Skip to main content
June 9, 2026Anthropic Launches Claude Fable 5 with Runtime Fallback Safeguards and Mandat...

OPERATIONAL FRAMEWORKS

The Governance Readiness Matrix

Two axes. Agent count versus authorization coverage. One number tells you where you are. Most organizations cannot produce either number.

The reconciliation problem typically surfaces at the worst possible moment, during examination prep, when the team that deployed the original agents has turned over and nobody owns the registry. The matrix exists because most organizations discover their agent count by asking the wrong people.

v1.0 · April 2026Sougata Roy, sougataroy.com

Free to read and cite with attribution to Sougata Roy and sougataroy.com. Do not republish, rebrand, or claim authorship of any framework, term, or model as your own.

Explore all frameworks

Governance Readiness Matrix

v1.0
Four readiness quadrants4 items
1

High count / high coverage

Governed at Scale

High deployment velocity and high governance maturity. Every new...

2

Low count / high coverage

Pre-Authorization Discipline

Low deployment velocity and high governance maturity. Few deploym...

3

High count / low coverage

Agent Sprawl

High deployment velocity and low governance maturity. This is whe...

4

Low count / low coverage

Pilot Exposure

Low deployment velocity and low governance maturity. Few deployme...

Version 1.0, Published April 2026

Before deployment

Readiness means knowing both what exists and what is governed.

In this framework, governance readiness is not a policy statement. It is the organization's ability to produce an actual AI system count and a current authorization coverage ratio before an incident forces the question.

Use this section to frame the meeting: the goal is to calculate current state, not to debate whether the policy sounds mature.

Why this framework exists

The governance gap in enterprise AI is not a technology problem. It is a velocity problem. Organizations are deploying AI systems faster than they are building the organizational structures to govern them. The result is a gap between what is deployed and what is governed that grows with every new deployment and compresses with every remediation effort.

McKinsey's 2026 AI Trust Maturity Survey, conducted across approximately 500 organizations between December 2025 and January 2026, found the average enterprise governance maturity score at 2.3 out of 4. Only one-third of organizations reached maturity level 3 or higher in governance and agentic AI controls. Those are not organizations that ignored governance. They are the ones that responded to a governance survey, which means they are likely more governance-aware than the broader enterprise population.

Governance question

For each AI system currently operating in your environment, can your organization produce a documented authorization record, a named accountable owner who knows they own it, and evidence of a compliance review conducted before deployment?

Editorial governance illustration showing reconciled AI system inventory and authorization evidence converging into an institutional readiness record.

Readiness record

One trusted current-state answer

The matrix starts by reconciling what exists with what is governed, so leadership can see count and coverage together.

Using this in a room

Use the matrix as a diagnostic, not a checklist.

The matrix has two axes. Understanding what each one measures is the prerequisite for placing your organization accurately on it.

Ask for the two numbers. If either number cannot be produced, that is the finding and the first remediation task.

Editorial two-axis governance readiness matrix with agent count, authorization coverage, four quadrants, and current placement.

Two-axis diagnostic

Count and coverage determine placement

The quadrant is not a maturity opinion. It comes from actual agent count and authorization coverage evidence.

01

Agent Count

The horizontal axis is Agent Count. This is the actual count of AI systems operating in the environment, including systems deployed without formal approval. Velocity is what IT thinks is deployed. Count is what a cross-functional inquiry produces. These are not the same number.

02

Authorization Coverage

The vertical axis is Authorization Coverage. This is the percentage of deployed AI systems with all four governance artifacts verifiably in place. This is not a tier score or a policy commitment. It is a ratio. It can be calculated from two numbers. If you cannot calculate it today, that inability is the finding.

The matrix

Two diagnostic dimensions produce one placement.

The Governance Readiness Matrix gives organizations a precise, calculable way to understand where they are. Not as an abstract self-assessment. Not as a maturity model that requires expert scoring. As a ratio, calculated from two numbers your organization either has or cannot produce - and the inability to produce them is itself a finding.

Start with the dimension cards, then place the organization in the quadrant that matches count and coverage.

Editorial evidence math illustration showing authorization coverage as complete authorization artifacts divided by actual AI system count.

Coverage math

Authorization coverage is evidence math

Complete artifacts form the numerator. The reconciled AI system count forms the denominator. Missing evidence is the finding.

Agent Count

How many AI systems are actually operating in the environment, including systems deployed without formal approval?

Pass / fail signal

Pass: a reconciled cross-functional count exists. Fail: each function reports a different number.

Authorization Coverage

What percentage of deployed AI systems have all required governance artifacts verifiably in place?

Pass / fail signal

Pass: the ratio can be calculated today. Fail: the organization cannot produce the numerator or denominator.

High count / high coverage

Governed at Scale

High deployment velocity and high governance maturity. Every new deployment goes through an established governance process. The organization can produce authorization records for its AI systems on demand, as a routine operational capability, not in response to a triggering event. The shadow agent population is low and declining. The intake process is enforced consistently, including for urgent deployments. This is the destination. It is currently occupied by a small minority of enterprises. The organizations that are there did not arrive by accident. They built the intake process before they needed it.

Next action

Maintain the intake process and keep the ratio current.

