ai · security · skills
← Registry

Maturity model · Identity Security

Preview Test Org

Assessed Jul 5, 2026 · run 1 of 1 · CSA AICM v1.0.3 · AI-CMM v1 (our model · calibrated to SAE J3016) · CSA AISMM · CSA AI-CAIQ v1.0.2

50%

Forming

Self-assessed

Held to the weakest of People, Process, Technology (L3). Autonomy sits within the gate. A self-assessment, never a measured or certified result.

The maturity radar

Self-assessed

Maturity · governance (AISMM · L1–L5) · this function

How well-governed Identity Security is across the 12 AISMM categories, L1 hub to L5 rim. Measures 2 of 12; dashed spokes are outside scope, not zeros.

12345Governance1Organization Management · not covered by this instrument2IAM3Security Monitoring · not covered by this instrument4Infrastructure Security and Resilience · not covered by this instrument5Model Security · not covered by this instrument6App Security · not covered by this instrument7Data Security · not covered by this instrument8Risk & Provider Assessment & Management · not covered by this instrument9AI Supported Development and Supply Chain Security · not covered by this instrument10Privacy and Compliance · not covered by this instrument11Incident Response · not covered by this instrument12FoundationalStructuralProcedural
This run
Levels1 Initial2 Repeatable3 Defined4 Capable5 Efficient

Foundational

1 Governance

2 Org Mgmt

3 IAM

4 Monitoring

Structural

5 Infrastructure

6 Model Sec

7 App Sec

8 Data Sec

Procedural

9 Provider Risk

10 Supply Chain

11 Privacy

12 Incident Resp

Autonomy · AI adoption (AI-CMM · L1–L4) · the org portfolio

How far AI adoption has advanced in each of the 8 security functions, Manual → Autonomous — the wider frame Identity Security sits in. our model · calibrated to SAE J3016.

1234Identity Security · Self-assessed1Network & Infrastructure Security · illustrative2Endpoint & Workload Security · illustrative3Application & DevSecAIOps Security · Self-assessed4Data Security · illustrative5Cloud & Container Security · illustrative6Security Operations · Self-assessed7Security Governance, Risk & Assurance · Self-assessed8
AI adoption (AI-CMM)
Levels1 Manual2 Assisted3 Augmented4 Autonomous

1 Identity Security

2 Network & Infrastructure Security

3 Endpoint & Workload Security

4 Application & DevSecAIOps Security

5 Data Security

6 Cloud & Container Security

7 Security Operations

8 Security Governance, Risk & Assurance

Two axes: governance maturity (AISMM, 5 levels) vs AI autonomy (AI-CMM, 4 levels, our authored ladder). Set targets below to see the dashed overlay. The autonomy lens is the org portfolio, self-assessed where a run exists, illustrative otherwise.

Govern · AISMM

L3.5

Capable · avg of 2 categories

Adopt · AI-CMM

L2.0

Assisted · our model · calibrated to SAE J3016, not a Cloud Security Alliance (CSA) standard

The gate

Within the gate

Coverage governs autonomy up to L3. Autonomy sits within what the controls can catch.

Govern reads the AI Security Maturity Model (AISMM); Adopt reads the AI Cyber Maturity Model (AI-CMM).

FoundationInformation security: Not yet profiledCloud: Not yet profiledPrivacy: Not yet profiled

Capability · People · Process · Technology

The same control answers, read on the three dimensions a program is actually managed by (our lens over Cloud Security Alliance (CSA) control text). Capability is bounded by the weakest dimension, tooling alone can’t carry it.

PeopleAdministrative · evidence by document L3 Defined2 asked
ProcessAdministrative · evidence by document L4 Capable3 asked
TechnologyTechnical · evidence by instrument → L4 Capable3 asked
Capability, bounded by PeopleL3 Defined

The lever names itself: weak People is fixed by training and champions; weak Process by runbooks and review cadences; weak Technology by vendor features, automation or fitted skills. The PPT grouping is our authored interpretation of the CSA control objectives.

