AI governance maturity assessment
Knowing whether your organization governs AI responsibly is hard without a yardstick. This AI governance maturity assessment gives you one: 30 questions across six domains — accountability, transparency, fairness, security, privacy, and oversight — that produce an overall maturity level, a per-domain breakdown, and recommendations aimed at your weakest areas first.
What the six domains measure
Accountability — whether your organisation has assigned ownership of AI systems, documented who makes deployment decisions, and created processes for investigating harms.
Transparency — whether people affected by AI decisions know they are, can understand why, and can access information about the system’s behaviour.
Fairness — whether your systems are tested for disparate impact across protected groups before and after deployment, and whether you have a process for investigating fairness complaints.
Security — whether your AI systems are hardened against adversarial inputs, prompt injection, training-data poisoning, and model theft — and whether you monitor for these in production.
Privacy — whether personal data used in training and inference is handled with appropriate controls, consent mechanisms, and data-minimisation practices.
Oversight — whether there is a meaningful human in the loop for high-stakes decisions, whether AI outputs are audited periodically, and whether there are kill-switch and rollback mechanisms.
The four maturity levels
| Level | What it means |
|---|---|
| Initial | Ad hoc. Governance exists per-project or per-team at best; no consistent org-wide practice. |
| Developing | Some formal policies exist but are inconsistently applied and not systematically monitored. |
| Defined | Documented, consistently applied processes across the organisation, with clear ownership. |
| Managed | Systematic measurement, improvement loops, external benchmarking, and board-level visibility. |
The gap between Initial and Developing is usually the most impactful step for small organisations. The gap between Defined and Managed is where larger companies focus once they face regulatory scrutiny under frameworks like the EU AI Act or NIST AI RMF.
How it works
Each of the six domains has five questions, and each answer maps to a maturity score from ad hoc to fully managed. The tool averages your answers within each domain and overall, then places you on a four-level scale — Initial, Developing, Defined, Managed. Because risk concentrates in your weakest domains, the recommendations are sorted to surface the lowest-scoring areas first. Everything is computed locally in the browser; your answers never leave the page.
Tips and notes
- Answer honestly. An optimistic self-assessment hides exactly the gaps you need to find.
- Chase balance. A single weak domain can outweigh several strong ones in real-world risk. A perfect security score does not protect you if your transparency practices are Initial-level and a regulator asks for evidence of disclosure.
- Make recommendations owned. Turn each into an action with a name and a date attached.
- Re-run over time. Maturity is a trajectory; periodic reassessment shows whether you are improving. Running the assessment quarterly is enough for most organisations; monthly is useful if you are actively building out governance in response to regulatory pressure.