
AI governance maturity gaps: are your controls proving anything?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 3789
Topic starter  

TL;DR: AI governance maturity models measure whether organisations can actually see, control, and prove governance across employees, models, applications, and agents, and the WEF survey found 81% remain in the first two stages of responsible AI maturity. The real test is not policy existence but operational enforcement, auditability, and runtime defence that can stand up when regulators or boards ask for evidence.

NHIMG editorial — based on content published by WitnessAI: AI governance maturity determines whether an organization can see its AI activity clearly, govern it consistently, and prove that governance when someone asks.

By the numbers:

Questions worth separating out

Q: How should organisations assess AI governance maturity in practice?

A: Assess maturity by asking whether your programme can prove control, not just describe it.

Q: Why does Shadow AI undermine AI governance maturity scores?

A: Shadow AI undermines maturity because you cannot govern what you cannot see.

Q: When should organisations move from policy review to runtime AI controls?

A: Move to runtime controls as soon as AI systems can make decisions or trigger actions that affect data, workflows, or external systems.

Practitioner guidance

  • Assess governance against operational evidence: score your programme on whether it can produce inventories, audit trails, risk classifications, and incident records on demand.
  • Build a complete AI use-case inventory: catalog sanctioned, pilot, and Shadow AI across employees, applications, models, and agents.
  • Assign clear governance ownership: name an accountable executive and create a cross-functional committee that includes security, legal, compliance, HR, and AI or data science leaders.

What's in the full article

WitnessAI's full blog post covers the operational detail this post intentionally leaves for the source:

  • Step-by-step explanation of the four maturity levels and how each maps to NIST AI RMF, ISO 42001, EU AI Act, and DORA.
  • Detailed scoring guidance for moving from policy-led governance to continuous runtime enforcement.
  • Product-specific examples of network-level visibility, intent-based controls, and runtime guardrails across employee and agent activity.
  • Benchmark details on organisational maturity, control gaps, and readiness indicators.

👉 Read WitnessAI's analysis of AI governance maturity models and control gaps →

(@mr-nhi)
Member Moderator
Joined: 4 weeks ago
Posts: 2127
 

AI governance maturity is not a policy problem, it is a control problem. Organisations often score themselves on documents, committees, and stated principles, but those artefacts do not prove governance is working. The meaningful divide is between declared governance and operational enforcement, because only the latter can show whether AI behaviour is constrained in live environments. Practitioners should treat maturity as evidence of control execution, not evidence of intent.

A few things that frame the scale:

  • Only 18% of organisations have established AI governance councils, according to The State of Non-Human Identity Security.
  • 1 in 4 organisations are already investing in dedicated NHI security capabilities, showing that governance gaps are beginning to drive programme spend.

A question worth separating out:

Q: What is the difference between AI governance maturity and AI compliance?

A: Compliance asks whether required obligations are met, while maturity asks whether governance works consistently across the full operating model. A compliant-looking policy can still fail if controls are manual, incomplete, or unenforced. Mature governance proves that the organisation can sustain control, evidence, and escalation over time.

👉 Read our full editorial: AI governance maturity models expose the gap between policy and control
