ai · security · skills
← Registry

Maturity model · Identity Security

Prod Test Org

Assessed Jul 5, 2026 · run 1 of 1 · CSA AICM v1.0.3 · AI-CMM v1 (our model · calibrated to SAE J3016) · CSA AISMM · CSA AI-CAIQ v1.0.2

0%

Early

Self-assessed

Held to the weakest of People, Process, Technology (L1, tier 2 not yet evidenced). Autonomy is ahead of governance — the gate flags it below. A self-assessment, never a measured or certified result.

The maturity radar

Self-assessed

Maturity · governance (AISMM · L1–L5) · this function

How well-governed Identity Security is across the 12 AISMM categories, L1 hub to L5 rim. Measures 2 of 12; dashed spokes are outside scope, not zeros.

12345Governance1Organization Management · not covered by this instrument2IAM3Security Monitoring · not covered by this instrument4Infrastructure Security and Resilience · not covered by this instrument5Model Security · not covered by this instrument6App Security · not covered by this instrument7Data Security · not covered by this instrument8Risk & Provider Assessment & Management · not covered by this instrument9AI Supported Development and Supply Chain Security · not covered by this instrument10Privacy and Compliance · not covered by this instrument11Incident Response · not covered by this instrument12FoundationalStructuralProcedural
This run
Levels1 Initial2 Repeatable3 Defined4 Capable5 Efficient

Foundational

1 Governance

2 Org Mgmt

3 IAM

4 Monitoring

Structural

5 Infrastructure

6 Model Sec

7 App Sec

8 Data Sec

Procedural

9 Provider Risk

10 Supply Chain

11 Privacy

12 Incident Resp

Autonomy · AI adoption (AI-CMM · L1–L4) · the org portfolio

How far AI adoption has advanced in each of the 8 security functions, Manual → Autonomous — the wider frame Identity Security sits in. our model · calibrated to SAE J3016.

1234Identity Security · Self-assessed1Network & Infrastructure Security · illustrative2Endpoint & Workload Security · illustrative3Application & DevSecAIOps Security · Self-assessed4Data Security · illustrative5Cloud & Container Security · illustrative6Security Operations · Self-assessed7Security Governance, Risk & Assurance · Self-assessed8
AI adoption (AI-CMM)
Levels1 Manual2 Assisted3 Augmented4 Autonomous

1 Identity Security

2 Network & Infrastructure Security

3 Endpoint & Workload Security

4 Application & DevSecAIOps Security

5 Data Security

6 Cloud & Container Security

7 Security Operations

8 Security Governance, Risk & Assurance

Two axes: governance maturity (AISMM, 5 levels) vs AI autonomy (AI-CMM, 4 levels, our authored ladder). Set targets below to see the dashed overlay. The autonomy lens is the org portfolio, self-assessed where a run exists, illustrative otherwise.

Govern · AISMM

L1.0

Initial · avg of 2 categories

Adopt · AI-CMM

L1.4

Manual · our model · calibrated to SAE J3016, not a Cloud Security Alliance (CSA) standard

The gate

Autonomy ahead of governance

Coverage governs autonomy up to L1. Some steps run above that, close the govern gap or pull autonomy back.

Govern reads the AI Security Maturity Model (AISMM); Adopt reads the AI Cyber Maturity Model (AI-CMM).

FoundationInformation security: Not yet profiledCloud: Not yet profiledPrivacy: Not yet profiled

Capability · People · Process · Technology

The same control answers, read on the three dimensions a program is actually managed by (our lens over Cloud Security Alliance (CSA) control text). Capability is bounded by the weakest dimension, tooling alone can’t carry it.

PeopleAdministrative · evidence by document L1 Initial2 asked · capped: tier 2 not yet evidenced
ProcessAdministrative · evidence by document L1 Initial3 asked · capped: tier 2 not yet evidenced
TechnologyTechnical · evidence by instrument → L1 Initial3 asked · capped: tier 2 not yet evidenced
Capability, bounded by PeopleL1 Initial · tier 2 not yet evidenced

The lever names itself: weak People is fixed by training and champions; weak Process by runbooks and review cadences; weak Technology by vendor features, automation or fitted skills. The PPT grouping is our authored interpretation of the CSA control objectives.

