In a 2025 IBM survey of 2,000 CEOs, only 28% said their AI initiatives were governed by a formal, enterprise-wide framework. The other 72% were running production AI systems on goodwill, scattered policies, and the assumption that nothing would break publicly. That gap is what an AI governance maturity model is built to close.
US enterprises are now operating in a regulatory environment that did not exist 18 months ago. The Colorado AI Act takes effect February 2026, Texas passed TRAIGA in 2025, the EU AI Act applies extraterritorially to any US company serving European users, and customer security questionnaires now routinely include 30+ AI-specific controls. Knowing where your organization sits on a maturity curve is no longer an academic exercise. It is how you answer the next board question, the next auditor, and the next enterprise buyer.
This guide gives you a five-level model, the dimensions to score yourself against, how each level maps to NIST AI RMF and ISO/IEC 42001, and a 90-day plan to move up.
What an AI Governance Maturity Model Actually Does
An AI governance maturity model is a structured way to measure how reliably your organization can develop, deploy, and oversee AI systems against a defined set of dimensions: policy, risk management, roles, tooling, training, and monitoring. It scores capability on a five-point scale from ad-hoc to optimized, then tells you what is missing to advance.
The point is not to score well. The point is to make invisible problems visible. Most enterprises discover three things during their first honest assessment: they have more AI systems in production than the AI inventory shows (Shadow AI), no one owns post-deployment monitoring, and the policy document the legal team wrote two years ago has never been operationalized.
A good maturity model surfaces those gaps in an hour. It also gives the CIO, CISO, and Chief AI Officer a shared vocabulary, which is usually the first real bottleneck. When risk says “high-risk system” and engineering says “production model,” they are often discussing the same thing with different stakes attached. The model forces a single language.
How it differs from an AI risk assessment
An AI risk assessment looks at one system. A maturity model looks at the organization’s ability to do AI risk assessments at all, consistently, across every system, including the ones procurement bought last quarter. One is tactical. The other is structural.
Why This Matters Right Now in the US
Three forces have collapsed the timeline for getting AI governance right.
The first is the state regulatory patchwork. With federal AI rulemaking in flux after the rescission of Executive Order 14110, states have moved. The Colorado AI Act imposes duties on developers and deployers of “high-risk” AI systems starting February 2026. Texas TRAIGA covers government use and consumer transparency. NYC Local Law 144 already requires bias audits for automated employment decision tools. California’s SB 53 targets frontier model transparency. A multi-state operator now has to comply with the most stringent rule in the union, not the friendliest one.
The second is enterprise procurement. Fortune 500 buyers are sending AI-specific security questionnaires that ask, in plain language, “Do you have an AI governance program aligned with NIST AI RMF or ISO/IEC 42001?” A “no” or “in progress” answer kills deals. According to a 2025 Gartner survey, 61% of enterprise buyers now treat documented AI governance as a procurement gate for any vendor whose product touches their data.
The third is generative AI sprawl. The average US enterprise has 67 SaaS tools that have quietly added LLM features in the last 18 months, according to Productiv’s 2025 SaaS Management Index. Most security teams cannot name half of them. Shadow AI is no longer a future risk. It is the current state.
Pull-out fact: 80% of enterprises will use generative AI by the end of 2026, but only 20% will have governance frameworks mature enough to manage the risks (Gartner, 2025).
The Five Levels of AI Governance Maturity
The model below borrows its scaffolding from CMMI but is built specifically for AI. Each level has observable behaviors. If you cannot point to evidence, you are not at that level.
Level 1: Ad-Hoc
Governance happens by accident. There is no AI inventory, no written policy, and no single owner. Individual teams use AI tools as they see fit. Risk reviews, when they happen, are triggered by a panicked email rather than a process.
You are here if: Your most recent AI project was approved by a Slack thread. No one can produce a list of the AI vendors your company uses. The legal team learned about your customer-facing chatbot from a customer.