Governance by category (AISMM)

IAM L4 Capable

6 implemented · 0 partial · 0 absent

What L4 looks like for IAM · the next rung

Where you are (L4 Capable): Distinct non-human identities established for AI agents across deployment types (enterprise-built, SaaS-embedded, developer tools). Delegation and consent flows implemented (users explicitly authorize agent actions). On-behalf-of authorization patterns with tokens reflecting both user and agent identity. Agent identity integrated with enterprise IdP for supported technologies. MCP tool authorization with fine-grained scopes. AI developer tools consistently tag their commits/actions with agent identity.

The next rung (L5 Efficient): Automated agent identity lifecycle management integrated with AI deployment pipelines. Just-in-time, ephemeral credentials for agent operations (tokens expire after task/session). Delegation chain validation for multi-agent workflows with transitive trust boundaries enforced. Full auditability from user intent through agent actions to resource access. Policy-as-code enforcement for agent authorization. Continuous validation of agent permissions against intent. Customer-facing AI identity flows secured with consent management and revocation.

Verbatim from CSA AISMM v3.7; your level stays a provisional self-assessment.

Governance L3 Defined

2 implemented · 0 partial · 0 absent

What L3 looks like for Governance · the next rung

Where you are (L3 Defined): AI team, AI Council, AI Center of Excellence, or equivalent in place to guide usage. Initial AI policies in use for AI-supported development, AI-powered applications, or both. Basic adoption of procedures, standards and benchmarks (e.g., AICM). Partial control objectives established for at least one provider. AI deployment/application registry in place. General AI safety guidelines established.

The next rung (L4 Capable): Central AI team has subject matter experts for current AI models/providers and responsibility and authority to set rules/baselines. Developer policies for AI usage in place with training. AI security control objectives for AI-supported development and applications in use, with initial automated tracking. AI safety policies established for different use cases. Cross-functional AI ethics/safety review process for high-risk use cases.

Verbatim from CSA AISMM v3.7; your level stays a provisional self-assessment.

Peer benchmark

Not enough peer data yet for Identity Security — need at least 5 other orgs’ runs, currently 1. No comparison is shown below that floor; this is a real count, not a placeholder.

Autonomy by workflow step (AI-CMM)

Joiner / mover / leaver L2 Assisted
Access provisioning L2 Assisted
Privileged-access break-glass L2 Assisted
Access review L2 Assisted
Identity recertification L2 Assisted

Plays. Can this function run them at its current autonomy?

Each play names the controls it requires before running at an autonomy level, and the key performance indicator (KPI) it moves. Judged here at your current adopt level (L2) from this run’s answers, a control the diagnostic didn’t ask about reads not yet assessed, never assumed. Browse the full catalog →

Access-review assistAI-secure the enterpriseKPI: Review completion time 3/3 controls evidenced✓ no gaps found

Use cases: each play plotted on the grid

Use cases are the third placeable unit, alongside functions on /board and AI Controls Matrix (AICM) domains on the per-run card. v1 seeds one canonical use case per play in this function; your own concrete instances replace these as the measurement layer ships. Ungoverned dots () signal the gate caught autonomy ahead of maturity.

Autonomy × Maturity — each play in this function plotted as a use case

Maturity (AISMM) →
Mature autonomyUngoverned ⚠Over-controlledNot started

Autonomy (AI-CMM) → Manual · Assisted · Augmented · Autonomous

Access-review assistAI-secure the enterpriseM4 · A2

Maturity from this run’s governance reading; autonomy capped at min(your function’s autonomy, the play’s catalog ceiling). All use cases are within the gate at the current reading. Real per-use-case grading arrives with the measurement layer.

Gaps register

The hard gaps to close, consolidated: every cell where autonomy outran the control’s maturity, the workflow steps running ahead of the gate, and the controls you marked absent. This is the diagnosis the action plan below is fitted to, not a coverage scoreboard.

No hard gaps found in what was assessed: no control marked absent, no cell where autonomy outran maturity, and autonomy within the gate. Maturity is still bounded by the weakest dimension above.

AI analysis

Identity Security operates at a Defined governance maturity (3.5/5), with IAM practices ahead at Level 4 while Governance lags at Level 3. The function shows strong process and technology foundations (both L4) but people capability trails at L3, creating a structural imbalance. AI autonomy sits at Level 2 with headroom to Level 3, indicating readiness for expanded machine decision-making once human-layer weaknesses close. The core pattern is mature tooling outpacing the team's ability to govern and operate it consistently.

