Key facts
- Four common stages: ad hoc, aware, managed, optimised.
- Most SMEs starting out sit at ad hoc or aware.
- Moving one stage at a time is more realistic than jumping straight to optimised.
- An AI inventory is usually the first thing that separates ad hoc from aware.
- Reassess your stage roughly annually, or after a significant change in AI use.
Stage 1: Ad hoc
No AI inventory, no consistent risk process, and governance (if it exists) depends on individual judgement rather than any agreed structure. Most organisations that have not deliberately invested in AI governance start here.
Stage 2: Aware
An inventory exists, and there is some awareness of AI risk, but classification and review are inconsistent, and policies (if written) are not reliably followed. This is a meaningful step up from ad hoc, but governance is still fragile.
Stage 3: Managed
A working operating model is in place: clear roles, a risk classification process, policies that are actually followed, and a regular review cadence. Most organisations pursuing EU AI Act compliance or ISO 42001 certification are aiming for at least this stage.
Stage 4: Optimised
Governance is embedded in how the organisation works, measured with real metrics, and continuously improved based on what those metrics show. Few organisations need to reach this stage to meet their compliance obligations, but it represents genuine best practice.
Using the model
Identify your current stage honestly, then focus on the single next step (usually: build an inventory if you don't have one, or formalise the operating model if you do) rather than attempting to jump straight to optimised.
Frequently asked questions
What are the stages of an AI governance maturity model?
Commonly: ad hoc, aware, managed, optimised.
What separates ad hoc from aware?
Usually the existence of an AI inventory and some baseline awareness of AI risk.
What stage should most SMEs aim for?
Managed is usually sufficient to meet EU AI Act and ISO 42001 expectations; optimised is best practice but not required.
How often should you reassess your governance maturity stage?
Roughly annually, or after a significant change in how the organisation uses AI.
What is the most common first step to improve maturity?
Building or improving an AI inventory — visibility comes before everything else.
Related pages
Sources
Last updated 19 June 2026.