← Apex Delivery|Delivery SignalCIO AIICT PMOEnterprise PMOICT TOMISO GovernanceAI MaturityCybersecurity
AI Maturity Assessment Blueprint Wiki · July 2026

Ten Blueprints for
AI Maturity Assessment

The structured maturity models for AI adoption, capability, and governance — the AI equivalents of CMMI and P3M3. 30+ models mapped, compared, and made practical for practitioners from the delivery-maturity heritage.

CMMI AIM · Launched Jun 2026 MITRE 6 Pillars · 20 Dimensions Gartner 5-Level Model ISO 42001 Certifiable P3M3 Heritage Mapped 2026 Benchmarks
Blueprint 01
Landscape: Why Maturity Assessment Matters

No single dominant "AI CMMI" like P3M3 dominates delivery maturity. Instead the field is a sprawl of 30+ models across formal standards, analyst frameworks, consultancy models, vendor frameworks, and domain-specific instruments. The clearest CMMI/P3M3 heir is CMMI AIM — launched June 2026 as the first formally appraised AI maturity model. This wiki maps the field so a delivery-maturity practitioner can navigate it without re-learning it from scratch.

The Field in Numbers
Where the market actually is in 2026
30+
Distinct AI maturity models identified in the field
~13%
Fully AI-ready — Cisco Pacesetters, 3 years running (Cisco 2025)
5%
"Future-built" organisations (BCG 2025)
~6%
See material EBIT impact from AI (McKinsey 2025)
Jun 2026
CMMI AIM formal launch date
Why Assess
What a maturity assessment actually answers
🧭

The Core Question

Where are we? Where do we need to be? What's the roadmap to close the gap? A maturity assessment converts the vague executive question "should we invest more in AI?" into a specific, evidence-based question: where are our capabilities relative to what our strategy demands?

📈

Evidence — Gartner Q4 2024

Gartner's Q4 2024 survey (432 respondents, press release 2 Jul 2025) found high-maturity organisations keep AI systems in production for 3+ years at more than double the rate of low-maturity organisations — 45% vs 20%. Maturity is not a vanity score; it predicts whether AI investment survives past the pilot.

💰

Evidence — BCG Widening AI Value Gap

BCG's 2025 study of 1,250 executives found "future-built" organisations achieve 1.7x revenue growth, 1.6x EBIT margin, 3.6x three-year total shareholder return, 2.7x ROIC, and 3.5x patent output versus the 60% of organisations still classified as laggards.

🎓

Evidence — Academic Landscape

Sadiq et al. (2021, PeerJ Computer Science) systematically reviewed 15 academic AI maturity models alone and found "maturity grid and continuous representation with five levels" is the currently trending structure — but concluded there is no consensus definition of what an AI maturity model even is.

🏆 Authority Point

Maturity assessment is the discipline that turns AI from an expensive experiment into repeatable value. The models converge on the same underlying structure far more than their branding suggests — the practitioner's job is not to find "the one true model" but to pick one, baseline honestly, and roadmap from evidence rather than enthusiasm.

Blueprint 02
Formal & Standardised Models

This is the only tier of the AI maturity landscape that offers genuine third-party assurance rather than self-assessment. Until 2026 there was no equivalent of a formally appraised AI capability level. That changed with the launch of CMMI AIM — but ISO/IEC 42001 remains the only certifiable standard, and it is a conformity standard, not a levelled maturity model.

The Standards Tier
Five formal instruments practitioners must know
📜

ISO/IEC 42001:2023 (AIMS)

NOT a levelled maturity model — a certifiable CONFORMITY standard (you conform or you don't). Built on the Harmonized Structure with a PDCA cycle.

  • Certified by accredited CABs: BSI, Schellman, A-LIGN, Mazars, TÜV, DNV
  • 3-year certificate validity with annual surveillance audits
  • Typical implementation: 6–18 months
  • Pre-certification readiness assessment functions as a de facto maturity baseline
🇺🇸

NIST AI RMF (2023)

Govern – Map – Measure – Manage. Its Implementation Tiers function as a maturity ladder: Partial → Risk-Informed → Repeatable → Adaptive, customised via Profiles.

