Framework / Maturity Stack
Where does your legal function stand on AI?
Five Maturity Bands. Four lenses. One OS Score — and an evidence rule that separates the maturity a function has from the maturity it can defend. A legal-specific model for describing where a legal function stands on AI, and for directing the next investment.
What is the Legal AI OS Maturity Stack?
The Legal AI OS Maturity Stack is a structured model for describing where a legal function stands on AI. It is a legal-specific synthesis that organises established governance standards — such as the NIST AI Risk Management Framework and ISO/IEC 42001 — and professional-conduct duties into a single operating model. Five bands — Foundational, Operational, Integrated, Optimised, Defensible — describe the operating state of the function across four lenses: Adoption, Sophistication, Defensibility, and Autonomy. The lens weights of 25 / 25 / 30 / 20 are designed defaults that reflect a legal-sector emphasis on Defensibility; they are a design choice, not an empirically validated weighting. Band placement is expressed as an OS Score on a 1.0 to 5.0 scale, with composite thresholds at 2.0, 2.7, 3.4, and 4.2. The Stack answers two distinct questions: placement (where a function sits) and the band a function can defend with evidence. When the two differ, the defensible band is the lower of them. The Defensible band is a framework-defined assessment outcome that rests on an approved Defensibility Posture Statement. The framework's independent certification and attestation pathway exists within the model but is not currently offered as a service; the Diagnostic returns a placement, not an issued certification.
It does two distinct jobs. First, it places a function — an OS Score maps to a Maturity Band. Second, it identifies the band a function can defend — a separate rule establishes the highest band the function can substantiate with evidence. The two answers are often the same. When they differ, the defensible band is the lower of the two.
The Five Bands
From Foundational to Defensible.
Each band describes a distinct operating posture. Movement between bands is gradual — measured in quarters, not weeks — and reflects the maturation of governance, evidence, and capability rather than tool count alone. Each band also carries a Defensibility requirement: the evidence posture needed to defend that band.
Foundational
No structured programme; ad-hoc tool use.
OS Score < 2.0
Defends withNone
Operational
Initial governance; 1–2 tools in pilot.
OS Score 2.0 – 2.7
Defends withA baseline Defensibility posture
Integrated
Multi-pillar programme; governance active.
OS Score 2.7 – 3.4
Defends withAn established Defensibility posture
Optimised
ROAI measured; defensibility posture active.
OS Score 3.4 – 4.2
Defends withA mature Defensibility posture
Defensible
Institutional-grade AI governance; evidence on-demand.
OS Score ≥ 4.2
Defends withAn attested posture — an approved Defensibility Posture Statement
Placement vs Certification
The Stack gives two answers, not one.
Placement
Where a function sits — its OS Score, mapped to a band. It answers how far the function has come.
Certification
The band a function can defend with evidence. It answers what the function can stand behind.
The two are often the same. When they diverge, the defensible band is the lower of the two: a function can defend the band it can substantiate, not the band it aspires to. The sections that follow show how each is determined.
On certification
“Certification” here names a framework concept — the band a function can defend with evidence. It is a framework-defined assessment outcome, not a regulatory approval, an industry accreditation, or a legal compliance determination. The independent certification and attestation capabilities the framework defines exist within the model and are not currently offered as part of this service; the Diagnostic returns a placement.
The Four-Lens Model
One band. Four lenses.
Band placement is a weighted average across four lenses. The weighting is a design choice: Defensibility carries the largest share because evidence and accountability are the framework’s organising emphasis.
| Lens | Default weight | What it measures |
|---|---|---|
Adoption | 25% | How broadly AI is in use across the legal function — tools deployed, training received, integrations live, use cases shipped. |
Sophistication | 25% | How advanced the use cases and operating model are — policy depth, measurement framework, governance maturity, vendor-scoring rigour. |
Defensibility | 30% | Whether governance, evidence, and risk controls are board-grade. The highest-weighted lens by design, and the lens that gates certification. |
Autonomy | 20% | How much agentic or autonomous behaviour is in operation, and how well governed — tier matrix, charter coverage, oversight cadence. |
The default weights of 25 / 25 / 30 / 20 are a designed default reflecting a legal-sector operating model — Defensibility is weighted highest by design. They are not an empirically validated weighting, and they may be configured per engagement. Defensibility is the highest-weighted lens and the lens that gates certification; this is an architectural decision about evidence, not a claim about measured value or return.
The Free Baseline Diagnostic surfaces the Adoption and Sophistication lenses alongside the OS Score. Diagnostic Pro and the Executive Diagnostic score all four lenses, including Defensibility — the requirement for a certified band.
How Maturity Is Assessed
Lenses to a score, score to a band.
