AEGIS · Diagnostic
Artifact D.3
6-Layer Gap Assessment Framework
Structured maturity scoring across thirty dimensions spanning all six AEGIS layers. Produces the prioritized gap register that drives the 90-Day Governance Roadmap.
- Client: [CLIENT NAME]
- Engagement: [ENGAGEMENT ID]
- Version: v1.0
- Issued: 2026-05-18
Delivered by TechFides under the AEGIS Governance Operating Services engagement. This document is proprietary to the client named above. Redistribution beyond the engagement steering committee requires written consent.
Purpose and Scope
Intent — Convert Diagnostic inputs — interviews, Shadow AI scan, document review — into a defensible numeric posture. Scoring is the consultant's synthesis, not the client's self-assessment.
The Gap Assessment scores the organization on thirty dimensions, five per AEGIS layer. Each dimension carries a maturity score from 0 to 4. Scores are evidence-backed; every dimension cites the source that justifies its score. The resulting posture picture is the backbone of the Diagnostic readout and the sequencing logic of the 90-Day Governance Roadmap.
Maturity Scale
Intent — The 0–4 scale is deliberately compressed. Most enterprises score between 1 and 3 on most dimensions. Avoid grade inflation.
- 0 · Absent: No policy, no process, no ownership. AI activity is uncontrolled and undocumented.
- 1 · Ad hoc: Individual actors make individual choices. No shared standard exists. Outcomes depend on who is in the room.
- 2 · Defined: Written policy or process exists. Awareness is partial; enforcement is inconsistent.
- 3 · Operating: Policy is enforced, ownership is clear, logs or artifacts demonstrate active operation.
- 4 · Managed: Metrics are reported, reviewed, and drive continuous improvement. Audit-ready.
Scoring Procedure
Intent — Four steps, applied to every dimension. No dimension is scored without evidence.
- Collect — gather the required evidence from stakeholder interviews, document review, and the Shadow AI Scan. If evidence is absent, note the absence; do not imagine.
- Score — apply the maturity scale. Default to the lower of two adjacent levels when uncertain.
- Cite — record the evidence source(s). Every score must survive the question "how do you know?"
- Triangulate — for any dimension scored 3 or 4, confirm with a second stakeholder or a document artifact. Self-reported high scores without triangulation drop one level.
Dimensions by Layer
Intent — Thirty dimensions across six layers. Every dimension is scored; no dimension is skipped. Omitted evidence is documented as such.
Layer: Governance · AEGIS Policy Core
| Code | Dimension | Assessment Question | Required Evidence | Score |
|---|---|---|---|---|
| G1 | Acceptable use policy | Is there a current, published AI Acceptable Use Policy that covers generative, predictive, and agentic AI? | Policy document with issuance date, applicability statement, and acknowledgment trail. | [0-4] |
| G2 | Decision rights | Is there a documented RACI for AI decisions — tool approval, data class authorization, model selection, incident response? | RACI matrix reviewed by executive committee in last 12 months. | [0-4] |
| G3 | Risk register inclusion | Do AI-specific risks appear in the enterprise risk register with named owners and mitigation plans? | Risk register with AI entries, last review date, owner sign-off. | [0-4] |
| G4 | Board-level reporting | Does the board receive a regular AI posture report? Quarterly minimum. | Board deck excerpts from the last two reporting cycles. | [0-4] |
| G5 | Policy enforcement | When policy is breached, is there a documented enforcement path and at least one recorded enforcement action? | Enforcement log or exception register with outcomes. | [0-4] |
Layer: Security, Trust & Resilience · AEGIS Shield
| Code | Dimension | Assessment Question | Required Evidence | Score |
|---|---|---|---|---|
| S1 | Data classification coverage | Is every data class (public, internal, confidential, regulated) mapped to permitted AI tools and prohibited AI tools? | Data classification and AI permission matrix. | [0-4] |
| S2 | Vendor risk assessment | Does each sanctioned AI vendor have a completed risk assessment covering data handling, model training posture, sub-processors, and contractual protections? | Vendor file with assessment, DPA, and annual review date. | [0-4] |
| S3 | Identity and access | Are AI tools integrated into identity management with SSO, MFA, and offboarding automation? | IDP grant list for AI category. | [0-4] |
| S4 | Incident response | Is there an AI-specific incident response runbook, with defined incident types (prompt injection, data leakage, hallucination reliance, model outage)? | Runbook with scenario walk-throughs and escalation tree. | [0-4] |
| S5 | Logging and audit | For sanctioned AI tools processing confidential or regulated data, are prompts, outputs, and access events logged and retained per policy? | Sample log extract and retention statement. | [0-4] |
Layer: Intelligence · AEGIS Signal
| Code | Dimension | Assessment Question | Required Evidence | Score |
|---|---|---|---|---|
| I1 | AI inventory accuracy | Is there a current, comprehensive inventory of AI tools in use — sanctioned, discretionary, and discovered? | Inventory with last-updated date, owner, data class, cost. | [0-4] |
| I2 | Shadow AI visibility | Does leadership have a defensible view of unsanctioned AI activity, updated at least quarterly? | Most recent Shadow AI Scan Report. | [0-4] |
| I3 | Value tracking | For each material AI investment, is there a measured value outcome (hours saved, quality improvement, revenue impact)? | Value & Spend Tracker populated for top 5 tools. | [0-4] |
| I4 | Spend discipline | Is AI spend consolidated under a single owner with budget authority, or is it scattered across cost centers? | Spend roll-up by tool, department, and month. | [0-4] |
| I5 | Executive dashboarding | Does the executive team have a standing AI dashboard covering adoption, risk, spend, and value? | Dashboard with current metrics and documented review cadence. | [0-4] |
Layer: Execution · AEGIS Deploy
| Code | Dimension | Assessment Question | Required Evidence | Score |
|---|---|---|---|---|
| E1 | Workflow inventory | Are the top AI-augmentable workflows identified, prioritized, and owned? | Workflow catalog with owner, status, expected outcome. | [0-4] |
| E2 | Governed automation patterns | Do workflow automations that use AI have consistent governance wrappers (approvals, human-in-loop, logging, rollback)? | Automation inventory with control checklist applied. | [0-4] |
| E3 | Prompt and template standards | Is there a centralized prompt and template library with versioning and review? | Prompt library with at least one templated prompt per core workflow. | [0-4] |
| E4 | SOP alignment | For AI-augmented workflows, do Standard Operating Procedures reflect the AI role, its limits, and the human checkpoints? | Revised SOPs for top 3 AI-augmented workflows. | [0-4] |
| E5 | Quality controls | Is there a defined quality check for AI-produced work before it reaches a client, customer, or regulator? | QA protocol for AI-produced output in at least one material process. | [0-4] |
Layer: Operations · AEGIS Cadence
| Code | Dimension | Assessment Question | Required Evidence | Score |
|---|---|---|---|---|
| O1 | Governance review cadence | Is there a standing governance review at quarterly or faster cadence, with documented agenda and outcomes? | Last two review meeting minutes with attendance and actions. | [0-4] |
| O2 | Adoption metrics | Is adoption of sanctioned AI tools measured at the team level, with reasons-for-non-adoption understood? | Adoption dashboard with segmentation by team. | [0-4] |
| O3 | Training program | Is there a role-based AI literacy curriculum, with completion tracked and content refreshed on a known cadence? | Training roster with completion rates and last-refreshed date. | [0-4] |
| O4 | Change management | Are AI-driven role and process changes managed through a change framework, with HR and employee-relations involvement? | Change log for the last two AI-driven changes. | [0-4] |
| O5 | Continuous improvement loop | Are learnings, incidents, and near-misses captured and folded back into policy, training, and tooling? | Closed-loop register with at least three cycles. | [0-4] |
Layer: Leadership · AEGIS Brief
| Code | Dimension | Assessment Question | Required Evidence | Score |
|---|---|---|---|---|
| L1 | Strategic AI narrative | Can the CEO articulate the company's AI posture, ambition, and guardrails in a three-minute board-level narrative? | Most recent board communication on AI. | [0-4] |
| L2 | Executive alignment | Is there measurable alignment across the C-suite on AI priorities, risk appetite, and investment? | Alignment assessment from interviews — CEO, COO, CIO, CFO, CISO. | [0-4] |
| L3 | Customer-facing posture | Does the company have a defensible public position on AI — how it is used, what data touches it, what protections exist? | Customer-facing AI statement, website disclosure, or contract language. | [0-4] |
| L4 | Roadmap discipline | Is there a 12-month AI roadmap with named outcomes, owners, and investment levels? | Current roadmap reviewed by executive committee. | [0-4] |
| L5 | Board fluency | Does the board have sufficient AI fluency to exercise oversight, or is education and briefing part of the operating rhythm? | Board education plan, last briefing date, materials. | [0-4] |
Layer Posture Rollup
Intent — Aggregate scores by layer to produce the six posture numbers that anchor the executive readout.
| Layer | Dimensions Scored | Average | Posture |
|---|---|---|---|
| Governance | 5 / 5 | [score] | [Absent \| Ad hoc \| Defined \| Operating \| Managed] |
| Security, Trust & Resilience | 5 / 5 | [score] | [Absent \| Ad hoc \| Defined \| Operating \| Managed] |
| Intelligence | 5 / 5 | [score] | [Absent \| Ad hoc \| Defined \| Operating \| Managed] |
| Execution | 5 / 5 | [score] | [Absent \| Ad hoc \| Defined \| Operating \| Managed] |
| Operations | 5 / 5 | [score] | [Absent \| Ad hoc \| Defined \| Operating \| Managed] |
| Leadership | 5 / 5 | [score] | [Absent \| Ad hoc \| Defined \| Operating \| Managed] |
| Composite posture | 30 / 30 | [score] | [Posture label] |
Gap Prioritization
Intent — Not every gap is equal. Prioritize by lift — the distance to the next level — weighted by layer criticality for this client's industry and regulatory posture.
Default layer criticality
- Regulated industries (healthcare, financial services, legal): Governance and Shield weighted 1.5×.
- Operationally complex (multi-site, multi-BU): Execution and Operations weighted 1.5×.
- Board-sensitive (public, PE-backed, investor-scrutinized): Leadership and Governance weighted 1.5×.
Prioritization formula
For each dimension: Priority = (3 − current score) × layer weight. Dimensions with the top ten priorities become the input set for the 90-Day Governance Roadmap.
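The scoring procedure, layer rollup and prioritization formula above, carried through in code as an added example (not part of the TechFides artifact). Assumptions not stated on the page: overlapping criticality profiles take the higher weight rather than compounding, the posture label floors the layer average (in the spirit of "default to the lower level"), and the six sample scores are constructed, not client data.

```python
from dataclasses import dataclass

LEVELS = ["Absent", "Ad hoc", "Defined", "Operating", "Managed"]  # index = maturity score 0..4
LAYERS = {"G": "Governance", "S": "Security, Trust & Resilience", "I": "Intelligence",
          "E": "Execution", "O": "Operations", "L": "Leadership"}
CRITICALITY = {"regulated": {"G": 1.5, "S": 1.5},  # page defaults; unlisted layers weight 1.0
               "operationally_complex": {"E": 1.5, "O": 1.5},
               "board_sensitive": {"L": 1.5, "G": 1.5}}

@dataclass
class Dimension:
    code: str                   # e.g. "G1"; the first letter selects the layer
    score: int                  # consultant's 0-4 maturity score
    evidence: tuple             # cited sources; empty means it cannot be scored
    triangulated: bool = False  # confirmed by a second stakeholder or artifact

def effective_score(d: Dimension) -> int:
    """Scoring procedure: evidence is mandatory; a 3 or 4 without triangulation drops one level."""
    if not d.evidence:
        raise ValueError(f"{d.code}: no dimension is scored without evidence")
    return d.score - 1 if d.score >= 3 and not d.triangulated else d.score

def layer_weights(profiles) -> dict:
    weights = {k: 1.0 for k in LAYERS}
    for p in profiles:
        for layer, w in CRITICALITY[p].items():
            weights[layer] = max(weights[layer], w)  # assumption: overlapping profiles do not compound
    return weights

def rollup(dimensions) -> dict:
    """Layer and composite averages; the label floors the average (assumption, per 'default lower')."""
    groups = {}
    for d in dimensions:
        groups.setdefault(LAYERS[d.code[0]], []).append(effective_score(d))
    groups["Composite posture"] = [effective_score(d) for d in dimensions]
    return {name: (round(sum(s) / len(s), 2), LEVELS[int(sum(s) / len(s))])
            for name, s in groups.items()}

def prioritize(dimensions, profiles, top_n=10) -> list:
    """Priority = (3 - current score) x layer weight; highest first, code breaks ties."""
    w = layer_weights(profiles)
    ranked = [(d.code, (3 - effective_score(d)) * w[d.code[0]]) for d in dimensions]
    return sorted(ranked, key=lambda t: (-t[1], t[0]))[:top_n]

# Constructed sample (not client data): six dimensions from a regulated-industry engagement.
SAMPLE = [Dimension("G1", 3, ("AUP v2.1",)),  # self-reported 3, not triangulated -> counts as 2
          Dimension("G2", 1, ("CIO interview",)),
          Dimension("S1", 2, ("Data classification matrix",)),
          Dimension("S4", 4, ("IR runbook", "CISO interview"), triangulated=True),
          Dimension("E1", 0, ("COO interview: no workflow catalog",)),
          Dimension("L1", 3, ("Board deck", "CEO interview"), triangulated=True)]
```

Running `prioritize(SAMPLE, ["regulated"])` ranks E1 and G2 first (priority 3.0 each), showing how a 1.5× weight lets a Governance gap of two levels tie with an Execution gap of three.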
Evidence Log
Intent — Maintain a single evidence log that lists every source cited in scoring. This is the artifact an auditor asks to see.
| Dimension | Evidence Source | Date Collected | Triangulation |
|---|---|---|---|
| [G1, S2, etc.] | [Document, interview, scan result] | [YYYY-MM-DD] | [Second source confirmation] |