Interactive Diagnostic · March 2026

AI Capability
Maturity Assessment

A Practical Guide for Deployment Managers

You are deploying AI whether you planned to or not. Your employees are already running Claude Code in their terminals, transcribing every meeting with AI tooling, and wiring homemade apps into their workflows without security review. The question is how to turn that unmanaged use into deliberate capability.

This Capability Maturity Model maps that path across five levels: Shadow, Sanctioned, Designed, Infrastructural, and Planetary — from the first unsanctioned use to the point where AI is invisible civilizational coordination infrastructure.

The conventional AI governance response — acceptable use policies, data boundaries, approved tool lists — addresses the wrong question. The right question is protocol design: specifying coordination rules at the handoff points where AI output enters organizational accountability.

Building capability systematically means clearing each level's governance requirements before advancing to the next. Each transition requires a different kind of governance. The failure modes at each level are predictable.

Most organizations are at Level 1 or early Level 2. That is the expected starting point, not a failure. The assessment below identifies where your organization sits, which failure modes you are most exposed to, and what the next move looks like.

Take the assessment →
The five levels

From shadow adoption to planetary infrastructure

Each level describes an organizational state with characteristic governance challenges and failure modes. Levels 1–3 are actionable today. Levels 4–5 are projected.

1
Shadow
AI is in use. The organization doesn't know how, by whom, or with what data.
AI tools are in active use through employee initiative, without organizational authorization or oversight. Individual workers use personal accounts for work tasks. No policy governs what data can be submitted to which services. Exposure is invisible until a data leak, regulatory inquiry, or quality failure makes it visible — typically 400+ days after the initial incident. The characteristic tension is between individual productivity gains and organizational risk that accumulates silently.
Historical parallel Spreadsheets in accounting — Lotus 1-2-3, mid-1980s Finance departments adopted spreadsheets through individual initiative before IT or management had any policy. Individual productivity gains were real; organizational risk from formula errors and uncontrolled data was invisible until it wasn't.
GovernanceabsentNo governance exists. No policies, no oversight, no organizational awareness of AI use patterns.
ToolingpersonalEmployees use personal accounts (ChatGPT, Claude, Copilot) for work tasks. No enterprise licensing, access controls, or data handling review.
Uncertainty handlingignoredAI outputs are used without review or verification. No distinction exists between AI-generated and human-generated work. From the enterprise's vantage point, a high-value bilateral AI pipeline and reckless shadow use look identical — both are invisible.
Coordinationad hocEach employee makes independent decisions about which tools to use and how. No shared standard or organizational visibility.
Feedback loopsnoneNo mechanism exists to detect, record, or learn from AI errors. Failures disappear into the flow of work.
VerificationnoneAI outputs are not verified before use in consequential contexts. No review step exists at any point in the workflow.
2
Sanctioned
The organization has granted AI access. It hasn't designed what to do with it.
The organization has granted broad AI access and signaled strategic intent. Enterprise licenses are deployed; adoption rates climb. What is missing is the governing protocol: which tasks, with what review process, what quality standard, what escalation path when AI fails. High adoption rates and early productivity gains accumulate alongside governance failures that surface when they become external-facing — in customer complaints, court decisions, or regulatory findings. The characteristic tension is between maximizing adoption speed and building the review infrastructure that makes adoption durable. When employees share AI-generated work, they share contexts — decision spaces, embedded assumptions, implicit workflows — not discrete artifacts. Access governance cannot address this; it cannot specify how to evaluate an embedded decision space.
Historical parallel Corporate email — Microsoft Exchange / Lotus Notes, early 1990s Email was mandated broadly before organizations had designed how to use it. The mandate produced adoption. The absence of workflow design produced attention overload, inbox as default coordination mechanism, and meeting culture as the override.
GovernancereactiveGovernance responds to incidents. Policies exist but are triggered by failures, not designed around AI's probabilistic properties.
ToolingsanctionedEnterprise AI licenses are in place and personal account use is discouraged. Tool selection has been reviewed, but workflows have not been redesigned around the tools.
Uncertainty handlingabsorbedErrors are noticed and corrected informally when they surface. No systematic process exists for detecting AI failures before they reach end users.
CoordinationmandatedAI use is mandated or encouraged organization-wide, but teams coordinate AI use independently with no shared workflow standard.
Feedback loopsreactiveFailures trigger individual corrections but no systematic tracking, aggregate learning, or trend analysis across workflows.
VerificationinformalSome outputs are reviewed before use, but informally and inconsistently. No defined criteria, no named reviewer, no record of what was checked.
3
Designed
AI workflows are designed, not improvised. The business model depends on them.
At least one core workflow has been deliberately designed around AI — with a named owner, quality metrics, and a defined escalation path for failures. Removing AI from that workflow would require rebuilding it. The governance question has shifted from controlling use to designing protocols that handle failure, versioning, and external dependencies without losing the speed advantage AI provides. Domain expertise is the limiting constraint: the knowledge required to specify what good AI output looks like in a specific context. The characteristic tension is between AI-accelerated internal velocity and external dependencies — regulatory timelines, supplier lead times, partner cycles — that move at human pace. Domain expertise functions as higher-level perception: the ability to read the shape of AI output without inspecting every line — sensing whether the logic holds, the framing fits, something critical is missing. In well-designed Level 3 workflows, AI provides commodity execution; domain knowledge is the scarce resource.
