The Human Assisted Intelligence Assurance Maturity Model, an AI assurance framework for governing, building, verifying, and operating the AI/HAI systems an organization builds, consumes, and operates. The OpenSAMM / BSIMM analogue for AI.
v3.0 reframes HAIAMM around a single, sharper subject: the AI/HAI systems, data, infrastructure, workflows, endpoints, and vendor tools the organization builds, consumes, or operates. The AI is what's being secured, not a tool being used to secure. Frameworks for AI-augmented security operations (AI-SOC, AI-DLP) now sit outside scope.
Every (domain × practice × level) cell authored to the canonical template, 72 one-pagers at full conformance across all six domains.
Excessive Agency (EA), Agent Goal Hijack (AGH), Tool Misuse (TM), Rogue Agents (RA), tagged in TA, mitigated in SA, tested in ST, detected in ML.
Full 12-practice, 3-level treatment for vendor-provided AI and AI-embedded SaaS. Shadow AI reduction is the primary L1 outcome.
Every level prescribes outcome metrics with baseline, target, and source. Activity counts aren't metrics, outcomes are.
ATLAS elevated to the canonical adversarial-ML reference. Tactic/technique IDs (TA00xx, AML.M00xx) threaded through every threat-relevant practice.
SM L2 produces a risk-tier rubric and tier-treatment matrix; every other L2 cell inherits the rubric, Critical AI gets the full program, Low gets the fast track.
A 2-dimensional matrix model with progressive maturity.
Select from 6 assurance domains that map to your technology stack, Software, Data, Infrastructure, Vendors, Processes, or Endpoints.
Each domain is assessed across 12 security practices organized into 4 business functions, from strategy through monitoring.
Progress through 3 maturity levels per practice. Each level has concrete objectives, activities, metrics, and success indicators.
HAIAMM organizes its 12 practices into 4 business functions, each grouping 3 related practices.
Strategy, policy & training
Threats, requirements & design
Reviews & security testing
Harden, manage & monitor
Every practice is applied across all 6 technology domains. Each domain represents a layer of your AI technology stack.
Progressive capability building, each level builds on the one before.
Explore the full 12×6 grid, every practice mapped across all six domains. Click any cell to dive into the practice-domain detail.
View the Matrix →Download markdown templates to track your own Human Assisted Intelligence Assurance Maturity using the HAIAMM framework.
Download Templates →HAIAMM is designed for everyone involved in AI security.
CISOs and Security Directors planning HAI security programs.
Teams building and operating AI security systems (SAST, DAST, CSPM, EDR, DLP, SOAR).
Teams developing AI models for security applications.
Teams ensuring AI security meets regulatory requirements.
Teams governing AI efforts across the organization.
Teams managing infrastructure and vendors implementing AI-powered capabilities.