ai · security · skills

The maturity engine

Measure where a security function stands, then move it.

AI is in every security function now. The board-accountable question isn't whether you have AI — it's whether, function by function, you can say how well it's governed and how far it's automated. This engine measures both, then prescribes the few skills that move the number.

Does your governance keep up?Gate open
No gate at this level — humans do the work end-to-end; AI plays no part in the loop.
Autonomy claimedL1 of 4
Governance in placeillustrative

Manual: Humans do the work end-to-end; AI plays no part in the loop.

Most maturity questions get answered org-wide, once, in a slide — which hides where the real gap is: a function running AI ahead of the controls that should catch it. We grade per function, per control category, against the standards your auditors already recognise — CSA AICM (247 control objectives), read through AI-CAIQ-style questions and rolled up to AISMM maturity levels. No new framework to buy into.

One door, three instruments

Pick by the time you have and the read you need.

The three instruments stack: the pulse frames the leadership conversation, the scan finds the first gaps, and the diagnostic sets the baseline you track against. Each card says what it asks, how long it takes, and what you walk away with.

Tier 1 · The leadership pulse

Readiness pulse

11 questions~5 minutesnothing saved server-side

A leadership self-check shaped to the ISACA AI-governance checklist, mapped to the four functions of the NIST (National Institute of Standards and Technology) AI Risk Management Framework.

For a Chief Information Security Officer (CISO) answering solo, before a board conversation.

You walk away with: A self-attested posture read across Govern · Map · Measure · Manage.

Tier 2 · First contact

Quick scan

40 questions~10–12 minutesanswers carry forward

A scan of one function, vulnerability management, across five domains, the way a real review reads.

For a function head taking a first look. No setup, indicative only.

You walk away with: An indicative gap map. Every answer carries into the function diagnostic, so nothing gets re-asked.

Tier 3 · The full read

Function diagnostic

~12 questions per function20–30 minutessaved · re-runnable

The full maturity read for one security function: governance and autonomy on two axes, connected by the gate.

For the function head and practitioner together, when you are ready to baseline and track.

You walk away with: A saved run: maturity dials, the gate reading, ranked gaps, a fitted-few prescription, and a baseline to re-assess against.

Not sure which? Answering for the whole organisation before a board conversation → the pulse. Taking a first look at one function → the quick scan. Baselining a function to track it run over run → the diagnostic. Want to see the output before you start? Open a sample report below.

Why assess · the loop

You assess to earn the next rung of autonomy.

The diagnostic reads a function on two axes: how well its AI is governed, on the AI Security Maturity Model (AISMM, L1–L5), and how far its work is automated, on the AI Cyber Maturity Model (AI-CMM, L1 Manual→L4 Autonomous; our model · calibrated to SAE J3016, never a CSA or SAE rating). The gate connects them: autonomy must never outrun governance, because autonomy without measured governance is unpriced risk.

The industry frames it the same way. Forrester’s AEGIS (Agentic AI Guardrails for Information Security) framework argues for least agency, granting an agent only the autonomy your controls can catch: that is our gate. It argues for continuous assurance, re-verifying as systems change: that is our loop. External framing, cited not copied; the rubric underneath stays CSA (Cloud Security Alliance) AISMM and the AI Controls Matrix (AICM).

1 · Assess2 · Fix the top gaps3 · Re-assess4 · Advance one rungone rung per loop

Cadence: re-assess when something material changes (a new model, a new data class, a rung-advance attempt), not on a calendar.

What each rung advance requires

ManualAssisted

Gate clear: governance at L2 (Repeatable) for the workflow being assisted.

A human still approves every action, so written, repeatable procedure is the floor.

AssistedAugmented

Gate clear, plus Security Monitoring ≥ L3 and Incident Response ≥ L2.

Running AI in the loop demands monitoring and incident response in place — you must see what it does and respond when it errs.

AugmentedAutonomous

Gate clear, plus Security Monitoring ≥ L4 and Incident Response ≥ L3 and Model Security ≥ L2.

Letting AI act autonomously additionally demands model-security controls — adversarial testing and artifact integrity — before per-action human approval is removed.

Each pass hands youThe maturity radarA ranked gaps registerA fitted-few prescriptionA saved baseline you re-run

From self-assessed to evidenced

Two kinds of control, two kinds of proof.

An answer on its own is an attestation without artifacts (self-assessed). To make it evidenced, you attach proof, and the kind of proof follows the kind of control, the same split an auditor uses.

Administrative · People & Process

Validate by pointing to the document.

Policies, runbooks, registers, a DPIA. The proof is the artifact in your repository, so the answer links to where it lives.

Technical · Technology

Validate by running the instrument.

Guardrails, monitoring, detections. The proof is an instrument run, a tester or corpus producing a pass or a before-and-after. How an instrument runs →

With proof attached, the answer climbs the ladder: Self-assessedMeasured (evidence attached) → Verified (reviewed by a second party).

Honesty holds: an attached document is not proof a control is effective, and one instrument run is not continuous assurance. Verified still needs a second pair of eyes.

Sample reports

See a finished report before you start.

Three complete diagnostics on fictional organisations: the maturity radar, the gate verdict, the gaps register, the prescription. Everything a real run produces, on sample data.

Northwind Retail

Security Operations · 2 runs · Jun 8, 2026

Govern L2.8Adopt L2.2

A re-assessed function: the radar overlays this run on the previous one, and the progress section shows the movement between them.

Globex

Application & DevSecAIOps Security · 1 run · Jun 5, 2026

Govern L2.2Adopt L1.0

A first run: a single polygon, with the categories the instrument does not cover left explicitly unmeasured, never plotted as zeros.

Initech

Security Governance, Risk & Assurance · 1 run · Jun 6, 2026

Govern L1.8Adopt L1.6

A first baseline for the governance, risk and assurance function, where most workflows are still human-run.

Fictional organisations, self-assessed sample data, never client results. Your own runs land in the registry below and stay separate.

Assessment registry

+ New function diagnostic

Every assessment you run, any org, any function, lands here with its latest position. Open one to see its maturity model and prescription, or re-assess to track progress.

Preview Test Org

Identity Security · 1 run · Jul 5, 2026

Govern L3.5 CapableAdopt L2.0 Assisted

Prod Test Org

Identity Security · 1 run · Jul 5, 2026

Govern L1.0 InitialAdopt L1.4 Manual
Method: governance from AICM control coverage (AISMM L1–L5); autonomy from the AI-CMM ladder (our model · calibrated to SAE J3016, Manual→Autonomous); the gate flags any function whose autonomy exceeds its governance. Self-assessed and indicative.