Historical parallel Git and CI/CD — 2008–2015 Competitive position in software development came to depend on how well the deployment workflow was designed. Teams that designed CI/CD protocols well shipped faster and with fewer regressions. Domain expertise — knowing what to test and when — was the limiting constraint, not tool access.
GovernancedesignedAt least one workflow has a designed governance protocol: specific review criteria, named ownership, defined escalation paths. Governance is workflow-specific, not organization-wide.
Toolingpurpose-builtThe organization has built or customized AI tooling for its specific domain context — beyond off-the-shelf configuration. Internal tooling reflects the specific verification and coordination requirements of the workflows.
Uncertainty handlinggovernedAI outputs in governed workflows are reviewed against defined criteria by named reviewers. Outside governed workflows, handling remains informal.
CoordinationdesignedCoordination protocols are explicitly designed for AI-native workflows — handoffs, review cadences, and escalation paths are structured to handle the speed differential between AI production and human review.
Feedback loopssystematicQuality metrics track workflow performance on a defined cadence. Failures trigger protocol reviews, not just individual corrections.
VerificationproceduralVerification follows documented procedures in at least one workflow. Reviewers know what they're checking, why they're checking it, and what constitutes a failure. At the individual level this manifests as orientation debt: contexts multiplying faster than any reviewer can evaluate them.
4
Infrastructural Projected
AI is sector infrastructure. The question is no longer whether to use it but how to govern it collectively.
AI capability has become a baseline expectation across the sector. Individual organizational advantage has been competed away; the governance challenge is now collective. The questions are market-structural: how does the industry coordinate AI use, handle shared risks, establish interoperability standards, and prevent concentration of AI capability that produces anti-competitive outcomes. Individual organizational maturity is necessary but not sufficient at this level. The characteristic tension is between industry standardization — which enables coordination — and organizational differentiation through proprietary AI capability. AI has shifted from destination intelligence — people going to tools — to intelligence media, where intermediate artifacts circulate between people's bespoke AI setups like industrial intermediates between factories. At Level 4, governing this factory-to-factory coordination at sector scale is the central challenge.
Historical parallel EDI in retail and manufacturing — late 1980s–1990s Walmart mandated Electronic Data Interchange for all suppliers. Early adopters had competitive advantage. Then every major retailer adopted it. Individual advantage disappeared; the floor for the whole sector rose. Not adopting EDI meant not participating in the market.
GovernancesystematizedGovernance protocols are systematized across the organization and aligned with sector-wide standards. The organization contributes to or formally complies with industry AI governance frameworks.
ToolingnativeAI is native to the organization's core infrastructure — not deployed as a layer on top of existing systems but embedded in the systems themselves.
Uncertainty handlingsystematizedCross-workflow quality standards exist and are tracked at the organizational level. Handling is consistent and measurable across all critical workflows.
CoordinationautomatedCoordination between AI workflows is automated where possible. Handoffs between workflows are governed by protocol without requiring manual intervention at each step.
Feedback loopspredictivePerformance data from AI workflows predicts failure modes before they occur. Quality instrumentation is forward-looking, not just reactive.
VerificationmetricedVerification is tracked with quantitative metrics across all critical AI workflows. Error rates, correction rates, and escalation rates are monitored and reported on a defined cadence.
5
Planetary Projected
AI is invisible infrastructure for civilization-scale coordination. The governance challenge is legibility, not adoption.
AI governs critical civilizational coordination systems — supply chains, financial infrastructure, public health surveillance. The governance challenge is no longer adoption or protocol design but legibility: understanding what the systems are doing well enough to intervene when they fail. Individual organizational governance is a component of a problem no single actor controls. Historical precedent: the 2021 Maersk ransomware attack and the Ever Given Suez blockage as early examples of how infrastructure-level failures propagate across sectors before any actor can respond.
Historical parallel Internet protocols — TCP/IP, SMTP, BGP, 2000s–present The 2021 Facebook BGP misconfiguration took down Facebook, Instagram, and WhatsApp globally. The failure propagated before any single actor could respond. The internet's routing protocols are invisible until they fail — and when they fail, the failure is everywhere at once.
GovernanceinfrastructureGovernance is itself infrastructure — embedded in protocols operating at civilizational scale. No single organization controls or fully understands the full governance system.
ToolingnativeAI tooling is indistinguishable from the infrastructure it governs. Tools are not deployed separately — they are the substrate of coordination across systems.
Uncertainty handlinggenerativeAI protocols generate new coordination mechanisms in response to uncertainty faster than human review can operate. Human oversight functions at system design level, not individual output level.
CoordinationinfrastructureCoordination between systems happens through AI protocols at machine speed, below the threshold of human attention in normal operation.
Feedback loopsgenerativeThe system modifies its own governing protocols in response to observed failures. Human intervention is required only for novel failure modes the self-correction mechanism cannot address.
Verificationself-correctingVerification is self-correcting at the protocol level. Failures trigger automated protocol adjustments. Human oversight is required only for failure modes outside the system's known envelope.
Why this model exists

