2026 EDITION - AVAILABLE NOW

AI Maturity Guide 2026.

20 practical steps for board members, CTOs, CISOs, and GRC leaders to move from AI ambition to genuine AI control — across governance, risk, development, and security.

 

88%

of organizations use AI in at least one function.

1.5%

across all systems in production, only 1.5% are classified as AI systems.

20

concrete steps to close the gap.


AI is everywhere. Maturity is rare.

Most leadership teams still struggle to answer the most basic questions about their AI footprint. This guide gives you a shared language — and a clear plan of action.

Q.01

Where exactly are we using AI today?

Few organizations have a reliable, up-to-date view of where AI is embedded in their systems — or how critical those uses really are to the business.

Q.02

Which AI solutions are business-critical?

AI in products, internal tooling, and development pipelines carries very different risk profiles. Most enterprises haven’t mapped the distinction.

Q.03

Are we in control of the risks?

Regulatory pressure is increasing globally. Non-compliance with AI regulation is now the most commonly cited AI risk — mentioned by 57% of executives (EY, 2025).

Q.04

Is any of this actually moving the needle?

AI is widespread, but mature, governed use that consistently delivers value is still rare. The gap between ambition and measurable business outcomes keeps growing.

Built for the four roles that shape AI outcomes.

Each section of the guide speaks directly to a leadership role — start with yours, then use the other sections to understand what to expect from your peers.

01 /
Board & Leadership
Executives

Setting direction, asking the right questions, and demanding portfolio-level visibility across all AI initiatives and risks.

4 steps — strategy & direction

02 /
GRC Leaders
Governance / Risk / Compliance

Turning fast-moving regulation and standards into a clear, workable AI governance system aligned with ISO/IEC 42001.

8 steps — governance & compliance

03 /
CISO & Security
Chief Information Security

Extending security and resilience practices to AI-assisted development and AI systems running in production at scale.

4 steps — AI security

04 /
CTO & Engineering
Technology & Development

Building and running AI-enabled software in a structured, measurable way — including governance of AI-assisted and agentic development.

4 steps — AI development

AI maturity will not come from a single project, pilot, or purchase. It will come from a steady, deliberate shift in how you govern your software and AI as one portfolio.
Rob van der Veer
Chief AI Officer, Software Improvement Group

Elected co-editor of the EU AI Act security standard, lead author of the global standard on AI system life cycle processes (ISO/IEC 5338), key contributor to ISO/IEC 27090, and founder of the OWASP AI Exchange — effectively open-sourcing international AI security standardization.

ISO/IEC 5338 ISO/IEC 27090 EU AI Act OWASP AI Exchange ISO/IEC 42001

FREE DOWNLOAD

Get the AI Maturity Guide 2026.

  • 20 concrete steps grouped by role — board, GRC, CISO, and CTO
  • RACI structure so you know who owns what from day one
  • Regulatory guidance across EU, US, UK, and APAC jurisdictions
  • Standards alignment — ISO/IEC 42001, 5338, 27090, EU AI Act, OWASP AI Exchange
  • Practical scenario — a realistic, typical enterprise AI maturity program, from first steps to ongoing governance
