Five Levels of AI Posture
Introducing the AI Posture Maturity Model

You can't govern AI collaboration you can't observe.
That is the honest starting point for any organization trying to get AI right. Policies exist. Training was completed. Boxes were checked. None of it proves that the analyst caught the hallucination before it reached the client. None of it proves the underwriter questioned the AI-generated risk score that turned out wrong. None of it proves the attorney verified the citation before filing. That is the proof gap.
This post introduces a way to close it. We call it AI Posture, formally Aggregated Intelligence Posture: what your organization actually does with AI, measured, not declared.
Today we are publishing the People vector of that framework, a five-level maturity model with evidence criteria at each level. Free to adopt. Companion vectors (Infrastructure, Regulation, and others admitted under open criteria) live alongside at aiposture.org.
Why a New Maturity Model
Every major consulting firm ships an AI maturity model. Most of them measure aspiration. Leadership commitment. Cultural readiness. Strategic alignment. These categories feel thoughtful on a slide and mean almost nothing when regulators ask what you can demonstrate.
Regulated industries need something different: capability states that an auditor can test. Posture, not intent. Evidence, not vibes.
This framework borrows from three lineages that already solved similar problems. From the Capability Maturity Model, we take staged organizational capability. From Dreyfus, we take the discipline of describing observable behavior at each stage of skill acquisition. From Rogers' Diffusion of Innovation, we take adoption-stage framing. None of these traditions were built for AI collaboration, where the unit of analysis is neither a system alone nor a person alone. The AI Posture maturity model synthesizes their structure and applies it to the problem.
The Five Levels of AI Posture
The five levels are Perceiving, Assessing, Integrating, Calibrating, Engineering. A Level 0 precedes the framework as a scope declaration: the vector is not in scope, or the non-scope claim is contradicted by observable use. Each level describes a verifiable organizational posture, with a single posture statement, a short list of required evidence, and an auditor test that would confirm it.
Level 0: Ignoring (N/A or falsified)
Posture: "The People vector does not apply here. We do not use AI, or we will not say we do."
Evidence: A declared scope boundary. The organization states that AI is not in use within the scope being assessed. No behavioral data is expected because no behavior is claimed.
Auditor test: The scope boundary holds unless externally contradicted. Evidence that AI is actually in use (shadow AI, personal-account use, unapproved tools) falsifies the scope and invalidates the organization's AI Posture assertion for this stamping. Not only the People vector. The whole assertion.
Level 0 is a scope declaration, not a score. Two variants matter in practice. Passive: the organization sincerely believes AI is not in use, and the scope is valid. Active: the organization declares AI not in use while AI is demonstrably in use by its people. The second form is failed governance expressed as a scope claim. Ignoring is the name for what that looks like. A valid Level 0 is rare and usually time-bounded. A falsified Level 0 is common, and fatal to the assertion.
Level 1: Perceiving
Posture: "We use AI. We have not yet measured how."
Evidence: AI use is acknowledged in at least one written policy. No behavioral measurement exists.
Auditor test: Produce the written acknowledgment, dated.
Perceiving is where most organizations start, and many remain there for longer than they think. The organization knows AI is in use. There may even be a written policy that says "be careful." There is no mechanism for observing what people actually do with AI, no regulatory map, no infrastructure evaluation. The posture is aware but unmeasured.
Level 2: Assessing
Posture: "We've looked. Here is what we found."
Evidence: Baseline behavioral assessment exists. Regulatory exposure analysis exists. Infrastructure scan for agent interactions exists.
Auditor test: Produce baseline report, regulatory mapping, infrastructure scan.
Assessing is the first step out of Perceiving, and often the place where a first-time posture audit reveals surprises. The organization has looked at its own People+AI behavior, mapped its regulatory exposure, and evaluated infrastructure. The data may be uncomfortable. That is the point. Assessing is about seeing clearly, not acting yet.
Level 3: Integrating
Posture: "What we found changed what we do."
Evidence: At least one policy change traces to assessment data. Regulatory requirements exist as controls. Infrastructure remediations verified via follow-up scan.
Auditor test: Show policy change with source data. Show control framework. Show before-and-after scan comparison.
Integrating is where observation becomes governance. Assessment results drive policy. Regulatory requirements become controls. Infrastructure fixes are verified, not assumed. The organization can trace decisions back to evidence. This is where defensibility begins.
Level 4: Calibrating
Posture: "We measure continuously. The data drives governance."
Evidence: Cohort-level assessment data. Compliance monitoring on a defined cadence. Jurisdictional variants in use for multi-jurisdiction organizations. Privacy-preserving aggregation verified.
Auditor test: Produce cohort report, monitoring cadence, anonymization validation.
Calibrating is ongoing, not episodic. Cohort-level data shows patterns across teams and functions. Monitoring runs on a defined cadence, not after an incident. Multi-jurisdiction organizations use jurisdiction-specific variants because a US assessment does not answer EU questions. Aggregation is privacy-preserving by construction, not by promise.
Level 5: Engineering
Posture: "AI collaboration is an engineered capability, continuously maintained."
