
AI Governance Maturity Assessment

Score your organisation across 5 pillars and 25 questions. Identify your governance gaps and build a prioritised improvement roadmap. ISO 42001 and EU AI Act aligned.

Updated March 2026 · 5 pillars · 25 questions · 100-point scoring scale

5 pillars: policy, risk, security, compliance, people
25 questions: 4 maturity levels each
100 points: total scoring scale
Free to use and customise

The 4-Level AI Governance Maturity Scale

Each of the 25 assessment questions is scored on a 1–4 scale. Use these level definitions as anchors when scoring. The key test for Level 3 (Defined) is: is this process documented, approved, consistently followed, and can you produce evidence to prove it to an auditor?

Level 1 — Initial (1 point)
Ad-hoc or absent. No documented process, policy, or control exists. Activity happens reactively or not at all.
Level 2 — Developing (2 points)
Partially implemented. Some effort has been made but coverage is incomplete, inconsistent across teams, or not formally approved.
Level 3 — Defined (3 points)
Documented, approved, and consistently followed across the organisation. Evidence is available. This is the target level for regulatory baseline compliance.
Level 4 — Optimised (4 points)
Continuously improved with metrics, automation, and feedback loops. Best practice. Controls are proactive rather than reactive.

The Assessment

Score each question 1–4 and record the evidence supporting your score.

This pillar assesses the maturity of your AI policy framework, governance strategy, and leadership commitment. Score each question 1–4 using the maturity level definitions above. Maximum pillar score: 20 points.

1.1 AI Acceptable Use Policy
Level 1: No AI policy exists. Employees use AI tools without formal guidance.
Level 2: An informal AI policy or set of guidelines exists but has not been formally approved or distributed to all staff.
Level 3: A formal AI Acceptable Use Policy is approved, distributed to all staff, and reviewed annually. Employees sign an acknowledgment.
Level 4: Policy is dynamically updated in response to regulatory changes, new AI risks, and employee feedback. Compliance is monitored automatically.
Score: _____ / 4
1.2 AI Governance Strategy
Level 1: No defined AI governance strategy. Governance happens reactively.
Level 2: An AI governance initiative exists but lacks executive sponsorship, defined objectives, or a roadmap.
Level 3: A documented AI governance strategy with defined objectives, executive sponsorship, and a 12-month roadmap is in place.
Level 4: AI governance strategy is integrated with corporate risk strategy, reviewed quarterly, and linked to measurable business outcomes.
Score: _____ / 4
1.3 AI Governance Committee
Level 1: No AI governance committee or equivalent body exists.
Level 2: An informal group discusses AI risk but has no formal charter, authority, or regular cadence.
Level 3: A formally chartered AI Governance Committee with defined membership, decision authority, and monthly meetings is operational.
Level 4: Committee reports to the Board, has defined KPIs, and its decisions are systematically tracked for implementation.
Score: _____ / 4
1.4 AI Tool Inventory
Level 1: No inventory of AI tools in use. Shadow AI is undetected.
Level 2: A partial inventory exists for IT-sanctioned tools but shadow AI is not monitored.
Level 3: A complete, maintained AI tool inventory covers all approved tools. Shadow AI detection is in place.
Level 4: AI tool inventory is real-time, automated, includes usage data, and drives the risk register and policy updates.
Score: _____ / 4
1.5 AI Procurement & Vendor Standards
Level 1: No AI-specific requirements in procurement or vendor management processes.
Level 2: Some AI-related questions appear in vendor due diligence but are not standardised.
Level 3: A standardised AI vendor security questionnaire is required for all AI tool procurement. Vendor AI policies are assessed.
Level 4: AI vendor risk is continuously monitored. Vendor contracts include AI governance SLAs, audit rights, and data processing terms.
Score: _____ / 4
Pillar 1 Total Score: _____ / 20  |  ISO 42001 Clauses 4–6  |  16–20 = Optimised, 11–15 = Defined, 6–10 = Developing, 1–5 = Initial

How to Complete the Maturity Assessment

Follow these five steps to get a credible, actionable maturity score and a governance improvement roadmap you can present to your executive team.

1. Assemble your assessment team
Identify one owner for each pillar from the relevant function: IT Security (Pillars 1 & 2), Engineering/CTO (Pillar 3), Legal/Compliance (Pillar 4), HR/People (Pillar 5). Include a neutral facilitator to drive the group session.
2. Score each pillar independently before the group session
Ask each pillar owner to score their domain privately to avoid anchoring. They should document evidence for each score — meeting minutes, policies, tool screenshots — not just assertions.
3. Run a facilitated group session to agree consensus scores
Hold a 2-hour session to reconcile individual scores. Focus debate on borderline areas (especially anything scored at Level 2). The goal is an honest, evidence-backed baseline, not an optimistic one.
4. Identify your top 3 gaps and build a 90-day roadmap
The lowest-scoring questions represent your highest governance risk. Map each gap to a specific remediation action, owner, and deadline. Quick wins (Level 1 to Level 2 improvements) should feature prominently in the 90-day plan.
5. Present to the AI Governance Committee and repeat annually
Share the maturity profile and roadmap with your AI Governance Committee and executive sponsor for resourcing approval. Schedule the next assessment 12 months out and a mid-year check-in on the top 3 gaps.

Aona Drives Your Governance Maturity

Aona is the platform that turns your maturity assessment gaps into implemented controls. Tool approval workflows, risk registers, DLP, AI monitoring, and policy management — everything you need to move from Level 1 to Level 3 and beyond.
