Maturity Assessment

Most Organisations Think They're at Level 3.

By The1938Group  |  30 June 2026  |  Johannesburg


Ask most executives whether their organisation has AI governance in place and you will hear yes. Ask them to describe it and you will hear: 'We have a policy somewhere. People know not to put sensitive data in. IT handles that.'

That is Level 2, at best. Possibly Level 1 with good intentions.

The gap between where organisations think they are on AI governance and where a structured assessment places them is one of the most consistent findings in our work with South African businesses. It is not dishonesty. It is the absence of a measurable standard being put in place. A shared framework must be used to define what 'good' actually looks like at each stage, across every dimension that matters.

The 1938 Group AI Maturity Assessment Tool is that measuring stick. It evaluates AI governance across eight domains, using 43 questions (rated on a 1-5 scale) to give your leadership team a clear, evidence-based picture of where you actually stand with a clear roadmap of what needs to be prioritised to reach the next level.

This article introduces the framework. The full assessment tool is available through The 1938 Group AI Safety Programme.

Why 'We Have a Policy' Is Not Enough

An AI usage policy is one input to one domain of eight. Having it gets you partway through Domain 2 (Governance Structure). It says nothing about whether your staff have been trained, whether your data classification framework is actually applied, whether your risk register exists and is actively maintained, whether anyone is monitoring AI usage, or whether your organisation could respond coherently to an AI-related incident.

The cost of maturity gaps is not theoretical. Consider what Level 1 actually looks like in practice: 


WHAT LEVEL 1 LOOKS LIKE

THE UNDERLYING GAP

Employees use AI tools without any guidance

No AI usage policy exists or has been communicated

No one knows what data has entered public AI systems

No data classification framework applied to AI inputs

Shadow AI — tools being used that IT doesn't know about

No approved tools list or tool evaluation process

No training on AI safety has been delivered

No formal AI awareness or skills programme

An AI incident occurs and no one knows how to respond

No incident response plan or reporting mechanism

Executives have no visibility into AI usage or risk

No governance body, owner, or executive sponsorship

 

Each of these situations is happening in organisations all across South Africa (including organisations that believe they have AI governance in place). The maturity assessment does not ask what you intend to have. It asks what evidence exists as proof that the practice is actually happening.

 

THE POPIA DIMENSION

For SA organisations: a Level 1 or Level 2 maturity rating on Data Management (Domain 4) means your AI usage is likely processing personal information without lawful basis, without a privacy impact assessment, and without the data minimisation practices POPIA requires. That is not a governance gap. That is a regulatory exposure.

 

The 8 Domains: What Is Actually Being Assessed

The assessment evaluates maturity across eight domains, each weighted by their contribution to overall AI governance. The standard weighting below can be adjusted for industry context, higher-risk industries such as financial services and healthcare weight Governance and Risk more heavily; innovation-focused organisations weight Strategy and Technology higher.

 

#

DOMAIN

WEIGHT

WHAT IS ASSESSED

1

Strategy & Vision

10%

AI strategy alignment, leadership commitment, investment, roadmap

2

Governance Structure

15%

Policies, oversight bodies, roles, approval processes, compliance monitoring

3

Risk Management

15%

Risk identification, assessment, register, mitigation, risk appetite

4

Data Management

15%

Classification framework, handling procedures, POPIA compliance, minimisation

5

Ethical Framework

10%

Ethics principles, bias awareness and management, transparency, human oversight

6

Skills & Training

15%

Training programme, coverage, content quality, effectiveness measurement

7

Technology & Tools

10%

Tool approval, approved list, enterprise infrastructure, security controls, shadow AI

8

Operations & Monitoring

10%

Usage monitoring, incident response, reporting, verification, continuous improvement

 

Three domains consistently reveal the most significant gaps in South African organisations at this stage of AI adoption:

Domain 4: Data Management

This is where the largest gap between intention and practice sits. A lot of organisations have a conceptual understanding that sensitive data should not enter public AI tools. Far fewer organisations have a documented classification framework, fewer have trained their staff to apply the practises, implementing data minimisation practices, or understanding what their AI tool providers actually do with input data.

Domain 6: Skills and Training

Training coverage is the single most telling metric for where an organisation sits on the maturity ladder. A Domain 6 score below 3 means a significant proportion of your AI users have received no formal guidance on safe usage, which means every interaction with an AI tool is a governance gap. The assessment measures not just whether training exists, but coverage, content quality, effectiveness measurement, and whether ongoing awareness is embedded.

Domain 3: Risk Management

Most organisations at Level 1 or 2 have no AI risk register, no defined risk appetite for AI, and no systematic process for identifying AI-related risks before they materialise. The standard corporate risk framework was not designed with LLM hallucinations, data exposure via public AI tools, or autonomous AI agent risks in mind. This domain requires specific AI risk thinking, something which The 1938 Group AI Risk Register Template (Deliverable 7 in the programme) addresses directly.

The Five Maturity Levels: An Honest Mirror

The framework uses five levels, each with a precise definition of what the evidence must show, not what the intention is, not what the policy says, but what demonstrably exists and is consistently applied.

 

LVL

NAME

SCORE

WHAT IT LOOKS LIKE

IMPLICATION

1

INITIAL

0–20%

Ad hoc usage. No policies. Individual discretion. Unknown risk exposure. No governance.

High risk of data exposure. Compliance violations likely. No accountability if something goes wrong.

2

DEVELOPING

21–40%

Basic awareness emerging. Some informal guidelines. Limited training. Reactive to issues.

