AI Governance Maturity Assessment

Understand where your organisation stands on AI governance across five key dimensions. Takes approximately 10–15 minutes.

Before you begin

We collect your details to send you a personal results summary and to build sector-level benchmarks.

Please enter your name.
Please enter a valid email address.
Please select your sector.
AI systems in use Optional

Select all that currently apply to your organisation — this helps contextualise your scores.

● Low risk
● Medium risk
● High risk
Data sensitivity Optional

Select the highest sensitivity level that applies to data processed by your AI systems.

AI Governance Maturity Assessment – Results

Overall Maturity Score (out of 5)

Maturity Radar

Your scores across the five governance dimensions.

Dimension Breakdown

Priority Actions

📊 Sector Benchmarks Coming Soon
As more organisations in your sector complete this assessment, Fair Accord will publish anonymised sector-level averages so you can compare your scores. Your responses contribute to building this picture.

Want a detailed report or a conversation with our team?

Talk to Fair Accord →

How to Use the AI Governance Maturity Assessment

A practical guide to scoring accurately, gathering the right evidence, and turning your results into action.

📋 Before you score
⬇️Base each score on evidence — policies, logs, meeting minutes, dashboards — not on what you plan to do.
⬇️If you are between two levels, choose the lower one and note what is missing.
🔄Dimensions can be scored independently — you do not need to complete them in order.
1
What each maturity level means
A plain-English picture of your organisation at each stage — click to expand
1
Initial
Ad hoc & reactive
AI is used without coordinated oversight. Decisions are made individually or per-project. There is no shared policy, no defined ownership, and no consistent process. Risk is managed by luck rather than design.
2
Developing
Awareness without consistency
Some teams have started to think about AI governance, but practices vary widely. Policies exist in draft or for specific projects only. Progress depends on individual champions rather than shared systems.
3
Defined
Structured & communicated
The organisation has documented and approved its approach to AI governance. Roles are clear, lifecycle controls exist, and most teams follow the same process. Governance is visible — though measurement is still being strengthened.
4
Managed
Measured & data-driven
Governance is actively monitored using defined metrics and KPIs. Leaders receive regular risk reports. Incidents trigger root-cause analysis and policy updates. AI governance is embedded in how decisions are made, not treated as a compliance checkbox.
5
Optimising
Proactive & continuously improving
AI governance is a strategic differentiator. The organisation anticipates emerging risks, engages with regulators, and uses feedback loops to keep policies ahead of practice. Continuous improvement is built into the culture.
2
What counts as evidence
Concrete artefacts that support each level — click to expand
Level Policy & Roles Risk & Lifecycle Monitoring & Metrics
1 – Initial No documents; individuals decide locally No inventory; testing informal or absent No dashboards, logs, or reporting
2 – Developing Draft policy; email threads showing informal escalation Spreadsheet list of AI projects; basic test notes Manual checks for one or two systems; incident log started
3 – Defined Approved AI policy; RACI chart; board sign-off minutes Central inventory with risk ratings; documented test criteria; lifecycle checklist Defined KPIs/KRIs; standard incident report template; monitoring for all material systems
4 – Managed Committee terms of reference; performance objectives referencing AI governance Go/no-go gate records; independent review reports; post-mortem write-ups Real-time dashboards; threshold alerts; root-cause analysis reports; bias/fairness metrics
5 – Optimising Policy update log tied to incidents and regulation changes; succession plans Red-team and stress-test results; continuous risk-scoring pipeline Predictive indicators; scenario models; contributions to external benchmarks or standards bodies
3
Who should be involved
Best run as a cross-functional conversation, not a solo exercise — click to expand
🏛️
Chief Risk Officer / Compliance
Holds the authoritative view on policy, escalation thresholds, and regulatory obligations. Essential for scoring Dimensions A and C accurately.
Core
💼
Business Owners of AI systems
Know which AI tools are in use, what decisions they influence, and what monitoring is actually in place day-to-day. Grounds the assessment in operational reality.
Core
⚙️
Technical Lead / AI/ML Engineer
Can speak to the development lifecycle, testing rigour, and monitoring infrastructure. Critical for Dimension B and D questions.
Core
📊
Data & Analytics Lead
Provides evidence on data quality controls, bias measurement, and fairness assessments. Often holds the inventory of models and datasets.
Key
⚖️
Legal / Data Protection Officer
Confirms the legal basis for AI uses, advises on regulatory exposure, and validates evidence for Dimension C documentation requirements.
Key
🎓
HR / Learning & Development
Can evidence training programmes, awareness campaigns, and how AI governance is embedded in onboarding and performance objectives (Dimension E).
Consult

