TL;DR: We built the AI Compliance Readiness Framework (ACRF) to give organizations a clear, honest picture of where they stand on AI governance. Five stages: Exposed, Reactive, Patchwork, Structured, Hardened. Most companies sit at Stage 1 or 2. The ones who've made headlines for AI failures were all below Stage 3. Here's how to find your stage and what to do about it.
Nobody Knows Where They Stand
Ask a CEO whether their company is "AI compliant" and you'll get one of three responses: a confident yes (almost always wrong), a nervous shrug, or "compliant with what?"
That third answer is the most honest one. There is no single AI compliance standard in the US. No unified federal framework. No checkbox you can tick. Instead, there's a rapidly expanding web of state laws, federal agency guidance, court rulings, and industry-specific regulations, all moving at different speeds and often contradicting each other.
So when we advise clients, the first question we need to answer is simple: where are you right now? Not where you think you are. Where you actually are.
We built the AI Compliance Readiness Framework to answer that question. Five stages. Clear criteria. No ambiguity.
The Five Stages
Stage 1: Exposed
Characteristics: No AI governance policy. No approved tool list. No data classification. Employees use whatever AI tools they want, for whatever purpose, with whatever data they have access to. Nobody is tracking usage. Nobody is reviewing outputs.
What this looks like in practice: The paralegal pastes client communications into ChatGPT to draft responses. The CFO uses Claude to analyze financial projections that include MNPI. The HR director uses an AI tool to screen resumes with no bias testing. Nobody told them to do this. Nobody told them not to.
Risk profile: Maximum. A single incident could trigger regulatory investigation, litigation, or public embarrassment. You don't know what you're exposed to because you're not tracking anything.
How many companies are here: More than half of all mid-market businesses, based on our assessments. The number is higher in industries that haven't yet faced a high-profile AI failure.
Stage 2: Reactive
Characteristics: Some awareness of AI risk, usually triggered by a news story, a board question, or a near-miss incident. Initial policies are ad hoc: a memo from legal, an IT email about approved tools, maybe a clause in the employee handbook.
What this looks like in practice: After reading about Mata v. Avianca (the lawyers who submitted AI-hallucinated case citations), the managing partner sends an email saying "don't use ChatGPT for client work." Six months later, everyone is still using it. The email had no enforcement mechanism, no alternative tools, and no follow-up.
Risk profile: Still high. Awareness without infrastructure just creates liability documentation. You've now demonstrated that you knew about the risks and failed to implement adequate controls. That's worse in litigation than pure ignorance.
The trap: Many companies get stuck at Stage 2 because the initial reactive measures create the illusion of governance. The email went out. The box was checked. Nothing actually changed operationally.
Stage 3: Patchwork
Characteristics: Multiple AI governance initiatives exist but they're disconnected. IT has an approved tool list. Legal has a usage policy. Compliance has started tracking high-risk AI applications. But these efforts don't connect to each other. There's no unified framework. Gaps exist between departments.
What this looks like in practice: IT approved Microsoft Copilot for the organization. Legal drafted an AI usage policy that prohibits using AI for client-facing work without partner review. But the policy doesn't mention Copilot specifically. Nobody's sure whether Copilot embedded in Outlook counts as "using AI for client-facing work." The compliance team is tracking AI usage in underwriting but not in customer service. The right hand doesn't know what the left hand is doing.
Risk profile: Moderate to high. You have coverage in some areas but gaps in others. The gaps are where incidents will occur. And because you have documented policies in some areas, the absence of policies in others is more conspicuous.
Progress indicator: You're doing real work at Stage 3. The problem is coordination, not effort.
Stage 4: Structured
Characteristics: A unified AI governance framework exists and is implemented across the organization. All five layers of the compliance stack are in place (Data Classification, Tool Authorization, Output Verification, Audit Trail, Incident Response). Policies are consistent across departments. Training is regular. Compliance is measured and reported.
What this looks like in practice: Every employee completes AI compliance training during onboarding and annually thereafter. A centralized tool authorization process evaluates every AI tool before deployment. Data classification guides determine what information can flow through which tools. Output review protocols exist for every AI-assisted workflow. Audit logs capture interaction metadata. An incident response playbook sits in a shared drive and has been tested.
Risk profile: Managed. You've identified your risks, implemented controls, and established monitoring. Incidents can still occur, but you detect them faster, contain them better, and have documentation to demonstrate due diligence.
How many companies are here: Very few. In our assessments, roughly 5-10% of mid-market companies have reached Stage 4. Most are in regulated industries (financial services, healthcare) where existing compliance infrastructure provided a foundation to build on.
