Guidelines  ·  2026-05-24

Cloud Security Alliance Releases AI Security Maturity Model (AISMM) v1.0 — 12-Category Programme-Level Framework for Enterprise AI Security

Guidelines  ·  Medium impact  ·  Global
The Cloud Security Alliance (CSA) released the AI Security Maturity Model (AISMM) version 1.0 on 19 May 2026, with a blog post on 20 May 2026. The AISMM is a 12-category, 5-level CMM-aligned maturity model designed to help enterprise security programmes measure and improve their ability to safely adopt and secure AI. It covers three domains across twelve categories — including AI asset visibility, AI identity and access management, AI supply chain security, prompt and output governance, model risk management, and agentic AI oversight. Unlike the CSA AI Controls Matrix (AICM), which answers 'what controls should be in place for a given AI project?', the AISMM answers 'what does the security programme managing all enterprise AI look like at each maturity level?' It directly aligns with the AICM and incorporates deployment-type fields for self-hosted, PaaS, and API/SaaS AI patterns. The framework was released with an invitation for public feedback on its control objectives.
The AISMM fills a genuine gap: most organisations have AI security controls mapped at the project level but lack a programme-level benchmark to assess their overall readiness. The 5-level CMM structure makes it directly usable as a board-ready maturity assessment, comparable to how the NIST CSF serves general cybersecurity programmes. The AICM-alignment means organisations already invested in CSA's AI Controls Matrix can extend upward without duplication. Consultants can use this as a diagnostic framework for AI security maturity assessments with enterprise clients today.
Download the AISMM workbook from cloudsecurityalliance.org and run a preliminary self-assessment against the twelve categories. Identify which maturity level your programme currently sits at and surface the two or three highest-gap categories to leadership as a structured AI security improvement roadmap. Use the framework as a proposal structure for AI security gap-assessment engagements with clients.
Sources
CSA: AI Security Maturity Model (AISMM) — Artifact Page
CSA Blog: Introducing the AI Security Maturity Model (AISMM)