  • 2024 GenAI Profile published; agentic profiles emerging
  • Voluntary, but increasingly law-referenced — Colorado AI Act affirmative defence cites it
  • Academic levelled model built on it: Dotan et al., arXiv 2401.15229
🏛️

CMMI AIM

THE development for CMMI/P3M3 practitioners. Owned by the CMMI Institute (an ISACA subsidiary since 2016). Pilot completed early 2026 with IBM Consulting, Infosys, and Government Technical Services Corp; formal launch 23–24 June 2026.

  • Integrates AI practices into the CMMI framework: capability levels, training/certification pathways
  • FORMAL INDEPENDENT APPRAISAL in the SCAMPI tradition — appraised, not certified
  • Base CMMI 5 levels: Initial, Managed, Defined, Quantitatively Managed, Optimizing
  • CMMI V3.0 (2023) already carried an AI-adoption focus; see ISACA Journal, "CMMI in the AI Age," Vol 3, 2025
🧩

ISO/IEC SC 42 Portfolio

The broader standards portfolio that feeds the data and governance dimensions of any AI maturity model.

  • ISO/IEC 22989 — terminology
  • ISO/IEC 23053 — ML framework
  • ISO/IEC 23894 — AI risk management
  • ISO/IEC 5259 — data quality for analytics and ML
  • ISO/IEC 42005 — AI system impact assessment
⚙️

IEEE 7000-Series

IEEE 7000-2021 (ethics) and CertifAIEd (assurance) contribute to responsible-AI maturity but are not a comprehensive staged model in their own right.

  • Treat as dimension inputs to the Governance & Responsible AI consensus dimension, not a standalone framework
  • Useful for organisations building bespoke internal RAI scorecards
📌 Can AI Maturity Be "Certified"?

Until 2026 the honest answer was no. As of mid-2026 the answer is: ISO 42001 offers certification of conformity, and CMMI AIM offers a true appraised maturity level — but they measure different things. Certification proves you conform to a management-system standard. Appraisal measures capability against defined process levels. A practitioner should not conflate the two when reporting to a board.

Blueprint 03
Analyst & Consultancy Models

This is the most-cited tier — the models practitioners are most likely to encounter in a board pack. All are self-assessment or facilitated instruments with no third-party assurance. Treat every cross-model percentage comparison as directional, not equivalent — level definitions are not consistent across providers.

The Big Comparisons
Eight analyst and consultancy instruments
ModelStructureKey evidence / statPractitioner note
Gartner AI Maturity Model7-question self-rated survey5 levels: Awareness, Active, Operational, Systemic, Transformational (1–5 rating scale)High-maturity avg 4.2–4.5; low-maturity avg 1.6–2.2High-level, self-reported; dimensions less transparent than MITRE. Third-party "seven pillars" expansions circulating online are NOT official Gartner IP.
IDC MaturityScape AIClassic CMMI-derived staging5 stages: Ad Hoc, Opportunistic, Repeatable, Managed, OptimizedIndia study: roughly two-thirds of organisations sit in the first two stagesDimensions: People, Process, Technology, Data — plus Strategy added in "AI-Fueled Organization 1.0" (Feb 2025)
ForresterAnalyst self-assessment toolAI maturity / readiness assessment with segmentation researchUsed for competitive benchmarking researchLess publicly documented level structure than Gartner or IDC — engagement-based
Accenture "Art of AI Maturity"2×2 index (Jun 2022)4 categories on foundational vs differentiation axes: Experimenters, Builders, Innovators, AchieversExperimenters 63% (score 29) · Builders 12% (44) · Innovators 13% (50) · Achievers 12% (64) — 0–100 index, median 36Achievers: 50% higher revenue growth, 53% more likely to have responsible-AI deployment. 17 capabilities scored. The "27% by 2024" figure widely quoted was a footnoted ML PROJECTION, never re-measured.
BCG 2025"Widening AI Value Gap / Build for the Future"3 tiers: Future-built 5%, Scalers 35%, Laggards 60% (1,250 execs, 41 capabilities)Agentic AI ≈17% of AI value in 2025, projected to 29% by 2028Separate AI Maturity Matrix exists for economies/public sector. AI Radar 2026 CEO segments: Followers 15%, Pragmatists 70%, Trailblazers 15%.
McKinsey State of AI 2025Authoritative adoption survey — NOT a levelled modelFielded 25 Jun–29 Jul 2025, 1,993 participants, 105 nations88% use AI in ≥1 function (up from 78%) · 72% GenAI · ~1/3 scaling · 39% report ANY EBIT impact · high performers ~6% (109/1,933 = 5.5%) attribute >5% EBIT to AIWorkflow redesign is the single attribute most correlated with EBIT impact. CEO governance oversight is among the attributes most correlated with bottom-line results.
DeloitteStrategy / talent / data / technology / operations frameworkFramework + quarterly State of GenAI surveysTracks adoption trend over time via recurring surveyBest used longitudinally rather than as a single-point score
IBM AI LadderData-centric progressionCollect → Organize → Analyze → InfuseSeparate 7-dimension framework scored Silver / Gold / PlatinumStrongest where the constraint is data readiness rather than governance or talent
⚠️ The Comparability Trap

