Maturity model · Identity Security
Prod Test Org
Assessed Jul 5, 2026 · run 1 of 1 · CSA AICM v1.0.3 · AI-CMM v1 (our model · calibrated to SAE J3016) · CSA AISMM · CSA AI-CAIQ v1.0.2
Early
Self-assessed
Held to the weakest of People, Process, Technology (L1, tier 2 not yet evidenced). Autonomy is ahead of governance — the gate flags it below. A self-assessment, never a measured or certified result.
The maturity radar
Self-assessedMaturity · governance (AISMM · L1–L5) · this function
How well-governed Identity Security is across the 12 AISMM categories, L1 hub to L5 rim. Measures 2 of 12; dashed spokes are outside scope, not zeros.
Foundational
1 Governance
2 Org Mgmt
3 IAM
4 Monitoring
Structural
5 Infrastructure
6 Model Sec
7 App Sec
8 Data Sec
Procedural
9 Provider Risk
10 Supply Chain
11 Privacy
12 Incident Resp
Autonomy · AI adoption (AI-CMM · L1–L4) · the org portfolio
How far AI adoption has advanced in each of the 8 security functions, Manual → Autonomous — the wider frame Identity Security sits in. our model · calibrated to SAE J3016.
Two axes: governance maturity (AISMM, 5 levels) vs AI autonomy (AI-CMM, 4 levels, our authored ladder). Set targets below to see the dashed overlay. The autonomy lens is the org portfolio, self-assessed where a run exists, illustrative otherwise.
Govern · AISMM
L1.0
Initial · avg of 2 categories
Adopt · AI-CMM
L1.4
Manual · our model · calibrated to SAE J3016, not a Cloud Security Alliance (CSA) standard
The gate
Autonomy ahead of governance
Coverage governs autonomy up to L1. Some steps run above that, close the govern gap or pull autonomy back.
Govern reads the AI Security Maturity Model (AISMM); Adopt reads the AI Cyber Maturity Model (AI-CMM).
Capability · People · Process · Technology
The same control answers, read on the three dimensions a program is actually managed by (our lens over Cloud Security Alliance (CSA) control text). Capability is bounded by the weakest dimension, tooling alone can’t carry it.
The lever names itself: weak People is fixed by training and champions; weak Process by runbooks and review cadences; weak Technology by vendor features, automation or fitted skills. The PPT grouping is our authored interpretation of the CSA control objectives.
Governance by category (AISMM)
Peer benchmark
Not enough peer data yet for Identity Security — need at least 5 other orgs’ runs, currently 1. No comparison is shown below that floor; this is a real count, not a placeholder.
Autonomy by workflow step (AI-CMM)
Plays. Can this function run them at its current autonomy?
Each play names the controls it requires before running at an autonomy level, and the key performance indicator (KPI) it moves. Judged here at your current adopt level (L1) from this run’s answers, a control the diagnostic didn’t ask about reads not yet assessed, never assumed. Browse the full catalog →
Use cases: each play plotted on the grid
Use cases are the third placeable unit, alongside functions on /board and AI Controls Matrix (AICM) domains on the per-run card. v1 seeds one canonical use case per play in this function; your own concrete instances replace these as the measurement layer ships. Ungoverned dots (⚠) signal the gate caught autonomy ahead of maturity.
Autonomy × Maturity — each play in this function plotted as a use case
Autonomy (AI-CMM) → Manual · Assisted · Augmented · Autonomous
Maturity from this run’s governance reading; autonomy capped at min(your function’s autonomy, the play’s catalog ceiling). All use cases are within the gate at the current reading. Real per-use-case grading arrives with the measurement layer.
Gaps register
The hard gaps to close, consolidated: every cell where autonomy outran the control’s maturity, the workflow steps running ahead of the gate, and the controls you marked absent. This is the diagnosis the action plan below is fitted to, not a coverage scoreboard.
AI analysis
Identity Security operates at the foundation tier across all dimensions. Both IAM and Governance categories score L1, capped by missing evidence for tier 2 coverage. The function granted AI systems autonomy level 1.4 while maturity stands at L1, creating a gate violation where automated decision-making outpaces control maturity. People, process, and technology all remain at L1, indicating no dimension has advanced beyond initial capabilities.
Strengths
- Foundation-level controls exist in both IAM and Governance, establishing a starting baseline for identity management.
Gaps, by priority
- Autonomy granted to AI systems exceeds maturity gates by 0.4 levels, allowing automated decisions without adequate oversight or rollback mechanisms.
- All three capability dimensions lack tier 2 evidence, blocking any category from advancing beyond L1 regardless of individual improvements.
- No documented levers are available to address people or process gaps, suggesting unclear pathways for capability advancement.
Recommended next step
Immediately reduce AI system autonomy from 1.4 to 1.0 to close the gate violation, then focus on building tier 2 evidence in one dimension—likely process through documented procedures for identity lifecycle management—to unblock the L1 ceiling across both categories.
AI-assisted reading of your self-reported answers — not certified.
Ranked action plan: the fitted few
Targeted at your weakest capability dimensions. Each gets interventions of its own kind: weak People means training, never another tool; weak Process means runbooks and policies; weak Technology draws from vendor features, automation, and the curated core skill set, never the full library. Candidates from the play catalog; fit happens per ecosystem.
People · L1 → L2
Capped: tier 2 not yet evidenced.
Process · L1 → L2
Capped: tier 2 not yet evidenced.
Technology · L1 → L2
Capped: tier 2 not yet evidenced.
Core skills (curated set, the inventory is raw material)
- Performing Access Review And Certification · Access-review assist
- Performing Privileged Account Access Review · Access-review assist
Rollout: phased from your reading
Each AISMM category for Identity Security is sequenced by its current level. Weakest categories land in Start now; the rest follow as Next and Later. Targets are capped at L5. This phasing is derived; re-assess to see it shift.
Set your own targets
Pick where each category should land. The roadmap below sequences the gaps Foundational first, then Structural, then Procedural — CSA’s own domain ordering, not an invented dependency graph — and by gap size within a domain.
Independent assessment
A second, independent read of the same run — an auditor or a peer team answering the same controls. Saved separately; it never overwrites the self-reported track above.
Implement
Tick the prescribed skills as you fit and operate them. Re-assess to see the categories move.
Implemented 0/2
Progress
This is the first run for Prod Test Org · Identity Security. Re-assess later to track movement here.
Roll-up to the board
This function owns these AICM domains on the board. Each board number is this reading’s evidence, nothing modelled — re-assess any function and its row moves. This is the second altitude: see the portfolio →
Light read now, deeper read next
What you have here is the light, self-assessed read: fast, honest, and enough to see where autonomy has outrun governance. The deeper read is what turns it into proof.
This read (light)
- Self-assessed against real control objectives
- A headline posture and the gate verdict
- The gaps register and the fitted few to close them
The next read (deep)
- Each control verified against evidence, not self-report
- Task-level before/after measured on the few skills adopted
- The same motion run across functions to stand up the practice
Only the deep read earns the word measured; everything on this page is self-assessed until then.
Self-assessed and indicative, governance from AICM control coverage (AISMM), autonomy from the AI-CMM ladder (our model · calibrated to SAE J3016). Skill-to-objective fit is illustrative at this stage. Framework pins: CSA AICM v1.0.3, AI-CMM v1 (our model · calibrated to SAE J3016), CSA AISMM, CSA AI-CAIQ v1.0.2.