Skip to content
IC Inline Code
Book a discovery call

Free self-assessment

AI Governance Maturity Self-Assessment

Twelve questions across the four NIST AI RMF functions. Four minutes. Receive your maturity scorecard immediately, and a personalised PDF report by email with framework-aligned next steps.

No sales call required. We do not share your results. Unsubscribe at any time.

01

GOVERN function

Govern

Policies, accountability, and culture for AI risk

Q1We have a documented AI acceptable use policy approved by the board or executive committee.
Q2A named individual is accountable to our board for AI risk (CISO, CRO, CIO, or fractional officer).
Q3We have completed an AI tooling discovery in the last 12 months, including shadow AI on personal accounts.
02

MAP function

Map

Use case registry, data classification, and vendor risk

Q4We maintain a register of AI use cases with business owner, data classification, and risk rating.
Q5Our data is classified by sensitivity, and that classification governs what may be entered into AI systems.
Q6We have a vendor risk assessment process specifically scoped to AI suppliers.
03

MEASURE function

Measure

Logging, threat modelling, and monitoring

Q7Logging and audit log retention are configured on our managed AI tools (Copilot, ChatGPT Enterprise, Claude, etc.).
Q8We conduct threat modelling on AI use cases using a recognised framework (OWASP LLM Top 10 or MITRE ATLAS).
Q9We have monitoring or alerting for material AI events (data exfiltration, prompt injection, unusual usage).
04

MANAGE function

Manage

Incident response, training, and board reporting

Q10We have a documented AI incident response playbook covering prompt injection, AI data exfiltration, and shadow AI discovery.
Q11We provide AI-specific training covering prompt hygiene, sensitive data handling, and approved tool usage.
Q12We report AI risk posture and incidents to our board or risk committee at least quarterly.

All questions are required. Your responses are scored client-side; nothing is sent until you request the report.