Accenture's oft-quoted "27% of organisations will be Achievers by 2024" was a machine-learning projection buried in a footnote — it was never re-measured, and by most other trackers (Cisco, BCG, McKinsey) the leading tier stayed in single digits through 2025–2026. Do not let a stale projection set board expectations.

Blueprint 04
Government & Academic Models

This tier contains the most rigorously decomposed and most CMMI-explicit instruments in the entire field — free, published, and government-grade. It also carries the strongest treatment for Australian practitioners, whose regulatory context is public-sector-led rather than statute-led.

Government & Audit-Grade Instruments
Six frameworks with genuine rigor
🎯

MITRE AI Maturity Model

THE most complete free government-grade instrument in the field. 6 pillars, 20 dimensions, 5 CMMI-derived levels — explicitly "adapted from CMMI." Published assessment tool available.

  • Pillars: Ethical/Equitable/Responsible Use · Strategy & Resources · Organization · Technology Enablers · Data · Performance & Application
  • Levels: Initial, Adopted, Defined, Managed, Optimized
🔍

US GAO AI Accountability Framework

GAO-21-519SP (2021) — 4 principles: Governance, Data, Performance, Monitoring, each with key practices, audit questions, and third-party assessor procedures.

  • Audit-oriented, full-lifecycle coverage
  • Designed for use by independent assessors, not just self-assessment
📊

NIST AI RMF Tiers

Cross-referenced from Tab 02 — Partial → Risk-Informed → Repeatable → Adaptive Implementation Tiers, the closest thing NIST offers to a maturity ladder.

🇸🇬

Singapore IMDA AI Verify

Testing framework and toolkit paired with the Model AI Governance Framework — technical testing rather than staged maturity.

  • Focused on technical testing of AI systems against stated governance principles
  • Model AI Governance Framework provides the policy layer that AI Verify tests against
🇬🇧

UK Government Ecosystem

CDDO/GDS heritage feeding into the DSIT AI assurance ecosystem, plus government self-assessment tools for departments.

  • CDDO/GDS legacy shapes digital-service-style self-assessment tooling
  • DSIT AI assurance ecosystem coordinates the broader UK assurance market
  • Department-level self-assessment tools remain fragmented rather than centrally mandated
🎓

Academic Landscape

Sadiq et al. 2021 (15 models) remains the reference systematic review.

  • Becklines & El-Gayar, AMCIS 2025 — supply chain application
  • Healthcare AI governance, medRxiv 2024
  • Human-centred AI research strand
  • Consistent finding across the academic literature: the same consensus dimensions recur, but empirical validation remains weak
Australian Public Sector — Strong Treatment
The Australian assurance and assessment stack

Australia is public-sector-assessment-led rather than statute-led — there is no standalone AI Act. For practitioners working in or with Australian government, this stack matters more than any global analyst model.