Governance by category (AISMM)

IAM L1 Initial

0 implemented · 6 partial · 0 absent · capped: tier 2 not yet evidenced

What L1 looks like for IAM · the next rung

Where you are (L1 Initial): AI services and developer tools accessed using personal credentials, shared credentials or user impersonation. Agents inherit full user permissions without scoping. No distinction between human and non-human identities. API keys manually managed with broad access. No MCP or tool authorization in place.

The next rung (L2 Repeatable): Initial use of service accounts or managed identities for AI workloads. SSO for enterprise AI chatbots. Basic OAuth integration for AI application access. Agent permissions defined but not scoped to tasks, agents typically receive user's full authorization. MCP servers, if used, rely on static API keys. Initial documentation of which agents access which resources.

Verbatim from CSA AISMM v3.7; your level stays a provisional self-assessment.

Governance L1 Initial

0 implemented · 2 partial · 0 absent · capped: tier 2 not yet evidenced

What L1 looks like for Governance · the next rung

Where you are (L1 Initial): No coordinated AI governance. Teams self-manage AI usage with self-selected tools and providers. No AI-specific policies, procedures, or safety/ethics guidance.

The next rung (L2 Repeatable): Initial AI usage policies established with basic guidance (e.g., "do not share sensitive enterprise or customer data with generative AI"). No AI-specific governance structures or designated management in place. Policies include high-level safety/ethics statements. Some AI-related procedures documented but not consistently followed across the organization.

Verbatim from CSA AISMM v3.7; your level stays a provisional self-assessment.

Peer benchmark

Not enough peer data yet for Identity Security — need at least 5 other orgs’ runs, currently 1. No comparison is shown below that floor; this is a real count, not a placeholder.

Autonomy by workflow step (AI-CMM)

Joiner / mover / leaver L1 Manual
Access provisioning L2 Assisted
Privileged-access break-glass L1 Manual
Access review L2 Assisted
Identity recertification L1 Manual

Plays. Can this function run them at its current autonomy?

Each play names the controls it requires before running at an autonomy level, and the key performance indicator (KPI) it moves. Judged here at your current adopt level (L1) from this run’s answers, a control the diagnostic didn’t ask about reads not yet assessed, never assumed. Browse the full catalog →

Access-review assistAI-secure the enterpriseKPI: Review completion time 0/3 controls evidenced✓ no gaps found

Use cases: each play plotted on the grid

Use cases are the third placeable unit, alongside functions on /board and AI Controls Matrix (AICM) domains on the per-run card. v1 seeds one canonical use case per play in this function; your own concrete instances replace these as the measurement layer ships. Ungoverned dots () signal the gate caught autonomy ahead of maturity.

Autonomy × Maturity — each play in this function plotted as a use case

Maturity (AISMM) →
Mature autonomyUngoverned ⚠Over-controlledNot started

Autonomy (AI-CMM) → Manual · Assisted · Augmented · Autonomous

Access-review assistAI-secure the enterpriseM1 · A1

Maturity from this run’s governance reading; autonomy capped at min(your function’s autonomy, the play’s catalog ceiling). All use cases are within the gate at the current reading. Real per-use-case grading arrives with the measurement layer.

Gaps register

The hard gaps to close, consolidated: every cell where autonomy outran the control’s maturity, the workflow steps running ahead of the gate, and the controls you marked absent. This is the diagnosis the action plan below is fitted to, not a coverage scoreboard.

cellIAM-01Is there a written rule for who and what can reach your AI systems, and how access is granted and removed?autonomy L2 · governed to L1
cellIAM-13Does signing in to anything that controls the AI require more than a password?autonomy L2 · governed to L1
cellIAM-05Does each person and service get only the access they actually need to the models, training data, and pipelines?autonomy L2 · governed to L1
cellIAM-07When someone changes role or leaves, is their access to the AI systems changed or removed quickly?autonomy L2 · governed to L1
cellIAM-08Is who-can-reach-what reviewed on a regular schedule, with the odd exceptions chased down?autonomy L2 · governed to L1
cellIAM-18Are AI agents that act on their own held to tighter access limits than a normal user?autonomy L2 · governed to L1
stepAccess provisioningruns at L2 · governed only to L1
stepAccess reviewruns at L2 · governed only to L1

AI analysis

Identity Security operates at the foundation tier across all dimensions. Both IAM and Governance categories score L1, capped by missing evidence for tier 2 coverage. The function granted AI systems autonomy level 1.4 while maturity stands at L1, creating a gate violation where automated decision-making outpaces control maturity. People, process, and technology all remain at L1, indicating no dimension has advanced beyond initial capabilities.

