This Capability Maturity Model maps the path across five levels: Shadow, Sanctioned, Designed, Infrastructural, and Planetary — from the first unsanctioned use to the point where AI is invisible civilizational coordination infrastructure. Each level is defined by the governing protocol required, the characteristic failure mode when that protocol is missing, and a historical parallel from earlier technology transitions.
The five levels
From shadow adoption to planetary infrastructure
Each level describes an organizational state with characteristic governance challenges and failure modes. Levels 1–3 are actionable today. Levels 4–5 are projected.
1
Shadow
AI is in use. The organization doesn't know how, by whom, or with what data.
AI tools are in active use through employee initiative, without organizational authorization or oversight. Individual workers use personal accounts for work tasks. No policy governs what data can be submitted to which services. Exposure is invisible until a data leak, regulatory inquiry, or quality failure makes it visible — typically 400+ days after the initial incident. The characteristic tension is between individual productivity gains and organizational risk that accumulates silently.
Historical parallelSpreadsheets in accounting — Lotus 1-2-3, mid-1980sFinance departments adopted spreadsheets through individual initiative before IT or management had any policy. Individual productivity gains were real; organizational risk from formula errors and uncontrolled data was invisible until it wasn't.
GovernanceabsentNo governance exists. No policies, no oversight, no organizational awareness of AI use patterns.
ToolingpersonalEmployees use personal accounts (ChatGPT, Claude, Copilot) for work tasks. No enterprise licensing, access controls, or data handling review.
Uncertainty handlingignoredAI outputs are used without review or verification. No distinction exists between AI-generated and human-generated work. From the enterprise's vantage point, a high-value bilateral AI pipeline and reckless shadow use look identical — both are invisible.
Coordinationad hocEach employee makes independent decisions about which tools to use and how. No shared standard or organizational visibility.
Feedback loopsnoneNo mechanism exists to detect, record, or learn from AI errors. Failures disappear into the flow of work.
VerificationnoneAI outputs are not verified before use in consequential contexts. No review step exists at any point in the workflow.
2
Sanctioned
The organization has granted AI access. It hasn't designed what to do with it.
The organization has granted broad AI access and signaled strategic intent. Enterprise licenses are deployed; adoption rates climb. What is missing is the governing protocol: which tasks, with what review process, what quality standard, what escalation path when AI fails. High adoption rates and early productivity gains accumulate alongside governance failures that surface when they become external-facing — in customer complaints, court decisions, or regulatory findings. The characteristic tension is between maximizing adoption speed and building the review infrastructure that makes adoption durable. When employees share AI-generated work, they share contexts — decision spaces, embedded assumptions, implicit workflows — not discrete artifacts. Access governance cannot address this; it cannot specify how to evaluate an embedded decision space.
Historical parallelCorporate email — Microsoft Exchange / Lotus Notes, early 1990sEmail was mandated broadly before organizations had designed how to use it. The mandate produced adoption. The absence of workflow design produced attention overload, inbox as default coordination mechanism, and meeting culture as the override.
GovernancereactiveGovernance responds to incidents. Policies exist but are triggered by failures, not designed around AI's probabilistic properties.
ToolingsanctionedEnterprise AI licenses are in place and personal account use is discouraged. Tool selection has been reviewed, but workflows have not been redesigned around the tools.
Uncertainty handlingabsorbedErrors are noticed and corrected informally when they surface. No systematic process exists for detecting AI failures before they reach end users.
CoordinationmandatedAI use is mandated or encouraged organization-wide, but teams coordinate AI use independently with no shared workflow standard.
Feedback loopsreactiveFailures trigger individual corrections but no systematic tracking, aggregate learning, or trend analysis across workflows.
VerificationinformalSome outputs are reviewed before use, but informally and inconsistently. No defined criteria, no named reviewer, no record of what was checked.
3
Designed
AI workflows are designed, not improvised. The business model depends on them.
At least one core workflow has been deliberately designed around AI — with a named owner, quality metrics, and a defined escalation path for failures. Removing AI from that workflow would require rebuilding it. The governance question has shifted from controlling use to designing protocols that handle failure, versioning, and external dependencies without losing the speed advantage AI provides. Domain expertise is the limiting constraint: the knowledge required to specify what good AI output looks like in a specific context. The characteristic tension is between AI-accelerated internal velocity and external dependencies — regulatory timelines, supplier lead times, partner cycles — that move at human pace. Domain expertise functions as higher-level perception: the ability to read the shape of AI output without inspecting every line — sensing whether the logic holds, the framing fits, something critical is missing. In well-designed Level 3 workflows, AI provides commodity execution; domain knowledge is the scarce resource.
Historical parallelGit and CI/CD — 2008–2015Competitive position in software development came to depend on how well the deployment workflow was designed. Teams that designed CI/CD protocols well shipped faster and with fewer regressions. Domain expertise — knowing what to test and when — was the limiting constraint, not tool access.