FrameworkDateDetail
National Framework for the Assurance of AI in Government21 Jun 2024Issued by Australia's Data & Digital Ministers — the foundation assurance instrument for government AI use
Voluntary AI Safety StandardAug 202410 guardrails, aligned to ISO 42001 and NIST AI RMF
Guidance for AI Adoption ("AI6")Updated Oct 2025Successor to the Voluntary AI Safety Standard — 6 essential practices
National AI PlanDec 2025Confirms reliance on existing laws plus an AI Safety Institute — no standalone Australian AI Act
NSW AI Assessment Framework (AIAF)Redesigned 2025MANDATORY risk-based self-assessment, built with CSIRO Data61, takes <30 minutes; high/critical-risk findings escalate to the AI Review Committee
NSW Agentic AI GuideOct 2025Australia's first government guidance specifically for agentic AI systems
Australian Responsible AI IndexOngoingProduced by Fifth Quadrant — sector-benchmarking instrument
DTA Policy v2.0Effective 15 Jun 2026First mandatory requirement: internal AI use-case register with accountable owners; all 94 mandatory agencies must publish public AI transparency statements
🏆 Authority Point

For Australian public-sector practitioners, the NSW AIAF plus the National Assurance Framework plus "AI6" together function as a de facto national maturity floor — even without a levelled model attached. A P3M3-literate assessor can map these directly onto the consensus dimensions in Tab 06 without waiting for a formal Australian AI maturity model to appear.

Blueprint 05
Domain-Specific Models

Below the enterprise-wide models sits a dense layer of domain-specific instruments — MLOps, data management, responsible AI, and the fast-emerging agentic AI category. Most are vendor-published and CMM-derived; several are the best-documented open instruments available for their specific domain.

Domain Instruments
Nine domain-specific frameworks
🔧

MLOps

Common axis across every MLOps model: automation and reproducibility of the model lifecycle. Maturity correlates directly with time-to-production and incident rate.

  • Microsoft: 5 levels — 0 No MLOps → 4 Full MLOps Automated Operations
  • Google: 3 levels — 0 Manual → 2 CI/CD pipeline automation
  • AWS: 4 phases — Initial, Repeatable, Reliable, Scalable
  • GigaOm: most explicitly CMMI-aligned — Levels 0–4 across strategy, architecture, modeling, processes, and management
🗄️

Data (Foundational)

DAMA-DMBOK, EDM Council DCAM, and CDMC form the data-layer maturity foundation that every AI model implicitly depends on.

  • DCAM: 8 components (Strategy, Business Case & Funding, DM Program, Data Governance, Data Architecture, Technology Architecture, Data Quality, Data Operations) × 5 levels (Not Initiated, Conceptual, Developmental, Defined, Achieved/Enhanced)
  • DCAM v3 adds AI/cloud focus — 35 capabilities / 109 sub-capabilities
  • EDM Council 2026 Global Benchmark (435+ orgs, 50+ countries): most organisations sit in the Developmental/Defined range — a key AI readiness constraint
  • CDMC covers the cloud-specific variant
🤝

Responsible AI / Governance

A cluster of vendor and academic instruments assessing RAI maturity specifically, distinct from broader AI capability maturity.

  • BCG RAI: lagging / developing / advanced / leading
  • Salesforce: ad hoc / organized & repeatable / managed & sustainable / optimized & innovative
  • IAPP: publishes governance benchmarks
  • Academic: RAI-OM and the Mäntymäki Hourglass Model

GenAI

2024–2026 frameworks are still emerging in this domain, and frequently overlay "GenAIOps" practices onto existing MLOps structures rather than defining genuinely new staged levels.

🤖

Agentic AI (2025–2026 Explosion)

The fastest-moving domain in the field — models are being published and revised faster than any other tier.