Low count / high coverage

Pre-Authorization Discipline

Low deployment velocity and high governance maturity. Few deployments, but each one is fully governed. The organization has built governance discipline before scaling. This is the right starting position for an enterprise that has not yet deployed AI broadly. The risk here is specific and worth naming: governance processes designed for low volume often do not survive the transition to scale. Organizations in this quadrant should redesign their governance process for the velocity they expect, not the velocity they currently have.

Next action

Stress-test governance before the deployment count rises.

High count / low coverage

Agent Sprawl

High deployment velocity and low governance maturity. This is where most enterprises are in 2026. Deployment has outpaced governance. Many AI systems are operating without authorization records, without named accountable owners, or without compliance review. The organization knows it has AI systems running. It does not know the complete count, and it cannot produce governance artifacts for a significant portion of them on demand. The signal for this quadrant is the gap between what leadership thinks is deployed and what a discovery exercise reveals. The shadow agent population grows with every passing quarter in which no intake process exists.

Next action

Run discovery and retroactive authorization in parallel.

Low count / low coverage

Pilot Exposure

Low deployment velocity and low governance maturity. Few deployments, and governance is not yet in place. The organization is in an AI pilot phase. This quadrant is only genuinely low-risk if two conditions hold simultaneously: the pilots remain genuinely limited in scope and data access, and governance infrastructure is being built before scale begins. Most organizations in this quadrant believe they have more time than they do. The transition from pilot to production happens faster than governance programs develop.

Next action

Build governance infrastructure before pilots become production dependencies.

Interpreting results

The score is a current-state ratio, not an aspiration.

The ratio is not a target. It is a current state. The work of governance is maintaining it at a level that reflects the organization's regulatory obligations and risk tolerance, and improving it consistently over time.

Leave the room with three things: total AI system count, authorization coverage rate, and the next workstream assigned to an owner.

Editorial governance workflow showing agent sprawl remediation through retroactive governance and a new deployment intake process.

Remediation workflow

Two workstreams after a low score

Existing deployments need retroactive governance while new deployments enter through a governed intake process.

Editorial quarterly review ledger showing changing agent count, authorization coverage, expired reviews, owner changes, and recalculation.

Quarterly rhythm

The ratio changes, so the review repeats

New systems, expired reviews, and owner changes all feed back into the matrix as recurring evidence.

Above 80 percent

Maintain readiness

Your governance coverage rate is above 80 percent and is being actively maintained. Every new deployment goes through the intake process before it goes live. The organization can produce authorization records for deployed AI systems on demand, not in response to an incident, but as a routine operational capability. When the velocity count changes, the coverage rate is recalculated within a defined time window and the result is reported to the person accountable for the organization's AI governance posture.

Below 50 percent

Treat it as sprawl

Step 3 is identifying your quadrant. Plot your velocity count against your coverage rate. A coverage rate below 50 percent places you in Agent Sprawl or Pilot Exposure regardless of what your formal AI policy describes. A policy that explains what governance should look like does not count toward coverage unless it has been applied to specific deployed systems with verifiable artifacts.

Low score response

Run two workstreams

Step 4 is defining the governance intake process. Organizations in Agent Sprawl must run two parallel workstreams: retroactive governance of existing deployments, prioritized by risk, and a governance intake process that applies to every new deployment going forward. The intake process defines what documentation is required before a deployment is authorized. Without a defined intake process, new deployments continue entering the environment without governance artifacts, and the coverage ratio declines even as remediation work proceeds on the existing backlog.

Quarterly rhythm

Step 5 is measuring the ratio quarterly. The governance coverage rate is a metric, not a one-time assessment. As deployment velocity increases and as existing governance artifacts expire without review, the ratio changes. Organizations that measure quarterly can identify when governance maturity is declining relative to deployment velocity before the gap becomes a regulatory or legal event. Organizations that measure once and assume the ratio is stable are making an assumption their regulators will not share.

Primary sources

The research basis for the matrix.

The page grounds the readiness gap in external research on enterprise AI trust, agentic AI governance, and governance maturity.

Use these references when the matrix result needs to be explained to leadership, audit, or risk stakeholders.

mckinsey.com

Source: McKinsey and Company, "State of AI Trust in 2026: Shifting to the Agentic Era," March 25, 2026. Survey of approximately 500 organizations, December 2025 to January 2026.

View source

deloitte.com

Source: Deloitte, "The State of AI in the Enterprise 2026," January 2026. Survey of 3,235 senior leaders across 24 countries, August to September 2025.

View source

deloitte.com

Source: Deloitte, "From Ambition to Activation: Organizations Stand at the Untapped Edge of AI's Potential," January 21, 2026.

View source

Connected frameworks

Where the matrix turns into remediation.

The matrix tells you where you are. These connected frameworks tell you how to discover the count, improve coverage, and reduce accumulated governance debt.

Use these cards after scoring the matrix to assign the next practical remediation path.

Connected framework

The Authorization Coverage Lifecycle

Defines the stages an organization moves through as authorization coverage changes over time.

Open framework

Connected framework

The Tenant Agent Reconciliation Framework

Provides the discovery process needed to establish the actual agent count before the matrix can be scored.

Open framework

Connected framework

Governance Debt

Names the accumulated design work that appears when deployed systems outpace authorization records.

Open framework