AI Governance Maturity Model: The Five Stages and Where Most Enterprises Actually Sit

AI governance maturity models tend to read as aspirational ladders that everyone climbs eventually. The version that matches what regulators ask for in 2026 has five concrete stages defined by the per-decision evidence the deployer can produce at each level. This piece walks through the five stages, where each stage sits against EU AI Act Article 12 and Fannie Mae LL-2026-04 obligations, and the architectural control that moves an organization to the next stage.

By Parminder Singh · Founder & CEO, DeepInspect Inc.

Compliance & Regulation · ai-governance · ai-governance-maturity-model · compliance · eu-ai-act · risk-management · audit

Most published AI governance maturity models read as aspirational ladders. Stage 1 has no governance. Stage 5 has perfect governance. The stages in between are described in language ("ad-hoc," "defined," "managed," "optimized") that came out of CMMI in the 1990s and does not map cleanly to what an EU AI Act regulator or a Fannie Mae reviewer actually asks about in 2026. The version of the maturity model that matches the 2026 evidentiary regime has five stages defined by the per-decision record the deployer can produce, the inspection layer the records get committed at, and the regulatory obligation each stage closes.

I want to walk through the five stages defined by record capability, where most enterprises actually sit (the answer is closer to Stage 2 than the published surveys suggest), the regulatory obligation each stage clears, and the architectural control that moves the organization to the next stage.

Stage 1: no AI inventory, no records, no policy

The Stage 1 organization has AI usage somewhere in the company but no centralized inventory, no written policy, and no record of what AI did when. The Cloud Radix data suggests this stage is more common than the published surveys admit: 86% of IT leaders report they are blind to AI interactions and 90% of CISOs rank shadow AI as their top concern. The Stage 1 organization cannot answer "which AI systems are in scope" or "what records do we have." Under EU AI Act Article 9 (risk management) and Article 12 (recording), this stage is unprepared.

The control that moves an organization out of Stage 1 is an inventory pass: SSO logs, expense reports, network DNS records, and a structured interview with the heads of each function. The output is a list of AI systems and a placeholder for the policy each one should be governed by.

Stage 2: written policy and a partial inventory

The Stage 2 organization has a written AI usage policy (often a paragraph in the acceptable-use policy), a partial inventory of AI systems (the ones the AI/ML team owns), and no per-decision record. The policy says what users should not do; enforcement rests on user attestation. Most enterprises sit here, including ones that report to surveys that they are "Stage 4 mature."

The regulatory exposure: the policy answers the documented-system question, but the per-decision question goes unanswered. EU AI Act Article 12 expects records that the policy alone does not produce. The Fannie Mae LL-2026-04 disclosure obligation expects per-decision evidence on demand. The policy is read, but the records are what the regulator credits.

The control that moves an organization out of Stage 2 is an inspection layer at the runtime boundary. Without it, the records the next stage requires cannot exist.

Stage 3: per-decision records committed at the inspection layer

The Stage 3 organization has an inspection layer on the HTTP path between authenticated users or agents and the LLM. Every request is intercepted, identity-bound, classified, and evaluated against policy. Every decision produces a tamper-evident record with identity, classification, policy version, decision outcome, timestamp, and an integrity signature. The record series is independent of the application that made the request.

This is the stage that clears EU AI Act Article 12 and Article 19. The records carry the fields the regulation specifies (period of use, input data, identification of natural persons involved). The deployer can answer "which natural person prompted which model on what date with what data classification under what policy version."

Stage 3 also clears the Fannie Mae LL-2026-04 disclosure obligation for the loan files the AI touched, the NIST AI RMF Manage 4 expectation, and the ISO 42001 operational controls. The same record series satisfies multiple regimes because the regimes converge on the same evidentiary requirements.

Stage 4: vendor AI usage covered via contractual disclosure

The Stage 4 organization has Stage 3 plus a procurement and legal posture that covers vendor AI usage. The contracts with AI-using vendors require vendor-side audit records that match the deployer's evidentiary obligation, retrievable on demand. The under-reported piece is that most procurement contracts predate the regime. Stage 4 is reached by a 6 to 12 month procurement program, not by a technical deployment.

The regulatory exposure that this stage closes is the disclosure gap for embedded AI: when a vendor SaaS uses an LLM under the hood, the deployer cannot produce the record from the runtime layer alone because the deployer's inspection layer does not see the vendor's traffic. The contractual clause produces the record from the vendor side.

Stage 5: agentic AI action lineage and continuous policy alignment

The Stage 5 organization has Stage 4 plus full action lineage records for agentic AI workflows and a single policy version source the inspection layer pulls from in real time. Action lineage is the chain of decisions the agent made and the tool calls it issued, each captured with the policy state at the moment. Continuous policy alignment means the policy written in the GRC system and the policy enforced at the inspection layer are the same version with the same timestamp.

Stage 5 clears the agentic-AI provisions in NIST AI RMF, the operational controls in ISO 42001, and the autonomous-decision provisions emerging in jurisdictions that follow the EU AI Act. The Texas Responsible AI Governance Act, effective January 1, 2026, and the California AI Transparency Act, also effective January 1, 2026, both expect record series at this granularity for the categories they cover.
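As an added illustration (not DeepInspect's code and not part of the original post), here is one way to build the Stage 3 per-decision record series and the Stage 5 action lineage described above: each record carries the fields listed (identity, classification, policy version, outcome, timestamp), is chained to the previous record's signature, and is HMAC-signed so that edits or deletions in the series are detectable; parent links tie an agent's tool calls back to the originating decision. The signing key, identities and policy version are constructed for the example.

```python
import hashlib
import hmac
import json
import time

# Constructed demo key; a real deployment would hold this in a KMS/HSM (assumption).
SIGNING_KEY = b"constructed-demo-signing-key"


class DecisionLedger:
    """Append-only per-decision record series: hash-chained and HMAC-signed."""

    def __init__(self, key=SIGNING_KEY):
        self.key = key
        self.records = []

    def _sign(self, body):
        canon = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
        return hmac.new(self.key, canon, hashlib.sha256).hexdigest()

    def record(self, identity, classification, policy_version, outcome,
               parent_id=None, tool_call=None):
        """Commit one decision; parent_id/tool_call link an agent's tool call
        back to the originating decision (Stage 5 action lineage)."""
        prev = self.records[-1]["signature"] if self.records else "genesis"
        body = {"id": len(self.records), "identity": identity,
                "classification": classification, "policy_version": policy_version,
                "outcome": outcome, "timestamp": time.time(), "prev": prev,
                "parent_id": parent_id, "tool_call": tool_call}
        rec = dict(body, signature=self._sign(body))
        self.records.append(rec)
        return rec

    def verify(self):
        """True only if every record's signature and chain link still hold."""
        prev = "genesis"
        for rec in self.records:
            body = {k: v for k, v in rec.items() if k != "signature"}
            if rec["prev"] != prev or not hmac.compare_digest(self._sign(body), rec["signature"]):
                return False
            prev = rec["signature"]
        return True

    def lineage(self, record_id):
        """Walk parent links from a tool-call record back to the root decision."""
        chain, cur = [], record_id
        while cur is not None:
            chain.append(self.records[cur])
            cur = self.records[cur]["parent_id"]
        return chain[::-1]
```

A verifier holding the key can re-run `verify()` over an exported series; a changed field or a removed record breaks the signature or the `prev` link and the series fails the check.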

Where most enterprises actually sit

The published surveys put the median at Stage 3 or higher. The Cloud Radix data on AI usage blindness and the IBM Cost of Data Breach figures on shadow AI exposure put the realistic median closer to Stage 2. The gap is the inspection layer. Organizations that have a written policy and an inventory but no runtime inspection at the request boundary are at Stage 2 by the record test the regulator applies.

The August 2, 2026 EU AI Act deadline and the August 6, 2026 Fannie Mae deadline give Stage 2 organizations a defined window to reach Stage 3. The deployment timeline for the inspection layer runs in weeks for most stack shapes, which makes the deadline achievable.

DeepInspect

DeepInspect is the inspection layer that moves an organization from Stage 2 to Stage 3. It sits inline on the HTTP path between authenticated users or agents and any LLM, binds identity to every request, evaluates policy from a single version source, and commits a tamper-evident per-decision audit record. The record series satisfies the EU AI Act Article 12 and Article 19 obligations, the Fannie Mae LL-2026-04 disclosure obligation, the NIST AI RMF Manage 4 expectation, and the ISO 42001 operational controls.

For Stage 4 and Stage 5, DeepInspect supports the agentic AI action lineage and the policy version alignment. The contractual vendor disclosure piece (Stage 4) is a parallel program in procurement and legal.

If you are facing the August deadline, let's talk.

Frequently asked questions

How does this maturity model differ from the published CMMI-style ones?

The published CMMI-style models describe organizational maturity ("ad-hoc," "defined," "managed"). The five-stage model in this piece describes record capability against regulatory obligations. The two are related but not interchangeable. An organization can be CMMI Level 4 in documented process and Stage 2 in record capability if the inspection layer is missing.

Can an organization skip Stage 2 and go directly to Stage 3?

In practice, no. Stage 2 (written policy and partial inventory) is a prerequisite for the inspection layer to evaluate policy against. Without a written policy, the inspection layer has nothing to enforce. The two stages can be completed in parallel programs, but the Stage 3 deployment depends on the Stage 2 outputs.

How long does the move from Stage 2 to Stage 3 take?

The inspection-layer deployment runs in weeks for most stack shapes. The policy alignment runs in parallel and can take 4 to 8 weeks. The inventory closure (catching the AI service usage outside the AI/ML team's purview) runs longest, typically 8 to 12 weeks. Stage 3 is achievable by the August 2026 deadlines for organizations that start in May or June.

Where does ISO 42001 certification fit in this model?

ISO 42001 certification is a documented-system credential. It indicates that the organization has the management system framework in place. The certification does not by itself produce the per-decision records that Stage 3 requires. Most certified organizations are at Stage 2 or Stage 3 depending on whether the inspection layer is also deployed.

Where do agentic AI workflows fit in this maturity model?

Agentic AI workflows raise the record obligation to action lineage (Stage 5). Each decision the agent makes, each tool call it issues, and the policy state at the moment have to be captured. The architecture pattern is covered in the autonomous AI agent governance piece and the NIST piece.