Typical org profile: Companies under 500 employees, or larger orgs that have not yet had an AI incident or audit. About 40% of US mid-market firms sit here as of late 2025.
Level 2: Reactive
Governance exists on paper. A policy document was written, usually after an incident, an auditor visit, or a customer questionnaire that could not be answered. The policy is not consistently enforced and few employees know it exists.
You are here if: You have an AI policy PDF, but no one can tell you the last time it was reviewed or who approved the GenAI tool the marketing team rolled out last month. Risk assessments happen for high-profile projects only.
What to build next: A live AI inventory and a single accountable owner, typically a Chief AI Officer, AI Governance Lead, or expanded CISO mandate. Without these two things, every higher level is impossible to reach.
Level 3: Defined
Governance is a program. There is a documented framework (typically aligned to NIST AI RMF or ISO/IEC 42001), a governance committee that meets on a calendar, and standardized processes for risk assessment, model approval, and monitoring. Roles are written down. The AI inventory is maintained.
You are here if: Every new AI use case goes through an intake form, a tiered risk assessment, and a documented approval. You can produce evidence of your AI governance committee’s last three meetings.
Mapping to standards: This is the level at which an ISO/IEC 42001 certification audit becomes realistic. NIST AI RMF’s “Govern” function is substantially in place.
Level 4: Managed
Governance is measured. The program runs on KPIs: percentage of AI systems with completed impact assessments, mean time to detect model drift, percentage of high-risk systems with active monitoring, training completion rates by role. Decisions about AI investment, retirement, and risk acceptance are made with data, not anecdote.
You are here if: Your board sees an AI governance dashboard quarterly. Model performance and fairness metrics are tracked over time, not at deployment only. Third-party AI vendors are assessed against a documented control set, not a one-page questionnaire.
Typical org profile: Large regulated enterprises (financial services, healthcare, insurance) and Big Tech. Less than 8% of US enterprises currently operate at this level.
Level 5: Optimized
Governance is a competitive advantage. The organization actively contributes to standards development, runs continuous improvement loops on its own framework, and uses governance maturity as a sales asset. Algorithmic impact assessments are integrated into product development at the design stage, not bolted on at the end. AI literacy is enterprise-wide, not concentrated in a central team.
You are here if: Your AI governance posture appears on customer-facing trust pages. You publish model cards. You have retired AI systems based on monitoring data showing they no longer meet thresholds. Your governance team is consulted by peer organizations.
Reality check: Fewer than 50 US companies meet this bar today. If you think you are here, get an external assessment to check.
The Six Dimensions You Score Against
A maturity level is not a single number. It is a composite of six dimensions, and most organizations are uneven across them. A bank might be Level 4 on policy and Level 2 on monitoring. That gap is the signal.
| Dimension | What it covers | Level 3 evidence |
|---|---|---|
| Policy & Strategy | Written policies, risk appetite, strategic alignment | Approved AI policy, reviewed annually, signed off by exec sponsor |
| Risk Management | Impact assessments, risk register, mitigation tracking | Documented methodology applied to every new AI system |
| Roles & Accountability | Defined ownership across business, IT, risk, legal | RACI matrix, named CAIO, governance committee charter |
| Tooling & Inventory | AI system inventory, model registry, controls platform | Live inventory updated within 30 days of changes |
| People & Training | Role-based AI literacy, ethics training, upskilling | Mandatory training for relevant roles with completion tracking |
| Monitoring & Assurance | Drift detection, fairness monitoring, audit trails | Continuous monitoring on production high-risk systems |
Score each dimension 1–5. Your overall maturity is the lowest of the six, not the average. A program is only as strong as its weakest dimension because a single failure in monitoring exposes everything the policy work tried to prevent.
