AI maturity assessment. The five dimensions every enterprise should measure.

Why most maturity audits miss the point.

When a client shows us the maturity audit they have just received from a vendor or an industry analyst, the conversation usually starts in the same place. The document is heavy, well designed, and full of capability scores plotted against a published reference. The leadership team has spent budget and goodwill on it, and they are quietly unsure what to do with the result on a Monday morning.

The issue is rarely the rigour of the underlying analysis. It is the choice of what to measure. A tool inventory tells you what the organisation has bought. A use case count tells you what teams have tried. Neither tells you whether the next deployment is going to land in front of an operator who trusts the answer, on data the regulator will defend, in a workflow somebody has agreed to own. Those are the questions that decide whether AI generates returns. They are also the questions most maturity models do not ask directly.

In our work with leadership teams across our offices in Paris, Dubai, Singapore and Bali, we have moved towards a sharper framing. The point of a maturity assessment is to surface the conditions for durable value, not to produce a position on a quadrant. Five dimensions, in our experience, cover almost everything that matters.

The five dimensions worth grading.

Data foundation and access controls.

The first dimension is the data layer the agent or model will rely on. We look at three things together. Whether the canonical source for the data is named and accepted across the teams that use it. Whether access controls and personal data handling are documented, audited and enforced in the runtime rather than in a policy document. Whether lineage is traceable enough that a regulator or an internal audit team can be answered without three weeks of forensic work.

The reason we put this dimension first is that no investment in models compensates for weakness here. The clients we work with who have a strong data foundation tend to move from idea to production quickly. The clients who do not tend to spend their first quarter resolving disagreements between the team that owns the customer system and the team that owns the warehouse, and the second quarter convincing legal that the resolution holds.

Operating model and accountability.

The second dimension is who is responsible for AI outcomes in the organisation today, and whether that responsibility comes with the authority and the budget to actually act. Maturity is not having a chief AI officer. Maturity is having clear answers to who owns the value, who owns the risk, who owns the run cost and who decides when a use case is retired. In our experience these four questions usually surface at least one accountability gap that the audit did not name.

The teams we work with who score well on this dimension tend to have given operations the right to refuse a handover, and given a business sponsor the right to shut a use case down without ceremony. The teams who score badly tend to have an innovation function that ships pilots no one else has agreed to inherit.

Evaluation and risk discipline.

The third dimension is whether the organisation has the discipline to know how its AI is performing without waiting for an incident. We look for an evaluation suite that is fed by real production traffic, observability that lets a team replay yesterday's session, and a risk register that is updated every time a use case ships rather than every twelve months in a compliance binder. This is the dimension where most organisations we meet score worst, and it is the one that quietly decides whether a deployment survives its first regression.

Talent and literacy.

The fourth dimension covers the human side. We look at two things together: whether the organisation has access to the expert engineering and data talent it needs to build and operate AI systems, and whether the operators and managers who will work with those systems have enough literacy to challenge an output rather than accept it on faith. The shortage of expert AI engineers gets all the attention. The shortage of literate operators is, in our experience, the more frequent reason a deployment under-delivers.

Governance and decision rights.

The fifth dimension is the governance layer. We are not looking for a long policy document. We are looking for whether decision rights are clear at three points: when a use case is approved, when an incident occurs, and when a model or vendor is changed. A mature governance posture means those three moments do not require an emergency committee. They follow a process the organisation has rehearsed. This dimension is also where most of the AI Act, GDPR and equivalent regional regimes live in practical terms, and where the gap to a defensible compliance posture is usually visible at the first interview.

How to run the assessment without making it bureaucratic.

The version of this exercise that works tends to be small, fast and conversational. The teams we have advised on this typically convene a focused group of five to eight people: the executive sponsor, the chief information officer or chief technology officer, the data owner, the compliance lead, and at least one operator from a workflow the AI is likely to touch. Without the operator voice the assessment becomes an exercise in self-congratulation, and we have learned to insist on that seat early.

The format we recommend is two or three working sessions rather than a sixty-page deliverable. The first session covers data, operating model and evaluation. The second covers talent and governance. Between the two we run short interviews with operators and a quick technical inspection of the data and observability layers. The third session converts the findings into three or four concrete moves for the next two quarters. We have found that the deliverable matters less than the conversation. If the leadership team leaves the room with a shared view of the two weakest dimensions, the assessment has done its job.

The mistake we see most often is treating the assessment as a procurement gate. The audit becomes a justification for the next platform purchase rather than a guide to the next operational change. When that happens the assessment produces a tool, the tool produces an inventory entry, and the maturity score is unchanged at the next review.

A ten-question self-assessment.

Before commissioning a heavier audit, the leadership teams we work with often find it useful to score themselves honestly on the following ten questions. A "no" or a hesitant "kind of" is not a failure. It is a signal of where the next conversation belongs.

1. For the top three data sources our AI work will rely on, can we name the canonical owner and the audit trail?
2. Do we know who pays for the run cost of an AI use case after the pilot phase, before the pilot begins?
3. If a model we depend on is deprecated next quarter, do we have a defined fallback that does not require an emergency project?
4. Can a member of the team replay a session from last week and explain what the agent did, without engineering escalation?
5. Have operators in the affected workflows been interviewed about friction and trust before the use case shortlist was approved?
6. Is there a documented kill switch that does not require a code deployment to flip?
7. Does our risk register update when a use case ships, or only at the annual review?
8. Have legal, security and compliance been in the room before the first prompt is written, on at least the last three use cases?
9. Are AI literacy expectations defined for managers in the affected functions, not just for the technical teams?
10. If a regulator asked tomorrow how a specific output was produced, could we answer within a working day?

In our experience the score that matters is not the count of "yes" answers. It is the pattern. Three weak answers clustered on one dimension is more revealing than nine scattered weaknesses, and the priority list usually writes itself once that pattern is visible.

When the score is honest, the priority list writes itself.

The leadership conversations we sit in on tend to follow a similar arc once the five dimensions are graded honestly. The disagreement about what to invest in next quarter dissolves quickly. The two weakest dimensions are obvious, the third tends to be the one that surprises the room, and the budget conversation becomes about sequencing rather than about ambition. That is the practical value of the exercise.

If your team is preparing an AI plan for the next twelve months and the maturity question keeps coming back unanswered, the conversation we tend to open with is short. We ask which of the five dimensions you would grade lowest if you had to commit on a Monday, and whether the next planned investment addresses that dimension or one of the stronger ones. The answer is usually the second, and that is usually where the work begins.

The Consulting and Tech Factory teams in our Paris, Dubai, Singapore and Bali offices are reachable from the brief form below. We answer within one working day, with a partner who will sit on the file rather than a relationship manager.