Evidence: Continuous assessment embedded in professional development. Verifiable attestation of compliance. Framework adapts as AI capabilities evolve. Unified multi-vector governance.
Auditor test: Show attestation mechanism. Show framework adaptation in the last 12 months. Show cross-vector unified governance.
Engineering is the posture of an organization where AI collaboration has become part of how work is designed, developed, and governed. Assessment is embedded in professional development. Attestation of compliance is verifiable, not asserted. The framework adapts as the underlying technology changes. The posture is unified across people, infrastructure, and regulation, not governed in silos.
The Plateau
Most organizations today operate at Level 1. Not every organization needs Level 5.
That statement will be unusual coming from a company that sells tools for measuring AI posture. We say it anyway. This is a framework, not a sales ladder. Level 5 is the right destination for organizations where AI collaboration is mission-critical and continuously evolving. It is overkill for most. A regional law firm doing AI-assisted contract review is well served at Integrating. A multinational bank running AI-driven credit decisions across jurisdictions should target Calibrating at minimum. Healthcare systems making clinical AI decisions probably need Engineering.
The ladder does not obligate you to climb it. It shows where you are and what the next rung would cost. The decision to climb is business judgment.
What This Is Not
This is a framework. It is not a certification. It is not a standard. It is not a compliance guarantee.
Frameworks describe what to observe and what evidence to produce. Standards impose required practices with governance bodies behind them. Certifications attest that a specific organization met specific criteria at a specific point in time. This framework sits in the first category. Measurement and attestation are separate concerns.
It is also not a replacement for existing program frameworks. NIST AI RMF, ISO/IEC 42001, and EU AI Act conformance programs measure program design, governance structure, and remediation discipline. AI Posture measures verified output behavior. Running one does not substitute for the others. Where regulation or contract requires a specific framework, that framework remains required.
If you adopt this framework and use it to describe your posture, you are making a claim that can be tested. That is its value. Neither this post nor the framework itself can make the claim true for you.
Companion Vectors
This model covers the People vector of AI Posture: how individuals and teams actually behave in collaboration with AI systems.
Two other vectors are published alongside in v0.2 of the specification. Infrastructure covers how ready an organization's digital presence is for AI agent interactions. Regulation covers how completely an organization has met its AI-specific obligations across binding jurisdictions. Each has its own maturity structure following the same five levels.
The vector set is open. Additional vectors may be admitted when they meet the criteria in the specification: a distinct actor-class, an externally observable artifact, independent variation, and independent constraining power.
An organization's overall AI Posture is the minimum of its in-scope vectors. A Calibrating People vector cannot lift a Perceiving Regulation vector. This constraint rule is structural, not a scoring convenience. Domains constrain each other in practice, and the framework reflects that. Stay tuned via our Substack or RSS for deeper posts on each vector and the cross-vector aggregate.
How to Use It
Different audiences use the ladder differently:
- Board reporting. "We are at Assessing across our AI-facing teams, with a plan to reach Integrating by Q4. Here is the evidence." The framework gives governance committees a vocabulary and a burden of proof at the same time.
- Procurement. When evaluating vendors, ask which posture level their tools help you reach. A vendor that says "we get you from Perceiving to Calibrating" is making a testable claim. A vendor that cannot answer in those terms is selling something less specific than governance.
- Compliance. Posture documentation mapped to specific regulatory requirements is more defensible than attestations of intent. Integrating posture, paired with evidence, is the minimum bar many AI-specific regulations will converge on.
- Individual practitioners. Locate yourself. Then make the next move deliberate. "I'm at Assessing. My next step is Integrating, which requires changing what I do based on what I have observed."
Posture assertions are time-stamped and decay. A posture claim is valid at the moment it is made, with an assessor-declared next-review date. Readers weight older claims as weaker signals. This is a framework for moments, not for guarantees of future state.
Foundations
No framework is invented in a vacuum. This framework synthesizes three:
- From the Capability Maturity Model, we borrowed the staged-capability structure: each level is a complete posture, not an incremental score. Organizations do not live between levels.
- From Dreyfus (the five-stage model of skill acquisition), we borrowed the discipline of describing observable behavior at each stage. The difference between Assessing and Integrating is not effort, it is what can be seen.
- From Rogers' Diffusion of Innovation, we borrowed the framing of adoption as a staged social process. Organizations move through posture levels the way technologies move through markets: not uniformly, not always forward, and not without friction.
What these traditions did not address, and what this framework addresses, is the unit of analysis for AI collaboration. It is neither a person alone nor a system alone. It is the interaction. That is the part that has to be observed, because that is where both value and risk show up.
Where to Go From Here
The framework is free. Full specification at aiposture.org, including evidence criteria, a self-assessment, and a downloadable PDF.
The self-assessment is Bayesian adaptive. Three openers set scope. Up to five questions per in-scope vector, usually fewer. The output is an estimated AI Posture with a per-vector posterior, an evidence checklist, and a named constraining vector. It takes five to seven minutes.
A companion essay on where this framework came from, including why Aggregated rather than Artificial, is coming soon.