Assessment questionnaire for measuring maturity. Answer each question honestly based on current, implemented practices.
v3.0 canonical source:
../practices/SA-Processes-OnePager.md. Outcome metrics, activities, and success criteria are verbatim from that document. Subject rule (§12.1): the AI is what is being secured, not a tool performing security tasks.
Practice: Secure Architecture (SA) Domain: Processes Purpose: Assess organizational maturity in publishing and operationalizing reference architectures for every AI/HAI-embedded workflow archetype the organization operates Scoring Model: Evidence + Outcome Metrics (see Scoring Methodology below)
| Tier | Score | Criteria |
|---|---|---|
| Fully Mature | 1.0 | Evidence complete + 3 or more outcome metrics meet targets |
| Implemented | 0.67 | Evidence complete + 2 outcome metrics meet targets |
| Partial | 0.33 | Evidence partially complete + fewer than 2 metrics meet targets |
| Not Implemented | 0.0 | No evidence of the practice |
Level Score = average of the three question scores for that level. Overall SA-Processes Score = weighted average: L1 × 0.5 + L2 × 0.3 + L3 × 0.2.
Objective: Publish reference architectures per AI/HAI workflow archetype and an anti-pattern catalog derived from real incidents; link each pattern to SR-Processes requirements and TA-Processes threats.
Q1.1: Has the organization published a reference architecture pattern for each of the seven AI/HAI workflow archetypes it operates, decision pipeline, customer-facing flow, HITL chain, back-office augmentation, approval/review workflow, content-generation workflow, and knowledge-management workflow, with each pattern including a labeled workflow diagram, oversight design, disclosure mechanism, logging specification, and explicit row-by-row mapping to SR-Processes requirements and TA-Processes threats with HAI TTP tags and applicable MITRE ATLAS mitigation IDs, accessible within one click of the SM inventory record?
Evidence Required: - [ ] Architecture registry listing all seven workflow archetype reference patterns with version and publication date - [ ] Each pattern document includes a labeled workflow diagram covering scope, data boundary, oversight design (HITL gate placement, review depth, override authority, fallback), disclosure mechanism (Art. 50 implementation point), logging spec, SR mapping, and threat mapping - [ ] HAI TTP tags (EA / AGH / TM / RA) and applicable MITRE ATLAS mitigation IDs present in each pattern - [ ] SM inventory records link to the applicable reference pattern within one click of the workflow record - [ ] Deviation-review path documented with a named reviewer population and a stated SLA (target: ≤5 business days) - [ ] 100% of customer-facing AI workflows verified (via IR spot-check) to place Art. 50 disclosure at the point of first AI interaction, not only in terms of service
Outcome Metrics: | Metric | Baseline | Target | Source | Met? | Notes | |--------|----------|--------|--------|------|-------| | Reference patterns published per archetype (decision pipeline, customer-facing flow, HITL chain, back-office augmentation, approval/review workflow, content-generation workflow, knowledge-management workflow) | 0 / 7 | 7 / 7 | Architecture registry | ☐ | | | % active AI/HAI-embedded workflows in the SM inventory using a named reference pattern or documented deviation | measure | ≥85% | Inventory × pattern metadata | ☐ | | | % of customer-facing flows with Art. 50 disclosure placed at the point of first AI interaction (not only in terms) | measure | 100% | IR spot-check | ☐ | | | Pattern-to-SR requirement mapping coverage | measure | 100% of pattern controls tagged to SR requirement | Pattern metadata | ☐ | |
Metric Collection Guidance: - Patterns published: Count published patterns with all required skeleton elements present including HITL gate placement and disclosure mechanism for applicable archetypes. Source: architecture registry. Reviewed quarterly. - Inventory workflow adoption: Query SM inventory for each active workflow's pattern-adoption field. Count workflows classified as "on pattern" or "deviation with review" divided by total active workflows. Source: SM inventory export. - Art. 50 disclosure at interaction point: For each customer-facing AI workflow, run an IR spot-check confirming that the disclosure component is present at the point of first AI interaction (not only in terms of service or privacy policy). Count compliant workflows divided by total customer-facing AI workflows. Source: IR spot-check records. - SR mapping coverage: For each pattern, count controls with a SR requirement tag divided by total controls. Aggregate across all seven patterns. Source: pattern metadata.