  • Microsoft Agentic AI Adoption Maturity Model: explicitly CMM-based, 5 levels (100 Initial, 200 Repeatable, 300 Defined, 400 Capable, 500 Efficient), 5 capability pillars
  • Salesforce: 4 levels
  • Gartner Agentic AI Maturity Roadmap: 5 levels (Aug 2025)
  • Academic AAGMM: 5 governance levels
🔬

Microsoft RAI MM (Detail)

The best-documented open instrument alongside MITRE. Published by Microsoft Research / Aether in 2023.

  • 24 empirically derived dimensions from interviews and focus groups with 90+ RAI specialists
  • Grouped into Organizational Foundations, Team Approach, RAI Practice
  • 5 levels per dimension: Latent → Leading
  • Subject of CSCW 2025 research (RAI-OM)
🪟

Microsoft General AI Maturity Model

5 levels: Latent, Emerging, Developing, Realizing, Leading — Microsoft's enterprise-wide model, distinct from the RAI-specific and MLOps-specific instruments above.

☁️

Google Cloud AI Adoption Framework

Structured across 4 areas (people, process, technology, data), 6 themes (Learn, Lead, Access, Scale, Automate, Secure), and 3 phases (Tactical, Strategic, Transformational).

📦

AWS CAF AI/ML Perspective

Cloud Adoption Framework AI/ML perspective plus a dedicated ML maturity phase model: Initial, Repeatable, Reliable, Scalable.

Blueprint 06
The Consensus Dimensions

Synthesising all 30+ models across every tier of this wiki, seven dimensions recur with remarkable consistency — regardless of whether the model calls itself a maturity model, a readiness index, or an adoption framework. These seven dimensions are the practical answer to "what should we actually assess?"

The Seven Dimensions
What every credible AI maturity model measures
🎯

1. Strategy & Leadership

Vision, C-suite sponsorship, roadmap, and funding commitment behind AI adoption.

  • Present in Gartner (Awareness → Transformational), IDC (+Strategy in AI-Fueled Org 1.0), MITRE (Strategy & Resources pillar)
  • P3M3 mapping: Financial Management perspective
🗄️

2. Data

Quality, governance, architecture, and accessibility of the data AI systems depend on.

  • Core to IDC, DCAM, MITRE Data pillar, IBM AI Ladder
  • EDM Council 2026 benchmark shows this as the most common constraint on AI readiness
🏗️

3. Technology & Infrastructure

Platforms, MLOps tooling, compute capacity, and network readiness.

  • MITRE Technology Enablers pillar; Cisco Infrastructure pillar
  • Covered in depth by every MLOps-specific model (Microsoft, Google, AWS, GigaOm)
👥

4. People & Talent

Skills, upskilling programs, defined roles, and organisational design for AI-era work.

  • MITRE Organization pillar; Cisco Talent pillar; IDC People dimension
  • P3M3 mapping: Resource Management perspective
⚖️

5. Governance & Responsible AI

Risk management, ethics, regulatory compliance, and oversight structures.

  • MITRE Ethical/Equitable/Responsible Use pillar; Cisco Governance pillar
  • The dimension ISO 42001, NIST AI RMF, and Microsoft RAI MM assess most deeply
🌱

6. Culture

Experimentation appetite, change management capability, and genuine adoption behaviour.

  • Cisco Culture pillar; a consistent blind spot in self-assessment instruments
  • P3M3 mapping: Stakeholder Engagement perspective
📈

7. Operations & Value

Use case delivery, production deployment discipline, and ROI measurement.

  • MITRE Performance & Application pillar; the dimension McKinsey's EBIT-impact research targets directly
  • P3M3 mapping: Benefits Management + Management Control perspectives
📌 Cleanest Operationalisation

Cisco's 6-pillar AI Readiness Index (Strategy, Infrastructure, Data, Governance, Talent, Culture) is the cleanest operationalisation of these seven dimensions into a fielded, repeatable instrument — it simply folds Operations & Value into Strategy.

