ai · security · skills

Reskill · GRA

Security Governance, Risk & Assurance

A team adopted an AI tool to move faster. No one asked you, and there is no record of who decided.

Governance that authorizes autonomy before it runs, not after the incident, is the skill.

Start with these skills

  1. Write continuity plans that include AI services
  2. Keep continuity documentation current as AI lands
  3. Run incident communications when AI is the outage
  4. Back up what an AI service needs to come back
  5. Plan disaster response with AI services in the map

The rung you have to reach

Governance

Overall governance of artificial intelligence, including use of AI tools, AI services, and creating AI powered or integrated applications. Includes AI safety and ethics policies.

L1 · Initial

No coordinated AI governance. Teams self-manage AI usage with self-selected tools and providers. No AI-specific policies, procedures, or safety/ethics guidance.

L2 · Repeatable

Initial AI usage policies established with basic guidance (e.g., "do not share sensitive enterprise or customer data with generative AI"). No AI-specific governance structures or designated management in place. Policies include high-level safety/ethics statements. Some AI-related procedures documented but not consistently followed across the organization.

L3 · Defined

AI team, AI Council, AI Center of Excellence, or equivalent in place to guide usage. Initial AI policies in use for AI-supported development, AI-powered applications, or both. Basic adoption of procedures, standards and benchmarks (e.g., AICM). Partial control objectives established for at least one provider. AI deployment/application registry in place. General AI safety guidelines established.

L4 · Capable

Central AI team has subject matter experts for current AI models/providers and responsibility and authority to set rules/baselines. Developer policies for AI usage in place with training. AI security control objectives for AI-supported development and applications in use, with initial automated tracking. AI safety policies established for different use cases. Cross-functional AI ethics/safety review process for high-risk use cases.

L5 · Efficient

Governance is monitored and managed using automated tooling (models/provider version compliance, guardrails coverage, agent/MCP registries). Defined process to update control objectives/specifications as AI providers and tools add/modify services and release new models. AI ethics review board in place with enforcement authority.

This function also touches: Infrastructure Security and Resilience, Risk & Provider Assessment & Management, Privacy and Compliance.

our model · calibrated to SAE J3016

Your syllabus

The plays that climb the rung.

Security-questionnaire & vendor-risk response

Answer inbound security questionnaires and assess vendors against the org’s control baseline.

Moves: Questionnaire turnaround

Show the exact control IDs (for your security & GRC team)

L2 GRC-09, HRS-15, DSP-17 · L3 GRC-15, STA-13, LOG-16 · L4 LOG-12, IAM-18

Audit-evidence preparation

Collect, organise and narrate the evidence pack for internal and external audits.

Moves: Evidence-collection time per audit

Show the exact control IDs (for your security & GRC team)

L2 A&A-05, A&A-01, DSP-17 · L3 A&A-06, GRC-15, LOG-16 · L4 A&A-03, LOG-12

Autonomy must not outrun maturity. The gate holds each rung until its controls are evidenced. The gate framework: eight gates, three lanes →

Baseline Security Governance, Risk & Assuranceopen to run · research access to saveBack to the maturity read