The maturity engine
Measure where a security function stands, then move it.
AI is in every security function now. The board-accountable question isn't whether you have AI — it's whether, function by function, you can say how well it's governed and how far it's automated. This engine measures both, then prescribes the few skills that move the number.
Manual: Humans do the work end-to-end; AI plays no part in the loop.
Most maturity questions get answered org-wide, once, in a slide — which hides where the real gap is: a function running AI ahead of the controls that should catch it. We grade per function, per control category, against the standards your auditors already recognise — CSA AICM (247 control objectives), read through AI-CAIQ-style questions and rolled up to AISMM maturity levels. No new framework to buy into.
One door, three instruments
Pick by the time you have and the read you need.
The three instruments stack: the pulse frames the leadership conversation, the scan finds the first gaps, and the diagnostic sets the baseline you track against. Each card says what it asks, how long it takes, and what you walk away with.
Tier 1 · The leadership pulse
Readiness pulse
A leadership self-check shaped to the ISACA AI-governance checklist, mapped to the four functions of the NIST (National Institute of Standards and Technology) AI Risk Management Framework.
For a Chief Information Security Officer (CISO) answering solo, before a board conversation.
You walk away with: A self-attested posture read across Govern · Map · Measure · Manage.
Tier 2 · First contact
Quick scan
A scan of one function, vulnerability management, across five domains, the way a real review reads.
For a function head taking a first look. No setup, indicative only.
You walk away with: An indicative gap map. Every answer carries into the function diagnostic, so nothing gets re-asked.
Tier 3 · The full read
Function diagnostic
The full maturity read for one security function: governance and autonomy on two axes, connected by the gate.
For the function head and practitioner together, when you are ready to baseline and track.
You walk away with: A saved run: maturity dials, the gate reading, ranked gaps, a fitted-few prescription, and a baseline to re-assess against.
Why assess · the loop
You assess to earn the next rung of autonomy.
The diagnostic reads a function on two axes: how well its AI is governed, on the AI Security Maturity Model (AISMM, L1–L5), and how far its work is automated, on the AI Cyber Maturity Model (AI-CMM, L1 Manual→L4 Autonomous; our model · calibrated to SAE J3016, never a CSA or SAE rating). The gate connects them: autonomy must never outrun governance, because autonomy without measured governance is unpriced risk.
The industry frames it the same way. Forrester’s AEGIS (Agentic AI Guardrails for Information Security) framework argues for least agency, granting an agent only the autonomy your controls can catch: that is our gate. It argues for continuous assurance, re-verifying as systems change: that is our loop. External framing, cited not copied; the rubric underneath stays CSA (Cloud Security Alliance) AISMM and the AI Controls Matrix (AICM).
Cadence: re-assess when something material changes (a new model, a new data class, a rung-advance attempt), not on a calendar.
From self-assessed to evidenced
Two kinds of control, two kinds of proof.
An answer on its own is an attestation without artifacts (self-assessed). To make it evidenced, you attach proof, and the kind of proof follows the kind of control, the same split an auditor uses.
Administrative · People & Process
Validate by pointing to the document.
Policies, runbooks, registers, a DPIA. The proof is the artifact in your repository, so the answer links to where it lives.
Technical · Technology
Validate by running the instrument.
Guardrails, monitoring, detections. The proof is an instrument run, a tester or corpus producing a pass or a before-and-after. How an instrument runs →
Honesty holds: an attached document is not proof a control is effective, and one instrument run is not continuous assurance. Verified still needs a second pair of eyes.
Sample reports
See a finished report before you start.
Three complete diagnostics on fictional organisations: the maturity radar, the gate verdict, the gaps register, the prescription. Everything a real run produces, on sample data.
Northwind Retail
Security Operations · 2 runs · Jun 8, 2026
A re-assessed function: the radar overlays this run on the previous one, and the progress section shows the movement between them.
Globex
Application & DevSecAIOps Security · 1 run · Jun 5, 2026
A first run: a single polygon, with the categories the instrument does not cover left explicitly unmeasured, never plotted as zeros.
Initech
Security Governance, Risk & Assurance · 1 run · Jun 6, 2026
A first baseline for the governance, risk and assurance function, where most workflows are still human-run.
Assessment registry
+ New function diagnosticEvery assessment you run, any org, any function, lands here with its latest position. Open one to see its maturity model and prescription, or re-assess to track progress.