AI projects are initiated ad hoc, with no formal link to broader business objectives.

There is some alignment with organisational goals, but it is not consistent or documented.

Each AI project must demonstrate alignment with strategic priorities or measurable targets before approval.

We track the strategic impact of AI initiatives (e.g. revenue, cost savings, customer satisfaction) through defined KPIs.

No formal AI strategy exists; decisions are made on a project-by-project basis.

We have an AI strategy, but it is either outdated or does not consider all of the required security concerns

There is a documented AI strategy with the key security considerations

The AI strategy is routinely updated, aligns with business goals and incorporates the required security considerations

Prioritisation is left to individual teams with no formal criteria.

A centralised or cross-functional group reviews all potential AI projects, but with limited transparency.

Formal scoring or criteria (e.g. projected ROI, strategic fit, technical feasibility) guide use case selection.

We have a repeatable framework or committee process to approve and prioritise AI initiatives based on impact.

Success is judged anecdotally; we do not formally track ROI.

Basic financial metrics (e.g. cost savings) are recorded, but intangible benefits are seldom measured.

We document both financial returns and qualitative benefits (e.g. user satisfaction, strategic impact). AI project outcomes are continuously reviewed to refine and improve future initiatives.

We work on AI projects ourselves. We do not have an AI partner.

Partnerships happen casually; there is no formal vendor selection or oversight.

Short-term engagements with external experts occur when internal teams lack knowledge, but no strategic plan exists.

Defined processes or committees identify, evaluate, and prioritise key AI partnerships. We manage vendor relationships systematically, measuring outcomes to ensure they align with strategic goals.