New protocols are the key to AI adoption success.

Adoption maturity is defined by an organization's ability to govern uncertainty.

Most organizations apply enterprise-software governance logic to AI: policies, compliance controls, tooling checklists. That logic was designed for deterministic processes. AI systems are probabilistic. The mismatch produces characteristic failures — shadow adoption, quality floor collapse, liability exposure, over-reliance. The conventional response treats this as a control problem. The right framing is protocol design.

The unit of maturity in this model is the organization's ability to govern uncertainty productively: to define which AI outputs require human verification, to enforce that oversight, and to learn from failures when they occur.

Individuals with domain expertise are already discovering new protocols through daily AI use. Organizational standardization lags behind by design: the protocols worth formalizing are those that have proved their value through individual experimentation. The model describes how organizations close that gap.

Levels 1–3 describe organizational states deployment teams can act on directly. Levels 4–5 describe what happens when AI governance becomes an industry and civilizational challenge, beyond what any single organization controls.

Read more ↗
Evidence base

Explore three case studies

Read the diagnostic question at the bottom of each card — one of these patterns is probably yours.

Level 1 — Shadow

Samsung Electronics ↗

Technology / Semiconductor
Three engineers submitted proprietary source code and meeting transcripts to personal ChatGPT accounts within one month in April 2023. No policy governed this. Samsung had no visibility into what data had left the organization until after the fact. The data could not be recalled.
When governance is absent, exposure is invisible until it isn't.
Do you know which AI tools your employees are using today — and which organizational data they've submitted to those tools?
Samsung banned all external AI tools, built an internal LLM (Samsung Gauss), then selectively re-admitted external tools under a governed protocol over two years. The arc — incident → ban → internal alternative → governed re-admission — is the most documented Level 1 exit path available. The Samsung incident was not unusual in scale: contemporaneous Cyberhaven research found that in a 100,000-person company, confidential data was being shared with AI services hundreds of times per week. (Cyberhaven, Q1 2024.) Most organizations move directly to re-admission without building the governance protocol the ban was meant to create space for. The ban without a governed alternative is as common a failure mode as the original leak.
Level 2 — Sanctioned