The OS Score is a weighted average across the four lenses, normalised to a 1.0–5.0 scale. The Diagnostic scores each lens from evidence supplied by the function; the lens scores combine at their default weights to produce the composite OS Score, which maps to a Composite Maturity Band using fixed thresholds.
| Band | OS Score |
|---|---|
| Foundational | < 2.0 |
| Operational | 2.0 – 2.7 |
| Integrated | 2.7 – 3.4 |
| Optimised | 3.4 – 4.2 |
| Defensible | ≥ 4.2 |
This composite is the placement. It answers where the function sits. It is not, on its own, a certification — certification applies the Defensibility gate described next.
Certification Logic
Certification is never higher than placement.
Placement asks where a function sits on the composite OS Score. Certification asks which band the function can defend with evidence. Certification is capped by the Defensibility Lens.
Certification Band
= the lower of:
- the Composite Maturity Band — from the OS Score, and
- the highest band supported by the Defensibility Lens.
A band cannot be certified unless the Defensibility Lens meets the requirement for that band. A function whose composite reads Optimised but whose Defensibility evidence supports only Integrated certifies at Integrated. The composite describes capability; certification describes what that capability can withstand under scrutiny. Certification here is a framework-defined assessment outcome — not a regulatory approval, an industry accreditation, or a legal compliance determination.
Defensibility Thresholds
A rising requirement at every band.
Each band sets a rising minimum on the Defensibility Lens. A band is certifiable only when the function’s Defensibility evidence meets that band’s requirement.
| Band | Defensibility requirement to certify |
|---|---|
| Foundational | None |
| Operational | A baseline Defensibility posture |
| Integrated | An established Defensibility posture |
| Optimised | A mature Defensibility posture |
| Defensible | An attested posture — an approved Defensibility Posture Statement |
The precise lens thresholds are part of the Diagnostic methodology and are returned in the Diagnostic output. The public model defines the rule; the Diagnostic applies the cut-points.
Worked Example
When placement and certification diverge.
The function has the adoption and sophistication of an Optimised programme, but its governance and evidence base substantiates only an Integrated claim — so it certifies at Integrated, not Optimised. The composite reflects how far the function has come; certification reflects what it can defend today. The Diagnostic names the gap: the Defensibility evidence required to move certification up to meet the placement.
Why Defensibility Matters
Defensible is different in kind from Optimised.
Defensibility describes whether a function operates AI with governance, documented evidence, structured risk controls, and named accountability — the posture a board, regulator, auditor, or insurer would expect to see.
It is weighted highest among the lenses by design, and it is the only axis that gates certification. The reason is architectural. Adoption and sophistication describe what a function does; defensibility describes whether it can evidence it. The Stack is built so that the band a function certifies at is a band it can stand behind.
This is why Defensible is different in kind from Optimised. Optimised is a high composite score. Defensible is an evidenced posture: it rests on an approved Defensibility Posture Statement — a framework-defined construct, not an external accreditation. The framework’s independent certification and attestation pathway is not currently offered as a service. Optimised is reached by performance; Defensible is reached by evidence.
Relationship to the Diagnostic System
The Stack is the model. The Diagnostic is the instrument.
The Diagnostic is the instrument that places a function on the Stack. Three depths return results calibrated to the placement depth each can reach.
| Diagnostic | What it scores | What it returns |
|---|---|---|
| Free Baseline | Adoption + Sophistication | An indicative placement. It does not score Defensibility, so it returns placement only. |
| Diagnostic Pro | All four lenses, including Defensibility | A placement up to Optimised, with the Defensibility Lens scored. |
| Executive Diagnostic | All four lenses + stakeholder interviews + evidence audit | The Defensibility Posture Statement the framework defines for the Defensible band — a pathway not currently offered as a service. |
The Diagnostic outputs a Band placement that anchors the advisory conversation.Find the right Diagnostic →
Place Your Function
Now place your function on the Stack.
The Maturity Stack is the model; the Diagnostic is the instrument. Start with the Free Baseline for an indicative placement, or run the Diagnostic Pro to assess the Defensibility Lens and the band you can defend.
Related Framework
The Maturity Stack sits within the wider Legal AI OS.
Legal AI OS
The complete operating framework — 8 pillars, 6 layers.
Defensibility Standard
Governance, evidence, and accountability for board- and regulator-ready AI operations.
ROAI 4-Category
A framework for describing Legal AI returns.
Risk Taxonomy 2026
Nine canonical classes of Legal AI risk.
AI Lifecycle
Concept → Build → Deploy → Operate → Sunset.
Agentic Governance
Autonomy tiers and the Agentic Charter framework.
Some related pages are in active development. Links route to the current canonical surface; per-topic anchor essays publish over the coming weeks.