Maturity model · Identity Security
Preview Test Org
Assessed Jul 5, 2026 · run 1 of 1 · CSA AICM v1.0.3 · AI-CMM v1 (our model · calibrated to SAE J3016) · CSA AISMM · CSA AI-CAIQ v1.0.2
Forming
Self-assessed
Held to the weakest of People, Process, Technology (L3). Autonomy sits within the gate. A self-assessment, never a measured or certified result.
The maturity radar
Self-assessedMaturity · governance (AISMM · L1–L5) · this function
How well-governed Identity Security is across the 12 AISMM categories, L1 hub to L5 rim. Measures 2 of 12; dashed spokes are outside scope, not zeros.
Foundational
1 Governance
2 Org Mgmt
3 IAM
4 Monitoring
Structural
5 Infrastructure
6 Model Sec
7 App Sec
8 Data Sec
Procedural
9 Provider Risk
10 Supply Chain
11 Privacy
12 Incident Resp
Autonomy · AI adoption (AI-CMM · L1–L4) · the org portfolio
How far AI adoption has advanced in each of the 8 security functions, Manual → Autonomous — the wider frame Identity Security sits in. our model · calibrated to SAE J3016.
Two axes: governance maturity (AISMM, 5 levels) vs AI autonomy (AI-CMM, 4 levels, our authored ladder). Set targets below to see the dashed overlay. The autonomy lens is the org portfolio, self-assessed where a run exists, illustrative otherwise.
Govern · AISMM
L3.5
Capable · avg of 2 categories
Adopt · AI-CMM
L2.0
Assisted · our model · calibrated to SAE J3016, not a Cloud Security Alliance (CSA) standard
The gate
Within the gate
Coverage governs autonomy up to L3. Autonomy sits within what the controls can catch.
Govern reads the AI Security Maturity Model (AISMM); Adopt reads the AI Cyber Maturity Model (AI-CMM).
Capability · People · Process · Technology
The same control answers, read on the three dimensions a program is actually managed by (our lens over Cloud Security Alliance (CSA) control text). Capability is bounded by the weakest dimension, tooling alone can’t carry it.
The lever names itself: weak People is fixed by training and champions; weak Process by runbooks and review cadences; weak Technology by vendor features, automation or fitted skills. The PPT grouping is our authored interpretation of the CSA control objectives.
Governance by category (AISMM)
Peer benchmark
Not enough peer data yet for Identity Security — need at least 5 other orgs’ runs, currently 1. No comparison is shown below that floor; this is a real count, not a placeholder.
Autonomy by workflow step (AI-CMM)
Plays. Can this function run them at its current autonomy?
Each play names the controls it requires before running at an autonomy level, and the key performance indicator (KPI) it moves. Judged here at your current adopt level (L2) from this run’s answers, a control the diagnostic didn’t ask about reads not yet assessed, never assumed. Browse the full catalog →
Use cases: each play plotted on the grid
Use cases are the third placeable unit, alongside functions on /board and AI Controls Matrix (AICM) domains on the per-run card. v1 seeds one canonical use case per play in this function; your own concrete instances replace these as the measurement layer ships. Ungoverned dots (⚠) signal the gate caught autonomy ahead of maturity.
Autonomy × Maturity — each play in this function plotted as a use case
Autonomy (AI-CMM) → Manual · Assisted · Augmented · Autonomous
Maturity from this run’s governance reading; autonomy capped at min(your function’s autonomy, the play’s catalog ceiling). All use cases are within the gate at the current reading. Real per-use-case grading arrives with the measurement layer.
Gaps register
The hard gaps to close, consolidated: every cell where autonomy outran the control’s maturity, the workflow steps running ahead of the gate, and the controls you marked absent. This is the diagnosis the action plan below is fitted to, not a coverage scoreboard.
No hard gaps found in what was assessed: no control marked absent, no cell where autonomy outran maturity, and autonomy within the gate. Maturity is still bounded by the weakest dimension above.
