What Is the AI Adoption Maturity Model?
Carnegie Mellon University’s Software Engineering Institute (SEI) and Accenture released the AI Adoption Maturity Model v1.0 on June 8, 2026. The SEI is the organization behind CMM and CMMI, the maturity models that gave enterprise software development a shared yardstick for three decades. That lineage matters: this model applies software-engineering maturity discipline to AI adoption, and it carries an institutional weight the consulting-deck maturity matrices of the last two years never had.
The methodology is heavier than the genre norm. The model rests on a systematic review of more than 100 existing AI maturity efforts, roughly 25 executive interviews, a survey of about 600 practitioners, and intensive pilots with Fortune 500 organizations. The launch announcement frames the goal as scaling AI with predictable outcomes, and the SEI’s preliminary report from December 2025 named generative AI and agentic AI implementations as a key driver behind the model. The full model is available from the SEI Digital Library.
It defines five maturity levels. Read by an engineering leader, they translate cleanly:
- Exploratory AI — individual engineers run their own experiments; no shared tooling, standards, or mandate.
- Implemented AI — AI is deployed in specific workflows; assistants sit in the IDE, but practice varies team by team.
- Aligned AI — AI use conforms to organizational strategy and standards; agents are expected to follow the same rules engineers do.
- Scaled AI — AI operates across the organization under repeatable, measured processes; governance can no longer be hand-carried.
- Future-Ready AI — the organization absorbs new AI capabilities without redesigning its controls each time.
The Eight Dimensions, Read by an Engineering Leader
The model assesses organizations across eight core dimensions: Organizational Strategy; Workforce and Culture; Workflow Re-engineering; Risk and Governance; Data; Engineering; Operations and Sustainment; and Ecosystem. Most belong to the executive layer. Two sit squarely with engineering teams: Risk and Governance, and Engineering itself.
Risk and Governance covers the policies, standards, and controls that bound AI use — who may deploy what, against which data, under which review. Engineering covers how AI-enabled systems get built, tested, and maintained. At every maturity level, assessing those two dimensions reduces to one practical question: when an agent writes code, do the organization’s rules reach it?
Workflow Re-engineering deserves more attention than its name invites, because it is where coding agents live. Redesigning a development workflow around agents — intent to diff to review to production — is process redesign, and Accenture’s launch research shows how rare that is. 86% of C-suite leaders plan to increase AI spending in 2026, yet only 21% of organizations are redesigning end-to-end processes with AI at the core. Most organizations are bolting agents onto workflows designed for humans typing, then scoring the result as adoption.
Aligned AI Is Where Governance Gets Hard
Alignment in an enterprise codebase is specific. An agent is aligned when its output conforms to the architecture, the security standards, the team’s engineering practices, and the decisions already recorded in ADRs and review threads. An agent that ships a working feature while violating last quarter’s layering decision is unaligned no matter how clean the diff looks — that is architectural drift with better throughput.
Ipek Ozkaya, Technical Director of AI-native Software Engineering at the SEI, framed the launch this way: “True AI maturity is not measured by how much AI an organization deploys, but by its ability to build trustworthy and resilient capabilities...” Trustworthy is the load-bearing word. For an engineering team, trusting an agent means trusting that architectural governance holds when no reviewer is watching the prompt.
The jump from Level 3 to Level 4 changes the problem class. At Aligned AI, a strong team can hold the line with review culture and a few senior engineers who remember every decision. At Scaled AI, that stops working. Dozens of teams. Hundreds of agent sessions a day. Decisions made in one repository that bind twelve others. Governance becomes a systems problem: infrastructure has to produce alignment, because attention does not replicate.
The Governance Execution Gap
The model treats governance as a capability dimension — something an organization builds and scores. That is the right framing for assessment, and it still leaves the hardest engineering question unanswered: how do architectural and governance decisions propagate into the AI agents doing the work? A maturity score tells you the policies exist. Governance propagation is whether they arrive.
Take a concrete case. Policy: all customer-data access goes through the approved service layer. The policy is written, the architecture diagram shows the layer, security signed off on it eighteen months ago. A developer asks an agent to add a churn-report feature. The agent generates a direct SQL query against the customer table. The query is correct, the tests pass, the diff is small. Policy exists. Governance exists. Architecture exists. Execution does not.
Multiply that small failure across an enterprise and the launch statistics look less mysterious. Nearly half of executives report that AI has so far delivered little impact on profit. Part of that gap is the distance between deploying AI and deploying AI that follows the organization’s own decisions — the same distance security teams spent a decade closing, which is why governance by design is now retracing the security-by-design playbook.
A maturity assessment measures whether governance exists. It does not test whether a recorded decision survives contact with an agent at generation time. That test happens in the diff, and most organizations have never run it.
From Documentation to Execution
Governance capability moves through five stages, and the model’s level language maps onto them. Most organizations today sit at the first two. Level 3 demands the third. Levels 4 and 5 are unreachable without the last two.
| Stage | What it looks like | How it scales with agents |
|---|---|---|
| Documentation | Write policies: ADRs, standards, wiki pages | Agents do not read the wiki |
| Awareness | Train teams on the policies | Trains the humans; the agent was never in the room |
| Review | Check compliance manually in pull requests | Capped by reviewer hours; agents outproduce them |
| Automation | Verify compliance automatically in CI | Catches violations after the code already exists |
| Execution | Enforce decisions during generation | The constraint travels with the agent |
The first three stages share a failure mode: they target humans. The agent never read the wiki, never attended the training, and produces diffs faster than the reviewer can hold the standard. This is the difference between documentation and decision memory — prose describes a decision; memory makes it retrievable and checkable at the moment code is generated. Automation closes part of the gap by checking output in CI. Execution closes the rest by enforcing decisions while the code is being written, the one stage where the agent itself is governed rather than merely audited.
What Level 4 and Level 5 Organizations Will Need
Scaled AI and Future-Ready AI assume governance that runs without a human in every loop. Four capabilities follow from that assumption:
- Decision memory. Architectural and governance decisions stored as structured, versioned records a system can query — ADRs as data, with scope and constraints attached.
- Governance retrieval. The decisions relevant to a given change surfaced into the agent’s context at generation time. Static rule files plateau here; retrieval-backed memory scales with the decision count.
- Automated verification. Every agent-produced change checked against the recorded decisions it touches — verification contracts instead of reviewer recollection.
- Auditable agent behavior. For any landed change, the organization can show which decisions were checked, when, and with what verdict.
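
The churn-report case and the four capabilities above can be shown together in a small check. This is an added example, not code from the SEI, Accenture, or the model: the `Decision` fields, the `ADR-EXAMPLE-1` record, the `src/customer_service/` path, and the sample diff are all constructed assumptions.

```python
import fnmatch
import re
from collections import namedtuple

# An ADR as data (hypothetical fields): scope/exempt are path globs, forbidden is
# a regex that no added line inside scope (and outside exempt) may match.
Decision = namedtuple("Decision", "id version scope exempt forbidden")

# Constructed record for the service-layer policy in the churn-report case.
DECISIONS = [Decision("ADR-EXAMPLE-1", 2, "src/*", "src/customer_service/*",
                      r"(?i)\b(from|join|update|into)\s+customers?\b")]
# Constructed diff: the agent's direct query against the customer table.
SAMPLE_DIFF = """\
--- a/src/reports/churn.py
+++ b/src/reports/churn.py
@@ -10,1 +10,3 @@ def churn_report(db):
     cutoff = last_quarter()
+    rows = db.execute("SELECT id, plan FROM customers WHERE cancelled_at > ?", cutoff)
+    return summarize(rows)
"""

def added_lines(diff):
    """Yield (path, line_no, text) for each line a unified diff adds."""
    path, line_no = None, 0
    for raw in diff.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:].removeprefix("b/")
        elif raw.startswith("@@"):
            line_no = int(re.search(r"\+(\d+)", raw).group(1)) - 1
        elif raw.startswith("+"):
            line_no += 1
            yield path, line_no, raw[1:]
        elif not raw.startswith("-"):
            line_no += 1  # context line

def retrieve(path, decisions=DECISIONS):
    """Governance retrieval: decisions whose scope covers this path."""
    return [d for d in decisions if fnmatch.fnmatch(path, d.scope)
            and not fnmatch.fnmatch(path, d.exempt)]

def verify(diff, decisions=DECISIONS):
    """Check added lines against the decisions they touch; return an audit record."""
    checked, violations = set(), []
    for path, line_no, text in added_lines(diff):
        for d in retrieve(path, decisions):
            checked.add((d.id, d.version))
            if re.search(d.forbidden, text):
                violations.append({"decision": d.id, "file": path, "line": line_no})
    return {"checked": sorted(checked), "violations": violations,
            "verdict": "fail" if violations else "pass"}
```

`verify(SAMPLE_DIFF)` returns a failing verdict that names the decision, its version, the file, and the line, which is the record the audit capability needs. A regex over added lines is a deliberately coarse contract: it will miss queries assembled dynamically or issued through an ORM, so a production check would need to work on parsed code or query plans.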
The pressure behind all four is arithmetic. The 86% of C-suite leaders increasing AI spending in 2026 are buying more agent output, and none of them are growing senior-review capacity at the same rate. The reviewer who holds alignment at Level 3 becomes the bottleneck that blocks Level 4. Human review stops scaling long before compliance requirements do, and the organizations that climb past Aligned AI will be the ones that moved enforcement off the reviewer’s plate and into the toolchain.
The SEI and Accenture have given engineering leaders a credible ladder. The execution layer — memory, retrieval, verification, audit — is the part you still have to build.