Your AI security maturity score is probably inflated. Half of security organizations already run AI in production, and most can’t prove it’s governed. The SANS 2025 AI Survey reports that 50% of organizations use AI for security work today, another 30% will within a year, and only 35% run a formal AI risk and compliance program. That gap is where fake maturity lives. The new SANS AI Security Maturity Model exists to drag your real numbers into daylight, and the way it does that is the most useful part of the book.

Share

Your AI Security Maturity Score Is Fiction

You’ve seen the slide. It says Stage 3, maybe Stage 4, green across the board, shown to leadership with the confidence of someone who has never sat through an audit. Then a regulator calls or an incident hits, and the green turns out to be a vendor logo on a PDF and a policy nobody has opened since onboarding week.

I reviewed this model before release, alongside a group of practitioners SANS brought in. Chris Cochran, SANS Field CISO and VP of AI Security, wrote it. He co-authored prEN 18282 and leads the Agentic AI Task Force on the OWASP AI Exchange, where we collaborate, so the structure comes from someone who has done the work rather than someone selling a dashboard. Treat me as a biased but informed guide, and check my reasoning against the model yourself.

The model runs three pillars, Protect, Utilize, and Govern, across five stages from ad hoc to leading. That part looks like every maturity model you’ve met. The difference sits in the scoring, and it’s where the book earns its keep. The model assumes you’re inflating your score, then builds two mechanisms that force you to prove you aren’t. Once you see them, you can’t unsee how thin most Stage 3 programs turn out to be.

The survey data backs the suspicion. Adoption is sprinting, and governance is crawling behind it. When half your peers have AI in the building, and barely a third have a governance program, the difference is a pile of unmanaged risk wearing a maturity badge. A model that strips the badge off does you a favor, even when the result stings. The sting is the signal it’s working.

If you’ve ever watched a maturity self-assessment sail through a steering committee and wondered who was going to check it, you’re the reader this model was built for. You already suspected the number was soft. Here’s the structure that proves it.

Two Old Disciplines The Model Smuggles In

Nothing about the two mechanisms is new, and that’s the point. Cochran took two disciplines that security has trusted for 30 years and aimed them at AI, where the discourse has been mostly threat theater and Stage 4 daydreams.

The first mechanism is weakest-link capping. Your overall stage can’t float more than one level above your weakest pillar, and it can’t exceed your Govern score by more than one stage. Score Stage 1 in Govern, and your Stage 4 detection tooling earns you a Stage 2 overall, and no amount of tooling spend changes that. Anyone who survived CMMI or NIST tiering immediately recognizes this move. Maturity behaves like a floor function, not an average. The averaging instinct is the seductive error here, because averaging lets a strong pillar paper over a weak one, and a program with world-class detection and absent governance is exactly the program that ends up in the headlines. The cap rules refuse the trade.

Walk a real example. A team rates itself Stage 4 on Utilize because it runs AI-assisted detection across the SOC. Protect lands at Stage 3. Govern sits at Stage 1, because there’s no AI risk committee, no model inventory, and no documented oversight. The averaging story says Stage 3. The model says the Govern floor caps you at Stage 2, and the minimum-pillar rule confirms it. Your real maturity is the weakest load-bearing wall, not the prettiest room in the house.

The second mechanism is the evidence ceiling. Any capability you self-report without documentary evidence is capped at Stage 2. Without an approved policy, audit logs, or a dashboard export, you don’t get Stage 3. This is plain controls-testing doctrine, the same standard a SOC 2 auditor applies to a control narrative. Assertion isn’t evidence, and the model writes the rule into the scoring so you can’t talk past it. The discipline this imposes is quiet and real. Before you claim a stage, you go find the artifact. Half the time, the search itself tells you the honest answer, because the artifact doesn’t exist.

Put both mechanisms together, and your number drops, often by a full stage. That’s the system working. An honest Stage 2 you can defend in a board room beats a fictional Stage 3 that disintegrates the first time someone asks for proof.

The independent data agrees on which pillar carries the weight. The CSA and Google Cloud State of AI Security and Governance Survey, published December 18, 2025, found organizations with comprehensive policies nearly twice as likely to report early agentic AI adoption, 46%, against 25% for partial guidelines and 12% for policies still in development. Governance maturity, not tooling spend, predicts who’s ready to move. The model’s governance floor encodes that finding into the math instead of leaving it as advice.

Why Blocking AI Makes You Less Safe

Plenty of programs believe they’ve handled AI risk by banning it. The model has a name for that posture, the Framework of No, and it parks you at Stage 2 by design. Prohibition feels like control. The data says it manufactures blind spots.

UpGuard’s State of Shadow AI found 81% of employees and 88% of security leaders using unapproved AI tools, with 45% of workers routing around blocks to reach the applications they want. Software AG found that 46% of shadow AI users would keep using the tools even if their employer banned them outright. Read those numbers together, and the picture turns grim for the prohibition crowd. Your own security leaders sit inside the shadow AI population. Your block list is a polite suggestion. Every ban you can’t enforce converts visible usage into invisible usage, which runs precisely backward from the outcome you wanted.

The model treats prohibition as immaturity rather than rigor, and the staging reflects it. Higher stages move from blocking toward visibility, sanctioned tooling, and monitored usage, because you can only govern what you can see. A CISO who bans AI and reports the ban as a control runs a Stage 1 program narrating a Stage 3 story. The evidence ceiling catches it the instant someone asks for proof that the ban holds, and the proof never comes because usage moved to personal devices and unmanaged accounts the day after the policy shipped.

