v3.0 · May 2026

HAIAMM

The Human Assisted Intelligence Assurance Maturity Model, an AI assurance framework for governing, building, verifying, and operating the AI/HAI systems an organization builds, consumes, and operates. The OpenSAMM / BSIMM analogue for AI.

12Practices
6Domains
3Maturity Levels
216Canonical Cells
72One-Pagers

What's new in v3.0

Released 2026-05-14

v3.0 reframes HAIAMM around a single, sharper subject: the AI/HAI systems, data, infrastructure, workflows, endpoints, and vendor tools the organization builds, consumes, or operates. The AI is what's being secured, not a tool being used to secure. Frameworks for AI-augmented security operations (AI-SOC, AI-DLP) now sit outside scope.

216 canonical cells

Every (domain × practice × level) cell authored to the canonical template, 72 one-pagers at full conformance across all six domains.

HAI-specific TTPs

Excessive Agency (EA), Agent Goal Hijack (AGH), Tool Misuse (TM), Rogue Agents (RA), tagged in TA, mitigated in SA, tested in ST, detected in ML.

Vendors as first-class domain

Full 12-practice, 3-level treatment for vendor-provided AI and AI-embedded SaaS. Shadow AI reduction is the primary L1 outcome.

Outcome metrics by default

Every level prescribes outcome metrics with baseline, target, and source. Activity counts aren't metrics, outcomes are.

MITRE ATLAS canonical

ATLAS elevated to the canonical adversarial-ML reference. Tactic/technique IDs (TA00xx, AML.M00xx) threaded through every threat-relevant practice.

Risk-tier calibration at L2

SM L2 produces a risk-tier rubric and tier-treatment matrix; every other L2 cell inherits the rubric, Critical AI gets the full program, Low gets the fast track.

Download v3.0 Handbook (PDF) → Read full v3.0 change log →

How HAIAMM Works

A 2-dimensional matrix model with progressive maturity.

1

Assess a Domain

Select from 6 assurance domains that map to your technology stack, Software, Data, Infrastructure, Vendors, Processes, or Endpoints.

2

Apply Security Practices

Each domain is assessed across 12 security practices organized into 4 business functions, from strategy through monitoring.

3

Grow Your Maturity

Progress through 3 maturity levels per practice. Each level has concrete objectives, activities, metrics, and success indicators.

HAIAMM's Business Functions

HAIAMM organizes its 12 practices into 4 business functions, each grouping 3 related practices.

6 Assurance Domains

Every practice is applied across all 6 technology domains. Each domain represents a layer of your AI technology stack.

3 Maturity Levels

Progressive capability building, each level builds on the one before.

Level 1 Foundational, essential basics everyone needs
Level 2 Comprehensive, structured, metrics-driven practices
Level 3 Industry-Leading, optimized for security-conscious orgs

Practice-Domain Matrix

Explore the full 12×6 grid, every practice mapped across all six domains. Click any cell to dive into the practice-domain detail.

View the Matrix →

Start Your HAI Security Journey

Download markdown templates to track your own Human Assisted Intelligence Assurance Maturity using the HAIAMM framework.

Download Templates →

Target Audience

HAIAMM is designed for everyone involved in AI security.

Security Leaders

CISOs and Security Directors planning HAI security programs.

Security Engineers

Teams building and operating AI security systems (SAST, DAST, CSPM, EDR, DLP, SOAR).

AI/ML Engineers

Teams developing AI models for security applications.

Risk & Compliance

Teams ensuring AI security meets regulatory requirements.

AI Governance

Teams governing AI efforts across the organization.

IT Leaders & Vendors

Teams managing infrastructure and vendors implementing AI-powered capabilities.