AI governance maturity is the degree to which an organisation can reliably align its AI to the right problems, control how those systems behave in production, and evidence that control, consistently, across its whole AI estate, rather than case by case. It runs along a curve from ad hoc, where AI is used without inventory or ownership, through documentary and operational stages, to a run-time stage where governance operates continuously in production, and finally to a stage where governance is a durable source of competitive advantage. Knowing where you actually sit on that curve is the prerequisite for moving along it, and the most common mistake is assuming you are further along than an honest assessment would place you.

This article sets out a five-stage maturity model, what each stage looks like in practice, and how to locate your real starting point. It draws on the lineage of capability-maturity thinking, the plan-do-check-act discipline embedded in ISO/IEC 42001, and McKinsey's 2026 AI trust work, which now grades organisations across dimensions including strategy, risk management, data and technology, governance, and, newly, agentic AI governance and controls. The framing here is our own, built around the distinction that matters most in 2026: whether governance actually operates where AI risk is realised, which is at run-time.

Why measure maturity at all?

A checklist tells you whether something exists. A maturity model tells you how well it works, how consistently, and whether it holds under pressure. That distinction is the whole point. A policy can exist and govern nothing. A control can be written and never run. Maturity measures the gap between what your governance claims and what it does.

The reason this matters commercially is that the gap between AI adoption and AI governance is now where cost accumulates. As systems become more autonomous and more consequential, organisations without clear accountability, robust controls, and effective monitoring face slower adoption, higher impact when something goes wrong, and eroding trust from the stakeholders they depend on. McKinsey's framing is direct: firms that treat AI trust as a core business capability, rather than a compliance requirement, are the ones positioned to scale AI to its full potential. Maturity is not a virtue badge. It is what lets you go faster safely.

The five stages of AI governance maturity

Stage 1: Ad hoc

Governance is absent or accidental. AI is being used, often far more widely than anyone realises through shadow tools, but there is no inventory, no agreed ownership, and no consistent way decisions get made. Risk is being taken; it is simply not being seen. Most organisations that believe they are further along are honestly here, because the unmeasured shadow usage outweighs the governed usage they can point to. The defining feature of Stage 1 is that the organisation cannot answer a basic question: what AI are we actually running, and who owns it.

Stage 2: Documentary

Governance exists on paper. There is an AI policy, often a good one, written and then largely shelved. It is produced for audits and procurement questionnaires but does not change how systems are built or how they behave in production. This is the governance theatre stage, and it is dangerous precisely because it feels like progress. The paperwork creates a confidence the controls have not earned. Stage 2 organisations can show you a policy. They cannot show you that any system is actually behaving according to it.

Stage 3: Operational

Governance starts to bite at design time. The organisation has a real inventory of its AI systems, each consequential one has a named owner, controls are matched to the risk of the system rather than applied uniformly, and decisions about what to deploy and what to restrain go through a known process rather than being re-litigated each time. This is where governance begins to pay for itself, because the path to scaling a new use case is now fast and clear. Stage 3 is a substantial achievement, and it is where many genuinely well-run organisations top out. But it has a blind spot: its controls largely operate before deployment. Once a system is live, the governance goes quiet.

Stage 4: Run-time

Governance operates continuously in production, where AI risk is actually realised. The organisation observes what its systems do in production, evaluates that behaviour against thresholds as it happens, enforces in real time, blocking, redacting, routing, or halting, and maintains a continuous evidence trail of what occurred and why. For generative systems this means monitoring outputs for safety, drift, and hallucination; for agents it means tracking decisions and actions across their full chain and intervening when they exceed scope. Stage 4 is the stage most organisations skip, because it requires capability the documentary and operational stages do not, and it is the stage that distinguishes governance that describes intended behaviour from governance that controls actual behaviour. It is also, not coincidentally, where the regulatory expectations of 2026 are heading, from the EU AI Act's logging and oversight requirements to UK regulators' demand for ongoing outcome monitoring.

Stage 5: Advantage

Governance is a durable capability and a source of competitive advantage. It is embedded early in design and operates continuously in production. It adapts as regulation and technology shift, satisfying the EU AI Act, ISO 42001, and UK sector regulators as a by-product of doing the work well rather than as separate projects. It is proactive about emerging risks, agentic AI being the current frontier, before incidents force the issue. And it is visible to customers and boards as evidence that the organisation can be trusted with AI, which shortens sales cycles and survives scrutiny. At Stage 5, governance is no longer a cost the business tolerates. It is a capability the business competes on.