Answer: - ☐ Fully Mature (Evidence complete + ≥3 metrics meet targets) - ☐ Implemented (Evidence complete + 2 metrics meet targets) - ☐ Partial (Evidence partially complete + <2 metrics meet targets) - ☐ Not Implemented (No evidence)
Evidence Location: __ Validation Date: __ Notes: ___
Q1.2: Has the organization published an anti-pattern catalog with a minimum of 8 entries, each naming the pattern, explaining why it is dangerous, citing a real-incident pattern, and linking to the reference pattern element that replaces it, linked from the AI Acceptable Use Policy, the SM intake gate, and EG-Processes training, and are 100% of customer-facing AI workflows verified via IR spot-check to place Art. 50 disclosure at the point of first AI interaction?
Evidence Required: - [ ] Anti-pattern catalog document with at least 8 named entries covering the L1 mandatory set (rubber-stamp HITL, autonomous decisions affecting persons without override path, back-office AI with unbounded tool scope, content-generation without review for material outputs, knowledge-base without provenance, HITL gate that silently becomes auto-approve on queue overflow, decision-distribution monitor never established, Art. 50 disclosure buried in terms) - [ ] Each entry includes: description, why dangerous, real-incident pattern, and the reference pattern element that replaces it - [ ] Catalog linked from the AI Acceptable Use Policy (with a dated link) - [ ] Catalog linked from the SM intake gate (verified by IR spot-check) - [ ] Catalog referenced in EG-Processes training materials with a dated curriculum link - [ ] IR spot-check records confirming Art. 50 disclosure at interaction point for all customer-facing AI workflows
Outcome Metrics: | Metric | Baseline | Target | Source | Met? | Notes | |--------|----------|--------|--------|------|-------| | Anti-patterns catalog published and linked from intake / SM inventory | n/a | Yes | Document registry | ☐ | | | % of customer-facing AI workflows with Art. 50 disclosure at the point of first AI interaction confirmed by IR spot-check | measure | 100% | IR spot-check | ☐ | | | Anti-pattern catalog entries with a real-incident-pattern citation | measure | 100% of entries | Catalog metadata | ☐ | | | Time from new IM-Processes incident classification to anti-pattern catalog entry | measure | ≤30 days | Catalog change log | ☐ | |
Metric Collection Guidance: - Catalog published: Binary check, catalog exists, is versioned, and links are present from the three required touchpoints. Source: document registry audit. - Art. 50 disclosure confirmation: IR spot-check for each customer-facing AI workflow. Confirm disclosure is present at the interaction point by testing the live workflow (not only reviewing UX screenshots). Count compliant workflows divided by total customer-facing AI workflows. Source: IR spot-check records. - Incident citation coverage: Count anti-pattern entries with an incident-pattern citation field populated divided by total entries. Source: catalog metadata. - Catalog update lead time: From IM-Processes incident classification timestamp to catalog-entry publication timestamp. Source: IM-Processes log and catalog change log.
Answer: - ☐ Fully Mature (Evidence complete + ≥3 metrics meet targets) - ☐ Implemented (Evidence complete + 2 metrics meet targets) - ☐ Partial (Evidence partially complete + <2 metrics meet targets) - ☐ Not Implemented (No evidence)
Evidence Location: __ Validation Date: __ Notes: ___
Q1.3: Is a repeat-deviation signal operational, such that three deviations in the same direction for the same archetype automatically queue a pattern-update review with SA ownership, and are 85% or more of active AI/HAI-embedded workflows in the SM inventory classified as "on pattern" or "deviation with review" with no silent deviations?
