Enterprise Governance & Risk

AI Governance Maturity: A Four-Stage Progression

You cannot jump from "a few pilots and a Slack channel" to "audited AI management system" in one quarter. A maturity model tells you which gap to close next — and which to deliberately leave open for now.

Claude 3P 101 · Updated July 2026 · Unofficial guide

Maturity models get a bad reputation because they are often used for scoring theater. Used properly, they answer a practical question: given where we are, what is the smallest set of changes that meaningfully reduces risk? The four stages below describe how AI governance typically develops in an enterprise using Claude through the API or a cloud platform. This is recommended practice for self-assessment — it is not a regulatory framework, and no stage constitutes compliance with any law. Confirm actual obligations with counsel.

Stage 1 — Ad hoc: AI happens to you

What it looks like: individual teams have API keys or cloud model access; nobody has the full list. There is no policy, or an unenforced one. Data-handling defaults are whatever the platform ships with, unexamined.

Exit steps: establish visibility before control. Enumerate every route to Claude your organization actually uses (first-party API, Claude Platform on AWS, Bedrock, Vertex AI, Foundry) and start the model inventory, however rough. Publish a one-page interim use policy with an escalation alias. Read your platform's data-handling defaults so decisions are informed — for example, Anthropic states the Claude API deletes inputs and outputs within 30 days by default and does not train on commercial inputs/outputs without express permission, while on Bedrock and Google Cloud the cloud provider is the data processor.

Stage 2 — Defined: rules exist and owners are named

What it looks like: a ratified policy, a charter naming accountable owners, an intake form for new use cases, and a basic risk-tiering rubric. Reviews happen, but consistency depends on who performs them.

Exit steps: make the paper structure technically real. Consolidate access so keys are provisioned through governed accounts, not personal ones. On the Claude platform, this is where workspaces earn their keep: separate projects and environments per workspace with API keys scoped to a single workspace, so "one approved use case" maps to a unit you can limit, monitor, and — if needed — archive (archiving a workspace immediately revokes all its API keys). Assign Console organization roles by job function rather than sharing admin credentials.

Stage 3 — Managed: the process runs the same way every time

What it looks like: every use case passes intake and tier-appropriate validation before launch; the inventory is complete and current; change management covers prompt, model, and retrieval changes; incidents follow a playbook and produce lessons.

Exit steps: move from repeatable to measurable. Instrument usage centrally — on the Claude API, the Admin Usage and Cost API reports token consumption with breakdowns by model, workspace, and service tier, which lets you reconcile actual usage against the inventory instead of trusting self-reporting. Establish quantitative launch criteria (evaluation scores, review turnaround) and record them as evaluation documentation.

Stage 4 — Optimized: governance is measured and audited

What it looks like: governance metrics are reviewed on a cadence; internal audit tests the controls; drift between inventory and reality is detected automatically; the program improves itself after every incident and review cycle. Organizations at this stage sometimes align to a formal standard — ISO/IEC 42001:2023, the international standard for AI management systems (Anthropic announced its own accredited certification under it in January 2025) — either for certification or simply as an external checklist.

Assessing yourself honestly

QuestionStage it tests
Can you list every Claude integration in production today?1 → 2
Would two different reviewers assign the same use case the same risk tier?2 → 3
Did your last three launches all produce the required evidence, without chasing?3
Could you show an auditor usage data that matches your inventory?3 → 4

Score by the weakest area, not the average — one ungoverned high-risk deployment outweighs ten well-run pilots. And resist skipping stages: a Stage 4 metrics dashboard built on a Stage 1 inventory measures fiction.

Where to go next

If you placed yourself at Stage 1, start with building the program from scratch. At Stage 2 or 3, the highest-leverage reads are the inventory guide and change management.

Sources