Reskill · GRA
Security Governance, Risk & Assurance
A team adopted an AI tool to move faster. No one asked you, and there is no record of who decided.
Governance that authorizes autonomy before it runs, not after the incident, is the skill.
Start with these skills
- Write continuity plans that include AI services
- Keep continuity documentation current as AI lands
- Run incident communications when AI is the outage
- Back up what an AI service needs to come back
- Plan disaster response with AI services in the map
The rung you have to reach
Governance
Overall governance of artificial intelligence, including use of AI tools, AI services, and creating AI powered or integrated applications. Includes AI safety and ethics policies.
L1 · Initial
No coordinated AI governance. Teams self-manage AI usage with self-selected tools and providers. No AI-specific policies, procedures, or safety/ethics guidance.
L2 · Repeatable
Initial AI usage policies established with basic guidance (e.g., "do not share sensitive enterprise or customer data with generative AI"). No AI-specific governance structures or designated management in place. Policies include high-level safety/ethics statements. Some AI-related procedures documented but not consistently followed across the organization.
L3 · Defined
AI team, AI Council, AI Center of Excellence, or equivalent in place to guide usage. Initial AI policies in use for AI-supported development, AI-powered applications, or both. Basic adoption of procedures, standards and benchmarks (e.g., AICM). Partial control objectives established for at least one provider. AI deployment/application registry in place. General AI safety guidelines established.
L4 · Capable
Central AI team has subject matter experts for current AI models/providers and responsibility and authority to set rules/baselines. Developer policies for AI usage in place with training. AI security control objectives for AI-supported development and applications in use, with initial automated tracking. AI safety policies established for different use cases. Cross-functional AI ethics/safety review process for high-risk use cases.
L5 · Efficient
Governance is monitored and managed using automated tooling (models/provider version compliance, guardrails coverage, agent/MCP registries). Defined process to update control objectives/specifications as AI providers and tools add/modify services and release new models. AI ethics review board in place with enforcement authority.
This function also touches: Infrastructure Security and Resilience, Risk & Provider Assessment & Management, Privacy and Compliance.
our model · calibrated to SAE J3016
Your syllabus
The plays that climb the rung.
Security-questionnaire & vendor-risk response
Answer inbound security questionnaires and assess vendors against the org’s control baseline.
Moves: Questionnaire turnaround ↓
Show the exact control IDs (for your security & GRC team)
L2 GRC-09, HRS-15, DSP-17 · L3 GRC-15, STA-13, LOG-16 · L4 LOG-12, IAM-18
Audit-evidence preparation
Collect, organise and narrate the evidence pack for internal and external audits.
Moves: Evidence-collection time per audit ↓
Show the exact control IDs (for your security & GRC team)
L2 A&A-05, A&A-01, DSP-17 · L3 A&A-06, GRC-15, LOG-16 · L4 A&A-03, LOG-12
Autonomy must not outrun maturity. The gate holds each rung until its controls are evidenced. The gate framework: eight gates, three lanes →