Strengths

  • Foundation-level controls exist in both IAM and Governance, establishing a starting baseline for identity management.

Gaps, by priority

  • Autonomy granted to AI systems exceeds maturity gates by 0.4 levels, allowing automated decisions without adequate oversight or rollback mechanisms.
  • All three capability dimensions lack tier 2 evidence, blocking any category from advancing beyond L1 regardless of individual improvements.
  • No documented levers are available to address people or process gaps, suggesting unclear pathways for capability advancement.

Recommended next step

Immediately reduce AI system autonomy from 1.4 to 1.0 to close the gate violation, then focus on building tier 2 evidence in one dimension—likely process through documented procedures for identity lifecycle management—to unblock the L1 ceiling across both categories.

AI-assisted reading of your self-reported answers — not certified.

Generated Jul 5, 2026

Ranked action plan: the fitted few

Targeted at your weakest capability dimensions. Each gets interventions of its own kind: weak People means training, never another tool; weak Process means runbooks and policies; weak Technology draws from vendor features, automation, and the curated core skill set, never the full library. Candidates from the play catalog; fit happens per ecosystem.

People · L1 → L2

Capped: tier 2 not yet evidenced.

Process · L1 → L2

Capped: tier 2 not yet evidenced.

Technology · L1 → L2

Capped: tier 2 not yet evidenced.

Vendor AI featureIGA platform’s AI access-insight features, scoped to review campaigns · Access-review assist
Deterministic automationDeterministic revocation playbook for non-responses past the deadline · Access-review assist

Core skills (curated set, the inventory is raw material)

  • Performing Access Review And Certification · Access-review assist
  • Performing Privileged Account Access Review · Access-review assist

Rollout: phased from your reading

Each AISMM category for Identity Security is sequenced by its current level. Weakest categories land in Start now; the rest follow as Next and Later. Targets are capped at L5. This phasing is derived; re-assess to see it shift.

L1
L2
L3
L4
L5
Governance
Move from L1 → L3. Blocker: tier 2 not yet evidenced.
IAM
Move from L1 → L3. Blocker: tier 2 not yet evidenced.
Start now
Next
Later
Current
Target

Set your own targets

Pick where each category should land. The roadmap below sequences the gaps Foundational first, then Structural, then Procedural — CSA’s own domain ordering, not an invented dependency graph — and by gap size within a domain.

IAM
L1 nowL1
Governance
L1 nowL1

Independent assessment

A second, independent read of the same run — an auditor or a peer team answering the same controls. Saved separately; it never overwrites the self-reported track above.

Implement

Tick the prescribed skills as you fit and operate them. Re-assess to see the categories move.

Implemented 0/2

Progress

This is the first run for Prod Test Org · Identity Security. Re-assess later to track movement here.

Roll-up to the board

This function owns these AICM domains on the board. Each board number is this reading’s evidence, nothing modelled — re-assess any function and its row moves. This is the second altitude: see the portfolio →

IAM L1 Initial

Light read now, deeper read next

What you have here is the light, self-assessed read: fast, honest, and enough to see where autonomy has outrun governance. The deeper read is what turns it into proof.

This read (light)

  • Self-assessed against real control objectives
  • A headline posture and the gate verdict
  • The gaps register and the fitted few to close them

The next read (deep)

  • Each control verified against evidence, not self-report
  • Task-level before/after measured on the few skills adopted
  • The same motion run across functions to stand up the practice

Only the deep read earns the word measured; everything on this page is self-assessed until then.

Re-assess this function →See it on the board →

Self-assessed and indicative, governance from AICM control coverage (AISMM), autonomy from the AI-CMM ladder (our model · calibrated to SAE J3016). Skill-to-objective fit is illustrative at this stage. Framework pins: CSA AICM v1.0.3, AI-CMM v1 (our model · calibrated to SAE J3016), CSA AISMM, CSA AI-CAIQ v1.0.2.