Demo

This is an example report using representative data. Your actual score will be different.

Take the real assessment →
Montro|

SELF-ASSESSMENT · v1.8

Get my real report →

Your report · Completed 29 Apr 2026

AI Governance Maturity Report

Example Organisation · Standard track · EU-27 · ID demo · 29 Apr 2026

View Board / DPA / Vendor report packs →

Overall maturity

2.4 /5.0

L2 · Emerging

You are emerging — approaching the threshold for sustainable AI governance. Three high-leverage actions get you to Defined.

Dimensions at/above L3

1/8

Questions answered

16/16

Regulatory gaps

11

Actions queued

8

WHERE YOU'RE EXPOSED

You're exposed in these areas. 11 regulatory gaps · 8 prioritised actions.

Maturity profile

TARGETL3.0StrategyAIRiskDataThird-PartyPeopleProcessesMetrics
Your score
Target (L3)

Dimension breakdown

WEIGHTED·TARGET L3.0
Strategy & Leadership
2.5/5L3 · Defined
2.5/5
L3 · Defined
AI & SaaS Inventory
1.8/5L2 · Emerging
1.8/5
L2 · Emerging
Risk Mgmt & Compliance
2.0/5L2 · Emerging
2.0/5
L2 · Emerging
Data Governance
2.5/5L3 · Defined
2.5/5
L3 · Defined
Third-Party & Vendor Risk
2.8/5L3 · Defined
2.8/5
L3 · Defined
People & AI Literacy
3.0/5L3 · Defined
3.0/5
L3 · Defined
Processes & Lifecycle
2.0/5L2 · Emerging
2.0/5
L2 · Emerging
Metrics & Monitoring
2.5/5L3 · Defined
2.5/5
L3 · Defined
Your score
Target (L3)

Strengths to maintain

People & AI Literacy
3.0

Your AI literacy programme and cultural foundations represent a genuine compliance strength under Art. 4.

Third-Party & Vendor Risk
2.8

Your vendor risk management shows supply-chain awareness that goes beyond the average for your peer group.

Priority gaps

AI & SaaS Inventory
1.8

Run a full shadow-AI census. Target L3 in 4–6 weeks.

Risk Mgmt & Compliance
2.0

Classify all AI against Annex III. Target L3 in 6–8 weeks.

Processes & Lifecycle
2.0

AI incident response playbook. Target L3 in 3–5 weeks.

Remediation roadmap

Calibrated to current resourcing. Reorder, defer, or assign.

Demo preview

Phase 1 — 0–3 months

PhaseActionDetailEffortOwner
P1Deploy AI and SaaS discovery toolingImplement automated discovery via SSO logs, browser extension, or network monitoring to identify all AI tools in use.MediumIT Director / CISO
P1Classify all AI systems by EU AI Act risk tierReview each AI system against Annex III categories. Document classification decisions. Prioritise high-risk systems for Art. 9 risk management.MediumDPO / Legal
P1Document an AI incident response playbookDefine escalation paths, notification timelines (NIS2: 24h early warning; DORA: 4h initial notification), and responsible parties.MediumCISO

Phase 2 — 3–6 months

PhaseActionDetailEffortOwner
P2Formalise the AI governance policyEstablish a formal, board-endorsed AI governance policy with a named accountable owner and cross-functional authority.LowCEO / Board
P2Update RoPA to include all AI processing activitiesAdd all AI data processing to your Art. 30 record. Include data sources, transfer mechanisms, retention periods, and legal basis.LowDPO

Phase 3 — 6–12 months · Sustain & optimise

PhaseActionDetailEffortOwner
P3Sustain AI literacy programme with refresher training✓ At targetAnnual refresher modules for all staff. Track completion rates.LowHR / L&D