🏆 Authority Point

MITRE's 6 pillars / 20 dimensions remains the most rigorously decomposed public instrument covering these seven consensus dimensions — if you need to defend a dimension set to a skeptical board or auditor, MITRE's published tool is the strongest free reference.

Blueprint 07
P3M3 / CMMI Mapping for Practitioners

This is the flagship tab for a P3M3/CMMI-literate practitioner. Every major AI maturity model traces its staged structure back to the same CMMI ancestry that P3M3 shares — MITRE says so explicitly. That means the assessment method, the level semantics, and the "not everyone needs Level 5" principle all transfer directly.

Level Mapping
P3M3 vs IDC vs MITRE vs CMMI AIM
LevelP3M3IDC MaturityScapeMITRE AI MMCMMI AIM
Level 1AwarenessAd HocInitialInitial
Level 2RepeatableOpportunisticAdoptedManaged
Level 3DefinedRepeatableDefinedDefined
Level 4ManagedManagedManagedQuantitatively Managed
Level 5OptimizedOptimizedOptimizedOptimizing

MITRE explicitly states its 5-level structure is "adapted from CMMI" — the closest documented lineage to P3M3 of any model in this wiki, given P3M3 and CMMI share common ancestry via the Capability Maturity Model tradition.

Perspectives Mapping
P3M3 perspectives → AI maturity dimensions
P3M3 perspectiveMaps to AI dimension
Management ControlOperations & value governance
Benefits ManagementValue / ROI dimension
Financial ManagementStrategy / funding
Risk ManagementGovernance / responsible AI
Stakeholder EngagementCulture / change
Organisational GovernanceAI governance
Resource ManagementTalent + infrastructure
What Transfers Directly
Assessment method and principles from the P3M3 heritage
🔁

Assessment Method Transfer

P3M3's attribute-based, evidence-driven, facilitated assessment methodology — culminating in a development plan — is directly transferable to AI maturity assessment.

  • Evidence-based scoring beats self-rated surveys (Gartner, Cisco) for defensibility
  • Facilitated workshop format maps directly onto MITRE and Microsoft RAI MM assessment styles
  • The muscle memory of a P3M3 assessor applies almost without modification
🪪

Key Difference — Accredited Assessors

P3M3 has AXELOS/PeopleCert-accredited assessors underpinning consistency across engagements.

  • AI maturity lacked any equivalent accreditation body until 2026
  • ISO 42001 certification (via accredited CABs) is the first comparable assurance layer
  • CMMI AIM appraisal (SCAMPI tradition) is the second — and the one closest to P3M3's own heritage
🎯

"Not Everyone Needs Level 5"

The core P3M3 principle applies unchanged: set differentiated target levels per dimension tied to actual business need.

  • A Tier 4 productivity-tooling use case does not need Level 5 governance maturity
  • A Tier 1 agentic deployment does — differentiate the target, don't flatten it
  • This is the single most useful P3M3 habit to carry directly into AI maturity roadmapping
🏆 Authority Point

A practitioner who has run P3M3 assessments already has the hardest skill: facilitated, evidence-based maturity assessment against a staged model. The AI maturity landscape does not require learning a new discipline — it requires mapping a familiar discipline onto a new, less standardised vocabulary. Use this table as the Rosetta Stone.

Blueprint 08
Running an Assessment

Running an AI maturity assessment follows the same five-stage cycle as any mature P3M3-style assessment programme — the difference is in how the assessment types stack, and how the results are integrated with risk and governance frameworks rather than treated as a standalone score.

