Across thirty governance assessments in 2025, the same shape kept reappearing: an AI policy approved by an executive committee, a steering group meeting quarterly, and almost no operational evidence connecting either to the AI actually running in the business. Policy without practice. Governance frozen at level two.
The stall is not a failure of intent. It is a structural property of how AI governance programmes are usually scoped. Most start as a policy exercise — a working group, a written framework, a board update — because policy is the discipline organisations know how to execute. The transition from policy to operational governance is a different discipline, and it is almost never the same people doing it.
S/00 The stall
The pattern is recognisable. Six to nine months after a board decides "we need an AI governance programme," the organisation has produced:
- A signed AI use policy, often six to twelve pages.
- An AI steering or governance committee with a charter and a recurring slot in someone's calendar.
- A risk register entry that says "AI governance" and is marked amber or green.
- An intake form, frequently underused.
What it has not produced, in most cases:
- A live inventory of the AI actually running across the business.
- Evidence that the policy is being applied — that any decision was changed because of it.
- A reporting cadence under which the board sees the same chart, quarter over quarter.
The first list is policy. The second is governance. The gap is where maturity stalls.
S/01 A five-level reference
The maturity model below is calibrated to ISO/IEC 42001 and the operational evidence regulators (and increasingly, audit committees) look for. It is not new — variants exist in CMMI, COBIT, and the NIST AI RMF profile work — but it is the version we use in field engagements [1, 2].
S/02 Why two is the ceiling
Level two is the highest level you can reach by doing the work that originally got the programme stood up. Writing policy, chartering a committee, mapping to a framework — these are document-shaped activities. They produce artefacts that look like governance.
Level three is a different activity. It requires:
- A live system instead of a document. An intake that is genuinely used, an approval chain that gates production, an evidence store that is queried.
- Cross-functional ownership beyond the steering committee. Product owners, data leads, business unit heads, and procurement all become operational participants. The governance team becomes the orchestrator, not the doer.
- Continuous load. Level two activities are episodic. Level three activities run every day, on a cadence the organisation cannot pause when other priorities arrive.
The reason programmes stall is that none of these three things is produced by extending the level-two playbook. Writing a better policy does not produce a live intake. Adding committee members does not produce evidence. Mapping to one more framework does not produce a cadence.
Level two is what you build by writing.
Level three is what you build by operating.
S/03 Three systems for level three
The transition is concrete. There are three operational systems that, in combination, produce the level-three posture. Each is independently deployable, and each becomes load-bearing only when the others are in place.
System one · Intake at speed
An intake that operates faster than the business's appetite for AI use cases. Too slow, and use cases route around it. The intake must accept submissions in minutes, classify them within a working day, and return an actionable decision (approved, conditionally approved, escalated) inside a week for typical cases.
Speed is the property that determines whether the intake is used. A two-week classification cycle produces a parallel shadow path; a two-day cycle does not. Build for the second.
System two · Evidence per decision
The audit-grade artefact. For every AI-mediated decision of regulatory or commercial significance, the system retains the prompt or input, the retrieved context, the model identifier, the guardrail trace, the human review state, and the resulting action — immutably and replayably.
The hard part is not the storage. It is the discipline of routing all qualifying decisions through a path that produces this record. The system fails silently if a fraction of decisions bypass the evidence plane.
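As an added illustration (not Nexora's system and not code from the page), here is one minimal shape of such an evidence plane in Python: an append-only, hash-chained log carrying the fields listed above, a replay lookup, and a coverage check that surfaces decisions the application made but never routed through the log. The field names, model identifier and sample decisions are assumptions constructed for the example.

```python
import hashlib
import json
from dataclasses import dataclass, asdict

@dataclass(frozen=True)
class DecisionEvidence:           # one record per AI-mediated decision
    decision_id: str
    prompt: str                   # prompt or input as received
    retrieved_context: tuple      # identifiers of context given to the model
    model_id: str                 # model identifier, including version
    guardrail_trace: tuple        # guardrail checks and outcomes, in order
    human_review_state: str       # e.g. "none", "pending", "approved"
    resulting_action: str         # what the system finally did

def _digest(prev_hash, ev):
    # Canonical JSON of the record, chained to the previous entry's hash.
    record = json.dumps(asdict(ev), sort_keys=True)
    return hashlib.sha256((prev_hash + record).encode()).hexdigest()
class EvidenceLog:
    """Append-only, hash-chained store: any edit or deletion breaks verify()."""
    GENESIS = "0" * 64
    def __init__(self):
        self.entries = []  # (record, previous_hash, entry_hash)
    def append(self, ev):
        prev = self.entries[-1][2] if self.entries else self.GENESIS
        digest = _digest(prev, ev)
        self.entries.append((ev, prev, digest))
        return digest
    def verify(self):
        prev = self.GENESIS
        for ev, stored_prev, digest in self.entries:
            if stored_prev != prev or _digest(prev, ev) != digest:
                return False
            prev = digest
        return True
    def replay(self, decision_id):  # exactly what was recorded, or None
        return next((e for e, _, _ in self.entries if e.decision_id == decision_id), None)

def bypassed_decisions(app_decision_ids, log):
    # Decision ids the application emitted that never reached the evidence plane.
    recorded = {e.decision_id for e, _, _ in log.entries}
    return set(app_decision_ids) - recorded

def build_sample_log():  # constructed sample: d-1 and d-2 recorded, d-3 bypasses
    log = EvidenceLog()
    for i, action in (("d-1", "transaction_held"), ("d-2", "transaction_released")):
        log.append(DecisionEvidence(i, f"Flag transaction {i} as fraud?", ("kb/aml-policy-3",),
                                    "fraud-scorer-2025.03", ("pii-filter:pass",), "approved", action))
    return log
```

Run `bypassed_decisions` against the application's own decision log on a schedule; a non-empty result is the silent failure the text describes, made visible.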
System three · A fixed reporting cadence
A quarterly board report whose structure does not change between cycles. The same metrics. The same charts. The same maturity self-assessment. Quarter-over-quarter comparison is the entire point: the board is not learning about AI each cycle, it is tracking the trend.
This sounds trivial. It is the single most reliably skipped element. Most programmes report a new shape each cycle because the framework is still being designed. Lock the framework first, even if the metrics are imperfect; iterate within the same structure.
The order matters. Build intake first because nothing else has anything to operate on without it. Build evidence second because it is where regulators and audit committees actually probe. Build reporting cadence third because it is the artefact that proves the other two are running.
S/04 What this costs
The operational shift to level three is a six-to-nine month programme in most enterprises. The cost is rarely tooling — it is the orchestration: the people who run the intake, the engineers who wire the evidence plane, and the governance lead who owns the reporting cadence.
The honest signal that the transition is working is not a maturity score. It is the quality of the answer to the simplest possible question: "show me the last AI use case we approved, the evidence it has produced, and where it sits in the current board report." If that walk-through is possible in five minutes, the programme is at level three. If it is not, the programme is at level two with extra documentation.
Nexora's AI Governance Framework System is the operating model for the three systems above. The Executive Board Reporting System is the cadence that makes the third system reportable. The two together are the shortest path between level two and level three we have observed in field engagements.
References & further reading
- [1] ISO/IEC 42001:2023, "Information technology — Artificial intelligence — Management system." iso.org/standard/81230.html
- [2] NIST, "AI Risk Management Framework: Generative AI Profile (NIST AI 600-1)," July 2024. nvlpubs.nist.gov/nistpubs/ai/NIST.AI.600-1.pdf
- [3] OECD, "AI Principles," updated 2024. oecd.ai/en/ai-principles
- [4] European Commission, "Artificial Intelligence Act (Regulation (EU) 2024/1689)," 2024. eur-lex.europa.eu/eli/reg/2024/1689/oj
Move past level two.
The AI Governance Framework System provides the operating model for intake, approval, evidence, and audit. The Board Reporting System gives you the fixed cadence to demonstrate it quarterly.