AI analysis
Identity Security operates at a Defined governance maturity (3.5/5), with IAM practices ahead at Level 4 while Governance lags at Level 3. The function shows strong process and technology foundations (both L4) but people capability trails at L3, creating a structural imbalance. AI autonomy sits at Level 2 with headroom to Level 3, indicating readiness for expanded machine decision-making once human-layer weaknesses close. The core pattern is mature tooling outpacing the team's ability to govern and operate it consistently.
Strengths
- IAM capabilities reach Level 4, providing robust technical controls for authentication, authorization, and access lifecycle management
- Process maturity at Level 4 indicates well-documented, repeatable workflows with measurement and feedback loops in place
- Technology maturity at Level 4 ensures modern tooling and automation support identity operations at scale
Gaps, by priority
- Governance at Level 3 creates oversight risk—policies exist but lack the rigor, integration, or enforcement mechanisms seen in IAM execution
- People capability at Level 3 limits the function—skills, training, or organizational clarity insufficient to match the sophistication of process and technology layers
- AI autonomy restricted to Level 2 despite gate allowance of Level 3, leaving efficiency gains and faster threat response on the table
Recommended next step
Invest in people capability to close the L3 gap: formalize role definitions, competency frameworks, and training paths that align identity security staff with the maturity of existing processes and tools. This single lift will stabilize governance execution and unlock the approved autonomy increase.
AI-assisted reading of your self-reported answers — not certified.
Ranked action plan: the fitted few
Targeted at your weakest capability dimensions. Each gets interventions of its own kind: weak People means training, never another tool; weak Process means runbooks and policies; weak Technology draws from vendor features, automation, and the curated core skill set, never the full library. Candidates from the play catalog; fit happens per ecosystem.
People · L3 → L4
Weakest dimension at Defined.
Process · L4 → L5
Weakest dimension at Capable.
Technology · L4 → L5
Weakest dimension at Capable.
Core skills (curated set, the inventory is raw material)
- Performing Access Review And Certification · Access-review assist
- Performing Privileged Account Access Review · Access-review assist
Rollout: phased from your reading
Each AISMM category for Identity Security is sequenced by its current level. Weakest categories land in Start now; the rest follow as Next and Later. Targets are capped at L5. This phasing is derived; re-assess to see it shift.
Set your own targets
Pick where each category should land. The roadmap below sequences the gaps Foundational first, then Structural, then Procedural — CSA’s own domain ordering, not an invented dependency graph — and by gap size within a domain.
Independent assessment
A second, independent read of the same run — an auditor or a peer team answering the same controls. Saved separately; it never overwrites the self-reported track above.
Implement
Tick the prescribed skills as you fit and operate them. Re-assess to see the categories move.
Implemented 0/2
Progress
This is the first run for Preview Test Org · Identity Security. Re-assess later to track movement here.
Roll-up to the board
This function owns these AICM domains on the board. Each board number is this reading’s evidence, nothing modelled — re-assess any function and its row moves. This is the second altitude: see the portfolio →
Light read now, deeper read next
What you have here is the light, self-assessed read: fast, honest, and enough to see where autonomy has outrun governance. The deeper read is what turns it into proof.
This read (light)
- Self-assessed against real control objectives
- A headline posture and the gate verdict
- The gaps register and the fitted few to close them
The next read (deep)
- Each control verified against evidence, not self-report
- Task-level before/after measured on the few skills adopted
- The same motion run across functions to stand up the practice
Only the deep read earns the word measured; everything on this page is self-assessed until then.
Self-assessed and indicative, governance from AICM control coverage (AISMM), autonomy from the AI-CMM ladder (our model · calibrated to SAE J3016). Skill-to-objective fit is illustrative at this stage. Framework pins: CSA AICM v1.0.3, AI-CMM v1 (our model · calibrated to SAE J3016), CSA AISMM, CSA AI-CAIQ v1.0.2.