Tip: Schedule a 90-minute working session with Core and Key roles present. Share the assessment in advance so each person can gather relevant evidence. Treat disagreements on scores as useful data — they often reveal governance gaps.

4
How to use your results
Turning a score into a governance improvement roadmap — click to expand
1
Identify your lowest-scoring dimensions first
Your weakest dimension is your greatest exposure. Governance is only as strong as its least mature component — a high score in culture means little if risk management is ad hoc. Focus improvement effort where the gap is largest.
2
Set a realistic target level for the next 12 months
Aim to move each lagging dimension up by one level. Jumping multiple levels in a single year is rarely sustainable. Define the specific artefacts or practices that would evidence a higher score, and assign ownership to named individuals.
3
Brief your board or leadership on the overall score
A scored maturity assessment is a concise, evidence-grounded way to bring AI governance onto leadership agendas. Use the radar chart output to show strengths and gaps at a glance, without technical detail.
4
Benchmark against your sector
As more organisations complete the assessment, Fair Accord will publish sector-level benchmarks. Your score will be compared anonymously so you can see where you stand relative to peers — and calibrate your ambition accordingly.
5
Reassess in 6–12 months
Governance maturity is not a one-time audit. Plan to repeat the assessment after implementing improvements. Use the change in scores as evidence of progress for regulators, auditors, or boards — and to sustain momentum internally.
Want support with your roadmap?
Fair Accord works with organisations to translate assessment results into a prioritised governance action plan. Visit fairaccord.com/contact to start a conversation.
5
AI systems — understanding risk tiers
How to classify the AI tools your organisation uses and why risk tier matters for governance

Not all AI systems carry the same governance burden. The framework groups commonly deployed systems into three risk tiers based on the potential for harm, the degree of human oversight typically applied, and the regulatory scrutiny that systems in each category are likely to face — in particular under the EU AI Act and equivalent emerging legislation.

During the assessment registration step you are asked to identify which of these systems your organisation currently uses. The information contextualises your maturity scores and feeds into the Risk & Governance Positioning card shown in your results.

Risk tier reference

Low risk  (weights 1.0 – 1.5)
  • Productivity & writing assistants1.0
  • Search, summarisation & knowledge tools1.0
  • Predictive analytics & forecasting dashboards1.5
  • Automated scheduling or workflow tools1.5
ⓘ  Standard acceptable use policies and data handling guidelines are usually sufficient. Governance focus: output accuracy, bias in generated content, and appropriate human review before acting on outputs.
Medium risk  (weights 2.5 – 3.5)
  • Customer service chatbots or virtual agents2.5
  • Document processing & classification2.5
  • Fraud or anomaly detection3.5
  • HR tools (CV screening, performance analytics)3.5
ⓘ  Requires transparency obligations, documented testing criteria, clear escalation paths, and defined human review processes. Consider impact assessments before deployment.
High risk  (weights 4.0 – 5.0)
  • Content moderation & trust and safety4.0
  • Credit scoring or financial underwriting4.5
  • Hiring, promotion or disciplinary decisions4.5
  • Biometric identification (facial, voice, fingerprint)4.5
  • Clinical decision support or diagnostic AI5.0
  • Surveillance or monitoring systems5.0
ⓘ  Subject to EU AI Act high-risk obligations. Requires conformity assessments, human oversight mechanisms, comprehensive documentation, and — in some cases — prior regulatory notification.

