Indicative operating state
Shadow AI is widespread. No governance framework. No measurement. Tools acquired in isolation, often without procurement review. Board lacks visibility. Most AI use is undocumented and undefensible.
How this band operates
Foundational organisations are not deficient — they are at the start. The risk is operating in this band without acknowledging it: shadow AI compounds, and regulatory exposure compounds with it.
Recommended next steps
- →Run the Free Baseline Diagnostic to confirm position
- →Map shadow AI exposure via stakeholder interviews
- →Establish a basic AI governance charter (start with COR-01)
- →Define an executive sponsor for AI
- →Inventory current AI tooling and sub-processors