Stage 5: Hardened
Characteristics: AI governance is embedded in organizational culture. Compliance is proactive, not reactive. The organization anticipates regulatory changes and adapts before deadlines. Regular red-team exercises test AI systems for vulnerabilities. Continuous improvement cycles refine policies based on incident data, regulatory developments, and emerging best practices.
What this looks like in practice: The compliance team monitors proposed AI legislation across all operating jurisdictions. Risk assessments are updated quarterly. New AI tools undergo a formal evaluation process before any employee accesses them. AI-generated outputs are subject to statistical quality monitoring in addition to individual review. The organization contributes to industry working groups on AI governance standards.
Risk profile: Minimal residual risk. You've done everything reasonably possible. If an incident occurs, your defense posture is strong.
How many companies are here: Almost none. Some large financial institutions and defense contractors. A handful of Big Tech companies. That's about it.
The Case Studies That Prove This Matters
Every high-profile AI failure we've analyzed maps to a specific stage on the ACRF.
Mata v. Avianca (2023): Stage 1
Two attorneys used ChatGPT to draft a legal brief without any organizational policy, any review process, or any verification protocol. The AI fabricated six case citations. The attorneys submitted the brief to the court without checking whether the cases existed.
This is pure Stage 1. No governance. No oversight. No review. The attorneys weren't violating a policy because there was no policy to violate.
The result: sanctions, fines, and career damage that followed both attorneys into every subsequent engagement. Judge Castel's opinion became the most-cited AI case in legal history.
The Wisconsin DA (2026): Stage 2
A district attorney's office used AI to draft filings in a 74-count criminal case. Someone presumably knew AI was being used. But the review process was either nonexistent or insufficient. The AI hallucinated case law. The court caught the fabricated citations. The case was dismissed.
Seventy-four criminal counts. Dismissed. Because the office perhaps had some awareness of AI (Stage 2 awareness) but no systematic verification process (the Output Verification layer that Stage 3 and above require).
The defendant walked. The victims got no justice. The DA's office became a national embarrassment. All because the Output Verification layer of the compliance stack didn't exist.
US v. Heppner (2026): Stage 1
An attorney used Claude for privileged client work through a consumer account with no data processing agreement, no enterprise terms, and no awareness that Anthropic's privacy policy effectively waived privilege.
Pure Stage 1. No data classification (the attorney didn't distinguish between privileged and non-privileged work). No tool authorization (consumer Claude was never evaluated for privilege safety). No audit trail. No incident response plan.
The result: privileged communications potentially exposed, a precedent-setting ruling on AI and privilege, and a scramble to contain the damage.
Finding Your Stage
Here's a quick diagnostic. Answer honestly:
Do you have a written AI usage policy? If no: Stage 1.
Is that policy enforced with technical controls (not just a memo)? If no: Stage 2.
Do you have all five compliance stack layers (Data Classification, Tool Authorization, Output Verification, Audit Trail, Incident Response)? If some but not all: Stage 3. If all: Stage 4.
Are your AI governance practices proactive, regularly tested, and continuously improved? If yes to all: Stage 5.
Most readers just landed at Stage 1 or 2. That's the honest answer for most organizations.
Moving Up the Framework
The good news: movement between stages is achievable in weeks, not years. The compliance stack layers are buildable. The policies are draftable. The training is deliverable.
From Stage 1 to Stage 2: Write and distribute an AI usage policy. Identify the AI tools currently in use. Acknowledge the risk formally.
From Stage 2 to Stage 3: Implement at least three of the five compliance stack layers. Create an approved tool list. Start data classification. Establish output review protocols.
From Stage 3 to Stage 4: Fill the gaps. Connect the disconnected initiatives. Unify the framework. Implement all five layers. Train the organization. Measure compliance.
From Stage 4 to Stage 5: Shift from reactive to proactive. Add red-team testing. Monitor regulatory developments. Contribute to industry standards. Continuously improve.
The critical move is from Stage 1 to Stage 3. That's where you go from "unaware and exposed" to "covered with gaps." Stages 4 and 5 are refinements. Stages 1 and 2 are danger zones.
Why This Framework Exists
We built the ACRF because our clients needed a way to talk about AI compliance maturity without pretending the problem was simpler than it is.
The CEOs who say "we're compliant" are usually at Stage 2 at best. The CEOs who say "we don't know" are usually being more honest. The ACRF gives both groups a shared vocabulary and a clear path forward.
Want to know exactly where your organization falls on the ACRF? Take our free AI Compliance Readiness Assessment. It takes 10 minutes and gives you a scored report with specific recommendations for your stage.
Take the assessment: acra.kaizenailab.com
Learn more: kaizenailab.com
Book a call: cal.com/dhoesq/kaizen