AMIVADIS · AI Maturity Index · Methodology Brief v1.0

The AI Governance
Rating Standard

How AMIVADIS measures, scores, and rates enterprise AI maturity

Boards are now legally accountable for AI oversight under the EU AI Act — yet no common language exists to measure whether they are actually governing it. AMIVADIS is the AI Maturity Index: a structured, evidence-weighted assessment across nine governance, execution, and strategic dimensions that produces a single composite score (0–100) and a rated band (Foundation through Platinum) readable by a board member or PE investor in five minutes. This document describes the methodology behind that score.

9 dimensions

54 questions

0–100 composite score

5 rating bands

EU AI Act anchored

ISO/IEC 42001 aligned

NIST AI RMF referenced

§ 1 · Context

The Governance Gap

Three forces converged in 2025 to make a rated AI governance standard both necessary and commercially viable.

Regulatory Obligation

The EU AI Act (Regulation 2024/1689) entered into force on 1 August 2024. Article 4 — AI Literacy — became legally binding in February 2025, requiring organisations to ensure appropriate AI competency across all staff involved in AI. High-risk AI provider and deployer obligations phase in through 2025–2026, covering risk management systems (Art. 9), data governance (Art. 10), transparency (Art. 13), human oversight (Art. 14), and post-market monitoring (Art. 72). Boards are accountable for these obligations — not just management. A supervisory board that cannot demonstrate it has evaluated AI governance compliance is exposed.

Board Accountability Without a Measuring Instrument

Existing frameworks — ISO/IEC 42001, NIST AI RMF, OECD AI Principles — are implementation standards or reference architectures. They specify how to build AI governance systems; they do not produce a score. A board member cannot take an ISO 42001 standard document into a governance review and ask "are we at the 60th percentile for companies at our stage?" AMIVADIS fills this gap: it translates implementation depth into a single comparable number that a board chair, audit committee member, or PE operating partner can read and act on without technical translation.

The Uncontested Category

ESG governance had no common measurement standard until a rated score was created — and procurement mandates followed. The AI governance equivalent of that moment is now. Nearest existing instruments (Cisco AI Readiness Index, BCG AI Maturity model, Rational Partners diagnostics) target IT/CIO audiences, produce reports rather than rated scores, and lack direct EU AI Act mapping. AMIVADIS is the first AI governance standard explicitly designed for boards and PE investors, anchored in regulatory obligations, and structured to produce a single investable number.

§ 2 · Architecture

The Nine Dimensions

AMIVADIS measures AI maturity across nine dimensions, covering the full scope of an organisation's AI program — from board-level strategy and governance to execution depth, cultural embeddedness, and financial accountability. Governance & Risk carries the highest weight (15%) because EU AI Act obligations create the legal floor; removing this dimension collapses regulatory defensibility. Financial Impact carries the lowest (9%) because early-stage organisations should not be penalised for an AI program that is still building toward measurable returns.

#	Dimension	Weight	Primary Regulatory Anchor	Core Question
D1	AI Strategy	12%	Board ownership, investment mandate, competitive narrative	Does the board own and fund AI as a strategic priority?
D2	Governance & Risk	15%	EU AI Act Art. 9 (RMS) · Art. 13 (transparency) · Art. 14 (oversight) · Art. 17 (QMS)	Is AI governed, risk-classified, and documented?
D3	Data & Infrastructure	11%	EU AI Act Art. 10 (data governance) · ISO/IEC 42001 Clause 8	Is AI data governed, lineaged, and bias-monitored?
D4	Execution & Human Oversight	13%	EU AI Act Art. 14 (human oversight) · Art. 15 (accuracy, robustness) · Art. 26 (deployer obligations)	Are AI deployments tested, monitored, and human-overseen?
D5	Org Maturity & AI Literacy	12%	EU AI Act Art. 4 (AI literacy — in force Feb 2025)	Does the organisation have the AI competency it legally requires?
D6	Deployment Breadth	10%	Production pipeline maturity · use case register	How widely and systematically is AI deployed across the business?
D7	Culture & Leadership	8%	Executive AI ownership · board agenda discipline · OKR integration	Is AI embedded in how leaders lead and how the board governs?
D8	Foresight & Defensibility	10%	EU AI Act Art. 72 (post-market monitoring) · AI IP protection · competitive intelligence	Can the organisation monitor, protect, and extend its AI advantage?
D9	Financial Impact	9%	AI investment tracking · EBITDA attribution · investor reporting	Is AI creating measurable, board-reportable financial value?

Floor Rules — Anti-Gaming Mechanism

A composite score alone can be gamed through selective excellence in easy dimensions while neglecting governance fundamentals. AMIVADIS applies minimum dimension score requirements to gate higher rating bands. A company must achieve D2 (Governance & Risk) ≥ 25 and D3 (Data & Infrastructure) ≥ 20 to qualify for Silver, regardless of composite score. Gold and Platinum apply progressively stricter minimums across D1–D4. A company failing a floor rule is rated one band below its composite score. This ensures that a Gold or Platinum AMIVADIS rating always reflects genuine governance depth, not a selective performance across favourable dimensions.