How the Model Maps to NIST AI RMF, ISO/IEC 42001, and the EU AI Act
The maturity model is not a competing framework. It is the operational layer underneath the standards your auditors and regulators will actually ask about.
| Maturity Level | NIST AI RMF | ISO/IEC 42001 | EU AI Act readiness |
|---|---|---|---|
| 1 — Ad-hoc | None of the four functions implemented | Not certifiable | Non-compliant; high-risk would breach |
| 2 — Reactive | Govern partial; Map and Measure reactive | Gap analysis possible; certification not feasible | Compliant for minimal-risk only |
| 3 — Defined | All four functions implemented | Certification realistic with focused remediation | Compliant for high-risk with effort |
| 4 — Managed | Functions running on metrics; CI loop active | Certified, with surveillance audits passing cleanly | Compliant; Annex IV docs maintained |
| 5 — Optimized | Contributing to NIST profiles | Certified; influencing standard updates | Exceeds; reference implementation |
A practical way to read this table: most US enterprises that complete an honest ISO/IEC 42001 implementation land at Level 3 by certification day, not Level 4. Reaching Level 4 takes 12 to 18 months of post-certification operation, because “managed” requires historical data the program does not yet have on day one.
What Most Maturity Models Get Wrong
Three failure patterns show up in self-assessments often enough that they deserve naming.
Confusing policy with capability. A 40-page AI policy signed by the General Counsel does not move you past Level 2. A policy is a Level 2 artifact. Operationalizing it, with workflows, trained people, and evidence of enforcement, is Level 3.
Scoring on intent, not evidence. The right test for any level is: “Can I produce documentary evidence that would survive an external auditor?” Not: “Do we generally do this?” If the auditor question is met with a story instead of a document, the score drops.
Treating GenAI as a separate program. Some organizations have a mature traditional ML governance program and a chaotic GenAI policy bolted on the side. That is a Level 2 program in aggregate, not a Level 4 program with an exception. Foundation models, RAG systems, and AI agents have to live inside the same framework as predictive models.
A 90-Day Plan to Move Up One Level
Most enterprises sit at Level 2 and need to reach Level 3 within a year to pass procurement and prepare for ISO 42001 certification or Colorado AI Act compliance. Here is what a credible 90-day push looks like.
Days 1–30: Inventory and ownership. Run a full AI inventory across business units, including SaaS-embedded AI and shadow tools. Use procurement records, SSO logs, and a structured survey. Name a single accountable owner. If that role is not yet funded, get an interim Chief AI Officer or assign it to the CISO with a charter.
Days 31–60: Framework selection and gap analysis. Pick one anchor framework. For most US enterprises serving regulated industries or international customers, ISO/IEC 42001 is the right anchor because it is certifiable. NIST AI RMF is non-certifiable but excellent as a complementary risk lens. Run a documented gap analysis against the chosen framework’s controls.
Days 61–90: Governance committee and intake process. Stand up a cross-functional AI governance committee with risk, legal, security, IT, data, and at least one business representative. Build and pilot the AI use-case intake process with a tiered impact assessment. Process at least three real cases through it, including one rejection.
By day 90, you will not yet be Level 3 in a fully measurable sense, but you will have built every artifact a Level 3 audit looks for. Months four through nine are about consistency and evidence accumulation.
Roles That Make or Break the Program
Maturity does not advance because of frameworks. It advances because of named people with budget, authority, and time.
The Chief AI Officer or AI Governance Lead owns the program end to end. In US enterprises, this role is increasingly reporting to the CEO or COO rather than the CIO, because it spans risk, legal, product, and engineering equally. Average total compensation in US metros runs $280K to $450K for the CAIO role per Russell Reynolds 2025 data.
The AI Governance Committee is the decision-making body. It meets monthly at Level 3 and is chaired by the CAIO. Membership includes the CISO, Chief Risk Officer, General Counsel, Chief Data Officer, and senior business representatives.
The AI Risk Manager runs the day-to-day risk assessment process and maintains the AI risk register. This role often sits within the existing GRC function but with specialized AI training such as ISO/IEC 42001 Lead Implementer certification.
Model owners are the engineering leads accountable for the lifecycle of specific AI systems. They are not optional, and the model registry is incomplete without them.