Evidence Required: - [ ] SM inventory fields for pattern-adoption status populated for all active AI/HAI-embedded workflows - [ ] Repeat-deviation signal wired: a query, report, or automation that detects three or more deviations in the same direction for the same workflow archetype and generates a pattern-update queue item - [ ] Pattern-update queue items traceable to deviation records with SA ownership assigned - [ ] New-archetype lead-time SLA documented (target: 30 days from first intake in a new workflow archetype category to pattern publication) - [ ] Pattern quarterly review schedule with change-log entries maintained - [ ] Zero workflows with unreviewed/silent deviations confirmed by audit
Outcome Metrics: | Metric | Baseline | Target | Source | Met? | Notes | |--------|----------|--------|--------|------|-------| | % active AI/HAI-embedded workflows in the SM inventory using a named reference pattern or documented deviation | measure | ≥85% | Inventory × pattern metadata | ☐ | | | Repeat-deviation signal operational (three deviations in same direction queue pattern-update review) | measure | Yes, operational and tested | Deviation-review log | ☐ | | | New-archetype lead time (days from first intake to pattern publication) | measure | ≤30 days | Architecture registry change log | ☐ | | | Silent-deviation count (workflows with no pattern classification) | measure | 0 | SM inventory audit | ☐ | |
Metric Collection Guidance: - Inventory adoption: Same query as Q1.1 outcome metric 2. Reported monthly. - Repeat-deviation signal: Demonstrate by showing at least one instance of the trigger firing and a resulting pattern-update queue item. Source: deviation-review log and pattern-update queue. - New-archetype lead time: For each new workflow archetype category added to the inventory in the review period, measure elapsed days from first intake record to published pattern date. Source: SM inventory and architecture registry. - Silent deviations: Export SM inventory and count workflows where pattern-adoption field is null, empty, or unclassified. Target is zero. Source: SM inventory export.
Answer: - ☐ Fully Mature (Evidence complete + ≥3 metrics meet targets) - ☐ Implemented (Evidence complete + 2 metrics meet targets) - ☐ Partial (Evidence partially complete + <2 metrics meet targets) - ☐ Not Implemented (No evidence)
Evidence Location: __ Validation Date: __ Notes: ___
Objective: Extend reference patterns to multi-region/sector-specific complexity; add HITL-capacity patterns that auto-throttle decision volume to reviewer capacity; encode patterns as IaC where workflows are code-defined; update the anti-pattern catalog from IM-Processes incidents.
Q2.1: Are the tier-conditional extended patterns, Critical overlay, High overlay, sector-specific overlays, multi-region, and HITL-capacity auto-throttle, published as forkable workflow templates with conformance test suites, and are 80% or more of Critical and High-tier AI/HAI-embedded workflows running on template-encoded patterns?
Evidence Required: - [ ] Five or more tier-conditional pattern variants documented and published: Critical overlay (class-shift monitor with per-protected-class segmentation, DPIA/FRIA evidence hook, kill-switch design, EU AI Act Art. 9/15 controls), High overlay (HITL-capacity monitoring modules, queue-depth signal, auto-throttle trigger), sector-specific overlays (employment, credit, clinical, financial), multi-region pattern, and HITL-capacity auto-throttle pattern - [ ] Each variant encoded as a forkable workflow definition template (Temporal / Camunda / Argo Workflows or equivalent) for code-defined workflows - [ ] Each template ships with a conformance test suite testing: HITL gate present for required tier, override audit trail wired, disclosure mechanism present for customer-facing flows, queue-cap logic present for HITL chain patterns, scoped tool list declared for back-office augmentation - [ ] HITL-capacity auto-throttle implemented as a first-class workflow property (queue cap wired in orchestrator, not only in policy): confirmed by a test record showing auto-throttle firing when queue depth exceeds the cap - [ ] 100% of Critical-tier workflows with EU AI Act Art. 9 and Art. 15 controls explicitly mapped in the pattern documentation
Outcome Metrics: | Metric | Baseline | Target | Source | Met? | Notes | |--------|----------|--------|--------|------|-------| | Tier-conditional pattern variants published (Critical overlay, High overlay, sector-specific overlays, multi-region, HITL-capacity) | 0 / 5+ | ≥5 | Architecture registry | ☐ | | | % Critical and High-tier AI/HAI-embedded workflows using an IaC-encoded or template-encoded pattern | measure | ≥80% | IaC/workflow registry × SM inventory | ☐ | | | Conformance test coverage across template-encoded workflow deployments | measure | 100% of template-encoded deployments | CI/workflow conformance test pipeline | ☐ | | | % Critical-tier workflows with EU AI Act Art. 9 and Art. 15 controls explicitly mapped in the pattern | measure | 100% | Pattern metadata | ☐ | |
Metric Collection Guidance: - Tier-conditional variants: Count published variants with workflow template and conformance test suite present. Source: architecture registry. Reviewed quarterly. - Template adoption rate: Cross-reference workflow registry against SM inventory for all Critical and High-tier AI/HAI-embedded workflows. Divide template-encoded count by total Critical/High count. Source: workflow registry and SM inventory export. - Conformance test coverage: Count template-encoded workflow deployments with a passing conformance test run in the last 30 days divided by total template-encoded deployments. Source: CI/workflow conformance test pipeline report. - EU AI Act mapping: Count Critical-tier workflows whose pattern document includes Art. 9 and Art. 15 control-mapping section divided by total Critical-tier workflows. Source: pattern metadata.
