity model is that maturity is assessed per control, not per organisation. This eliminates the most common failure mode: averaging. An organisation that is Level 4 on data governance and Level 1 on agent oversight does not have “Level 2.5 maturity.” It has an uncontrolled agent fleet. The average conceals the very gap that governance exists to expose.

The second critical design decision is that each maturity level has an evidence requirement. You do not self-declare Level 3. Level 3 means evidence exists, is current, and is stored in the Evidence Factory. If the evidence does not exist, the control is not at Level 3, regardless of what the self-assessment says. This is what separates a maturity model from an opinion survey.

The Stress Test

Your board receives a quarterly AI governance dashboard. It shows maturity scores for each governance domain: Ethics 3.2, Data Governance 2.8, Risk Management 3.0, Testing 2.5. The board is satisfied with progress. The numbers are trending upward. The CISO presents a roadmap to reach Level 4 by Q4.

An independent reviewer examines the underlying data. The scores are based on team self-assessments conducted via survey. No evidence was reviewed. The Ethics score of 3.2 includes a bias testing control that has never produced a test result. The Risk Management score of 3.0 includes a risk register that has not been updated since the initial assessment. The Testing score of 2.5 includes an evaluation plan that exists as a draft in a personal Google Doc.

The board was making decisions based on maturity scores that measured intention, not implementation. The dashboard was accurate about what people believed. It was not accurate about what was true.

In the Wild

CMMI — Capability Maturity Model, 1990–Present
The Lesson from Three Decades of Maturity Assessment

The Capability Maturity Model (CMM, later CMMI), developed at Carnegie Mellon’s Software Engineering Institute, is the most widely deployed maturity model in technology governance. Its three-decade history reveals a consistent pattern: organisations that used maturity assessment as a diagnostic tool improved. Organisations that used it as a reporting metric gamed it. The DoD found that self-assessed maturity levels frequently exceeded independently assessed levels by 1–2 full points.

CMMI eventually introduced the Standard CMMI Appraisal Method for Process Improvement (SCAMPI), which requires evidence review by certified assessors — precisely because self-assessment alone was unreliable.

It took CMMI twenty years to learn that maturity without evidence verification is fiction. AI governance can learn that lesson faster if it chooses to.

Cybersecurity — NIST CSF Maturity, 2018–2024
The Gap Between Reported and Actual Cybersecurity Maturity

Multiple studies examining NIST Cybersecurity Framework adoption have documented a persistent gap between self-reported maturity and independently assessed maturity. Organisations routinely rated themselves 1–2 levels higher than external assessors. The primary cause: organisations assessed maturity based on the existence of policies rather than the existence of evidence that policies were executed. A password policy rated as “managed” despite the absence of enforcement logging or compliance monitoring.

If your maturity assessment does not require evidence, it is measuring confidence, not capability.

AI Governance — Enterprise Self-Assessments, 2024–2025
The Self-Reported AI Maturity Inflation

A 2024 survey of enterprise AI governance leaders by a major consultancy found that 68% of respondents rated their organisation’s AI governance maturity as “established” or “advanced.” When the same survey asked whether organisations could produce evidence of bias testing, model validation, incident response procedures, and ongoing monitoring, fewer than 20% could demonstrate all four. The gap between self-reported maturity and evidence-based maturity was three to four levels in many cases.

Two-thirds of organisations believe they have established AI governance. Fewer than one in five can prove it. That gap is the maturity problem in one statistic.

How to Govern It

Maturity is not a score. It is an evidence-based assessment of how reliably each control operates.

Within the AI Control Index, maturity levels are governed as follows:

  • Level 1 — Ad Hoc — The control exists in concept but is undocumented and inconsistently applied. No owner. No process. No evidence. Governance happens by accident when the right person is in the room.
  • Level 2 — Defined — The control is documented with an assigned owner. A process exists on paper. Evidence definitions are specified but collection may be manual or inconsistent. The organisation knows what it should be doing.
  • Level 3 — Managed — The control is enforced with systematic evidence collection. Execution is measurable and auditable. Evidence exists in the Evidence Factory. Gates are enforced. This is the minimum level that satisfies most regulatory requirements.
  • Level 4 — Optimised — The control is automated, measured against KPIs, and continuously improving through feedback loops. Evidence generation is automated. Performance trends are monitored. The control improves itself based on data.
  • Per-control assessment — Maturity is assessed for each control individually. The organisation’s governance posture is the profile of control maturities, not the average. Critical controls at Level 1 are flagged regardless of the average score.

When It's Relevant

Every organisation implementing AI governance. Maturity assessment provides the honest answer to “where are we?” and the structured answer to “what do we do next?” Without maturity assessment, governance investment is undirected — resources flow to whichever domain has the loudest advocate rather than the weakest control.

Maturity assessment is most critical when:

  • The organisation is reporting governance posture to a board or supervisory authority
  • Governance budgets are being allocated and prioritisation requires understanding of current gaps
  • Regulatory requirements (EU AI Act, ISO/IEC 42001) demand demonstration of a functioning management system
  • The organisation is preparing for external audit and needs an honest pre-assessment
  • Multiple AI systems are under governance and maturity varies significantly across the portfolio

See maturity levels in the framework. Per-control maturity assessment is a core mechanism of the AI Control Index v6.0, governed through S1 (GRC).

Open Framework →

Related Terms

References

  1. [1] Paulk, M.C., Curtis, B., Chrissis, M.B. and Weber, C.V. (1993) ‘Capability Maturity Model, Version 1.1’, IEEE Software, 10(4), pp. 18–27. Software Engineering Institute, Carnegie Mellon University.
  2. [2] CMMI Institute (2018) CMMI V2.0 Model. ISACA. Performance and capability maturity levels.
  3. [3] European Parliament and Council (2024) Regulation (EU) 2024/1689 laying down harmonised rules on artificial intelligence (AI Act). Official Journal of the European Union, L series. Articles 9 (Risk Management), 17 (Quality Management System).
  4. [4] ISO/IEC (2023) ISO/IEC 42001:2023 — Artificial intelligence — Management system. International Organization for Standardization.
  5. [5] NIST (2018) Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1. National Institute of Standards and Technology. Implementation Tiers.
  6. [6] De Bruin, T., Rosemann, M., Freeze, R. and Kulkarni, U. (2005) ‘Understanding the Main Phases of Developing a Maturity Assessment Model’, Proceedings of the Australasian Conference on Information Systems (ACIS), pp. 8–19.
  7. [7] Raji, I.D., Smart, A., White, R.N., Mitchell, M., Gebru, T., Hutchinson, B., Smith-Loud, J., Theron, D. and Barnes, P. (2020) ‘Closing the AI Accountability Gap: Defining an End-to-End Framework for Internal Algorithmic Auditing’, Proceedings of the 2020 Conference on Fairness, Accountability, and Transparency (FAT*), pp. 33–44.

AI Control Index v6.0 · Glossary · June 2026 · i-DEPOT 158508 (BOIP) · CC BY-NC-ND 4.0

By Jeroen Janssen, Apparens