AI Governance Maturity Assessment: Where Does Your Organisation Actually Stand?
Most organisations believe their AI governance is more mature than it is. This structured self-assessment, used by governance advisors in enterprise engagements, reveals the gaps between perceived and actual AI governance maturity.
Key Takeaways
In our advisory experience, organisations that rate their own AI governance maturity at Level 3 (Defined) typically assess at Level 1-2 (Initial/Developing) under external evaluation — the gap between self-assessment and reality is consistent and large.
The five dimensions of AI governance maturity: strategy and policy, risk identification and classification, technical controls and documentation, human oversight and accountability, and monitoring and continuous improvement.
The single most reliable indicator of AI governance maturity is the quality of the AI system inventory — organisations with a complete, current, and accurate inventory consistently demonstrate more mature governance across all other dimensions.
Level 4 (Managed) and Level 5 (Optimising) governance — the levels that satisfy sophisticated enterprise buyers and regulators — require not just documentation but demonstrated evidence of governance operating in practice.
The minimum viable AI governance posture for a regulated enterprise in 2026: what it looks like, what it costs, and how long it takes to implement.
"For informational purposes only. This article does not constitute legal, regulatory, financial or professional advice. Consult a qualified professional for advice on your specific situation."
AI governance maturity — where does your organisation actually stand?
Most organisations overestimate their AI governance maturity. They have policies on intranets, frameworks in slide decks, and risk registers that were populated once but haven't been updated. The gap between "we have an AI governance programme" and "our AI governance programme is operational" is where most regulatory examination findings sit in 2026.
This article provides a practical maturity assessment framework — not the aspirational version that makes everything look good, but the honest version that identifies what's actually working and what isn't.
The five maturity levels
Level 1 — Ad hoc. No formal AI governance. Individual teams make AI decisions independently. No AI inventory. No AI policy. AI tools adopted based on individual employee or team preference. Shadow AI is pervasive. The organisation may not know what AI is in production. Most organisations were here 2-3 years ago; some still are.
Level 2 — Awareness. The organisation recognises AI governance as a need. An AI policy exists (possibly drafted by legal or compliance). Some AI systems are documented. No systematic inventory. Policy is on the intranet but not operationalised. Board has discussed AI at least once. This is where many organisations think they are further along than they are.
Level 3 — Defined. Formal AI governance framework established. AI inventory exists and is reasonably complete. Risk classification applied. Named accountability for AI governance (committee, individual, or both). Board receives AI governance reports. Vendor due diligence includes AI-specific questions. Staff training programme exists. This is the minimum defensible position for regulated organisations.
Level 4 — Managed. AI governance is operationalised and measured. KRIs are defined and monitored. Independent validation of material AI systems. Incident response tested. Vendor contracts include AI-specific provisions. Board provides effective challenge based on substantive reporting. AI governance integrates with broader ERM, operational risk, and compliance frameworks. This is where regulators expect regulated financial services firms to be.
Level 5 — Optimised. Continuous improvement based on measurement. AI governance drives competitive advantage. Governance evidence supports customer procurement, regulatory engagement, and investor due diligence. Emerging risk identification is proactive. International framework alignment is maintained as frameworks evolve. Few organisations are here; it's the aspiration.
The honest assessment questions
For each domain, ask whether the capability exists on paper, whether it's operationalised, and whether there's evidence it's working:
AI inventory: Do you have a complete inventory? When was it last updated? Does it include shadow AI? Are new AI deployments added before they go live? Can you produce the inventory in 24 hours if a regulator asks?
Risk classification: Are AI systems classified by risk tier? Is the classification rationale documented? Does classification drive control intensity? Would a regulator agree with your classifications?
Board governance: Does the board receive AI governance reports? Can directors ask substantive questions? Is there a board-approved AI risk appetite statement? Has board AI literacy been assessed?
Vendor management: Do AI vendor contracts include AI-specific provisions? Are material AI vendors assessed against CPS 230/DORA/AI Act requirements? Is vendor AI performance monitored?
Incident response: Has the AI incident response plan been tested? Can you detect AI-specific incidents (model drift, adversarial attack, bias emergence)? Are AI incidents captured in the incident management system?
Validation: Are material AI systems independently validated? Is validation ongoing or point-in-time? Are validation findings actioned?
Common maturity gaps
Paper vs practice gap. Policies exist but aren't followed. Framework is defined but not operationalised. Risk register was built once and is now stale. This is the most common gap and the one regulators are specifically looking for.
Governance theatre. AI governance activities that look good in presentations but don't influence actual decisions. Committee meetings that review status reports but never make substantive decisions. Board reports that inform but don't enable challenge.
Siloed ownership. AI governance owned by IT, legal, compliance, or risk in isolation. Effective AI governance requires cross-functional coordination — technology, legal, compliance, risk, business units, and board.
Missing the vendor layer. Internal AI governance may be reasonable, but vendor AI — which often represents the majority of AI risk — is governed through standard procurement processes that don't capture AI-specific risk.
Building maturity from your current level
From Level 1 to Level 2: appoint someone accountable for AI governance; draft an AI policy; begin an AI inventory; brief the board.
From Level 2 to Level 3: complete the AI inventory; classify AI by risk tier; establish an AI governance committee or function; implement AI-specific vendor due diligence; begin staff training; start board reporting.
From Level 3 to Level 4: define and monitor KRIs; implement independent validation; test incident response; update vendor contracts; integrate AI governance with ERM.
From Level 4 to Level 5: measure governance outcomes; use governance as a commercial differentiator; maintain international framework alignment; build emerging risk identification capability.
The key insight: you don't need to be at Level 5 to be defensible. Level 3 is the minimum defensible position for most regulated organisations. Level 4 is where regulators expect large financial services firms to be. Getting from your current level to the next level up is more valuable than trying to jump to Level 5 in one move.
Further reading: ISO 42001