Klarna ↗

Financial Technology
90% daily AI adoption in the first month. Two-thirds of customer service handled by AI. $40M in claimed profit improvement. Twelve months later, the CEO reversed course and began rehiring human agents, citing quality failures the absent governance layer could not address.
The mandate produced adoption. Adoption revealed quality failures. Quality failures required protocol. Designing protocol required slowing adoption. Leadership didn't want to slow adoption.
When your AI produces a wrong answer in a customer-facing workflow, does a defined process exist for catching it — or does someone fix it when they notice?
The financial results and the quality failures coexisted for longer than they should have. Cost savings from AI-handled volume were immediate and measurable. Quality degradation was diffuse and slow to surface — it required customers to complain, complaints to accumulate, and leadership to connect the pattern. That lag is the Level 2 trap: the metrics that look good are leading, and the metrics that matter are trailing. By the time the reversal became necessary, Klarna had already built the customer expectation that human support was gone.
Level 3 — Designed

Boom Supersonic ↗

Aerospace / Manufacturing
mkBoom automates full aircraft structural analysis from a parametric configuration file. The design methodology depends on it. Removing AI from Boom's core workflows would require rebuilding them — not substituting a human. A design discovery — Boomless Cruise — emerged through AI-enabled iteration that would have taken months under previous methods. Zero safety incidents across the XB-1 program.
When AI is embedded in the competitive position, governance shifts from controlling use to designing protocols that handle failure, versioning, and external dependencies while preserving the speed advantage AI provides.
If your primary AI-assisted workflow stopped working tomorrow — would you pause it, or rebuild it?
Boom is a late Level 3 case, not Level 4 or 5. Their business model depends on AI; the aerospace industry does not depend on Boom's approach. Level 3 is organizational competitive reliance. Level 4 is when the industry itself cannot function at standard productivity without AI. Boom is the clearest documented case of an organization that designed its governance protocol alongside its AI capability — rather than after a failure forced it.
Self-assessment

Where is your organization?

Answer based on where your organization is today. Six months from now is not the question.

Option A
AI tools are in active use, but the organization has limited visibility into which tools, by which teams, on which account types. No formal data boundary policy governs what can be submitted to external AI services. When AI produces a wrong answer, the response is case-by-case — whoever notices it fixes it. There is no defined process.
Option B
Enterprise AI licenses have been rolled out broadly. AI use is encouraged or mandated. At least one team has started designing workflows around AI outputs. But governance is uneven: some workflows have review criteria, others don't. Quality failures in AI-assisted work are handled inconsistently across teams.
Option C
At least one core workflow has been deliberately designed around AI — with a named owner, a quality metric, and a defined escalation path when it fails. Removing AI from that workflow would require rebuilding it. The organization can describe its verification protocol for that workflow without consulting a policy document.
The situation
A team lead reports that an AI tool produced an incorrect summary that went into a client deliverable. The error was caught by the client, not internally. What happens next in your organization?
There is no defined process — it gets handled ad hoc, noted informally, and people move on
It gets escalated, but who handles it and how depends on who's in the room
A defined review protocol exists for that workflow; the failure triggers a specific response and a record is created
Placing your organization…
The situation
Your organization mandated AI adoption six months ago. Leadership wants a governance status update. Which of these is closest to the honest answer?
We have a policy document. Enforcement is inconsistent — it depends on the team
One or two teams have designed their workflow around AI with real accountability. Most teams haven't
Multiple core workflows are designed, owned, and tracked. We have quality metrics for at least two of them
Placing your organization…
The situation
The AI tool your primary workflow depends on ships a model update. The tool's outputs change in ways that aren't immediately obvious — the failure modes differ from the previous version. What happens in your organization?
The review protocol stays the same. Someone might notice the change over time — it hasn't come up as a process question
The team that owns the workflow evaluates the update before deploying. The protocol is reviewed and adjusted if needed
Governance protocols are versioned with tooling changes. Multiple workflows are evaluated and updated on a defined schedule
Placing your organization…
Your result
Go deeper

The Protocolized newsletter

Covers AI adoption, organizational governance, and protocol design — written for practitioners, not vendors.

Subscribe ↗
Working through this with your team?

Talk through your placement

If you're navigating Level 2 or 3, we run structured working sessions on governance protocol design.

Get in touch ↗

From the Archive

Essays from Protocolized on protocol thinking, AI adoption, and organizational design.