ai · security · skills

Essay

The AICM Coverage Assessment

Step-one deliverable: a YES / NO / NA answer for every control objective — each one earned with evidence, never self-asserted.

3 June 2026 · 5 min read · Binu Chacko

Situation

“Are we covered?” is the board’s favorite AI question.

Complication

Coverage gets claimed by tool inventory, not by control evidence — and the two diverge quietly.

The question

What does honest coverage measurement look like?

The answer

Per-objective evidence states with tiered scoring: no credit above a hollow floor, no coverage without a named artifact.


Every engagement starts with the same artefact: a YES / NO / NA answer for each of the 247 control objectives in the Cloud Security Alliance (CSA) AI Controls Matrix (AICM), across all 18 domains — each answer grounded in an evidence artefact, never a self-assertion. This document explains what that assessment contains, how an answer is earned, and how to read the result.

Why coverage comes before maturity

A maturity grade without a control inventory is an opinion. The coverage assessment fixes the territory first: what exactly is this function doing, control by control? Only once the YES/NO/NA map exists does an AI Security Maturity Model (AISMM) placement mean anything — the scorecard grades the checklist, not the other way round.

How an answer is earned

  • YES — the objective is met and a named evidence artefact proves it: a config export, a pipeline log, a policy with an owner and a review date. No artefact, no YES.
  • NO — the gap is recorded explicitly, with what exists today (partial implementations are written down, not rounded up).
  • NA — out of scope with a written justification (for example, a control owned upstream by your model provider — see the SSRM ownership map).

The discipline is the artefact rule: every YES costs evidence. That is what makes the baseline defensible in front of a board or an auditor.

What the finished assessment looks like

One row per control objective: the objective id and title, the answer, the evidence reference, the owner, and a note where the implementation is partial. Rolled up, it gives per-domain coverage — and the explicit gap list that feeds the remediation roadmap.

Where the working material lives

Every objective in the assessment exists in this app: open a domain in the library drill to see each objective’s specification, its authoritative crosswalk (ISO/IEC 42001 · EU AI Act · NIST AI 600-1 · BSI AIC4), and the per-provider auditing steps — the same steps an assessor walks when deciding whether your evidence earns a YES.

Honesty note: coverage is a baseline, not value. A function can be fully covered and still slow; the value claim only arrives later, as a measured task-level before/after on the few skills actually fitted. Source: Cloud Security Alliance (CSA) AI Controls Matrix (AICM) v1.1.0 and AI Consensus Assessments Initiative Questionnaire (AI-CAIQ) v1.1.0, used with attribution per CSA terms.

← Newer essay

How a Skill Is Built and Fitted to Your Function

Older essay →

Placing a Function on the AISMM Scale

← Back to Insights

Subscribe for the next essay.