Acme Co

AI Governance Assessment · March 2026

Healthcare · 500-1000 employees

Overall Governance Maturity

0.1 out of 5.0
Level 1 · Directed

Early stage — governance foundations being established. Significant gaps in Govern, Monitor, and Measure pillars.

Maturity by Pillar

Pillar Scores

1. STEER · Level 1 · Directed · 25% · 5/9 assessed · 4 gaps
2. ARCHITECT · Level 1 · Directed · 15% · 4/12 assessed · 8 gaps
3. GOVERN · Level 0 · Ad Hoc · 10% · 3/9 assessed · 7 gaps
4. MONITOR & CONTROL · Level 0 · Ad Hoc · 5% · 2/13 assessed · 11 gaps
5. MEASURE · Level 0 · Ad Hoc · 8% · 2/11 assessed · 9 gaps

Sample Control Assessments

P1 · AI Governance Steering Committee · CFO · Not Started
No formal committee exists. Leadership mentioned ad hoc decisions made in IT meetings, but no dedicated governance body.

P1 · AI Initiative Portfolio Management · CFO · Not Started
No centralized view of AI initiatives. Multiple teams experimenting independently. IT has partial visibility but no formal portfolio.

P1 · AI Investment Criteria & Scoring · CFO · In Progress
Finance has general IT investment criteria but nothing AI-specific. CFO acknowledged the need for AI-specific evaluation, especially given HIPAA implications.

P1 · Cross-Functional Governance Representation · CFO · In Progress
IT leads most AI discussions. Compliance and legal are 'consulted' but not formally part of decision-making. CFO wants finance involved earlier.

P1 · Pre-Deployment Success Metrics · Not Started
Success metrics defined retroactively, if at all. 'We know it's working when people use it' — no quantitative baselines.

P3 · Regulatory Compliance Mapping · CFO · Not Started
HIPAA compliance is strong for traditional systems but no mapping to AI-specific regulatory requirements. EU AI Act not on the radar yet.

P5 · Per-Initiative ROI Tracking · CFO · Not Started
No initiative-level ROI tracking for AI. General IT cost tracking exists but doesn't isolate AI spend or outcomes.

What Level 3 (Governed) Looks Like

Where Acme Co could be in 6-12 months with structured governance:

AI Governance Steering Committee meeting monthly with cross-functional representation — IT, Finance, Compliance, Legal, Operations
Complete portfolio view of all AI initiatives with defined investment criteria and success metrics before deployment
Policies defined and enforced — agent permissions scoped to least privilege, trust boundaries documented per system
Regulatory compliance mapped: HIPAA controls verified for AI systems, EU AI Act readiness in progress
Human gates for high-risk decisions — action tiers defined (autonomous / supervised / gated)
Regular reporting to the board on AI governance posture and initiative ROI
Kill switches and monitoring in place for production AI systems
Every AI initiative goes through formal approval — no more shadow AI

Assessment Context

Governance Tracks: Employee Use · Vendor Platform
Complexity Level: Active
Compliance Priorities: HIPAA · EU AI Act (Aug 2026) · SOC 2
Target Maturity: Level 3 (Governed)

Priority Risks

No formal AI governance body — decisions made ad hoc in IT
EU AI Act deadline Aug 2026 — no compliance mapping started
HIPAA controls verified for traditional systems but not AI
No kill switches or monitoring for AI systems in production

Recommended Next Steps

Form cross-functional AI governance steering committee
Conduct AI initiative inventory and shadow AI audit
Map HIPAA and EU AI Act requirements to AI systems
Define investment criteria for AI initiatives