Maturity measures how systematically a control is implemented across your organization.
Current reflects where the industry broadly sits today — most organizations are at initial.
Target is the level a control should reach to provide meaningful assurance.
Use Assess mode to record where your org actually is.
| Level | What it means | How to advance |
|---|---|---|
| none | Control doesn't exist. No process, tooling, or owner. The risk is entirely unmanaged. | → initial: Assign an owner. Write down what the control is supposed to do. Any documentation is progress. |
| initial | Ad hoc and manual. Someone does it sometimes, but it's undocumented and inconsistently applied. Relies on individual knowledge. | → developing: Document the process. Build a repeatable checklist. Apply it to every model, not just the ones you're worried about. |
| developing | A recognized practice. Partially implemented — some models covered, some not. Coverage gaps are known but not yet closed. | → defined: Automate the check. Wire it into the build or deployment pipeline as a blocking gate, not an advisory. 100% coverage. |
| defined | Documented, automated, enforced. The control runs on every model as a mandatory pipeline gate. Failure blocks release. | → managed: Instrument outcomes. Add metrics: pass rate, time-to-remediation, false-positive rate. Set alert thresholds and respond to deviations. |
| managed | Quantitatively tracked. You measure the control's outcomes and alert on deviation. Response to failures is fast and consistent. | → optimizing: Close the feedback loop. Metrics drive changes to thresholds, processes, and tooling. Continuous improvement is built in. |
| optimizing | Continuous improvement. Outcomes data drives automated process changes. The control evolves as the threat landscape and requirements change. | Maintain and evolve. Share learnings. Review when framework requirements, model types, or threat models change significantly. |
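As an added illustration of the step from defined to managed (example code, not part of the original page or its tool), the snippet below takes constructed gate-run records for one control, computes the three outcome metrics named above, and raises alerts when a metric crosses its threshold. The record layout and the threshold values are assumptions chosen for the example.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional


@dataclass
class GateRun:
    """One execution of a mandatory pipeline gate against one model (assumed record layout)."""
    model: str
    passed: bool
    ran_at: datetime
    remediated_at: Optional[datetime] = None  # when a failed gate was re-run and passed
    false_positive: bool = False              # failure later judged not a real finding


# Constructed sample results for one control over a few days of deployments.
RUNS = [
    GateRun("fraud-v3", True, datetime(2024, 5, 1, 9)),
    GateRun("churn-v2", False, datetime(2024, 5, 1, 10), datetime(2024, 5, 2, 10)),
    GateRun("recsys-v7", False, datetime(2024, 5, 1, 11), datetime(2024, 5, 4, 11)),
    GateRun("ocr-v1", False, datetime(2024, 5, 2, 8), datetime(2024, 5, 2, 9), false_positive=True),
    GateRun("nlp-v4", True, datetime(2024, 5, 3, 14)),
]

# Assumed alert thresholds; real values come from your own baseline, not from this page.
THRESHOLDS = {"min_pass_rate": 0.8, "max_fp_rate": 0.5, "max_mean_ttr_hours": 36.0}


def gate_metrics(runs):
    """Compute pass rate, false-positive rate and mean time-to-remediation for the gate."""
    failures = [r for r in runs if not r.passed]
    real = [r for r in failures if not r.false_positive]
    # Time-to-remediation only counts true failures that have actually been fixed.
    fixed = [(r.remediated_at - r.ran_at).total_seconds() / 3600 for r in real if r.remediated_at]
    return {
        "pass_rate": sum(r.passed for r in runs) / len(runs) if runs else 1.0,
        "fp_rate": sum(r.false_positive for r in failures) / len(failures) if failures else 0.0,
        "mean_ttr_hours": sum(fixed) / len(fixed) if fixed else 0.0,
        "open_failures": sum(1 for r in real if r.remediated_at is None),
    }


def check_thresholds(metrics, thresholds=THRESHOLDS):
    """Return one alert string per metric that is outside its threshold."""
    alerts = []
    if metrics["pass_rate"] < thresholds["min_pass_rate"]:
        alerts.append(f"pass_rate {metrics['pass_rate']:.2f} below {thresholds['min_pass_rate']}")
    if metrics["fp_rate"] > thresholds["max_fp_rate"]:
        alerts.append(f"fp_rate {metrics['fp_rate']:.2f} above {thresholds['max_fp_rate']}")
    if metrics["mean_ttr_hours"] > thresholds["max_mean_ttr_hours"]:
        alerts.append(f"mean_ttr_hours {metrics['mean_ttr_hours']:.1f} above {thresholds['max_mean_ttr_hours']}")
    return alerts


if __name__ == "__main__":
    for alert in check_thresholds(gate_metrics(RUNS)):
        print("ALERT:", alert)
```

At the optimizing level the same metrics would feed back into the thresholds themselves rather than only triggering alerts.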