Maturity measures how systematically a control is implemented across your organization.
Target is the level a control should reach to provide meaningful assurance.
Use Assess mode to record where your org actually is, and see the gap to target.
Level
What it means
How to advance
none
Control doesn't exist. No process, tooling, or owner. The risk is entirely unmanaged.
Assign an owner. Write down what the control is supposed to do. Any documentation is progress.
initial
Ad hoc and manual. Someone does it sometimes, but it's undocumented and inconsistently applied. Relies on individual knowledge.
→ developing: Document the process. Build a repeatable checklist. Apply it to every agent, not just the ones you're worried about.
developing
A recognized practice. Partially implemented — some agents covered, some not. Coverage gaps are known but not yet closed.
→ defined: Automate the check. Wire it into the deployment pipeline as a blocking gate, not an advisory. 100% coverage.
defined
Documented, automated, enforced. The control runs on every agent as a mandatory pipeline gate. Failure blocks deployment or runtime action.
→ managed: Instrument outcomes. Add metrics: pass rate, time-to-remediation, false-positive rate. Set alert thresholds and respond to deviations.
managed
Quantitatively tracked. You measure the control's outcomes and alert on deviation. Response to failures is fast and consistent.
→ optimizing: Close the feedback loop. Metrics drive changes to thresholds, processes, and tooling. Continuous improvement is built in.
optimizing
Continuous improvement. Outcomes data drives automated process changes. The control evolves as the threat landscape and agent capabilities change.
Maintain and evolve. Share learnings. Review when framework requirements, agent capabilities, or threat models change significantly.