AI Governance Maturity Model: Assess Your Organisation

Governance frameworks — the EU AI Act, ISO 42001:2022, the NIST AI Risk Management Framework — define what good AI governance looks like. They do not help organisations understand where they are starting from, or how to sequence the work of getting to compliance.

A maturity model serves a different purpose: it provides an honest baseline. Without a realistic assessment of current governance state, organisations either underinvest (assuming more is in place than is), overinvest in the wrong areas (building sophisticated monitoring before basic inventory and accountability exist), or cannot credibly communicate governance status to boards, regulators, or auditors.

The five levels defined below are grounded in what is commonly observed across organisations deploying AI in regulated industries. Level 1 is the realistic starting point for the majority of organisations — including those that believe they have adequate governance in place. The gap between documented intent and operational reality is the defining characteristic of Level 1 and Level 2, and recognising that gap is the prerequisite for meaningful improvement.

The table below summarises all five levels. The following sections describe each level in detail.

At Level 1, AI governance is either absent or handled informally on a case-by-case basis. AI tools are deployed without systematic assessment of risk. There is no central AI inventory — individual teams or functions procure and use AI without central visibility. Accountability for AI-related decisions and outcomes is unclear or unassigned.

This is the realistic starting state for a majority of organisations. The AI tools deployed may be limited in scope — productivity tools, AI-assisted writing, basic automation — but the absence of governance infrastructure means that even limited AI use carries regulatory and reputational risk that is not being actively managed.

What Level 1 Looks Like in Practice

1. AI tools are used in individual teams without central awareness or approval processes.
2. No policy exists for acceptable AI use, data handling in AI systems, or prohibited AI applications.
3. There is no documented AI inventory — leadership cannot answer 'what AI systems do we use?'
4. When AI causes an incident or produces a harmful outcome, there is no clear owner and no process to investigate.
5. AI governance is not on the board or executive agenda as a standing item.

Common Gaps at Level 1

1. No AI inventory means regulatory scope cannot be assessed — firms cannot confirm whether EU AI Act obligations apply without knowing what AI they deploy.
2. No accountability structure means SM&CR obligations (for regulated firms) may not be met — AI governance responsibilities have not been allocated to named Senior Managers.
3. No policy means staff are making individual judgements about appropriate AI use without guidance, creating inconsistent and potentially harmful practices.

What Is Needed to Advance to Level 2

1. Conduct an AI inventory exercise — catalogue all AI systems in current use across the organisation, including third-party AI tools integrated into existing processes.
2. Assign AI ownership — designate accountable owners for each system; for regulated firms, map ownership to SM&CR responsibilities.
3. Draft and approve a basic AI governance policy covering acceptable use, prohibited use, data handling, and incident reporting.
4. Brief the board — AI governance should be on the agenda with an honest baseline assessment.

Level 2 organisations have begun building governance infrastructure — a policy may exist, an inventory may be partially complete, and some accountability has been assigned. The defining characteristic of Level 2 is the gap between what is documented and what is consistently applied. Governance is reactive: it responds to incidents or external pressure rather than actively managing risk.

This level is the most dangerous to misidentify. Organisations at Level 2 often believe they are at Level 3 because documentation exists. The question is whether that documentation represents operational reality — whether the policy is enforced, whether the inventory is complete and current, whether the accountability assignments are understood by the people they cover.

What Level 2 Looks Like in Practice

1. An AI governance policy exists but is not regularly reviewed or actively enforced.
2. An AI inventory exists but is incomplete — shadow AI use continues outside the official register.
3. Risk assessments happen for some AI systems but not systematically for all.
4. AI incidents are investigated retrospectively without a defined process.
5. Model validation exists for the highest-risk systems but not consistently across the AI portfolio.

Common Gaps at Level 2

1. Policy-practice gap: Policies are not enforced, and staff behaviour is not aligned with documented standards.
2. Incomplete inventory: Shadow AI — tools used without central awareness — is the most common source of governance failure. Procurement controls for AI are not in place.
3. Inconsistent impact assessment: Consumer Duty and EU AI Act both require impact assessment before deployment; at Level 2 this is ad hoc rather than systematic.
4. Third-party AI: Supplier governance is weak — firms at Level 2 rarely have AI-specific clauses in supplier contracts or structured assessments of supplier AI governance practices.

What Is Needed to Advance to Level 3

1. Close the inventory gap — implement AI procurement controls so new AI systems cannot be deployed without central registration and assessment.
2. Make impact assessment systematic — every new AI system deployment requires a documented impact assessment before go-live, covering risk, fairness, data quality, and customer impact.
3. Enforce the policy — build policy compliance into deployment gates and periodic review cycles.
4. Address third-party AI — audit supplier AI governance as part of vendor management, and add AI-specific clauses to new and renewing supplier contracts.
5. Begin validation for all material systems — not just the highest-risk tier.

Level 3 is the baseline for regulatory credibility in 2026. At this level, AI governance processes are documented, consistently applied, and auditable. An AI inventory is complete and maintained. Impact assessment is systematic. Material AI systems are validated. Third-party AI is governed. Accountability is clearly allocated and understood.

The majority of regulated organisations aspiring to EU AI Act or ISO 42001 compliance are targeting Level 3 as their immediate objective. This is an achievable standard with structured effort — it does not require sophisticated technology or large governance teams, but it does require organisational commitment and process discipline.