Answer: - ☐ Fully Mature (Evidence complete + ≥3 metrics meet targets) - ☐ Implemented (Evidence complete + 2 metrics meet targets) - ☐ Partial (Evidence partially complete + <2 metrics meet targets) - ☐ Not Implemented (No evidence)
Evidence Location: __ Validation Date: __ Notes: ___
Q2.2: Has the anti-pattern catalog been updated from three or more real IM-Processes incidents in the last 12 months, with new entries surfaced at intake time rather than stored only in a reference document, and is conformance testing covering 100% of template-encoded workflow deployments with findings tracked to resolution?
Evidence Required: - [ ] IM-Processes incident log showing at least 3 incidents in the last 12 months classified to an anti-pattern (existing or new) - [ ] Anti-pattern catalog change log showing entries added from IM-Processes classifications with incident references - [ ] Anti-patterns surfaced at intake time: SM intake gate shows current anti-patterns alongside approved archetype selection (not only in a reference document) - [ ] Conformance test failure log for the last 90 days showing findings with assigned owners and resolution timestamps - [ ] Template version-pinned with template update notification operational (workflow owners notified of updates requiring remediation) - [ ] Template change log maintained with dated entries
Outcome Metrics: | Metric | Baseline | Target | Source | Met? | Notes | |--------|----------|--------|--------|------|-------| | Anti-pattern catalog additions fed from IM-Processes incidents in last 12 months | measure | ≥3 additions | Anti-pattern change log | ☐ | | | Conformance test coverage across template-encoded workflow deployments | measure | 100% of template-encoded deployments | CI/workflow conformance test pipeline | ☐ | | | Conformance test findings tracked to resolution (no open findings >30 days without an owner) | measure | 100% of findings have an owner and resolution timeline | Conformance finding tracker | ☐ | | | Template update notification SLA | measure | ≤10 business days | Template change log + notification records | ☐ | |
Metric Collection Guidance: - Anti-pattern additions from incidents: Count catalog entries added in the last 12 months that carry an IM-Processes incident reference. Source: anti-pattern catalog change log. - Conformance test coverage: Same as Q2.1. Reviewed monthly. - Finding resolution tracking: Export conformance test findings. Count findings with no assigned owner or with age >30 days and no resolution timestamp. Target is zero. Source: conformance finding tracker. - Template notification SLA: For each template update in the review period, calculate elapsed days from template version-bump to last workflow-owner notification confirmation. Source: template change log and notification records.
Answer: - ☐ Fully Mature (Evidence complete + ≥3 metrics meet targets) - ☐ Implemented (Evidence complete + 2 metrics meet targets) - ☐ Partial (Evidence partially complete + <2 metrics meet targets) - ☐ Not Implemented (No evidence)
Evidence Location: __ Validation Date: __ Notes: ___
Q2.3: Are 100% of Critical-tier workflows carrying explicit EU AI Act Art. 9 and Art. 15 control mappings in the pattern documentation, and does the HITL-capacity auto-throttle pattern enforce queue capping in the workflow orchestrator definition (not only in policy), verified by conformance test?