Inconsistent protection. Gaps in coverage. Over-reliance on individual judgment. Compliance gaps.

3

DEFINED

41–60%

Documented policy. Consistent application. Formal training. Clear roles. Basic monitoring.

Compliance-focused but potentially bureaucratic. Limited measurement of effectiveness.

4

MANAGED

61–80%

Metrics-driven. Regular review. Proactive risk management. Integrated with business.

Good risk management. Regulatory compliance. Organisational learning. Executive confidence.

5

OPTIMISED

81–100%

Continuous improvement. Industry leadership. AI as strategic differentiator. Innovation enabled safely.

Competitive advantage. Maximum AI value. Minimal risk exposure. Stakeholder confidence.

 

The most important insight from the level definitions: Level 3 is the minimum defensible position for any organisation that is actively using AI tools for work that carries professional, legal, or regulatory consequences. Level 3 means documented processes exist and are consistently applied. It does not mean perfection. It means evidence.

For South African organisations: demonstrating Level 3 or above on the Data Management and Governance domains is material to your ability to evidence POPIA compliance in the context of AI usage. The Information Regulator's focus on responsible parties' accountability obligations makes the governance documentation requirements of Level 3 the minimum you should be able to produce.

How the Assessment Works: 43 Questions Across 8 Domains

The assessment is structured around 43 questions, five or six per domain, each rated on the 1–5 scale. For each question, the assessor selects the rating that best describes current state, supported by evidence. The instruction is deliberate: rate current state honestly, not aspirational state. Overrating produces inappropriate recommendations and false confidence.

Examples of the questions across domains:

•       Domain 2, Q2.1: Does your organisation have a documented AI usage policy? (1: None. 3: Basic policy documented and communicated. 5: Industry-leading policy, regularly benchmarked and updated.)

•       Domain 4, Q4.3: Is AI usage compliant with data privacy regulations? (1: No consideration of privacy compliance. 3: Privacy considerations in AI usage policy. 5: Privacy by design integrated into all AI processes.)

•       Domain 6, Q6.2: What proportion of relevant employees have received AI training? (1: None or minimal, under 10%. 3: Moderate coverage, 30-60%. 5: Near-complete coverage, over 90%.)

•       Domain 7, Q7.5: Is shadow AI (unauthorised tool usage) identified and managed? (1: No visibility. 3: Processes to identify and address shadow AI. 5: Proactive approach with acceptable alternatives and easy reporting.)

•       Domain 8, Q8.2: Is there an incident response plan for AI-related incidents? (1: No plan. 3: Basic procedures documented. 5: Mature plan with regular drills and improvement cycle.)

 

Completing the full assessment takes two to three hours when done properly, involving IT, Legal, HR, Compliance, and business unit representatives rather than a single person's perspective. The multi-stakeholder approach is intentional: it allows for an alignment between what the policy says and what actually happens on the ground.

From Assessment to Action: The Gap Analysis and Roadmap

A score without a plan is just a number. The 1938 Group assessment framework includes a gap analysis template that translates domain scores into prioritised recommendations, and an action planning guide that structures the roadmap across three phases.

The standard recommendations by transition point provide a starting framework:

 

TRANSITION

PRIORITY ACTIONS

Level 1 → 2

Publish AI usage policy. Assign governance owner. Implement RED/AMBER/GREEN classification. Create approved tools list. Deliver basic awareness training. Establish incident reporting.

Level 2 → 3

Comprehensive policy with full coverage. Formal training programme with tracked completion. Governance committee established. Risk register created. Tool approval process formalised. Data handling procedures documented.

Level 3 → 4

Metrics and reporting for AI governance. Regular governance review cadence. Risk-based approval workflows. Usage monitoring and analytics. Training effectiveness measurement. Integration with enterprise risk management.

Level 4 → 5

Continuous improvement programme. Innovation framework within governance. AI centre of excellence. Advanced automation and controls. External benchmarking. Industry recognition sought.

 

The gap analysis also includes a priority matrix (plotting each gap by impact and effort) to help leadership distinguish quick wins (high impact, low effort) from major projects (high impact, high effort) and avoid investing heavily in low-impact areas while critical vulnerabilities remain unaddressed.

 

QUICK WIN PATTERN

The most common high-impact, low-effort quick win across Level 1 and 2 organisations: publish a basic AI usage policy, communicate it, and deliver a two-hour awareness session. Together, these move Domain 2 and Domain 6 from Level 1 to Level 2 in under 30 days and create the documented foundation that everything else can be builds onto.

 

Using the Assessment as a Leadership Conversation

The maturity assessment is most valuable when it is used to create a shared, evidence-based understanding of the AI governance position across the leadership team, not as an audit, but as a mirror.

The questions in the eight domains are deliberately designed to surface conversations that often do not happen: Who actually owns AI governance in this organisation? Do our people know how to classify data before using an AI tool? What would we do if an AI-related data exposure occurred tomorrow? Has anyone mapped the AI tools that are currently in use and the tools used that IT does not know about?

These are not comfortable questions. But they are the questions that determine whether AI is a managed capability or an unmanaged liability.

The organisations that will use AI most effectively over the next five years are not necessarily the ones moving fastest. They are the ones who know where they stand, know what needs to change, and are building the governance infrastructure that lets them move confidently rather than recklessly.

Follow 1938Group on LinkedIn for the weekly module updates or visit info@the1938group.co.za to book for the full workshop.

https://www.linkedin.com/company/the1938group/