Why maturity models matter for AI governance

AI governance improvement programs frequently stall because organisations lack a clear picture of where they currently are and what the next meaningful step looks like. Maturity models provide this structure: a defined progression from initial, ad hoc practice to systematic, optimised governance, with clear characteristics at each level that enable honest self-assessment and purposeful improvement.

The AI governance maturity model described here draws on established capability maturity frameworks, adapted to the specific requirements of AI governance and aligned with regulatory expectations, particularly the EU AI Act's requirements for high-risk AI systems.

Level 1: Ad Hoc

At Level 1, AI governance does not exist in any systematic form. AI tools are adopted by individual teams or departments without centralised visibility, approval, or oversight. There is no AI system inventory. Governance decisions about data use, deployment scope, and risk acceptance are made informally and inconsistently. When something goes wrong with an AI system, the response is reactive and uncoordinated.

Level 1 characteristics: no documented AI policy; no AI system inventory; no named accountability for AI decisions; no bias testing; no systematic monitoring of AI performance; incidents handled case by case without learning or process improvement.

Most small businesses and many medium-sized organisations are at Level 1. Being at Level 1 does not mean an organisation is irresponsible; it means AI governance has not yet been addressed systematically. The risk at Level 1 is not knowing what AI systems are in use, which means governance problems cannot be identified until they become incidents.

Level 2: Defined

At Level 2, AI governance policies and processes have been defined, documented and approved, but their implementation is inconsistent. There is an AI system inventory, but it may be incomplete and not maintained. There is an AI policy, but employees may not know about it or may not follow it consistently. Accountability has been assigned on paper, but may not be actively exercised.

Level 2 characteristics: documented AI policy; a maintained (if incomplete) AI system inventory; assigned accountability owners; a bias testing process that is applied to some AI systems; some monitoring of AI performance; an incident reporting process that exists but may not be used consistently.

Many medium-sized organisations that have made deliberate AI governance investments are at Level 2. The defining characteristic of Level 2 is the gap between what governance documents say should happen and what actually happens. This gap is the primary target for Level 2 to Level 3 progression.

Level 3: Implemented

At Level 3, governance policies and processes are consistently implemented across the organisation. The AI system inventory is complete and current. Accountability is genuinely exercised: named owners actively monitor system performance and escalate when standards are not met. Bias testing is systematically applied before deployment. Performance monitoring is in place and acted upon. Incidents are reported, investigated, and used to improve governance practices.

Level 3 characteristics: complete, current AI system inventory; consistently applied governance processes; accountability that is actively exercised; systematic pre-deployment bias testing; operational performance monitoring with defined response thresholds; functioning incident reporting and learning processes.

Level 3 broadly aligns with the EU AI Act's minimum requirements for high-risk AI deployers. Organisations with AI systems in high-risk categories that are not at Level 3 are likely non-compliant with their regulatory obligations.

Level 4: Measured

At Level 4, AI governance is measured: quantitative metrics are defined, collected, and used to assess governance effectiveness and drive continuous improvement. Board-level reporting on AI governance is substantive, not ceremonial: the board receives meaningful data, asks challenging questions, and actively directs governance priorities. External stakeholders (regulators, investors, enterprise customers) are proactively engaged on AI governance.

Level 4 characteristics: defined governance metrics with regular reporting; board-level engagement that is genuinely substantive; proactive regulatory engagement; external audit or assurance of AI governance practices; integration of AI governance into enterprise risk management and strategic planning.

Level 4 is where AI governance begins to function as a competitive asset rather than a compliance burden. Organisations at Level 4 can demonstrate governance effectiveness to enterprise procurement teams, regulatory supervisors, and institutional investors in ways that Level 2 and Level 3 organisations cannot.

Level 5: Optimised

At Level 5, AI governance is continuously improving, systematically learning from incidents, near-misses, regulatory developments, and industry practice, and incorporating those learnings into governance processes. AI governance is deeply integrated into product development, vendor management, and strategic planning. The organisation contributes to industry governance standards and regulatory development.

Level 5 characteristics: systematic governance improvement processes; AI governance integrated into product development lifecycle; active participation in industry standards and regulatory development; governance practices that are recognised as leading by regulators, customers, and peers.

Very few organisations are genuinely at Level 5. For most, Level 4 is the practical target, and reaching it represents a significant and meaningful governance achievement.

How to move up the maturity levels

The progression from Level 1 to Level 2 is primarily a documentation exercise: building the AI system inventory, drafting and approving the AI policy, assigning accountability. This is achievable in one to three months with focused effort.

The progression from Level 2 to Level 3 is an implementation exercise: ensuring that what is documented is actually practised. This typically requires more sustained effort: process embedding, training, monitoring, and the cultural change needed to make governance a genuine operating practice rather than a paper exercise.

The progression from Level 3 to Level 4 requires measurement infrastructure and board engagement. This is an organisational change as much as a governance change; it requires senior leadership commitment and investment in reporting and assurance capabilities.

The most important practical advice for any maturity progression: assess your actual current state honestly before planning improvement. Most organisations overestimate their maturity level. An organisation that has a policy document and believes it is at Level 2 may actually be at Level 1, because the policy is unknown to most employees and inconsistently applied. Starting from an accurate baseline is more valuable than starting from an optimistic one.