Evidence Required: - [ ] Tier-treatment matrix from SM-Processes L2 documented and linked from the SA-Processes pattern selection guide - [ ] Evidence that Critical-tier workflows are using the Critical overlay template including class-shift monitor and kill-switch design (confirmed by workflow registry query) - [ ] Evidence that High-tier workflows are using the High overlay template including HITL-capacity monitoring modules (confirmed by workflow registry query) - [ ] HITL-capacity auto-throttle confirmed enforced in the workflow orchestrator definition by conformance test: a test record demonstrating the queue cap fires and holds new workflow items in the staging queue (not routes to auto-approve) when capacity is exhausted - [ ] DPIA/FRIA evidence hook confirmed operational for at least one Critical-tier workflow sample - [ ] Quarterly reconciliation record of Critical/High workflow list against template-encoded pattern adoption
Outcome Metrics: | Metric | Baseline | Target | Source | Met? | Notes | |--------|----------|--------|--------|------|-------| | % Critical-tier workflows with EU AI Act Art. 9 and Art. 15 controls explicitly mapped in the pattern | measure | 100% | Pattern metadata | ☐ | | | HITL-capacity auto-throttle enforced in workflow orchestrator (not only in policy), verified by conformance test | measure | 100% of HITL chain and decision pipeline workflows at Critical/High tier | Conformance test pipeline | ☐ | | | % Critical-tier workflows confirmed on the Critical overlay template | measure | 100% | Workflow registry × SM inventory | ☐ | | | Quarterly tier-treatment matrix reconciliation completed on schedule | measure | 4 of 4 quarters completed | Reconciliation log | ☐ | |
Metric Collection Guidance: - Art. 9/15 mapping coverage: Count Critical-tier workflows whose pattern document includes Art. 9 and Art. 15 control-mapping section divided by total Critical-tier workflows. Source: pattern metadata audit. - HITL auto-throttle enforcement: For each HITL chain and decision pipeline workflow at Critical/High tier, verify a conformance test record exists confirming queue cap enforcement. Count workflows with a passing enforcement test divided by total such workflows. Source: conformance test pipeline. - Critical overlay adoption: Cross-reference SM inventory (Critical-tier workflows) against workflow registry (template ID used). Count workflows using the Critical overlay template divided by total Critical-tier workflows. Source: workflow registry and SM inventory. - Reconciliation cadence: Count reconciliation records completed in the last 12 months. Target is 4. Source: reconciliation log.
Answer: - ☐ Fully Mature (Evidence complete + ≥3 metrics meet targets) - ☐ Implemented (Evidence complete + 2 metrics meet targets) - ☐ Partial (Evidence partially complete + <2 metrics meet targets) - ☐ Not Implemented (No evidence)
Evidence Location: __ Validation Date: __ Notes: ___
Objective: Publish reference patterns as open industry artifacts; contribute process-level architecture patterns to OECD AI, ISO/IEC 42005, and sector standards bodies; engage regulators on AI workflow architecture norms.
Q3.1: Have five or more reference patterns been published as open artifacts under a recognized open license via at least one industry or sector body, OECD AI, ISO/IEC 42005 community guidance, OWASP AI, CSA AI Safety Initiative, or equivalent, and have two or more of those patterns been cited or forked by recognized industry or sector bodies, with documented adoption evidence and internal practice aligned to the published version?
Evidence Required: - [ ] At least 5 patterns published under Apache 2.0 or equivalent open license in a public repository (OECD AI, ISO/IEC 42005 community, OWASP AI, CSA, FS-ISAC, H-ISAC, or equivalent) - [ ] Publication link, license declaration, and publication date on file for each published pattern - [ ] At least 2 patterns with documented external citations or forks (citation in published work, fork count, documented adopter organization, or formal inclusion in a community standard) - [ ] Pattern adoption telemetry report (forks, citations in published work, documented adopters) covering the last 12 months - [ ] Internal-external alignment audit showing zero unexplained divergences between internal pattern versions and published external versions - [ ] New archetypes or overlays developed internally proposed for external inclusion within 90 days of internal publication (process documented)
Outcome Metrics: | Metric | Baseline | Target | Source | Met? | Notes | |--------|----------|--------|--------|------|-------| | Reference patterns externally published (open license) | 0 | ≥5 patterns published | External repository | ☐ | | | Patterns cited or forked by recognized industry or sector bodies | 0 | ≥2 cited or forked | External telemetry / citation tracking | ☐ | | | Internal practice aligned to published external version | n/a | 100%, zero unexplained internal deviations | Pattern diff audit | ☐ | | | New internal workflow archetypes proposed for external inclusion within 90 days | measure | 100% of new internal archetypes | Architecture registry change log | ☐ | |
Metric Collection Guidance: - Patterns published: Count patterns with a public repository URL, open-license declaration, and publication date. Source: external repository and architecture registry. - External citations/forks: Count external citations and forks. Source: external telemetry report. - Internal-external alignment: Run a quarterly diff between internal pattern version and published external version. Count unexplained divergences. Source: pattern diff audit. - External proposal lead time: For each new internal workflow archetype, measure elapsed days from internal publication to external proposal submission. Source: architecture registry and external contribution log.
