Diagnostic Tool

The AI Governance Maturity Ladder

Where you actually are — not where the vendor ecosystem says you should be. Place your organisation on the ladder, filter risk per agent, and get a specific governance prescription, including what to skip.

Illustrative tool only. This diagnostic is designed to prompt thinking about AI governance — it is not professional, legal, regulatory, or compliance advice. Outputs are general in nature and do not account for your specific organisational, regulatory, or legal circumstances. Consult a qualified professional for advice specific to your situation.
Framework 1

The Maturity Ladder

The progression: checklist → register → framework → operating model. Each stage includes the previous. The mistake at every transition is either jumping ahead or staying behind.

Stage 1
Exploration
Deployment Checklist

0–2 agents. Nothing customer-facing. One hour to set up. Thirty minutes a week to maintain.

Per agent, you need: What it does · What data it accesses · Which model and provider · What success looks like · Who reviews weekly
Stage 2
Validation
Deployment Register

2–10 agents, some touching customer data. Test: can you answer "what models are we using?" in under five minutes?

Living inventory: Agents · Models · Versions · Providers · Data flows · Costs · Human review gates
Stage 3
Scaling
Governance Framework

10+ agents, agent-to-agent interactions, material API costs. Now — and only now — you need a governance framework.

Now you need: Formal access controls · Automated monitoring · Audit logging · Cost budgets · Incident response · Version pinning
Stage 4
Embedded
Operating Model

Agents as core business infrastructure. The registry is no longer a record — it's a strategic asset.

Stage 3 plus: Vendor diversification · Concentration risk · Data portability · Formal ownership · Board visibility
The key insight: Most companies are at Stage 1 or early Stage 2. The vendor ecosystem is selling Stage 3 and 4. If you're buying a governance framework for a company that needs a deployment checklist, you're being sold to. And if you're avoiding governance entirely because the only options feel like overkill — that's the gap this tool is designed to close.
Framework 2

The Per-Agent Risk Filter

The maturity ladder tells you what governance infrastructure your organisation has available. This filter tells you how much of it to activate for any individual agent. Four dimensions. Governance investment is justified when an agent scores high on two or more.

Dimension 1

Blast Radius

If this agent fails or hallucinates, what is the worst realistic outcome?

Low: Internal summary wrong
High: Client email hallucinated
Critical: Financial records modified
Dimension 2

Reversibility

Can you undo what the agent did? A draft is different from a sent email, which is different from an executed transaction.

Fully: Draft for review
Partially: Sent email
None: Executed transaction
Dimension 3

Data Sensitivity

What category of data does this agent access or process?

Low: Internal docs only
Medium: Commercial / business
High: PII · financial · health
Dimension 4

Volume & Velocity

How often does it act? How fast do errors compound before anyone notices?

Low: Once a day, reviewed
Medium: Dozens per day
High: Continuous, automated
How the two frameworks interact. Your organisational stage determines what governance infrastructure you have available. The per-agent filter determines how much of it to activate for each deployment.

A Stage 4 enterprise should still ship a low-risk internal summarisation agent with a checklist and no committee approval. A Stage 1 startup processing customer payment data needs real governance — even with only one agent. Conflating these two questions — treating every agent the same based on your organisational default — is how you get either bureaucratic paralysis or ungoverned chaos.
Activate governance when an agent scores high on 2 or more dimensions — regardless of organisational stage
Eight Governance Areas

What governance actually means in practice

"AI governance" means different things to consulting firms, regulators, and the people actually deploying AI. At the practical level — what a CAIO or COO actually has to build and maintain — it breaks down into eight areas.

Putting It Together

The eight areas are the rows. Your stage determines how deep each one goes.

The deployment checklist, the deployment register, the governance framework — these aren't different things. They're the same eight governance areas, documented at increasing depth.

These checklists are illustrative guides only — not professional, legal, regulatory, or compliance advice. The appropriate governance for your organisation depends on your specific circumstances. Consult a qualified professional for advice specific to your situation.

The Diagnostic

Ten questions. A personalised prescription.

Answer honestly about where you are today, not where you want to be. The tool places you on the maturity ladder and generates a specific governance prescription — including what to skip.

AI Governance Diagnostic

Answer for your current state — not your aspirations. Takes around 5 minutes.

Ready to talk

Want to talk through your result?

If your prescription raised more questions than it answered, a short conversation with Kate is enough to work out what's actually next for your organisation.