What Level 3 Looks Like in Practice

1. Complete, current AI inventory with risk classification for all systems.
2. Documented AI governance policy that is enforced — AI procurement controls are in place.
3. Systematic impact assessment and risk assessment before all new AI deployments.
4. Independent validation for all material AI systems, with documented validation reports.
5. Ongoing monitoring of AI system performance against defined thresholds.
6. Supplier governance in place — AI clauses in contracts, periodic supplier assessments.
7. Board-level oversight established — AI governance is a standing agenda item.
8. SM&CR allocations updated (for regulated firms) to cover AI governance responsibilities.

Common Gaps at Level 3

1. Monitoring is often manual at this level — dashboards and alerts are not automated, creating risk of oversight gaps.
2. GRC integration is incomplete — AI governance sits in a separate team or system rather than being embedded in the wider governance, risk and compliance programme.
3. Regulatory change management for AI is reactive — teams respond to published guidance rather than anticipating regulatory direction.

What Is Needed to Advance to Level 4

1. Automate monitoring — move from manual review to automated monitoring with defined thresholds and real-time alerts for material AI systems.
2. Integrate AI governance into the wider GRC programme — AI risk registers, control frameworks, and audit trails should be part of the enterprise governance structure, not a separate track.
3. Develop quantitative metrics for AI governance effectiveness — define KPIs that allow the organisation to measure whether governance is working, not just whether processes exist.

At Level 4, AI governance is measured quantitatively and managed proactively. The organisation tracks defined KPIs for AI risk — false positive rates, model drift metrics, bias indicators, policy compliance rates — and uses this data to manage AI governance as an active programme rather than a compliance checklist.

Level 4 is achievable for larger organisations with mature GRC functions, but it requires investment in both tooling and capability. The defining characteristic is that governance data drives decisions — AI risk is reported to boards and senior management in the same quantitative terms as other operational and financial risks.

What Level 4 Looks Like in Practice

1. Continuous, automated monitoring of AI system performance, fairness indicators, and data quality.
2. Quantitative AI risk reporting to board and senior management — AI risks are measured, trended, and compared against risk appetite.
3. Third-party AI supplier governance is active — supplier performance is monitored, not just assessed at onboarding.
4. AI governance is embedded in enterprise GRC — AI risks sit alongside operational, credit, and compliance risks in the risk register.
5. Regulatory change management for AI is proactive — the governance team monitors regulatory developments and updates controls in advance of new obligations applying.

Common Gaps at Level 4

1. Predictive capability is limited — governance is well-managed but still primarily responding to identified risks rather than anticipating emerging ones.
2. Benchmarking is absent — organisations at Level 4 often have no view of how their AI governance compares to peers or regulatory expectations, making it difficult to calibrate investment.

What Is Needed to Advance to Level 5

1. Develop predictive AI risk capabilities — use monitoring data to anticipate model degradation, emerging risk patterns, or regulatory exposure before they materialise.
2. Benchmark against frameworks and peers — use ISO 42001 certification or external audit to validate governance quality against an independent standard.
3. Position AI governance as a strategic input to AI deployment decisions — governance data should inform which AI systems are deployed, scaled, or retired.

Level 5 AI governance is proactive, continuously improving, and ahead of regulatory expectations. The organisation's AI governance programme is not just a compliance function — it is a strategic input into AI investment and deployment decisions. Governance insights shape which AI systems are built, scaled, or retired. Regulatory developments are anticipated, not responded to.

Level 5 is genuinely rare. For most organisations, it represents a long-term aspiration rather than an immediate target. The distance between Level 3 and Level 5 should not be underestimated — it requires sustained organisational investment, board commitment, and governance capability that goes well beyond documentation and process.

What Level 5 Looks Like in Practice

1. AI governance is a board-level strategic competency, not just a compliance function.
2. Governance data drives AI investment decisions — AI systems that cannot be governed adequately are not deployed.
3. The organisation engages proactively with regulators on AI governance standards — contributing to consultation processes and industry forums.
4. External validation confirms governance quality — ISO 42001 certification or equivalent provides independent assurance.
5. Governance continuously improves — lessons from AI incidents, regulatory developments, and industry benchmarking feed into ongoing programme refinement.

Use the checklist below to assess your organisation's current AI governance state. Complete it honestly — the value of the exercise depends on accurate self-assessment, not aspirational scoring. For each item, mark Yes, No, Partial, or Not Applicable. The pattern of responses will indicate which maturity level most closely describes your organisation and where the most significant gaps are.

This checklist is designed for completion by AI governance leads, compliance directors, CROs, or equivalent — ideally with input from IT, legal, and business unit leads who are closest to AI deployment decisions.

If most items in Foundations, Policy and Standards are marked No or Partial, your organisation is at Level 1 or early Level 2. The priority is basic infrastructure: inventory, ownership, and policy.

If Foundations and Policy are largely in place but Risk Assessment, Model Validation, and Ongoing Monitoring have significant gaps, you are at Level 2. The priority is closing the policy-practice gap and systematising the assessment processes that currently happen inconsistently.

If the first five sections are largely complete but Governance and Accountability has gaps, you are at Level 2 to Level 3 transition. The priority is formalising board oversight and accountability allocation.

If all sections are largely complete but monitoring is manual and AI governance is not integrated with your broader GRC programme, you are at Level 3. The priority is automation, integration, and measurement.

A predominantly Yes checklist indicates Level 4 or 5 — at which point the priority is continuous improvement, predictive capability, and external validation through ISO 42001:2022 certification.