The harsh reality is that the C-suite is often the worst offender, pasting board material and deal terms into consumer chatbots while security writes memos no one reads. A maturity model that scores prohibition honestly hands you the language to take that conversation upstairs, where the real shadow AI risk usually lives.

The Question Almost Nobody Can Answer

The Govern pillar carries a question that empties most rooms. When your AI agent causes harm, can you produce the audit trail proving the chain of authority from the human who authorized it to the action the agent took?

Sit with that, because the numbers are moving against you in a hurry. Entro Labs’ H1 2025 research found non-human identities grew 44% year over year and now outnumber humans 144 to 1 in cloud-native environments, up from 92 to 1 a year earlier. Rubrik Zero Labs, surveying 1,625 security decision-makers, found 89% have already wired AI agents into their identity infrastructure, while most concede they lack governance for those machine credentials. The agents are in production. The accountability layer is not.

Producing that audit trail demands plumbing that most programs skipped on the way to the demo. You need a durable identity for every agent, distinct from the human who delegated it, with a lifecycle someone owns from creation to revocation. You need structured logging that carries a trace ID through every reasoning step and every tool call, so that one agent action reconstructs end-to-end rather than dissolving into disconnected log lines. You need the decision artifacts, what the agent was asked, what it chose, what scope it held, what it touched, and what it retained long enough to satisfy an investigator who shows up a year later. Most shops have a shared service account, a static key, and a log that stops at the API gateway.

Picture the incident. An agent with delegated access moves money, deletes records, or leaks a dataset. Legal asks who authorized the action and on what basis. You can name the human who kicked off the workflow, and you can’t show the scope they granted, the policy that bound the agent, or the reasoning that led to the action. That’s a Stage 1 program that bought good tooling and skipped the accountability spine, wearing a Stage 4 costume.

This is the part of the model I’d hand to any team standing up agents this quarter. Build the identity, the trace, and the decision record before the first agent touches production, because reconstructing the trail after an incident costs an order of magnitude more than instrumenting it up front, and regulators have stopped accepting “we couldn’t tell” as an answer.

The World’s Moving Fast, So Here’s Where I’d Push v2

I like this model. I reviewed it because I wanted it to exist, and liking something doesn’t mean calling it finished. The ground is shifting under every one of us, so here’s where I’d push the next version.

The timeline estimates run directionally. The model offers stage-progression guidance that reads as reasonable, Cochran flags it as directional, and a team under pressure will quote those numbers to a budget committee as if a stopwatch produced them. V2 should ground the timelines in survey data or label them as planning heuristics in much louder type.

Parts of the scoring rely more on practitioner judgment than on published benchmarks. That’s a fair call for a first edition built from field experience, and it’s the soft spot a skeptical CISO will press. Tying more of the rubric to external evidence, the kind the SANS survey itself generates, would harden the model against the “says who” reflex.

Stage 5 reads as aspirational for nearly the entire field. Almost no program clears it today, which serves as a north star and makes risk a target, because an out-of-reach top stage invites the same score inflation that the rest of the model fights. V2 could split the leading practice we observe in the field from the theoretical ceiling, so teams stop grading themselves against a horizon.

The pillar weighting profiles arrive asserted rather than derived. The model hands you weightings for different organization types, which helps, and the reasoning behind the specific numbers stays under the hood. Publishing that rationale would let practitioners tune the weights to their own risk profile instead of inheriting a default they can’t interrogate.

None of this is fatal. All of it is the ordinary distance between a strong v1 and a sharper v2, and the regulatory clock is why closing that distance matters. The clock is messier than the headlines suggest. Prohibited practices and general-purpose AI rules are already in force. The heavy obligations for high-risk systems under Annex III were set for August 2, 2026, and on May 7, 2026 EU lawmakers reached a provisional agreement to push them to December 2, 2027, pending formal adoption. Until that adoption lands, the original date still stands in the law. Read the slip as breathing room and nothing more. The standards bodies needed the extra runway, and so do most programs. A maturity model that finds your real stage now beats a scramble when the deferral runs out.

Key Takeaway: This model wins by assuming your AI security maturity is inflated and forcing you to prove otherwise, and an honest score you can defend in front of a regulator beats a flattering one that collapses the moment someone asks for evidence.

What to do next

Download the model and score yourself against it without flinching. Walk each pillar on its own, gather the evidence before you assign a stage, then run the cap rules and watch your number settle where it belongs. Get the full 2026 SANS AI Security Maturity Model ebook here. If you’d rather not surrender an email yet, the executive summary linked off that page reads ungated.

Once you have a real baseline, the work shifts from scoring to strategy, which is the layer my CARE framework lives in, moving a program from where it scores to where it needs to be. For the agent-accountability gap in particular, I’ve written more on threat-modeling the systems you’re rushing into production over at RockCyber Musings.

👉 Subscribe for more AI security and governance insights with the occasional rant.

Share RockCyber Musings

👉 For ongoing analysis of agentic AI governance frameworks, the conversation continues at RockCyber Musings.

👉 Visit RockCyber.com to learn more about how we can help with your traditional Cybersecurity and AI Security and Governance journey.

👉 Want to save a quick $100K? Check out our AI Governance Tools at AIGovernanceToolkit.com

👉 As a bonus, check out my conversation with AI Cyber Magazine, where we talked about everything from Context Rot to Least Agency.

The views and opinions expressed in RockCyber Musings are my own and do not represent the positions of my employer or any organization I’m affiliated with.