GovernancedesignedAt least one workflow has a designed governance protocol: specific review criteria, named ownership, defined escalation paths. Governance is workflow-specific, not organization-wide.
Toolingpurpose-builtThe organization has built or customized AI tooling for its specific domain context — beyond off-the-shelf configuration. Internal tooling reflects the specific verification and coordination requirements of the workflows.
Uncertainty handlinggovernedAI outputs in governed workflows are reviewed against defined criteria by named reviewers. Outside governed workflows, handling remains informal.
CoordinationdesignedCoordination protocols are explicitly designed for AI-native workflows — handoffs, review cadences, and escalation paths are structured to handle the speed differential between AI production and human review.
Feedback loopssystematicQuality metrics track workflow performance on a defined cadence. Failures trigger protocol reviews, not just individual corrections.
VerificationproceduralVerification follows documented procedures in at least one workflow. Reviewers know what they're checking, why they're checking it, and what constitutes a failure. At the individual level this manifests as orientation debt: contexts multiplying faster than any reviewer can evaluate them.
4
Infrastructural Projected
AI is sector infrastructure. The question is no longer whether to use it but how to govern it collectively.
AI capability has become a baseline expectation across the sector. Individual organizational advantage has been competed away; the governance challenge is now collective. The questions are market-structural: how does the industry coordinate AI use, handle shared risks, establish interoperability standards, and prevent concentration of AI capability that produces anti-competitive outcomes. Individual organizational maturity is necessary but not sufficient at this level. The characteristic tension is between industry standardization — which enables coordination — and organizational differentiation through proprietary AI capability. AI has shifted from destination intelligence — people going to tools — to intelligence media, where intermediate artifacts circulate between people's bespoke AI setups like industrial intermediates between factories. At Level 4, governing this factory-to-factory coordination at sector scale is the central challenge.
Historical parallelEDI in retail and manufacturing — late 1980s–1990sWalmart mandated Electronic Data Interchange for all suppliers. Early adopters had competitive advantage. Then every major retailer adopted it. Individual advantage disappeared; the floor for the whole sector rose. Not adopting EDI meant not participating in the market.
GovernancesystematizedGovernance protocols are systematized across the organization and aligned with sector-wide standards. The organization contributes to or formally complies with industry AI governance frameworks.
ToolingnativeAI is native to the organization's core infrastructure — not deployed as a layer on top of existing systems but embedded in the systems themselves.
Uncertainty handlingsystematizedCross-workflow quality standards exist and are tracked at the organizational level. Handling is consistent and measurable across all critical workflows.
CoordinationautomatedCoordination between AI workflows is automated where possible. Handoffs between workflows are governed by protocol without requiring manual intervention at each step.
Feedback loopspredictivePerformance data from AI workflows predicts failure modes before they occur. Quality instrumentation is forward-looking, not just reactive.
VerificationmetricedVerification is tracked with quantitative metrics across all critical AI workflows. Error rates, correction rates, and escalation rates are monitored and reported on a defined cadence.
5
Planetary Projected
AI is invisible infrastructure for civilization-scale coordination. The governance challenge is legibility, not adoption.
AI governs critical civilizational coordination systems — supply chains, financial infrastructure, public health surveillance. The governance challenge is no longer adoption or protocol design but legibility: understanding what the systems are doing well enough to intervene when they fail. Individual organizational governance is a component of a problem no single actor controls. Historical precedent: the 2021 Maersk ransomware attack and the Ever Given Suez blockage as early examples of how infrastructure-level failures propagate across sectors before any actor can respond.
Historical parallelInternet protocols — TCP/IP, SMTP, BGP, 2000s–presentThe 2021 Facebook BGP misconfiguration took down Facebook, Instagram, and WhatsApp globally. The failure propagated before any single actor could respond. The internet's routing protocols are invisible until they fail — and when they fail, the failure is everywhere at once.
GovernanceinfrastructureGovernance is itself infrastructure — embedded in protocols operating at civilizational scale. No single organization controls or fully understands the full governance system.
ToolingnativeAI tooling is indistinguishable from the infrastructure it governs. Tools are not deployed separately — they are the substrate of coordination across systems.
Uncertainty handlinggenerativeAI protocols generate new coordination mechanisms in response to uncertainty faster than human review can operate. Human oversight functions at system design level, not individual output level.
CoordinationinfrastructureCoordination between systems happens through AI protocols at machine speed, below the threshold of human attention in normal operation.
Feedback loopsgenerativeThe system modifies its own governing protocols in response to observed failures. Human intervention is required only for novel failure modes the self-correction mechanism cannot address.
Verificationself-correctingVerification is self-correcting at the protocol level. Failures trigger automated protocol adjustments. Human oversight is required only for failure modes outside the system's known envelope.
Protocols for Business
Ready to take the assessment?
A 2-minute diagnostic places you on one of the five levels, returns the failure modes you're most exposed to, and gives you clear direction on what do next.