How to find your real starting point

The value of a maturity model is not the score. It is the honesty it forces. The most expensive mistake is an organisation that believes it is operational, Stage 3, building its strategy on that assumption, when an honest look would place it at Stage 2, with a good policy sitting on top of ungoverned reality.

A genuine assessment works by testing claims against evidence across a few dimensions. On visibility, can you produce a current inventory of every AI system you run, including shadow usage, or only the ones that went through a formal process? On ownership, does each consequential system have a named owner who could be held accountable today, or does responsibility dissolve when you ask? On control, are your controls matched to risk and, crucially, do any of them operate in production, or do they all stop at sign-off? On evidence, could you reconstruct what a given system did and why, this afternoon, if a regulator asked? And on readiness, is your governance keeping pace with where your AI is heading, particularly as systems become autonomous?

The answers are usually less comfortable than the policy suggests, and that discomfort is the point. The gap between the stage an organisation claims and the stage its evidence supports is, almost always, the gap between design-time and run-time. Plenty of organisations have reached Stage 3 on paper. Far fewer have reached Stage 4 in production, which is exactly why it is the stage worth aiming for.

Moving along the curve

Each stage is reachable from the one before it, and none is reachable from a story you are telling yourself about where you already are. Stage 1 to Stage 2 is the policy work most organisations have done. Stage 2 to Stage 3 is operationalising it: inventory, ownership, risk-tiered controls, a real approval process. Stage 3 to Stage 4 is the leap most never make: extending governance into production with monitoring, real-time enforcement, and continuous evidence, which is where the run-time governance discipline and the platforms that support it come in. Stage 4 to Stage 5 is making the whole capability adaptive and treating it as an asset to compete on rather than an obligation to discharge.

Maturity is not built by pretending you are further along than you are. It is built by finding your real starting line and moving deliberately from there. The organisations that will be trusted with AI, by regulators, boards, and customers, are not the ones with the best policy. They are the ones whose governance actually operates where their AI actually runs.

Frequently asked questions

What is an AI governance maturity model?It is a framework that describes stages of capability, from ad hoc and undocumented through to advanced and adaptive, allowing an organisation to assess how reliably and consistently it governs its AI rather than simply whether governance documents exist.

How do I assess my organisation's AI governance maturity?Test claims against evidence across visibility (can you inventory all AI in use), ownership (does each system have an accountable owner), control (are controls risk-matched and do any operate in production), evidence (could you reconstruct a system's behaviour on demand), and readiness (is governance keeping pace with autonomy). The honest answers locate your stage.

What is the difference between operational and run-time governance maturity?Operational maturity (Stage 3) means governance works at design time: inventory, ownership, risk-tiered controls, approval processes. Run-time maturity (Stage 4) means governance also operates continuously in production, monitoring, enforcing, and evidencing actual behaviour. Most organisations reach Stage 3 and stop short of Stage 4, where AI risk is actually realised.

Why is run-time governance the stage most organisations skip?Because it requires capability the earlier stages do not: production monitoring, real-time enforcement, and continuous evidence, rather than documents and pre-deployment approvals. It is harder, which is why it is also where competitive separation happens.

Our AI Governance Maturity Assessment is built to give you your real starting line, the one your evidence supports rather than the one your policy claims, and a clear path to the next stage. Aligne is an AI governance advisory and implementation partner for UK enterprises and an IBM Gold partner.

Blog

Our latest news

Stay Informed: Engage with our Blog for Expert Analysis, Industry Updates, and Insider Perspectives

All Posts
Services Image
ISO 42001 and the Evidence Problem: Why Good Intentions Don't Survive an Audit
ISO/IEC 42001 is the first international standard for AI management systems, and its real value is that it forces an organisation to turn good intentions about AI governance into evidence that can survive an audit, a regulator's query, or an enterprise buyer's due diligence.
Read Details
Services Image
The EU AI Act and UK Enterprises: What Actually Applies, and When
UK enterprises are caught by the EU AI Act whenever they place an AI system on the EU market, or where the output of their AI system is used in the EU, regardless of the UK's departure from the bloc.
Read Details
Services Image
Who Is Accountable When the Software Decides? AI, Automated Decisions and the Ownership Gap
When an AI system decides something about a person, a loan declined, an application screened out, a claim flagged, a price set, the organisation deploying that system is accountable for the decision, not the software.
Read Details

Ready to Take the First Step?

let’s design the governance framework your AI strategy deserves

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
bg elementbg elementLet's Talk