The Assessment Cycle
Baseline → Target → Roadmap → Execute → Re-assess
📍
Baseline
Current-state score
🎯
Target
Differentiated levels
🗺️
Roadmap
Prioritised gap plan
🚀
Execute
Deliver the plan
🔄
Re-assess
Annual / triggered
Assessment Types
Four ways an assessment can be delivered
TypeCost / effortObjectivityExamples
Self-assessment questionnaireCheapest — minutes to hoursLeast objectiveCisco and Gartner online tools; NSW AIAF (<30 minutes)
Facilitated / workshopDays to weeksModerate — evidence-based, facilitator-ledMITRE, Microsoft RAI MM, P3M3-style facilitated assessments
Certified / audited6–18 month programmeHigh — accredited third-party auditorISO 42001 (annual surveillance, 3-year recertification)
AppraisedFormal appraisal engagementHighest — independent SCAMPI-tradition appraisalCMMI AIM (new as of Jun 2026)
Making It Stick
Integration, cadence, and reporting
🧩

Integration Stack

NIST AI RMF (risk structure) + ISO 42001 (certifiable AIMS) + a maturity model (benchmark and roadmap) are complementary, not competing.

  • Team pattern: use RMF for risk analysis
  • Use ISO/IEC 23894 to deepen risk treatment
  • Use ISO/IEC 22989 for shared vocabulary
  • Use ISO 42001 for the repeatable, auditable management system
📅

Cadence

Annually, or on material context change — new use case, new data source, or new regulation.

  • Mirrors the NIST Manage→Map loop
  • Mirrors standard P3M3 re-assessment practice
  • Trigger-based re-assessment catches drift a fixed annual cycle would miss
🏛️

Board Reporting

Maturity scores form a defensible baseline for investment cases.

  • Use Gartner's production-longevity data (45% vs 20%) as a narrative anchor
  • Use BCG's value-gap findings (1.7x revenue, 3.6x TSR) to frame the cost of inaction
  • Always name the source model — never present a bare score without provenance
🔧

The McKinsey Lever

Workflow redesign drives EBIT impact more than any other single attribute measured by McKinsey.

  • Prioritise use-case selection and operating-model change over tooling investment
  • CEO governance oversight is also strongly correlated with bottom-line results
Blueprint 09
Benchmarks & Statistics 2026

The headline number for 2026 is not adoption — it's stagnation and, in one leading index, outright regression. As expectations rise with the agentic AI wave, several trackers show organisations moving backwards on relative maturity even as investment increases.

The Headline Numbers
Five statistics every practitioner should know cold
13%
Cisco Pacesetters — three years running
5/35/60%
BCG future-built / scalers / laggards split
88%
Organisations using AI in ≥1 function (McKinsey)
39%
Report ANY enterprise EBIT impact (McKinsey)
<1%
Score above 50/100 on the ServiceNow index
The Surveys
Eight benchmarking studies behind the headline numbers
StudyMethodologyKey finding
Cisco AI Readiness Index 2025Double-blind, 8,000+ senior leaders, 30 markets / 26 industries, released 14 Oct 2025Pacesetters ~13% three years running. Only 15% have AI-ready networks; 19% fully centralised data. Pacesetters are 4x more likely to move pilots into production.
BCG 20251,250 executives, 41 capabilities5/35/60 split. Future-built organisations: 1.7x revenue growth, 3.6x TSR, 1.6x EBIT margin.
Accenture 2022"Art of AI Maturity" index12% Achievers, 13% Innovators, 12% Builders, 63% Experimenters.
McKinsey State of AI 20251,993 participants, 105 nations88% AI use, 72% GenAI, ~1/3 scaling, ~6% high performers, 39% report any EBIT impact.
IDC MaturityScapeRegional deep-dives (e.g. India study)Majority of organisations sit in the first two of five stages.
ServiceNow / Oxford Economics Enterprise AI Maturity Index 20254,500 organisationsAverage score FELL 20% year-on-year (44 → 35); <1% scored above 50/100; top score fell from 71 to 58; Pacesetters 18.2%. Illustrates that as expectations rise with agentic AI, organisations can move backwards on relative maturity even while investing more.
IAPP / Pacific AI 2025Governance-focused survey75% have AI usage policies but only 36% have a formal governance framework; only 28% (2024) had formally defined oversight roles. AI governance roles grew 17% in 2025 (Stanford HAI / McKinsey).
GartnerQ4 2024 survey, 432 respondents45% of high-maturity organisations keep AI operational 3+ years, vs 20% of low-maturity organisations.
⚠️ Moving Goalposts

The ServiceNow/Oxford Economics decline is the single most important 2026 data point for a practitioner presenting to a board: it demonstrates that "maturity" is being measured against a rising bar (agentic capability), not a fixed one. A flat or declining score does not necessarily mean an organisation regressed — it may mean the goalposts moved faster than the organisation did. Report both the absolute score and the trend in what is being measured.