Answer: - ☐ Fully Mature (Evidence complete + ≥3 metrics meet targets) - ☐ Implemented (Evidence complete + 2 metrics meet targets) - ☐ Partial (Evidence partially complete + <2 metrics meet targets) - ☐ Not Implemented (No evidence)
Evidence Location: __ Validation Date: __ Notes: ___
Q3.2: Have two or more contributions been accepted to the MITRE ATLAS mitigation library or ISO/IEC 42005 community guidance, traceable to specific SA-Processes pattern controls, including HITL-capacity gating as a mitigation for TA0043 Impact (availability of oversight), decision-distribution monitoring as a mitigation for silent-decision-drift, and injection-defense in review UI as a mitigation for TA0004 Execution, and is there an active contribution cadence of at least one contribution or validation per six months?
Evidence Required: - [ ] ATLAS or ISO/IEC 42005 contribution log with at least 2 entries showing proposed, validated, or accepted contributions traceable to SA-Processes pattern controls - [ ] Priority contributions: HITL-capacity gating (TA0043 Impact mitigation, availability of oversight), decision-distribution monitoring (TA0043, silent-decision-drift mitigation), injection-defense in review UI (TA0004 Execution mitigation) - [ ] OECD AI Principles working-group engagement records: SA-Processes decision-pipeline and HITL-chain patterns submitted as concrete examples of Art. 14 and Art. 50 implementation - [ ] ISO/IEC 42005 AIMS community guidance contribution record covering human oversight design patterns and decision-logging requirements - [ ] Traceability table linking each contribution to the specific SA-Processes pattern control it corresponds to - [ ] At least 1 contribution or validation completed in each 6-month period over the last 12 months
Outcome Metrics: | Metric | Baseline | Target | Source | Met? | Notes | |--------|----------|--------|--------|------|-------| | MITRE ATLAS or ISO/IEC 42005 contributions from SA-Processes patterns | 0 | ≥2 accepted contributions | Contribution log | ☐ | | | Contributions traceable to SA-Processes pattern controls | 0 | 100% of contributions have pattern traceability | Contribution log + traceability table | ☐ | | | Contribution or validation cadence | measure | ≥1 per 6-month period | Contribution log | ☐ | | | OECD AI / ISO / ATLAS community engagement events or submissions | measure | ≥2 per year | Engagement records | ☐ | |
Metric Collection Guidance: - Contributions accepted: Count ATLAS or ISO/IEC 42005 entries in the contribution log with a status of "proposed," "validated," or "accepted." Source: contribution log. - Pattern traceability: For each contribution, verify that a traceability row linking to a specific SA-Processes pattern control is present. Source: traceability table. - Contribution cadence: Divide the last 12 months into two 6-month periods. Count contributions or validations in each period. Source: contribution log timestamps. - Community engagement: Count OECD AI / ISO / ATLAS community-engagement events, comment submissions, or working-group participation records. Source: engagement records.
Answer: - ☐ Fully Mature (Evidence complete + ≥3 metrics meet targets) - ☐ Implemented (Evidence complete + 2 metrics meet targets) - ☐ Partial (Evidence partially complete + <2 metrics meet targets) - ☐ Not Implemented (No evidence)
Evidence Location: __ Validation Date: __ Notes: ___
Q3.3: Is there at least one documented reference to SA-Processes patterns in a regulatory implementing-act, sector guidance document, or published standards text, and is the regulatory engagement calendar maintained with active items, target timelines, and evidence of substantive (not declaratory) participation in EU AI Act implementing-act consultations, NIST AI RMF Playbook successor, or sector-specific regulatory processes (CFPB, EEOC, FDA, FINRA)?