§ 3 · Scoring

The Scoring Engine

AMIVADIS scores are calculated in three stages: per-question scoring on a 0–4 Likert scale, P-A-R evidence weighting applied per question, and weighted composition across dimensions to produce the composite AMI Score.

Stage 1 — The 0–4 Maturity Scale

Score	Label	What it means
0	Not Started	No activity; topic not yet addressed
1	Initial	Ad-hoc activity; no documentation or ownership
2	Developing	Partially implemented; inconsistent application
3	Defined	Fully documented and implemented; consistently applied
4	Optimized	Verified, audited, and reported; continuously improved

Stage 2 — P-A-R Evidence Weighting

Standard maturity assessments treat all questions equally, which means a company with comprehensive policies but no execution scores the same as one with verified, measurable results. AMIVADIS corrects this by categorising each question by the type of evidence it requires — Policy, Action, or Results — and applying a differential multiplier. Words are easy; proof is not.

Policy / Intent

Strategy documents, board-approved policies, declared plans

0.80×

Action / Execution

Implemented processes, org structures, tools deployed, training delivered

1.00×

Results / Evidence

Measurable outcomes, audit reports, KPI trend data, certifications, board-reported metrics

1.30×

The P-A-R structure means an organisation that scores 4/4/4 across all question types will always outperform one that scores 4/4/0. A mature AI governance program must be evidenced, not merely declared.

Stage 3 — Composite Score & Rating Bands

Each dimension's score (0–100) is computed as the P-A-R-weighted sum of its question scores divided by the P-A-R-weighted maximum, multiplied by 100. The composite AMI Score is the sum of each dimension score multiplied by its weight.

          Dimension score (0–100) = Σ(question score × P-A-R multiplier) / Σ(4 × P-A-R multiplier) × 100

          AMI Score = Σ(dimension scorei × dimension weighti)

Foundation

0 – 19

AI activity exists but is ad-hoc, undocumented, and ungoverned. Regulatory exposure is high.

Bronze

20 – 39

Initial governance structures in place; execution is partial and inconsistent. Risk is being acknowledged.

Silver

40 – 59

Defined frameworks implemented; AI delivers measurable value in selected areas. Governance floor met.

Gold

60 – 79

Mature, board-governed AI program; measurable financial impact; EU AI Act compliant across core obligations.

Platinum

80 – 100

AI-first organisation; verifiable competitive advantage; externally benchmarked; externally auditable governance.

§ 4 · Regulatory Anchoring

EU AI Act Alignment & Framework Integration

AMIVADIS is directly anchored in the EU AI Act (Regulation 2024/1689) and cross-validated against ISO/IEC 42001:2023 and NIST AI RMF 1.0. This section provides the traceability map for each dimension and positions AMIVADIS relative to other established standards.

Dimension	EU AI Act	ISO/IEC 42001	NIST AI RMF
D1 AI Strategy	Art. 5 prohibited uses Art. 6–7 risk classification	Clause 4 context Clause 6 planning	GOVERN 1 MAP 1
D2 Governance & Risk	Art. 9 risk management Art. 13 transparency Art. 14 oversight Art. 17 QMS	Clause 6 risk Clause 8 operation Clause 9 evaluation	GOVERN 2–6 MAP 2–5
D3 Data & Infrastructure	Art. 10 data governance	Clause 8.4 data	MAP 3 MEASURE 2
D4 Execution & Oversight	Art. 14 human oversight Art. 15 accuracy & robustness Art. 26 deployer obligations	Clause 8.5 lifecycle Clause 8.6 testing	MANAGE 1–4 MEASURE 3–4
D5 Org Maturity & Literacy	Art. 4 AI literacy ★ in force Feb 2025	Clause 7.2 competence Clause 7.3 awareness	GOVERN 5–6
D6 Deployment Breadth	Operational scope — no direct article	Clause 8.3 AI use case	MAP 5 MANAGE 2
D7 Culture & Leadership	Art. 4 organisational culture	Clause 5 leadership	GOVERN 1
D8 Foresight & Defensibility	Art. 72 post-market monitoring Art. 27 FRIA for deployers	Clause 9.1 monitoring Clause 10 improvement	MEASURE 4 MANAGE 4
D9 Financial Impact	Financial governance — no direct article	Clause 7.1 resources	GOVERN 4

How AMIVADIS Relates to ISO 42001, NIST AI RMF, and Other Standards

	AMIVADIS	ISO/IEC 42001:2023	NIST AI RMF 1.0
Primary output	0–100 score + rated band	Certification (pass / fail)	Framework compliance profile
Target audience	Board, PE investors, procurement	Technical / compliance teams	Risk / technical teams
Time to complete	~20 minutes	3–12 months (certification process)	Months (full implementation)
Peer benchmarking	Planned — cohort database	Not designed for comparison	Not designed for comparison
EU AI Act direct mapping	Yes — article-level	Aligned (not article-mapped)	Referenced (not article-mapped)
Can certifications be used as evidence?	Yes — accepted as R-tier evidence	— (is the certification)	— (is the framework)
Relationship to AMIVADIS	—	ISO 42001 certification scores as a 4 on relevant questions	NIST implementation evidence scores as A/R evidence

AMIVADIS is not a replacement for ISO 42001 certification or NIST AI RMF implementation. It is the measurement and rating layer on top of them — translating implementation depth into a single comparable score in the language boards and investors understand. A company that holds ISO 42001 certification will score very highly on the dimensions that certification covers.

