An AI Governance Maturity Model

Key takeaways

AI governance has five recognizable stages: ad-hoc, repeatable, defined, managed, and optimized — each with concrete, testable indicators.
The most common mistake is deploying a comprehensive platform at stage 1 before the operational practices exist to use it; tooling amplifies practices, it cannot substitute for them.
Stage 3 (defined) is where controls move from documented-and-hoped-for to enforced at the platform level — the most impactful single transition for most teams.
Each stage transition is blocked by a specific organizational gap, not a technology gap: ownership, enforcement integration, metrics cadence, or feedback loop design.
Governance coverage — the percentage of agents under active, enforced policy — should be tracked as a metric, especially during periods of rapid growth or reorganization.

AI governance maturity describes how systematically an organization controls, audits, and improves the behavior of its AI agents. Programs move through five recognizable stages — ad-hoc, repeatable, defined, managed, and optimized — and each stage has concrete indicators that tell you where you are and what it takes to advance. The model gives teams a shared vocabulary and a sequenced path rather than an abstract mandate to "govern AI better."

Why Agent Governance Needs Its Own Maturity Model

General IT governance frameworks were not designed with autonomous agents in mind. An agent can chain tool calls across systems, process and emit data without a human in the loop, and accumulate permissions over time through the actions it takes. The threat classes are different: prompt injection, autonomous escalation, cross-system data chaining, and runaway spend do not appear in traditional ITSM or even cloud security maturity models.

An AI-specific maturity model focuses on the controls that matter for agents: identity and credentials scoped to the agent itself, per-connection policies that govern what an agent may call and how much it may spend, content guardrails that inspect what flows in and out, and audit trails detailed enough to reconstruct any agent action after the fact. Each stage below is defined in those terms.

Stage 1: Ad-Hoc

At this stage, agents are deployed case by case with no consistent pattern. Each team manages its own integrations. Credentials are shared service accounts or personal API keys embedded in configuration files. There is no central record of what agents exist, what data they can reach, or who is responsible for them.

Incidents are discovered when users report them or when an invoice arrives that is larger than expected. Audit trails, if they exist, are whatever the underlying service logs — not queryable, not attributed to the specific agent that triggered an event.

The defining characteristic of ad-hoc is invisibility. Governance cannot start until you can see what you are governing.

The work at this stage is not to build controls but to build an inventory. Register every agent in a central system. Capture owner, purpose, and the external services it touches. A proper registry that can serve as the source of truth for policy enforcement is the right target, but even a maintained list is better than none. See building an AI agent inventory for a practical starting point.

Stage 2: Repeatable

Repeatable organizations have documented their expectations and apply them consistently, even though enforcement is still largely manual. An agent inventory exists. Written policies describe who may create an agent, what data it may access, and how credentials must be stored. Access reviews happen on a schedule, though they are labor-intensive.

Credentials are nominally per-agent rather than shared, though rotation is infrequent. Access control is role-based at the human level but not yet extended to agents themselves — agents often carry overly broad permissions because least-privilege has not been formally expressed in agent terms.

Monitoring is reactive. You learn about problems when users report them, not from alerts.

The work at this stage is to make the documented checklist enforceable rather than advisory. Attach a defined set of permissions and connection constraints to each agent at registration time. Introduce at least one proactive signal — spend anomaly detection or an error rate threshold — so you are not entirely dependent on user reports to discover problems.

Stage 3: Defined

Defined organizations treat agent governance as a first-class engineering discipline with automated enforcement and a repeatable audit process. This is the stage at which controls move from "documented and hoped-for" to "enforced at the platform level."

Agents authenticate with their own credentials and carry scoped permissions. Every connection from an agent to an external service carries an explicit policy: allowed operations, rate limits, and a spend ceiling that stops requests rather than merely alerting after the fact. Content guardrails inspect what flows in and out — blocking or redacting PII and credentials before they cross sensitive boundaries.

Audit logs capture every authentication event, policy decision, and guardrail trigger. Logs are queryable. When an incident occurs, you can reconstruct what happened from the record rather than from memory or interviews. For guidance on making those records hold up under scrutiny, see audit trails that hold up: cryptographic integrity.

Offboarding is systematic: when a team member leaves, agents they owned have credentials rotated or revoked as part of the same workflow that removes their human access.

A trust model exists at this stage, even if simple. Agents with a clean history receive appropriate latitude; agents recently flagged for violations face tighter constraints.

