Essay
Step-one deliverable: a YES / NO / NA answer for every control objective — each one earned with evidence, never self-asserted.
3 June 2026 · 5 min read · Binu Chacko
Situation
“Are we covered?” is the board’s favorite AI question.
Complication
Coverage gets claimed by tool inventory, not by control evidence — and the two diverge quietly.
The question
“What does honest coverage measurement look like?”
The answer
Per-objective evidence states with tiered scoring: no credit above a hollow floor, no coverage without a named artifact.
Every engagement starts with the same artefact: a YES / NO / NA answer for each of the 247 control objectives in the Cloud Security Alliance (CSA) AI Controls Matrix (AICM), across all 18 domains — each answer grounded in an evidence artefact, never a self-assertion. This document explains what that assessment contains, how an answer is earned, and how to read the result.
A maturity grade without a control inventory is an opinion. The coverage assessment fixes the territory first: what exactly is this function doing, control by control? Only once the YES/NO/NA map exists does an AI Security Maturity Model (AISMM) placement mean anything — the scorecard grades the checklist, not the other way round.
The discipline is the artefact rule: every YES costs evidence. That is what makes the baseline defensible in front of a board or an auditor.
One row per control objective: the objective id and title, the answer, the evidence reference, the owner, and a note where the implementation is partial. Rolled up, it gives per-domain coverage — and the explicit gap list that feeds the remediation roadmap.
Every objective in the assessment exists in this app: open a domain in the library drill to see each objective’s specification, its authoritative crosswalk (ISO/IEC 42001 · EU AI Act · NIST AI 600-1 · BSI AIC4), and the per-provider auditing steps — the same steps an assessor walks when deciding whether your evidence earns a YES.
Honesty note: coverage is a baseline, not value. A function can be fully covered and still slow; the value claim only arrives later, as a measured task-level before/after on the few skills actually fitted. Source: Cloud Security Alliance (CSA) AI Controls Matrix (AICM) v1.1.0 and AI Consensus Assessments Initiative Questionnaire (AI-CAIQ) v1.1.0, used with attribution per CSA terms.
← Newer essay
How a Skill Is Built and Fitted to Your Function
Older essay →
Placing a Function on the AISMM Scale
Subscribe for the next essay.