The DIG Maturity Model is a five-level scale that measures how defensible an organization's AI-influenced decisions are, from ad hoc and unrecorded (Level 1) to defensible by default (Level 5), assessed against the four pillars of Digital Information Governance.
Most AI governance scores rate the model. The DIG Maturity Model rates the decision: when an AI-influenced decision is challenged, how readily can the organization defend it? The scale runs from Level 1, where decisions leave no usable trail, to Level 5, where defensibility is captured automatically at decision time.
The five levels
Level 1, Ad hoc
AI shapes decisions, but nothing durable is recorded. When a decision is questioned, the organization reconstructs it from memory, if at all. No decision is defensible by design.
Level 2, Aware
Policies exist and some systems log activity, but coverage is uneven. Defensibility depends on which person made the decision and whether they happened to keep a record.
Level 3, Defined
The four pillars are standard practice for high-stakes decisions. Provenance is tracked, decision trails are captured, and most decisions can be reconstructed on request. This is the first level a regulator would call governed.
Level 4, Managed
Controls are tested, not assumed. The organization is audit-ready on demand, monitors how AI systems represent it, and measures decision coverage instead of hoping for it.
Level 5, Defensible by default
Decision integrity is captured automatically as each decision is made. Audit is continuous, representation is governed, and defensibility is the resting state rather than a scramble after a challenge. See decision integrity.
Level summary
| Level | What it looks like |
|---|---|
| Level 1, Ad hoc | AI influences decisions with no durable record. Decisions cannot be reconstructed after the fact, so none of them are defensible by design. |
| Level 2, Aware | Policies exist on paper and some activity is logged, but coverage is partial and inconsistent. Whether a decision is defensible depends on the individual who made it. |
| Level 3, Defined | The four pillars are standard practice for high-stakes decisions. Information provenance is tracked, decision trails are captured, and the organization can reconstruct most decisions on request. |
| Level 4, Managed | Controls are tested rather than assumed. The organization is audit-ready on demand, representation across AI systems is monitored, and coverage is measured rather than hoped for. |
| Level 5, Defensible by default | Decision integrity is captured automatically at the moment each decision is made. Audit is continuous, representation is governed, and defensibility is the default state rather than an after-the-fact scramble. |
What changes as you climb
Each level is a shift in when the record is created. At Level 1 it is never created; at Level 3 it is assembled when asked; at Level 5 it is captured at decision time and verified continuously. The climb is from reconstructing defensibility under pressure to producing it on demand, which is exactly the posture the EU AI Act, ISO/IEC 42001, and TRAIGA reward.[3]
Find your level
A governance readiness assessment places an organization on this scale against each pillar and shows the gap to the next level. ModalPoint runs the assessment for regulated operators.
Frequently asked questions
What is the DIG Maturity Model?
A five-level scale that measures how defensible an organization's AI-influenced decisions are, from Level 1 (ad hoc, no record) to Level 5 (defensible by default, captured at decision time), assessed against the four pillars of Digital Information Governance.
How is it different from an AI maturity model?
Most AI maturity models rate model capability or adoption. The DIG Maturity Model rates decision defensibility: whether an AI-influenced decision can be reconstructed, explained, and proven on demand.
What level should we aim for?
Level 3 is the first level a regulator would consider governed; Level 4 and 5 are where audit-readiness becomes routine. Regulated operators making consequential AI-influenced decisions should target Level 4 or above.
References
- NIST AI Risk Management Framework (AI RMF 1.0): Govern, Map, Measure, Manage. National Institute of Standards and Technology, 2023. View source ↗
- Information governance: the records and data lifecycle discipline (storage, retention, disposition), distinct from AI decision governance. ARMA International, Generally Accepted Recordkeeping Principles; AIIM. View source ↗
- EU AI Act, Regulation (EU) 2024/1689 (Official Journal of the European Union); ISO/IEC 42001:2023; Texas Responsible AI Governance Act (TRAIGA). View source ↗
- USPTO Trademark Reg. No. 99559923, Digital Information Governance / DIG, owner Matthew Bertram. View source ↗