How the AI risk score is calculated

Step 1 Each system you select is assigned a weight from the table above (1.0 – 5.0). The highest weight across all your selected systems forms the base score.
Step 2 Breadth factor: each additional system beyond the first adds +0.1 to the base, capped at +0.5. Organisations deploying many systems carry proportionally greater governance demand.
Step 3 The data sensitivity level you selected (1 – 5) is combined with the AI risk score: AI score × 60% + Data sensitivity × 40% = Composite Risk Score.
Result The Composite Risk Score (1.0 – 5.0) positions your organisation on the horizontal axis of the Risk & Governance Positioning chart. Your overall maturity score from the assessment sets the vertical axis.
Why this matters for your maturity score
Organisations operating high-risk AI with immature governance (low overall scores) will appear in the Governance Gap quadrant of the Risk & Governance Positioning chart. The weighted scoring means this classification is now sensitive to which systems you run and how many — not just whether you ticked a high-risk category.
6
Data sensitivity levels
A five-level classification scale for the data flowing through your AI systems

The data your AI systems process directly affects the governance controls required. A five-level sensitivity scale is used in the assessment — aligned to GDPR categories, the EU AI Act, and commonly adopted data classification frameworks. During registration you indicate which levels apply across your AI portfolio; this informs how your governance maturity scores are contextualised.

The scale uses a traffic light colour scheme: Levels 1–2 are green (lower sensitivity), Level 3 is amber (moderate), and Levels 4–5 are red (higher sensitivity, stricter obligations). Each level carries a sensitivity weight (1 – 5) that feeds directly into the Composite Risk Score calculation alongside your AI system score.

Level 1
weight 1.0
Public or anonymised data
Data that is either publicly available or has been irreversibly anonymised such that no individual can be identified — directly or indirectly. No personal information is present.
Governance implication: minimal data-specific controls required beyond standard quality assurance and output accuracy checks.
Level 2
weight 2.0
Internal business data, non-personal
Commercial, operational, or financial data used internally — such as sales figures, process logs, or supply chain data. Does not contain personal information.
Governance implication: standard confidentiality and information security controls apply. Key concerns: commercial sensitivity and model integrity rather than individual rights.
Level 3
weight 3.0
Personal data
Data that relates to an identifiable individual — including names, email addresses, device identifiers, location data, or any combination that permits re-identification. Defined under GDPR Article 4.
Governance implication: GDPR obligations are triggered — lawful basis, transparency notices, data subject rights, and data processor agreements. A Data Protection Impact Assessment (DPIA) is advisable for high-volume or novel processing.
Level 4
weight 4.0
Sensitive personal data
Personal data that carries heightened risk of harm if exposed or misused — including health and medical records, financial account or credit data, biometric data used for identification, and precise geolocation.
Governance implication: explicit consent or another Schedule 1 condition is typically required. DPIAs are likely mandatory. Strict access controls, encryption at rest and in transit, and breach response planning are essential.
Level 5
weight 5.0
Special category or regulated data
The most sensitive tier — covering GDPR special categories (racial/ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, criminal convictions) plus data relating to children, government-classified information, and sector-specific regulated data (e.g. patient records under NHS frameworks, financial data under FCA rules).
Governance implication: strictest controls, explicit consent or a specific legal gateway, Data Protection Officer involvement, likely regulatory notification obligations, and — for AI systems — mandatory human oversight before automated decisions take effect.

How data sensitivity feeds into your risk score

Highest level If you select multiple sensitivity levels, the highest level applies for scoring — because your governance must be calibrated to your most sensitive data, not your average data.
40% weight The data sensitivity score contributes 40% of the Composite Risk Score (AI systems contribute 60%). This reflects that data context amplifies AI system risk rather than replacing it.
Compounding effect A Level 5 data sensitivity score combined with a 5.0-weighted AI system (e.g. clinical diagnostic AI on patient records) produces the maximum Composite Risk of 5.0 — placing the organisation firmly in the Governance Gap quadrant unless maturity scores are equally high.
Matching data sensitivity to AI risk tier
Governance demands compound when high-risk AI systems process high-sensitivity data. Organisations in this position should expect the most intensive regulatory scrutiny and should prioritise Dimensions A (Policy), B (Risk), and D (Accountability) in their improvement roadmap.