Common Pitfalls When Implementing the Model
The maturity model is a diagnostic tool, not a project. Treating it as a one-time exercise produces a binder no one reads. Re-score quarterly at minimum, monthly during active program build-out.
Letting the highest-scoring dimension define your level is the most common form of self-deception. The lowest score is the real maturity. Address that dimension first.
Buying a tool before defining the process makes the tool the bottleneck. AI governance platforms (Credo AI, Holistic AI, Fairly AI, ModelOp) are valuable from Level 3 onward. Buying one at Level 1 typically results in a partially configured platform that no one uses.
Skipping the inventory is the single most predictable failure mode. Every program that stalls did so because no one knew what they were governing.
FAQs
1. What is the difference between AI governance and AI risk management?
AI governance is the system of policies, roles, and processes that determines how an organization develops and uses AI. AI risk management is one function within governance, focused specifically on identifying and mitigating AI-related risks. Governance is the program. Risk management is one of its core activities, alongside policy, monitoring, and accountability.
2. Is the AI governance maturity model the same as NIST AI RMF?
No. NIST AI RMF is a risk management framework with four functions (Govern, Map, Measure, Manage) but does not assign maturity levels. A maturity model layers on top of NIST AI RMF and tells you how consistently and effectively you are executing those functions across the organization, on a 1-to-5 scale.
3. How long does it take to move from Level 2 to Level 3?
For a focused enterprise with executive sponsorship and a named owner, six to nine months is realistic. The first 90 days build the artifacts (inventory, framework, committee, intake process). The next three to six months produce the evidence of consistent operation that an auditor or maturity assessor will require.
4. Which is better for US companies, NIST AI RMF or ISO/IEC 42001?
They serve different purposes. ISO/IEC 42001 is certifiable, which matters for procurement and global market access. NIST AI RMF is non-certifiable but provides a deeper risk methodology and is becoming the de facto reference in US federal and state regulation. Most mature programs use ISO/IEC 42001 as the management system anchor and NIST AI RMF as the risk methodology inside it.
5. How do we assess our AI governance maturity?
Score each of the six dimensions (policy, risk management, roles, tooling, training, monitoring) on a 1-to-5 scale using documentary evidence as the test. Your overall maturity is the lowest dimension score. Use a structured tool such as a published self-assessment scorecard, or commission an external assessment for credibility with the board or external stakeholders.
6. Does the AI governance maturity model apply to small companies?
Yes, but the artifacts scale down. A 50-person company at Level 3 will not have a governance committee with eight roles; it might have one weekly 30-minute meeting between the CTO, founder, and outside counsel. The principle (named owner, written policy, documented process, evidence of execution) holds at any size.
Conclusion
The honest reason to assess your AI governance maturity is not the framework, the certificate, or the dashboard. It is that the cost of getting AI wrong has shifted from a research paper footnote to a board-level liability in under three years. State laws are now in effect, customers are auditing, and the systems themselves are getting harder to control.
Your next move depends on where you actually are. If you are at Level 1 or 2, start the 90-day plan above this quarter. If you are at Level 3, find your weakest dimension and invest there before pursuing certification. If you think you are at Level 4 or 5, get an external assessment to confirm.
If you want a faster path, the GAICC ISO/IEC 42001 Lead Implementer certification gives your program owner the practical training and credentials to anchor a credible Level 3 program in six months or less.
References
- IBM CEO Study 2025 — https://www.ibm.com/thought-leadership/institute-business-value/c-suite-study/ceo
- NIST AI Risk Management Framework — https://www.nist.gov/itl/ai-risk-management-framework
- ISO/IEC 42001:2023 — https://www.iso.org/standard/81230.html
- Colorado AI Act (SB 24-205) — https://leg.colorado.gov/bills/sb24-205
- EU AI Act — https://artificialintelligenceact.eu/
- Gartner AI Governance Predictions 2025 — https://www.gartner.com/en/topics/artificial-intelligence