Evidence Required: - [ ] At least 1 documented reference to SA-Processes patterns in a regulatory implementing-act, sector guidance document, or published standards text - [ ] Regulatory engagement calendar with active items listing the body, engagement type, submission status, and target timeline - [ ] EU AI Act implementing-act consultation submissions where SA-Processes patterns were submitted as evidence of "state of the art" under Art. 9 (Annex III high-risk AI workflow use cases) - [ ] NIST AI RMF Playbook successor engagement record with SA-Processes pattern mappings to GOVERN / MAP / MEASURE / MANAGE - [ ] Sector-specific engagement record: CFPB, EEOC, FDA, or FINRA submission with a sector-relevant pattern variant - [ ] Evidence that engagement is substantive: the submission text or contribution artifact includes SA-Processes pattern content (not only a letter of participation)
Outcome Metrics: | Metric | Baseline | Target | Source | Met? | Notes | |--------|----------|--------|--------|------|-------| | Regulatory or standards-body references to SA-Processes patterns | 0 | ≥1 documented reference | Regulatory engagement log | ☐ | | | Regulatory engagement calendar maintained with active items | measure | Yes, maintained with ≥2 active items at all times | Regulatory engagement calendar | ☐ | | | External contribution pipeline (pattern items in-flight: draft, in-review, or in-publication) | measure | ≥2 items in-flight at all times | External contribution pipeline log | ☐ | | | Internal-external alignment audit completed quarterly | measure | 4 of 4 quarters completed | Pattern diff audit log | ☐ | |
Metric Collection Guidance: - Regulatory references: Search implementing-act consultation responses, published guidance, and standards text for citations of SA-Processes patterns. Count distinct documented references. Source: regulatory engagement log and external citation tracking. - Engagement calendar health: Review the calendar. Count active items with a named target body, engagement type, and target timeline. Source: regulatory engagement calendar. - Contribution pipeline: Count items in the external contribution pipeline with a status of draft, in-review, or in-publication. Source: external contribution pipeline log. Reviewed monthly. - Alignment audit cadence: Count quarterly diff audits completed in the last 12 months. Target is 4. Source: pattern diff audit log.
Answer: - ☐ Fully Mature (Evidence complete + ≥3 metrics meet targets) - ☐ Implemented (Evidence complete + 2 metrics meet targets) - ☐ Partial (Evidence partially complete + <2 metrics meet targets) - ☐ Not Implemented (No evidence)
Evidence Location: __ Validation Date: __ Notes: ___
| Level | Q1 Score | Q2 Score | Q3 Score | Level Score |
|---|---|---|---|---|
| L1, Publish reference architectures and anti-pattern catalog | ___/1.0 | ___/1.0 | ___/1.0 | ___/1.0 |
| L2, Template-encoded patterns with HITL-capacity auto-throttle | ___/1.0 | ___/1.0 | ___/1.0 | ___/1.0 |
| L3, Open artifacts, ATLAS/ISO contributions, regulatory engagement | ___/1.0 | ___/1.0 | ___/1.0 | ___/1.0 |
Overall SA-Processes Score (L1×0.5 + L2×0.3 + L3×0.2): ___/1.0
Maturity Statement: - Score 0.0–0.32: Pre-L1, reference patterns and anti-pattern catalog are not yet published; no vetted green path exists for AI/HAI workflow design teams. - Score 0.33–0.65: L1 Partial, some reference patterns published but Art. 50 disclosure, catalog linkage, or deviation tracking is incomplete. - Score 0.66–0.79: L1 Achieved, all seven workflow archetypes have reference patterns; anti-pattern catalog published; Art. 50 disclosure confirmed at interaction point; deviation-review path operational. - Score 0.80–0.89: L2 Achieved, tier-conditional workflow templates operational; HITL-capacity auto-throttle enforced in orchestrator; incident-informed catalog updates in place. - Score 0.90–1.0: L3 Achieved, patterns published as open industry artifacts; ATLAS/ISO contributions accepted and traceable; regulatory engagement substantive.
Document Version: HAIAMM v3.0 Practice: Secure Architecture (SA) Domain: Processes Questionnaire Version: v3.0 Publication Date: 2026-05-15 Author: Verifhai
Instructions: