Answer box
A mature AI governance program in 2026 covers twenty operational controls — a written acceptable use policy, a named governance committee, an AI literacy program, a continuous AI inventory, an AI Bill of Materials, risk classification per system, inline prompt inspection, inline response inspection, tool allowlisting, capability-scoped tokens, provenance logging, A2A signing, kill switches, an AI incident response runbook, adversarial testing, bias and fairness evaluation, data governance, transparency disclosure, human oversight design, and continuous post-market monitoring. Together they satisfy roughly 80% of NIST AI RMF, ISO 42001, and EU AI Act requirements with a single evidence pipeline. Our self-assessment scores your program 0-100 across these controls in twelve minutes, produces a radar chart of your strengths and gaps, and delivers a 12-week remediation plan. This post explains the model and what we learned watching the first set of enterprises run their score.
Why a maturity model now
In 2024 the conversation was "do we need an AI governance program." In 2025 it became "what should our AI governance program cover." In 2026 it's "how do we know if ours is any good." That last question is what a maturity model answers.
Multiple frameworks now compete to be the canonical answer. The Cloud Security Alliance launched the AI Security Maturity Model in April 2026. NIST AI RMF includes its own implicit maturity through the GOVERN/MAP/MEASURE/MANAGE functions. ISO 42001 certification is a binary; you either have it or you don't, but the path to certification implies stages. Gartner's AI-TRiSM market guide includes maturity discussion.
Our self-assessment doesn't compete with those. It complements them. Where the framework-specific instruments score you against one body of work, this assessment scores you against the operational reality — the 20 controls that, in our customer experience, predict whether you'll pass an audit, weather an incident, or convince your board that the program is real.
The 20 controls the assessment measures
Drawn from our published unified compliance crosswalk, the 20 controls map to specific cells across NIST AI RMF, ISO 42001 Annex A, and EU AI Act articles. Below is the operational shorthand:
1. Written AI Acceptable Use Policy
2. Named AI Governance Committee with documented decision rights
3. AI literacy program tied to role
4. Continuous AI inventory across browser, SaaS, network, endpoint, MCP, and agent surfaces
5. AI Bill of Materials (AIBOM) per system, pinned and versioned
6. Risk classification per AI system
7. Inline prompt inspection at sub-50ms p99
8. Inline response inspection
9. Tool allowlisting at the runtime
10. Capability-scoped tokens per tool call (no long-lived credentials)
11. Provenance logging on every prompt, response, tool call, and policy decision
12. A2A signing and message inspection
13. Per-system and per-tool kill switches tested monthly
14. AI incident response runbook covering OWASP Agentic Top 10 risks
15. Adversarial red-team testing
16. Bias and fairness evaluation per high-risk use case
17. Data governance for training and operational data
18. Transparency disclosure to end users
19. Human oversight design with escalation thresholds
20. Continuous monitoring + post-market surveillance
The assessment asks 1-2 questions per control. Total: 30 questions, each scored on the 0-5 maturity scale (from "we have no process" through "we have continuous monitoring with audit-grade evidence"). Total possible score: 100.
What scoring patterns look like across the first runs
We ran the assessment with a sample of enterprise customers and prospects before public release. Three patterns stood out:
Controls 1-3 (policy, committee, literacy) are universally strong. Enterprises stood up policy artifacts in 2024-2025 — they generally score 3-4 of 5 on the foundational controls. This is the "we did the easy part" reality.
Controls 7-12 (runtime inspection, identity, A2A) are the weakest. Median score is 1-2 of 5. These controls require a platform layer most enterprises haven't yet deployed. The maturity gap shows up most starkly here.
Controls 13-15 (kill switch, IR runbook, red-team) predict audit posture. Enterprises that score 4-5 on these three controls have something to show auditors. Enterprises that score 0-2 will fail their first AI audit cycle regardless of how strong their policy artifacts look.
The output: what you actually get
The assessment produces four artifacts:
- An overall maturity score 0-100, with a benchmark percentile against your industry vertical.
- A radar chart showing your per-domain scores across the four NIST AI RMF functions (GOVERN, MAP, MEASURE, MANAGE). Easy to share with a board or audit committee.
- A ranked list of your top 5 highest-leverage gaps — controls where moving from your current score to a stronger score would have the largest impact on overall maturity.
- A 12-week remediation plan mapped to specific deliverables per gap. Not a generic template — a personalized plan based on your inputs.
The full 12-page report is gated behind a work email. The on-screen score and radar chart are immediate.
A common misuse to avoid
The assessment is a maturity snapshot. It is not a substitute for a formal audit. The 20 controls are the operational layer; ISO 42001 certification or EU AI Act conformity assessment evaluates the management system around them. Score this assessment to find your gaps. Then engage your auditor with confidence about which gaps you've closed.
Enterprises that try to use the assessment as proof of compliance will be disappointed. Enterprises that use it as a roadmap for the next two quarters will move quickly.
Run the assessment
Run the AI Governance Maturity Self-Assessment: 30 questions, ~12 minutes, personalized PDF report delivered to your inbox.
FAQ
Who is the assessment for?
CISOs, Heads of AI Governance, Heads of GRC, AI risk committee members. Anyone responsible for explaining the state of AI governance to a board, an auditor, or a regulator.
Does the assessment replace ISO 42001 certification?
No. ISO 42001 is a formal management-system certification by an accredited body. The assessment is a self-scored maturity snapshot. They complement each other: the assessment shows you where to invest before you engage an ISO auditor.
How is this different from the CSA AI Security Maturity Model?
The CSA model is broader (covers AI security generally, including model-side concerns). This assessment is operationally specific — 20 named controls that predict audit and incident posture. Use both: CSA for the broader picture, this assessment for the operational gap map.
Can I share the score with my board?
Yes. The radar chart and the 0-100 score are designed for board consumption. The 12-page PDF report is structured for an audit committee briefing.
What's the maturity model behind the scoring?
A 0-5 scale per control with six stage anchors: (0) no process; (1) ad hoc; (2) documented but inconsistent; (3) implemented across the org; (4) continuously monitored with metrics; (5) continuously monitored with audit-grade evidence. Each question maps to one stage anchor.
Will my answers be stored?
Aggregate anonymized scores are retained for benchmarking. Individual answers tied to your email are retained for 12 months so we can serve you the personalized PDF report. You can request deletion at any time.
How often should I re-run the assessment?
Quarterly. AI governance is the fastest-changing regulatory surface in enterprise security — quarterly re-assessments catch drift before it shows up in audits.
Related reading: One Map to Rule Them All: A Unified Crosswalk Between NIST AI RMF, ISO 42001, and the EU AI Act · Enterprise AI Governance Framework: The Complete Guide · Pillar Hub: AI Compliance Evidence.