
Introducing the AI Security Maturity Model (AISMM)

Published 05/20/2026

Written by Rich Mogull, Chief Analyst, CSA.

It’s hard to overstate how quickly generative AI is evolving and changing how we do business. Capabilities change weekly, making cloud computing look slow by comparison. In my 25 years in technology I’ve never seen such rapid widespread adoption. In some cases, we even see adoption exceeding defined desired business outcomes. It’s messy, it’s fast, and yet we, in security, still need to manage its risks.

AI adoption inside enterprises is moving faster than security programs can keep up. Chatbots are rolled out before procurement can finish the review. Agent pilots are greenlit while security is still drafting an acceptable use policy. It's become mandatory for developers to keep up. The board wants a status update on "the AI security strategy" and the honest answer is "we're building the plane while flying it."

That gap between how fast AI is showing up in the enterprise and how quickly the security program can adapt to defend it is the gap the new CSA AI Security Maturity Model (AISMM) is built to close.

I'm pretty excited about this one. The AISMM is the product of over a year of research and several months of intensive writing and iteration with subject matter experts, and we're finally ready to share it.


What it is

The AISMM describes the maturity journey of an enterprise security program evolving to safely adopt and secure AI. It is not a checklist of AI controls, and it is not a measurement of any single AI project. It answers the question: What do I need to change in my security program to defend the AI my business is already using?

We modeled the structure on the Cloud Security Maturity Model (CSMM) — twelve categories across three domains, five CCM-aligned maturity levels, control objectives as KPIs — because that structure has been doing real work in real programs for years. The AISMM adds what AI security specifically needs: a deployment-type field for the three AI deployment patterns (self-hosted, PaaS, API/SaaS), direct alignment with the CSA AI Controls Matrix (AICM), and an expanded companion document (the AISMM Control Objectives Details) that carries the depth a spreadsheet can't hold (rationale, evidence, and scope notes for every KPI).


How it fits with the rest of CSA's AI work

The AICM and the AI-CAIQ are the comprehensive controls catalog and assessment questionnaire that answer "What controls should be in place for a given AI deployment?" The AISMM is the program-level maturity model that sits on top, answering "What does the security program managing all of this look like at each stage of maturity?" The two are designed as a layered pair.

The AISMM is also a complement to the recent Mythos research on agentic AI threats. Mythos is about adapting your security program to defend against AI-enhanced adversaries. That is, understanding what changes when the attackers have AI. The AISMM is about the other side of the same coin: adapting your security program to defend the AI your enterprise is using. The AISMM is the lens specifically focused on securing internal enterprise AI usage.


Where we are in the review process

The high-level structure (twelve categories, three domains, maturity-level definitions) went through extensive public review and received over 600 comments and suggestions. A lot of that feedback led to material enhancements: the deployment-type field, several category boundary changes, sharper descriptions of what each level looks like in practice. The structural model is where it is today because of the people who took the time to push back on early drafts.

The control objectives (the KPIs inside each category) have not yet been through public review. That review is the next phase, and we want your feedback. We fully expect to keep evolving the control objectives as organizations use the model and tell us what's clear, what's ambiguous, what's too aggressive, what's too lax, and what's missing entirely. But we couldn't wait for that feedback: we needed to get this into people's hands now, and we will evolve it as it encounters reality.


A note on the pace of all this

AI is evolving at a pace that makes "done" the wrong goal for any framework right now. Providers ship new model versions, new agent capabilities, and new deployment patterns on what feels like a weekly basis. The AISMM is built to be a living document. We expect to revise it as the technology, the threat landscape, and the AICM itself mature. Treat version 1.0 as the starting point. To the greatest degree possible we intend to keep the core structure and the control objectives stable, but we accept that some of it may need to change more deeply over the long term.


How to get involved

Download the AISMM workbook. Start with our introductory guide, then check out the detailed companion document. Run it against your own program. Use the per-category KPIs to spot the gaps. Then tell us what works and what doesn't.

This is also core to our new Expanded Enterprise Membership program. This model is the foundation for the AI Operational Maturity Roadmap, where we work directly with you to translate our research into improved and measurable security outcomes.

I don't claim to know exactly how AI security will play out over the next two years. Nobody does. But the AISMM is our best current map of the path from where most enterprises are today to comprehensively and effectively defending enterprise AI use and AI-powered applications.