Blueprint 10
Selecting or Building Your Model

With 30+ models in the field, the practical question is not "which is best" but "which fits your context, and how do you sequence adoption." This tab closes the wiki with a decision framework, a 4-stage adoption roadmap, and an honest accounting of where the whole field still falls short in 2026.

Decision Framework
Which model fits which practitioner context
🧭

P3M3/CMMI-Literate CIO — Primary Pick

The two most natural starting points for a delivery-maturity practitioner.

  • MITRE: free, government-grade, 6 pillars / 20 dimensions / 5 CMMI-derived levels, published assessment tool
  • Gartner: analyst benchmarking, directly comparable to peer organisations
🪪

Need External Credibility / Regulatory Defensibility

Pursue third-party assurance rather than self-assessment.

  • ISO 42001 certification for a recognised, globally portable conformity mark
  • Evaluate CMMI AIM now it has formally launched — the only appraised option with CMMI heritage
🇦🇺

Australian Public Sector

Anchor on the Australian stack rather than importing a global model wholesale.

  • National Framework for the Assurance of AI in Government
  • NSW AI Assessment Framework (mandatory, <30 minutes)
  • "AI6" Guidance for AI Adoption
  • Together these function as the de facto Australian maturity floor, even without a dedicated Australian AI maturity model
🏗️

Structure Comparison

Three underlying structural families recur across the 30+ models.

  • Staged (CMMI-like) — the most common, and the most familiar to a P3M3 practitioner
  • Continuous — scored per-practice rather than per-level
  • Dimensional / matrix — e.g. BCG's 2x2, Accenture's 2x2
  • Most instruments in the field are self-assessment or marketing tools — only ISO 42001 and CMMI AIM currently offer genuine third-party assurance
4-Stage Adoption Roadmap
From first baseline to board-level cadence
Honest Critique — 2026 Gaps
What the field still gets wrong
1️⃣

No Universal Level Definitions

Level 3 in Gartner does not mean the same thing as Level 3 in MITRE, IDC, or CMMI AIM. Never treat cross-model scores as equivalent.

2️⃣

Self-Reporting Is Gameable

Self-reported instruments are gameable and systematically optimistic. Treat cross-model percentage comparisons as directional only, not precise.

3️⃣

Weak Empirical Validation

Many academic models carry weak empirical validation — cite Sadiq et al. 2021's own conclusion as the caveat.

4️⃣

Agentic AI Outpacing Updates

Agentic AI capability is outpacing model updates — the ServiceNow/Oxford Economics declining scores are a direct symptom of moving goalposts.

5️⃣

Limited Accredited-Assessor Ecosystems

Outside ISO 42001, there is essentially no accredited-assessor ecosystem comparable to what P3M3 practitioners take for granted via AXELOS/PeopleCert.

6️⃣

Marketing Dressed as Maturity

Many vendor "maturity models" are marketing instruments in disguise — distinguish these clearly from MITRE, GAO, NIST, and ISO before citing them to a board.

7️⃣

CMMI AIM Is Brand New

Launched June 2026, CMMI AIM is not yet battle-tested. Verify its status and case history before making a board-level commitment based on it.

8️⃣

The Accenture Projection Problem

Accenture's "27% Achievers by 2024" figure was a projection, never re-measured — a cautionary example of how a single footnoted estimate becomes repeated as fact.

🏆 Authority Point

Pick a model, baseline honestly, and roadmap from evidence — but never present a maturity score to a board without naming which model produced it and what its known limitations are. The practitioner who says "we scored Level 3 on MITRE, and here is what that specifically means and does not mean" will always out-credibility the one who says only "we are Level 3."