Stage 4: Managed

Managed organizations measure their governance program quantitatively and use those measurements to drive decisions. Controls are not just in place — their effectiveness is tracked over time.

Key metrics are defined and reviewed regularly: mean time to detect a policy violation, rate of guardrail triggers per agent, percentage of agents with current trust attestations, credential rotation adherence. These figures appear alongside cost and reliability metrics in operational reviews.

The trust model becomes dynamic. An agent's permitted scope can narrow automatically in response to anomalous behavior — elevated error rates, unusual connection patterns, or a spike in guardrail triggers — without requiring a human decision first. Human review validates the adjustment; it does not precede it.

Compliance is evidence-based rather than assertion-based. For each relevant regulatory framework, there is a mapping to specific controls and a defined process for producing evidence on request. Audit trails are tamper-evident, with enough context to reconstruct the state of any agent at any point in the past.

Risk is quantified at the portfolio level. You can answer "which agents represent our largest data exposure?" and prioritize remediation accordingly.

The transition from stage 3 to stage 4 is less about adding controls than about building feedback loops that make existing controls responsive. Metrics that live in a dashboard but do not drive any process are measurement theater.

Stage 5: Optimized

Optimized organizations use governance data to improve agents, not just control them. The program operates as a continuous learning loop across the entire agent lifecycle.

Cost-per-outcome metrics feed back into which agents are expanded or retired. Guardrail violation patterns identify prompting or configuration improvements that reduce future violations. Trust score trends reveal which agent behaviors correlate with downstream quality, informing how new agents are configured before they accumulate behavioral history.

New agents inherit policy templates by default, are monitored from first deployment, and are enrolled in the trust scoring system without manual setup. Exceptions require explicit justification that is itself logged and subject to review.

The governance program is itself versioned and improved. Policies change in response to incident retrospectives, threat model updates, and regulatory developments. The organization can extend trust to agents from partner organizations because its federation controls are mature enough to make the associated risk legible and bounded.

Stage 5 is less a destination than a discipline. The external environment — regulatory requirements, threat models, agent capabilities — keeps changing, and the program must keep pace.

What Blocks Each Transition

The move between stages is a process change more than a technology purchase. Tooling enables transitions; it does not cause them.

Ad-hoc to repeatable: no one owns the problem. Governance needs a named owner with authority to require compliance from other teams.
Repeatable to defined: the checklist exists but is not enforced. Enforcement requires integration with deployment and credential systems, not just documentation.
Defined to managed: controls exist but are not measured. This transition requires defining metrics, building collection tooling, and establishing a review cadence that acts on the data.
Managed to optimized: measurement exists but does not drive improvement. The feedback loop from governance signal to agent configuration needs to be explicitly designed and owned.

The most common mistake is trying to jump from stage 1 to stage 4 by deploying a comprehensive platform before building the operational practices to use it. Tooling amplifies existing practices; it cannot substitute for them.

Praesidia provides the infrastructure that each of these transitions depends on — agent registry, per-connection access policy, enforced spend caps, content guardrails, and tamper-evident audit logs — so teams can adopt capabilities incrementally rather than building each layer from scratch. For a structured way to evaluate whether a platform covers all six requirement domains, see the AI governance platform RFP checklist.

Common questions

Do all AI use cases need to reach stage 5?

No. The appropriate target depends on your risk profile, the autonomy of your agents, and regulatory exposure. An internal productivity tool with limited external integrations may be well-governed at stage 3. An agent with access to financial systems or customer PII warrants stage 4 or 5 posture. Risk classification should drive the target, not an aspirational desire to score well on every dimension.

How do I determine which stage we are actually at?

Identify the lowest stage where a significant characteristic does not hold. If your agent inventory is incomplete, you are at stage 1 regardless of how sophisticated your monitoring is — monitoring an incomplete inventory creates false confidence. The stages are cumulative: each assumes the properties of the stages below it. Gaps in foundational controls do not disappear because you have layered later-stage tooling on top of them.

Can a governance program regress?

Yes. Teams that scale rapidly, are acquired, or are reorganized often find that their governance program does not keep pace with the agent estate it is supposed to cover. A process designed for ten agents may behave more like stage 2 when managing two hundred, because manual steps do not scale. Treat governance coverage — the percentage of agents under active, enforced policy — as a tracked metric, especially during periods of organizational change. The AI agent compliance checklist for 2026 has more guidance on building a sustainable program.