The Missing Layer in AI Security: Introducing the ASMM

As organizations accelerate their adoption of agentic AI, systems that don’t just generate content but reason, act, and operate autonomously, a gap is becoming impossible to ignore: our security maturity hasn’t kept up.

Agentic AI changes the rules. These systems execute real-world actions, rely heavily on non-human identities, interact with untrusted external inputs, and operate across extended time horizons without human approval at each step. That combination introduces risks that traditional security were never designed to handle. And if you’re in a regulated environment, providing audit evidence for the AI development lifecycle using legacy reporting mechanisms is nearly impossible.

What is the ASMM?

The AI Security Maturity Model (ASMM) is a structured assessment designed to evaluate how prepared an organization is to secure its AI-driven software development lifecycle. Built on the foundation of the NIST Cybersecurity Framework 2.0 and aligned with global standards like the NIST AI Risk Management Framework and the EU AI Act, the ASMM focuses on something most organizations overlook: security maturity, not just security controls.

Instead of asking “is this system secure?”, the ASMM asks a more strategic question: Do we have the governance, observability, and behavioral enforcement discipline required to secure AI at scale?

The model evaluates organizations across six domains—Govern, Identify, Protect, Detect, Respond, and Recover—mirroring the structure of modern cybersecurity frameworks while adapting them to the realities of agentic AI. Each area is scored using a clear maturity scale, allowing organizations to benchmark their current state and track improvement over time.

Why AI Needs a New Security Maturity Lens

Traditional maturity assumed predictable systems and human-driven actions. Agentic AI breaks both assumptions.

These systems can independently decide what actions to take, often chaining multiple steps together without oversight. Even more fundamentally, their outputs are non-deterministic. The same input may produce different results, complicating auditability, compliance, and forensic analysis. This isn’t just an incremental change in risk. It’s a shift in the nature of software itself, and that’s exactly why measuring maturity is essential.

Who Should Be Paying Attention

The ASMM is designed for organizations that are moving beyond AI experimentation into AI development and deployment. That includes companies building AI-powered products, enterprises embedding agents into business workflows, and platforms operating at scale.

In practice, it’s most valuable for CISOs, security and risk leaders, and engineering organizations responsible for organizational defense and audit controls for the AI systems. It’s equally relevant in regulated industries navigating compliance requirements and in fast-moving environments where governance hasn’t yet caught up with innovation.

If your organization adopts, builds, integrates or operates AI systems, you are in scope. The systems that can take action should also be evaluated with the Autonomy Test for agentic-specific controls.

How Does the ASMM Assessment Work in Practice

The ASMM is intentionally grounded in real-world execution. Your organization begins by identifying all AI systems in scope, then applying the Autonomy Test to determine which systems qualify as agentic. From there, scores roll up into domain-level and overall maturity ratings, revealing where the organization stands, from fragmented and reactive to adaptive and intelligence-driven.

The real value, however, comes from what follows: an illustration of the areas that need additional maturity, the ability to create your own roadmap, and a confirmation to justify funding or resources where maturity is low.

The result is not just a scorecard, but strategic intel for where you need to add additional controls or processes.

Why This Matters Now

AI adoption is moving faster than most organizations’ ability to secure it. Teams are already deploying agents that can access sensitive data, execute transactions, and interact with external systems. Without a structured way to assess maturity, security becomes reactive, driven by incidents instead of strategy.

The ASMM changes that by giving organizations a way to measure, communicate, and improve their AI security posture in a systematic way.

The Bottom Line

You can’t secure AI systems and software development at scale without a mature security program behind them. The ASMM provides a common language for that maturity, a measurable way to track it, and a practical path to improve it. It bridges the gap between traditional cybersecurity frameworks and the realities of agentic AI.

Take the Next Step

If your organization is building or deploying AI agents, now is the time to understand where you stand. Benchmark your current maturity, identify your highest-risk gaps, and start building a roadmap toward a more resilient AI security program. Because in the era of AI security maturity isn’t optional, it’s the foundation for everything that comes next.

Take the ASMM assessment