
Self-Assessment Tool

SANS Institute — Self-Assessment Tool

How mature is your AI security posture?

15 questions across three pillars. Takes about 10 minutes. You'll receive a weighted maturity stage with a full scoring breakdown and priority guidance.

AI Security Maturity Model — five stages from Unaware to Optimizing

© 2026 SANS Institute. All rights reserved.  |  sans.org

Pillar 1 of 3  ·  Protect

Securing AI Implementations

How well do you control, verify, and harden the AI systems and agents running in your environment?

Maturity requires evidence: Self-reported capabilities without documented evidence should be capped at Stage 2. If you can describe what you do but cannot point to a document, policy, or metric, score yourself at most 2.
Pillar 2 of 3  ·  Utilize

Using AI for Security

To what extent is your security team actively deploying AI to detect, investigate, and respond to threats?

Pillar 3 of 3  ·  Govern

AI Policy, Risk & Oversight

Do your policies, governance structures, and training programs keep pace with your AI usage?

Step 4 of 5  ·  Industry Profile

What best describes your organization?

The right maturity target isn't universal — it depends on your AI adoption pattern, industry, regulatory environment, and risk tolerance.

Why this matters: Each industry profile adjusts the relative weight of the three pillars. Protect and Govern are weighted higher than Utilize in most profiles because foundational failures in either create cascading risk that advanced Utilize capabilities cannot offset. Select the profile that best reflects your actual risk landscape.
Your AI Security Maturity Stage

Pillar scores: Protect, Utilize, Govern

Scoring breakdown: Industry profile, Weighted raw score, Raw stage (before caps)

Cap rules

The AI Security Maturity Model uses two cap rules to prevent a strong pillar from masking a critical weakness. An organization with excellent AI-powered threat detection but no governance structure is not genuinely mature — it is structurally exposed. These rules surface those imbalances so they cannot be hidden behind a high overall average.

Without governance as the foundation, advancement is a structural risk. Severe imbalances in any pillar represent vulnerability regardless of strength elsewhere.

Governance Floor Rule

Your overall stage cannot exceed your Govern pillar stage by more than one. If your Govern pillar scores at Stage 2, your overall maturity caps at Stage 3 regardless of how well you score on Protect and Utilize. Governance is the policy, risk, and oversight foundation that enables and constrains both other pillars. Without it, Utilize becomes uncontrolled experimentation and Protect lacks policy authority.

Minimum Pillar Rule

Your overall stage cannot exceed your lowest individual pillar score by more than one. A program that is highly optimized in two pillars but severely underdeveloped in a third has a structural vulnerability. This rule ensures that imbalance is reflected in the final stage rather than averaged away.

What does this mean for your organization?

Go deeper with the full framework — or talk with a SANS expert about your results.

Free Resource
Download the AI Security Maturity Model eBook
The full framework explains what each stage looks like in practice, what it takes to advance, and how to align your progress with NIST AI RMF, the EU AI Act, and ISO 42001.
Expert Guidance
Talk with a SANS AI Security Specialist
Not sure what your scores mean or where to start? A SANS advisor can walk you through your results, identify your highest-leverage gaps, and map a training path to close them.