AI Maturity Stages Frameworks

No formal AI governance. AI projects in silos with little oversight. Decisions on ethics or risk left to individual teams. No leadership awareness of AI-specific risk.

Assessment: No dedicated AI policies or roles exist.

Challenge: Lack of coordination — ethical or compliance breaches go unnoticed.

Best practice: Begin awareness building — basic AI risk workshop, inventory existing AI projects.

The organisation has recognised the need for AI governance and is planning. Working groups form. Policies in draft. A champion may be advocating internally.

Assessment: Initial AI governance framework document; ethics committee formed (even without authority).

Challenge: Moving from talk to action.

Best practice: Roadmap with concrete milestones — publish AI ethics policy, assign roles, pilot procedures on one project.

Basic policies exist; adoption is spotty. Some teams comply, others don't. Reviews for high-profile projects; many projects slip through.

Assessment: Policies on paper; some training delivered.

Challenge: Enforcement and coverage; viewed as box-ticking.

Best practice: Integrate governance into project lifecycle (sign-off gates); communicate success stories.

Formal AI governance in place and functioning. Central committee or officer. Policies refined and communicated. Most projects follow required steps. AI governance is part of standard operating procedure.

Assessment: High percentage of AI initiatives follow the process; governance artefacts (risk assessments, model cards) exist per project. May target ISO/IEC 42001 alignment.

Challenge: Maintaining quality of execution; avoiding "compliance theatre."

Best practice: Internal audits; investment in tooling that enforces process; named accountable executive.

Governance is measured and managed with metrics. KPIs are tracked (e.g., percentage of high-risk systems with completed FRIA, number of incidents, audit findings closed). Process is refined based on data.

Assessment: Operational dashboards; regular reporting to executive leadership; tracked remediation pipelines.

Challenge: Avoiding metric overload; ensuring metrics reflect outcomes rather than activity.

Best practice: Tie incentives to governance outcomes; quarterly governance reviews with the board.

AI governance is integrated with quality, security, privacy, and risk management. The organisation operates an integrated management system (e.g., ISO 9001 + 27001 + 42001). External certification achieved. Practices continuously improved.

Assessment: Certifications; mature change-management process; cross-functional governance council with real authority.

Challenge: Sustaining maturity through organisational change.

Best practice: Share lessons learned externally; participate in standards bodies.

The organisation is a recognised industry leader on AI governance. Governance practice is a competitive advantage. The organisation shapes external standards and norms.

Assessment: Public thought leadership; participation in standards development; cited by regulators as a model.

Challenge: Avoiding complacency; staying ahead of evolving practice.

Best practice: Open-source governance tooling; publish a transparency report; mentor industry peers.

No deliberate safety practice. Models deployed without testing for adversarial inputs, drift, or failure modes.

Best practice: Establish minimum testing baseline; document known failure modes.

Safety issues addressed after they manifest. No proactive testing.

Best practice: Build incident response playbook; track recurring failure patterns.

Standardised validation tests for new models. Some adversarial testing. Documented evaluation suites.

Best practice: Adopt NIST AI 600-1 GenAI Profile threat categories where applicable.

Risk assessment is standard for every AI project. Mitigations documented and tracked. Operating-domain documentation produced.

Best practice: Align with ISO/IEC 23894; produce model cards per system.

Adversarial training, ensemble methods, guardian systems, formal verification of safety-critical modules.

Best practice: Red-teaming as a standing practice; published evaluation results.

Continuous monitoring in production; drift detection; automated rollback. Safety incidents trigger root-cause analysis and feedback loops.

Best practice: Integrate safety telemetry into engineering dashboards; quarterly safety reviews.

Best-in-class safety record. Safety case methodology operational. Recognised as a safety leader by regulators (EU AI Office, CAISI, sector regulators).

Best practice: Publish safety reports; participate in international AI Safety Institute network.

AI systems are black boxes; users have no information about how decisions are made.

Best practice: Begin publishing basic system descriptions; identify where transparency is legally required.

Some disclosures — users informed they're interacting with AI; minimal information provided.

Best practice: Comply with EU AI Act Article 50 transparency obligations; provide AI-generated content labels.

Engineering teams use interpretability tooling (SHAP, LIME, saliency maps). Internal reviews of model decisions.

Best practice: Produce model cards; document operating domains.

