GOVERN
What are the rules?
Define and enforce the policies, permissions, boundaries, and compliance requirements that determine what AI agents can and cannot do. Govern without Steer means policies disconnected from strategy. Govern without Architect means policies that can't be enforced because the infrastructure doesn't support them.
Assessment Controls (9)
Every AI initiative that passes through this pillar must satisfy these controls. The maturity model measures how consistently the organization enforces them.
Agent Action Tier Classification
Are agent action tiers defined? (fully autonomous / human-on-the-loop / hard human-in-the-loop)
Agent Least-Privilege Access
Are agent permissions scoped to least privilege, or do agents inherit their builder's full access?
Regulatory Compliance Mapping
Is the compliance posture mapped to relevant regulations (EU AI Act, NIST AI RMF, ISO 42001)?
Agent & Plugin Approval Workflow
Are there approval workflows for new agent creation and third-party tool/plugin integration?
Trust Boundary Documentation
Are trust boundaries documented — what data can agents access, what actions can they take, what systems can they call?
Human Delegation Limits
Are delegation limits defined — at what point must an agent defer to a human?
Boundary Enforcement Mechanism
Can the governance system enforce boundaries even when users try to bypass them? (the 40% auto-approve problem)
Policy Testing & Validation
Are policies tested, not just documented? (Is there evidence the policy actually prevents the prohibited action?)
Policy Evolution Process
Is there a process for updating policies as technology evolves?
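As an added example (not part of this framework page or any product it describes), the following Python sketch ties together the action-tier, least-privilege, boundary-enforcement and policy-testing controls above: a deny-by-default policy engine in which a caller-supplied auto-approve hint cannot escalate a hard human-in-the-loop action, plus a check that yields evidence the policy actually blocks a prohibited action. All tier names, actions, scopes and agents are constructed assumptions.

```python
"""Constructed example: tiered, deny-by-default agent policy with a test that
proves a prohibited action is blocked (all names are assumptions)."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Tier(Enum):
    AUTONOMOUS = "fully_autonomous"      # agent may act; log only
    ON_THE_LOOP = "human_on_the_loop"    # act now, a human reviews afterwards
    IN_THE_LOOP = "human_in_the_loop"    # hard stop until a human approves


# Action -> (tier, scope the agent must hold). Unlisted actions are denied.
POLICY = {
    "read_ticket":  (Tier.AUTONOMOUS,  "tickets:read"),
    "post_comment": (Tier.ON_THE_LOOP, "tickets:write"),
    "issue_refund": (Tier.IN_THE_LOOP, "payments:write"),
}


@dataclass
class Agent:
    name: str
    scopes: set = field(default_factory=set)  # granted explicitly, never inherited from the builder


def evaluate(agent: Agent, action: str, human_approved: bool = False,
             request_flags: Optional[dict] = None) -> str:
    """Return 'allow', 'allow_then_review', 'hold_for_human' or 'deny'.

    request_flags is whatever the caller sends (for example an 'auto_approve'
    hint). It is deliberately ignored: only an out-of-band human_approved flag
    can release a human-in-the-loop action, so a user cannot self-escalate.
    """
    entry = POLICY.get(action)
    if entry is None:
        return "deny"                      # unknown action: deny by default
    tier, scope = entry
    if scope not in agent.scopes:
        return "deny"                      # least privilege: scope not granted to this agent
    if tier is Tier.AUTONOMOUS:
        return "allow"
    if tier is Tier.ON_THE_LOOP:
        return "allow_then_review"
    return "allow" if human_approved else "hold_for_human"   # Tier.IN_THE_LOOP


def policy_blocks(agent: Agent, action: str) -> bool:
    """Policy-testing control: True only if the policy stops the action even
    when the caller asserts auto-approval in the request."""
    outcome = evaluate(agent, action, request_flags={"auto_approve": True})
    return outcome in {"deny", "hold_for_human"}
```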