AI Security Maturity Model: From Shadow AI to Governed Agents

An AI security maturity model is a staged framework that tells program leaders which AI controls to build next and how to measure progress. AI security maturity should progress from continuous discovery to inline policy and agent runtime control, because each stage depends on evidence from the stage before it. The business outcome is faster, more confident AI adoption: teams that advance through the stages can show stakeholders measured risk reduction, audit evidence, and the next funded milestone. Aurascape helps teams discover AI use, enforce policy at the interaction layer, protect sensitive data in real time, and govern agent tool calls inline, so leaders can prove maturity with concrete evidence rather than assertions.

Last updated: July 2026.

For enterprises, AI adoption arrives in three overlapping phases: employees interact with Commercial AI and Embedded AI tools including AI Copilots; teams delegate work to agents that reason, access tools, and take actions; and eventually autonomous agents communicate and execute across multi-agent environments. Commercial AI refers to third-party tools employees use directly, such as ChatGPT, Claude.ai, and Gemini. Embedded AI refers to AI capabilities built into existing software-as-a-service products. AI Copilots are a distinct category within Embedded AI and must be governed separately from both Commercial AI and other Embedded AI features. The maturity model below follows that adoption progression. A program that moves to agent governance before establishing discovery will govern agents it has never fully seen. Advancing a stage before the one below it is working leaves the next control on an unverified foundation.

Why a staged maturity model beats a tool checklist

Most AI security programs stall because they buy capabilities out of order. A staged model fixes the sequence. Each level assumes the one below it is working, so controls build on each other. The World Economic Forum found that 94% of leaders name AI as the most significant driver of change in cybersecurity in 2026, and organizations assessing AI tool security before deployment nearly doubled, from 37% to 64%, in the same period (World Economic Forum, 2026). That pace rewards a repeatable model over one-off purchases.

A maturity model also gives the board a shared vocabulary. Instead of debating vendors, leaders debate whether the program has moved from visibility to enforcement, and whether agent runtime is governed or merely observed. The model below runs from Level 1 (discovery) through Level 6 (governed agents). An AI risk assessment across people, process, and technology at each stage shows exactly where the program sits and what it needs next. The CISO or a named AI governance council should own the overall model and report status by level, with business-unit leads accountable at their respective stages.

The six levels of AI security maturity

Treat the list as a roadmap, not a menu. Each level names the control gap, the capability that closes it, the evidence that proves advancement, and the stakeholder accountable for it.

  1. Discovery. Find every AI tool and agent in the environment, sanctioned and shadow, across network, endpoint, and application programming interface (API) planes. Evidence: a continuous, attributed inventory of AI apps and agents in use. Owner: security or IT operations.
  2. Policy and ownership. Write enforceable acceptable-use policy, assign accountable owners, and map obligations to controls. Evidence: a policy that a system can enforce, with documented exception and onboarding paths. Owner: CISO and business unit leads.
  3. Data protection. Inspect AI interactions inline and stop sensitive data from leaving through prompts, uploads, and outputs. Evidence: sensitive-data interactions monitored and acted on in real time with policy-action logs. Owner: data governance and security operations.
  4. Copilot and productivity control. Govern Embedded AI permissions, data access, and output risk inside software-as-a-service products. Evidence: least-privilege access mapped per copilot with output-review records. Owner: application security and compliance.
  5. AI-assisted coding. Govern coding assistant interactions and the risk of AI-generated code entering the pipeline. Evidence: coding-assistant use governed at the interaction layer with source-code and secrets controls active. Owner: engineering leads and application security.
  6. Governed agents. Control the agent-to-tool execution path inline so approved tool calls run and unsigned ones do not. Evidence: signed approved calls, fail-closed blocking, and audit records of what each agent attempted, which tool it invoked, what data it accessed, and what policy decision occurred. Owner: security architecture and the business teams deploying agents.

Levels 1 and 2: continuous discovery and enforceable policy

Level 1 proves which AI apps, accounts, tenants, and agents are active before policy or data controls depend on them. Discovery has two dimensions: find AI already running across the network, endpoint, and API planes, and proactively interrogate new tools before first employee use. Aurascape runs proactive discovery where agents continuously interrogate new tools ahead of adoption and secures them as they appear. (Aurascape, 2026).

