Level 0: On-Ramp

At this stage, organizations are just beginning to recognize that AI exists in their environment. Curiosity is driving discovery. There may be no formal AI strategy, but individuals are exploring how AI might enhance outcomes.

Example: A CISO attends a national security conference, hears about AI in threat detection, and returns with questions about how AI might be present in her organization. Teams begin exploring their environment and cataloging AI features in vendor systems.

This is the start of visibility.

Level 1: Reactive

AI is either absent or running in isolation. When things break, the team scrambles. There is no AI-specific recovery plan. Responses are improvised and reactive, with vendor dependencies and little documentation.

Example: A water utility experiences irregular pump operations after a vendor pushes an untested AI software update. No one knows how to roll it back. The issue is identified only after customer complaints and downtime.

Level 2: Informed

Leaders begin to recognize AI’s presence and its implications. Policies are discussed. Risk registers are updated. Teams conduct initial evaluations and scenarios. Still, oversight is inconsistent, and most systems lack assurance mechanisms.

Example: A regional airport introduced an AI-powered baggage handling optimizer designed to reduce transfer times. The system learned to prioritize high-frequency routes based on average passenger volume. But during a weather event that disrupted flights, it failed to reroute priority bags for international connections, causing cascading delays and passenger complaints. Staff were aware of the AI system, but no override procedure had been tested, and the model had never been stress tested during validation.

Level 3: Integrated

AI oversight is formalized, and systems are reviewed before deployment. Governance boards or working groups assess vendor models. Cross-functional collaboration is the norm. Teams trust but verify. Failure scenarios are rehearsed.

Example: A transit agency uses AI-enabled cameras to count passengers and adjust train frequency. During a citywide event, the system miscalculates surge load. Staff activate a manual override. The recovery works because it was practiced.

Level 4: Predictive

AI systems predict all disruptions. Predictive analytics and simulations inform maintenance and resource planning. Assurance testing is routine. Dashboards show model drift, accuracy degradation, and ethical concerns.

Example: A regional energy utility uses AI to model transformer stress and simulate load balancing during extreme weather. The model alerts staff days in advance, prompting preventive rerouting.

Level 5: Autonomous

AI makes decisions within defined guardrails. The organization trusts AI to act and self-correct. Responses are automatic but auditable. There is continuous improvement, stakeholder input, and a documented chain of logic.

Example: A smart grid system autonomously mitigates a frequency instability event by isolating nodes and adjusting supply. The entire response is logged and reviewed for explainability.