End-users receive plain-language explanations of consequential AI decisions; appeals process available.

Best practice: Comply with GDPR Article 22; provide actionable reason codes.

Users can query AI decisions, provide feedback, and influence outcomes. Public transparency reports published.

Best practice: Adopt content provenance standards (C2PA); publish training-data summaries.

The organisation's AI is trusted by users, partners, and regulators. Third-party audits regularly published. ISO/IEC 42001 certified.

Best practice: Engage with downstream stakeholders; publish responsible AI use cases.

The organisation defines the transparency standard for the industry. Practices are adopted by peers and codified by regulators.

Best practice: Contribute to international standards (ISO, IEEE, C2PA); open-source tooling.

No articulated ethics or responsibility principles. AI deployed without consideration of societal impact.

Best practice: Begin articulating principles; appoint ethics owner.

Ethics principles published; not yet operationalised. Risk of "ethics washing" without enforcement.

Best practice: Move from principles to processes; assign accountability.

Ethics training rolled out; review procedures established; ethics escalation path defined.

Best practice: Make ethics review a default gate for AI projects.

Responsible AI practices integrated into product development. Bias mitigation, fairness checks, FRIA-style assessments standard.

Best practice: Conduct FRIAs under EU AI Act Article 27; align with ISO/IEC 42005.

External audits of ethics and responsibility. Independent ethics board with real authority. Public ethics commitments.

Best practice: Engage civil society; respond to external concerns.

Responsible AI is part of organisational culture. Employees feel empowered to raise concerns. Whistleblower protections in place (cf. California SB 53).

Best practice: Reward responsible decisions; protect whistleblowers; act on internal escalations.

The organisation actively advocates for responsible AI in the broader ecosystem. Funds research; supports public-interest initiatives (e.g., Current AI, ROOST).

Best practice: Sponsor open-source safety work; contribute to multilateral processes.

AI risks not distinguished from general enterprise risks. No AI risk register.

Best practice: Create an AI risk register; inventory AI systems.

AI risks identified at a high level. Documented but not quantified or mitigated systematically.

Best practice: Adopt NIST AI RMF as a starting framework.

Standard process for risk assessment per AI project. NIST RMF Map and Measure functions implemented.

Best practice: Use NIST trustworthiness characteristics (privacy, accuracy, safety, fairness, etc.) as risk categories.

Risks have documented controls. NIST RMF Manage function implemented. Aligned with ISO/IEC 23894.

Best practice: Map controls to ISO/IEC 23894 risk treatment options.

AI risk integrated with enterprise risk management. Real-time monitoring of risk indicators. Cross-functional risk reviews.

Best practice: Quarterly AI risk reviews at executive level; aggregate dashboards.

Quantitative risk models for AI — scenario analysis, sensitivity testing, financial risk modelling for AI-related losses.

Best practice: Apply techniques from financial-services model-risk management (SR 11-7 lineage) to AI broadly.

Continuous improvement of risk practice. Resilience tested via tabletop exercises and red-team scenarios. Risk posture adapts to new threats (e.g., novel attacks against frontier models).

Best practice: Industry-leading incident-response drills; contribute to threat-intelligence sharing.

Not aware of or not complying with applicable regulations.

Best practice: Audit current AI footprint against applicable regulations (EU AI Act, US state laws, sector rules).

Aware of applicable rules but not yet implementing controls.

Best practice: Map regulations to AI systems; prioritise high-risk gaps.

Policies and controls being implemented. Some AI systems compliant; gaps remain.

Best practice: Use ISO/IEC 42001 as architecture; close gaps systematically.

End-to-end compliance management. ISO/IEC 42001 aligned. Documented evidence per regulation.

Best practice: Integrate compliance evidence collection into engineering workflow.

Ready for external audit. ISO/IEC 42001 certification pursued under 42006-accredited bodies. GPAI Code of Practice signed where applicable.

Best practice: Maintain audit evidence continuously; engage external auditors annually.

Compliance posture is a competitive advantage. Certifications and signatures used in procurement. Customers and regulators trust the organisation.

Best practice: Market compliance credentials; use them to enter regulated markets faster.

The organisation shapes compliance norms. Engages with regulators on rule development. Practices cited as exemplary in regulatory guidance.

Best practice: Participate in standards development; contribute to regulator working groups.