How scoring works

The 5-level rubric

Every scoring question is rated against the same 5-level rubric. Level 3 is intentionally the most common reality — "we have it, but it's not really being used." Levels 4 and 5 always involve some combination of governance, frequency, accountability, and visibility.

The four executive questions

37 scoring questions grouped under the four questions every executive asks. Plus 6 context questions that inform the AI CTO and the report narrative without rolling into the score.

• 5 Q
  Are we positioned to win?

  Strategy, ambition, competitive position, time horizons.
• 7 Q
  Is it actually working?

  Outcomes, ROI, adoption depth, measurable productivity gains.
• 13 Q
  What could go wrong?

  Risk, governance, data exposure, regulatory, vendor, brand.
• 12 Q
  Can we keep up?

  People, capability, tooling provision, speed of execution.

The score formula

Each pillar score is calculated on a 0–100 scale that maps level 1 → 0, level 3 → 50, and level 5 → 100. The overall AI Maturity Score is the simple average of the four pillar scores.

pillar_score = sum((level - 1) × weight) / sum(4 × weight) × 100
overall_score = average(pillar_scores)

"Is it actually working?" carries fewer scoring questions than the capability-heavy "Can we keep up?" or "What could go wrong?". That's deliberate — each outcomes question naturally carries more weight in its pillar score, reinforcing that actual outcomes matter more than process maturity.

Skip logic and N/A handling

Two upfront filter questions adjust which questions you see:

• Do you develop software in-house? If no, the AI-in-software-development question is skipped.
• Do you have a customer-facing product? If no, the AI-in-customer-experience question is skipped.

Skipped questions are excluded from both the numerator and denominator, so they don't drag the score down. Same for "Not applicable" answers on department questions — the department is simply not scored.

"Don't know" answers

Every scoring question includes a "Don't know" option. This is deliberately distinct from "Not applicable":

• Not applicable means the question doesn't structurally apply (e.g. "we don't have a Marketing function"). These are excluded from scoring entirely.
• Don't know means the respondent can't vouch for the capability. These are scored as level 1 - a gap, the same as if the capability genuinely isn't present.

We score "Don't know" as a gap because maturity assessments measure demonstrable capability - absence of evidence is treated the same way auditors treat unproven SOC 2 or ISO controls. Excluding them would create a loophole where respondents could dodge hard questions to inflate their score. If a "Don't know" is really a visibility gap rather than a capability gap, invite the right colleague to firm it up and re-take the assessment.

Named maturity levels

Your overall score maps to one of four named levels.

AI Risk Rating

The AI Risk Rating is a secondary callout — not co-headline with the maturity score. It's the average rubric level (1–5) across these seven risk-flavoured questions:

• D1Do you have AI-specific data protection policies in place?
• D5How are customer and sensitive data handled when AI tools are involved?
• D6Is intellectual property protection embedded in your AI tool usage?
• RG1Do you have a formal AI Acceptable Use Policy?
• RG3How do you assess and manage third-party AI vendor risk?
• RG5Do you have incident response procedures for AI-related issues?
• RG6How do you monitor AI outputs for accuracy and bias?

The average rubric subscore maps to a band:

AI by department heatmap

Six function-specific questions (Marketing, Sales, Finance, HR, Operations, Technology) score each department on the same 5-level rubric. Department scores are not rolled into the overall AI Maturity Score — they're a parallel diagnostic cut. Choose "Not applicable" for any function your organisation doesn't have, and that department is excluded from the heatmap entirely.