§ 5 · Assurance

The Three-Tier Assurance Model

AMIVADIS is designed to grow in trust alongside the AI governance rating market. Three distinct assurance tiers provide a clear progression from rapid self-assessment to independently audited certification. Each tier carries a distinct badge, ensuring that recipients of a score can immediately identify its assurance level.

Tier 1

Self-Assessed

Available Now

Completed by the organisation using the AMIVADIS browser-based tool. Scores reflect self-declared maturity. No data leaves the browser. All responses are confidential to the assessor. Output: "AMIVADIS Self-Assessed" scorecard with band, dimension radar, and improvement roadmap.

→

Tier 2

AMIVADIS Verified

2026 — Planned

Evidence submission + Plansix analyst review. The assessor uploads artifacts (board minutes, policy documents, audit reports, KPI data) that substantiate their self-declared scores. An AMIVADIS-trained analyst reviews and validates the evidence before issuing a Verified badge. Scores may be adjusted. Output: "AMIVADIS Verified" scorecard with analyst confirmation note.

→

Tier 3

AMIVADIS Audited

Future

Third-party accredited review by a licensed AMIVADIS auditor. On-site or remote evidence review, management interviews, and technical inspection. Equivalent rigour to an ISO certification audit. Output: "AMIVADIS Audited" certificate with auditor attestation, suitable for investor due diligence and regulatory reporting.

Evidence Standards — What Qualifies

Acceptable: Board-approved documents (max 3 years old) · KPI trend data (minimum 2 reporting periods) · ISO 42001 / SOC 2 certificates (max 18 months old, AI scope confirmed) · LMS completion records · Management accounts with AI investment line · Board pack excerpts with AI reporting · Penetration test reports (AI systems in scope).

Not acceptable: Undated documents · Draft policies without board approval · Expired certifications · Point-in-time snapshots without trend · Self-declared completion without system record · Projections presented as actuals.

§ 6 · Applications

How to Use the AMIVADIS Score

The AMIVADIS score is designed to be used in four primary contexts. In each case, the score functions as a structured starting point for a governance conversation — not an endpoint.

⬡

Board AI Governance Reporting

Present the score as part of the annual AI governance review. The dimension radar identifies which areas require board-level attention. The floor rules status signals whether EU AI Act obligations are met at the governance layer. Use the 30/90/12-month improvement roadmap as the basis for a board-approved AI governance action plan.

⬡

PE Due Diligence & Portfolio Monitoring

Add AMIVADIS to the DD checklist as a standardised AI governance assessment. Benchmark the target company's score against sector comparables. For portfolio companies, track score progression across the hold period as a value-creation governance KPI. A score trajectory from Bronze to Gold over a 3-year hold period is a demonstrable exit-readiness signal.

⬡

Enterprise AI Vendor Qualification

Require AMIVADIS Self-Assessed (or Verified, for high-risk AI vendors) as a procurement qualification criterion. The score replaces lengthy bespoke questionnaires with a standardised, comparable number. D2 (Governance & Risk) and D4 (Execution & Oversight) scores are the most relevant signals for a vendor's AI risk posture.

⬡

Annual AI Strategy Review

Score annually — the year-over-year delta is as valuable as the absolute score. Dimension scores that have not improved despite stated investment are a signal of execution gap. The P-A-R breakdown reveals whether the programme is policy-heavy (intent without execution) or execution-led (delivery without board visibility or measured returns).

Reading the score in board context: A score below 40 (Foundation or Bronze) indicates that AI governance obligations — including those now legally binding under EU AI Act Art. 4 — are not being met systematically. A score between 40–59 (Silver) indicates the governance infrastructure is in place but is not yet consistently executed or measured. Scores of 60 and above (Gold) indicate a program that is board-governed, executed, and delivering measurable value. Platinum (80+) indicates a program suitable for external benchmarking and investor-level disclosure.

AMIVADIS — AI Maturity Index (AMI) is a proprietary standard of Board-Agents by Plansix GmbH. Framework v1.0 — 2026. Anchored in EU AI Act (Regulation 2024/1689), cross-validated against ISO/IEC 42001:2023 and NIST AI RMF 1.0. AMIVADIS and AI Maturity Index (AMI) are proprietary trademarks of Plansix GmbH. All rights reserved. Unauthorised reproduction or commercial use of the AMIVADIS scoring methodology, question bank, or rating architecture is prohibited.

Board-Agents by Plansix GmbH · Dr. Christian Schlögel · amivadis.com · board-agents.com · Impressum · Datenschutz

The AI GovernanceRating Standard