Strengths

  • IAM capabilities reach Level 4, providing robust technical controls for authentication, authorization, and access lifecycle management
  • Process maturity at Level 4 indicates well-documented, repeatable workflows with measurement and feedback loops in place
  • Technology maturity at Level 4 ensures modern tooling and automation support identity operations at scale

Gaps, by priority

  • Governance at Level 3 creates oversight risk—policies exist but lack the rigor, integration, or enforcement mechanisms seen in IAM execution
  • People capability at Level 3 limits the function—skills, training, or organizational clarity insufficient to match the sophistication of process and technology layers
  • AI autonomy restricted to Level 2 despite gate allowance of Level 3, leaving efficiency gains and faster threat response on the table

Recommended next step

Invest in people capability to close the L3 gap: formalize role definitions, competency frameworks, and training paths that align identity security staff with the maturity of existing processes and tools. This single lift will stabilize governance execution and unlock the approved autonomy increase.

AI-assisted reading of your self-reported answers — not certified.

Generated Jul 5, 2026

Ranked action plan: the fitted few

Targeted at your weakest capability dimensions. Each gets interventions of its own kind: weak People means training, never another tool; weak Process means runbooks and policies; weak Technology draws from vendor features, automation, and the curated core skill set, never the full library. Candidates from the play catalog; fit happens per ecosystem.

People · L3 → L4

Weakest dimension at Defined.

Process · L4 → L5

Weakest dimension at Capable.

Technology · L4 → L5

Weakest dimension at Capable.

Vendor AI featureIGA platform’s AI access-insight features, scoped to review campaigns · Access-review assist
Deterministic automationDeterministic revocation playbook for non-responses past the deadline · Access-review assist

Core skills (curated set, the inventory is raw material)

  • Performing Access Review And Certification · Access-review assist
  • Performing Privileged Account Access Review · Access-review assist

Rollout: phased from your reading

Each AISMM category for Identity Security is sequenced by its current level. Weakest categories land in Start now; the rest follow as Next and Later. Targets are capped at L5. This phasing is derived; re-assess to see it shift.

L1
L2
L3
L4
L5
Governance
Move from L3 → L5.
IAM
Plan for L4 → L5 once Phase 1 controls land.
Start now
Next
Later
Current
Target

Set your own targets

Pick where each category should land. The roadmap below sequences the gaps Foundational first, then Structural, then Procedural — CSA’s own domain ordering, not an invented dependency graph — and by gap size within a domain.

IAM
L4 nowL4
Governance
L3 nowL3

Independent assessment

A second, independent read of the same run — an auditor or a peer team answering the same controls. Saved separately; it never overwrites the self-reported track above.

Implement

Tick the prescribed skills as you fit and operate them. Re-assess to see the categories move.

Implemented 0/2

Progress

This is the first run for Preview Test Org · Identity Security. Re-assess later to track movement here.

Roll-up to the board

This function owns these AICM domains on the board. Each board number is this reading’s evidence, nothing modelled — re-assess any function and its row moves. This is the second altitude: see the portfolio →

IAM L4 Capable

Light read now, deeper read next

What you have here is the light, self-assessed read: fast, honest, and enough to see where autonomy has outrun governance. The deeper read is what turns it into proof.

This read (light)

  • Self-assessed against real control objectives
  • A headline posture and the gate verdict
  • The gaps register and the fitted few to close them

The next read (deep)

  • Each control verified against evidence, not self-report
  • Task-level before/after measured on the few skills adopted
  • The same motion run across functions to stand up the practice

Only the deep read earns the word measured; everything on this page is self-assessed until then.

Re-assess this function →See it on the board →

Self-assessed and indicative, governance from AICM control coverage (AISMM), autonomy from the AI-CMM ladder (our model · calibrated to SAE J3016). Skill-to-objective fit is illustrative at this stage. Framework pins: CSA AICM v1.0.3, AI-CMM v1 (our model · calibrated to SAE J3016), CSA AISMM, CSA AI-CAIQ v1.0.2.