We open-sourced gitfence — deterministic guardrails for AI coding agents→ GitHub
Where Does Your AI Governance Actually Stand? A 5-Level Maturity Model
Blog

Where Does Your AI Governance Actually Stand? A 5-Level Maturity Model

Froda AI Team·

Your board asks: "How mature is our AI governance?"

You pause. You have policies — somewhere. You have an agent inventory — partially. You ran a risk assessment last quarter. But you don't have a score. You don't have a level. You have a feeling.

That's the problem. AI governance isn't binary — "we have it" or "we don't." It's a spectrum, and most teams can't point to where they sit on it.

According to KPMG's 2025 global AI study, only 40% of workplaces even have a policy on generative-AI use (source). That means 60% are effectively at Level 0 — no governance at all. But even the 40% who have policies often can't say whether those policies are actually enforced, whether their agents operate under least privilege, or whether they could prove compliance to an auditor tomorrow.

Why a maturity model

Maturity models aren't new. Carnegie Mellon's Software Engineering Institute created CMMI in the late 1980s — a 5-level framework for assessing process maturity that became the gold standard across software, security, and IT operations. The same leveled-assessment pattern shows up in ITIL, CIS, and COBIT. More recently, Microsoft applied the concept specifically to AI governance and security readiness.

We took that proven structure and built our own version — tailored to what actually matters when you're governing AI agents in production, and aligned with our RESPO framework: Register, Establish, Standardize, Protect, Organize.

Here's what each level looks like.

Level 1 — Awareness (ad-hoc)

"We know we have AI agents, but governance is informal."

You've started deploying agents. There's no centralized inventory, no enforced policies, no spend visibility. Individual developers make their own decisions.

The anti-pattern here is shadow AI proliferation — agents deployed without oversight, and nobody knows how many exist or what they can do. This maps to the earliest stage of RESPO: Register. You've started writing things down.

Level 2 — Foundational (documented)

"We have policies on paper and know what AI we run."

You have an agent inventory and written governance policies — but enforcement is inconsistent. The policies exist in documents; the agents never see them. Spend is visible but not capped.

The anti-pattern: governance theater — the PDF nobody reads. Policies that exist on paper but aren't technically enforced at runtime. You know your agents and have stated your rules, but enforcement is passive.

Level 3 — Enforced (operational)

"Policies are enforced at runtime. Agents can't exceed their grants."

This is the inflection point. Policies aren't just written — they're active in the policy engine. Agents operate under least-privilege tool access. Spend is capped. High-risk actions require human approval. Audit evidence is accumulating.

The anti-pattern you've left behind: manual governance — reviewing tool calls in a spreadsheet, relying on people to enforce rules the platform should enforce automatically. At this level, your rules are executable, your agents are bounded, and your spend is capped.

Level 4 — Governed (compliance-ready)

"We can prove it to an auditor."

You've adopted a compliance framework pack (ISO 42001, the OWASP Agentic Top 10) and are actively attesting controls. Multi-agent delegation is governed. The kill switch has been tested. The audit trail is comprehensive.

The anti-pattern: governance silos — each team governing their own agents differently, with no unified framework or evidence trail. This is full RESPO — Register, Establish, Standardize, Protect, Organize — with audit evidence operational.

Level 5 — Optimized (continuous)

"Governance accelerates us."

Multiple framework packs are adopted with high attestation. Cross-framework coverage is leveraged — attest once, satisfy many. Governance spans heterogeneous agent stacks, and your posture improves continuously, not just at audit time.

The anti-pattern to avoid at this stage: innovation stagnation — governance that's solid but static, with no adaptation to new risks, frameworks, or agent capabilities. At Level 5, all five RESPO pillars are operational and continuously improving.

The honest observation

Most organizations today sit between Level 1 and Level 2. They have some agents, maybe some policies — but nothing enforced at runtime.

The jump from Level 2 to Level 3 is where the real value unlocks, because that's where governance moves from documentation to enforcement. It's the difference between "we have a policy" and "the dangerous action literally cannot happen."

Progress is uneven — and that's the point

Real organizations don't advance uniformly across every dimension. You might be Level 4 on policy enforcement but Level 2 on attestation readiness. A single overall number hides that, so we break maturity down into five governance pillars:

PillarWhat it measures
Inventory & OwnershipAgent count, assigned ownership, systems registered
Policy EnforcementPolicies drafted and enforcing, enforce-mode coverage, HITL rules
Access & Spend ControlLeast-privilege tool grants, budgets, spend visibility, egress redaction
Compliance & AttestationFramework packs adopted, attestation progress, vendor assessments
Operational ReadinessKill switch tested, collision prevention, audit activity, delegation governance

Surfacing the unevenness makes the recommendation targeted: your overall level might be 3, but if Compliance & Attestation is still at Level 1, that's where to focus next.

We built this into Terminus — auto-scored

The difference between our model and a slide-deck maturity chart is that ours is auto-scored from real platform data, not a self-assessment questionnaire.

Your level updates as you enable capabilities — register agents, activate policies, configure budgets, adopt frameworks. The maturity roadmap shows exactly where you are, which pillar is weakest, and what to do next, with each recommended action linking straight to the page where you can take it. Governance guidance becomes a roadmap you can actually follow, rather than a score you file away.

Where would you land?

If you had to place your organization on this scale right now, where would it be? And what would it take to get to the next level?

That second question is the one that matters. A maturity model isn't about the grade — it's about making the next step concrete.


Froda AI provides runtime governance infrastructure for autonomous AI systems, helping teams discover, govern, enforce, and audit AI activity in real time. To see your organization's maturity level scored automatically from real data, request a demo.

Written by

Froda AI Team
Froda AI Team

Runtime Governance for AI Systems

Froda AI

The Froda AI team builds runtime governance infrastructure for autonomous AI systems — helping teams discover, govern, enforce, and audit AI activity in real time.