Level 2 converts inventory into enforceable policy. The gap is real: 90% of organizations say employees use AI tools, but only 38% have a formal, comprehensive AI policy and 25% have none (ISACA, 2026). Even where policy exists, many versions were not built to be tracked or enforced (Littler, 2024). A mature Level 2 assigns an accountable owner per AI use case, defines an exception and onboarding path for new tools, and expresses policy in terms a system can execute: which tools, which data classes, which Intentions, and which accounts or tenants are permitted.

A practical self-assessment at these two levels asks three questions across people, process, and technology. For people: does every AI tool in use have a named owner and an assigned risk classification? For process: is there a documented path from tool request to approval, periodic review, and offboarding? For technology: is discovery continuous and automated, or is the inventory a periodic spreadsheet export? The gap between the answers and the target state is the Level 1 and Level 2 work backlog. These levels map directly to the inventory and governance pillars of the NIST AI Risk Management Framework (AI RMF) and the discovery-and-classification requirements in Cloud Security Alliance (CSA) guidance on AI governance.

Levels 3 and 4: inline data protection and copilot control

Level 3 turns policy into enforcement. The control point is the interaction layer, where the AI Proxy secures the intelligence channel and inspects prompts, responses, uploads, and outputs in full conversational context. Aurascape applies and enforces five context-aware policy actions: allow, coach, warn, block, and redact (Aurascape, 2026). OWASP ranks Sensitive Information Disclosure (LLM02) among the top risks for AI model applications, noting that models can reveal confidential data, proprietary algorithms, or personal information through their outputs (OWASP, 2025). Level 3 closes that exposure at the interaction layer, not at the destination. The OWASP Top 10 for LLM Applications and the NIST AI RMF Govern and Manage functions both identify interaction-layer data controls as a primary control requirement at this stage.

Level 4 addresses Embedded AI and AI Copilots, which change the control point: permissions and outputs inside software-as-a-service products now matter as much as prompts sent to public AI. AI Copilots are distinct from Commercial AI tools and from other Embedded AI features, and must be governed separately. A copilot can inherit broad permissions and surface data across organizational boundaries. Personal versus enterprise tenant matters here: a copilot operating on a personal account bypasses enterprise controls entirely, while a licensed enterprise copilot still requires least-privilege permission mapping and output review. EchoLeak (CVE-2025-32711), a zero-click indirect prompt injection in Microsoft 365 Copilot, demonstrated how a copilot with broad data access can become a data-exposure vector (NVD, 2025). A mature Level 4 program maps copilot data access to least privilege, reviews outputs before they reach downstream tools, and logs which data the copilot surfaced and to whom.

Levels 5 and 6: AI coding pipelines and governed agents

Level 5 covers AI-assisted coding. Coding assistants are now common across developer teams: 84% of developers use or plan to use AI coding tools, up from 76% in 2024 (Stack Overflow, 2025). The Level 5 program governs which coding assistants are permitted, ensures source code and secrets do not leave through prompts, manages repository permissions, requires generated-code review before merge, and integrates coding-assistant interaction records into the security operations workflow. In one Aurascape deployment at a Fortune 100 insurance and financial enterprise, code delivery ran 40 percent faster with AI coding assistants while AI agent integrations tripled with no unauthorized data access (Aurascape, 2026). The governance layer helped the AI coding workflow scale with review records, source-code controls, and attribution evidence in place.

Level 6 governs runtime actions, where an agent moves from producing text to invoking tools, retrieving data, and changing systems. Least privilege for AI agents means an agent can only invoke the tools and data its task requires, enforced at the moment of the tool call rather than assumed from a static grant. The Cloud Security Alliance (CSA) found 82% of organizations have unknown AI agents and 65% had agent-related incidents (Cloud Security Alliance, 2026). Aurascape discovers and secures local AI agents and their interactions, then adds a Zero-Bypass MCP Gateway that cryptographically signs approved tool calls and blocks unsigned ones, governing the agent-to-tool execution path inline rather than observing it (Aurascape, 2026). Model Context Protocol (MCP) is one common tool-execution pattern, not the whole agent access-control problem. The runtime governance layer separates observing agent activity from controlling the downstream action, which maps to the OWASP Excessive Agency (LLM06) control requirement and the CSA agentic AI governance framework.

Identity and access management (IAM) and identity governance and administration (IGA) are where programs most often overreach. Aurascape complements IAM and IGA and is never the identity system of record. Teams enroll, own, and issue agent identities and tokens through their IAM and IGA platforms such as Okta, Microsoft Entra, or SailPoint. Aurascape adds discovery of agents and their interactions, inline governance of the agent-to-tool execution path, and attribution evidence. The CSA reports that 92% say legacy IAM cannot manage AI and non-human-identity risk on its own (Cloud Security Alliance, 2026), which is precisely why runtime governance sits alongside identity management, not on top of it.

Platform strategy and the build-versus-buy decision

A maturity model exposes the build-versus-buy question at every stage, because each level needs a control your existing stack may not supply at the required depth or update cadence. Large Secure Service Edge (SSE), Secure Access Service Edge (SASE), Cloud Access Security Broker (CASB), Data Loss Prevention (DLP), and Secure Web Gateway (SWG) platforms are complementary and additive. A mature AI security program adds AI-native controls without rip-and-replace of any incumbent. Build controls your team can maintain over time. Buy controls that change faster than your team can responsibly track.

The comparison below focuses on architectural scope at each control layer, not on vendor limitations. Middle columns reflect the scope of controls as typically deployed; individual enterprise deployments vary.

Capability Build in-house Existing SSE or CASB (additive) Aurascape
Long-tail AI discovery Requires custom discovery logic, ownership workflows, and continuous maintenance as new AI tools appear Extends to AI apps already in scope of the deployed coverage Proactive discovery across the long-tail of new AI tools released daily
Data inspection depth Custom classification rules maintained in-house, with ongoing tuning required DLP policies applied to covered traffic destinations Realtime classification on AI interactions with full conversation context
Policy actions on interactions Policy logic implemented per tool, maintained separately Applies policy to covered destinations and traffic paths, with AI interaction context dependent on deployed capabilities Allow, coach, warn, block, redact with Intentions and entitlement context
Agent tool-call governance Custom wrappers per agent, maintained separately as agent tooling evolves Covers network traffic in scope; agent tool-call signing requires additional dedicated capability Zero-Bypass MCP Gateway signs approved calls and blocks unsigned ones inline

The AI security business case is strongest when each maturity level connects to a risk reduced, a compliance obligation addressed, or a blocked adoption unblocked. Gartner predicts over 40% of agentic AI projects will be canceled by the end of 2027 due to escalating costs, unclear value, or inadequate risk controls (Gartner, 2025). Governed projects are easier to defend in budget reviews because teams can show control evidence, adoption evidence, and the next funded milestone.

Measuring maturity: metrics, frameworks, and the phased roadmap

Maturity is only real if it is measurable. Report progress by level, not by tool count. The table below maps each level to the risk it reduces, the control required, the evidence it produces, and the executive metric. Name the framework each level maps to so board and steering-committee reporting ties maturity status to a recognized standard.

Level Risk reduced Control required Executive metric Framework mapping
1. Discovery Unknown AI in use Continuous inventory across network, endpoint, API % of AI usage discovered and attributed NIST AI RMF: Govern, Map; CSA AI governance: discovery
2. Policy Unenforced acceptable-use policy Enforceable policy with named owners and onboarding path % of AI tools with assigned owner and active policy NIST AI RMF: Govern; ISACA AI governance framework
3. Data protection Sensitive data in prompts and outputs Inline AI-specific data classification and enforcement % of interactions covered by inline policy OWASP LLM02; NIST AI RMF: Manage
4. Copilot control Excess copilot permissions and output exposure Least-privilege access mapping and output review Copilots with least-privilege access confirmed OWASP LLM02; NIST AI RMF: Manage
5. AI coding Source code, secrets, and generated-code risk Interaction-layer governance for coding assistants % of coding-assistant use governed OWASP LLM02; NIST AI RMF: Manage, Measure
6. Governed agents Ungoverned agent tool calls and blast radius Inline signing of approved tool calls, fail-closed blocking % of agent tool calls signed and governed OWASP LLM06; CSA agentic AI governance; NIST AI RMF: Manage

Assign each phase an owner, an approval path, a control milestone, and a board metric. A practical phased roadmap runs in three windows. In the first 30 days, deploy discovery across network, endpoint, and API planes and establish an attributed inventory. Between 30 and 90 days, publish enforceable acceptable-use policy, activate inline data protection on covered interactions, and begin copilot permission mapping. Beyond 90 days, complete coding-assistant governance and begin the agent runtime program including tool-call signing and fail-closed blocking. Levels 5 and 6 are longer-cycle milestones requiring security architecture, application security, and the business teams deploying agents to align on a shared governance model before go-live.

Integrate AI security controls into existing security operations at each level. AI interaction records feed incident response when they capture who used AI, which account or tenant, sanctioned or personal, what data was shared, what the AI returned, what action was attempted, which tool was invoked, what policy decision occurred, and what record exists. These interaction records support audit and effectiveness and are governed by role-based access control (RBAC) for privacy. Triage and escalation in the security operations center use the same interaction records for evidence, policy tuning, and post-incident review. In one Aurascape deployment at a large transportation and logistics company, proof of value to full deployment ran about six weeks, from 400 users on day one to 2,000 at full rollout, with sensitive-data interactions monitored across 100 percent of deployed users (Aurascape, 2026). The healthcare AI governance case study shows how enterprise-scale governance, covering more than 60,000 users worldwide, can deploy under a single governance model across regions and regulatory environments (Aurascape, 2026).

Frequently asked questions

What is an AI security maturity model?

An AI security maturity model is a staged framework that sequences AI controls from discovery through governed agents. It tells program leaders which capability to build next and how to prove progress. Each level assumes the one below it is working, so controls build on each other rather than compete for budget.

Where should a program start?

Start with discovery. Build a continuous inventory of AI apps and agents across network, endpoint, and API planes, including the shadow AI long tail, before adding enforcement. Without an attributed inventory, policy and data controls apply to an incomplete picture of what is actually in use.

How do I measure AI security maturity?

Measure by level, not by tool count. Track the share of AI usage discovered and attributed, interactions covered by inline policy, time to govern a newly discovered tool, and the ratio of signed approved agent tool calls to blocked ones. Map metrics to named frameworks such as the NIST AI RMF and the OWASP Top 10 for LLM Applications for board and steering-committee reporting.

How does this model support an AI security business case?

The business case is strongest when each maturity level connects to a risk reduced, a compliance obligation addressed, or a blocked adoption unblocked. A program that can show control evidence and adoption evidence at each stage is easier to defend in budget reviews and supports audit, regulatory review, and stakeholder reporting.

How should AI risk assessment fit into the model?

AI risk assessment runs across people, process, and technology at every level. For people: does every AI tool have a named owner and a risk classification? For process: is there a documented path from tool request to approval, review, and offboarding? For technology: is discovery continuous and automated? The gap between current-state answers and target-state answers is the program backlog for that level.

Should we build AI security tools or buy an AI security platform?

Build controls your team can maintain over time. Buy controls that change faster than your team can responsibly track, such as long-tail discovery and inline AI-specific data classification. An AI security platform that is additive to your SSE, SASE, CASB, DLP, or SWG stack supplies continuous discovery, interaction policy, and agent runtime enforcement without rip-and-replace.

Does Aurascape replace our identity system?

No. Aurascape complements IAM and IGA and is never the identity system of record. Teams enroll, own, and issue agent identities and tokens through platforms like Okta, Microsoft Entra, or SailPoint. Aurascape adds discovery, inline agent-to-tool governance, and attribution evidence alongside those systems.

How does the model handle AI agents?

Agent runtime governance sits at Level 6 and enforces least privilege at the moment of the tool call. Aurascape discovers and secures local AI agents and their interactions, then uses the Zero-Bypass MCP Gateway to sign approved calls and block unsigned ones inline. MCP is one common tool-execution pattern; the full agent access-control problem spans discovery, policy, and runtime enforcement across all execution paths.


Aurascape gives program leaders a measurable path through the AI security maturity model, from discovering shadow AI across the full environment to governing agent tool calls inline with signed approvals and attribution evidence. It adds AI-native discovery, inline data protection, and agent runtime governance on top of your existing SSE, SASE, CASB, DLP, and SWG stack and complements your IAM and IGA systems, so maturity advances without rip-and-replace.

See how Aurascape maps controls to every stage of your AI security maturity model →

Aurascape Solutions