The maturity ladder.

Every HI-AAF control is graded on a five-level maturity ladder. An agent's overall maturity at certification is the lowest level achieved across all required controls in scope. This is deliberately conservative: a chain of trust is no stronger than its weakest link.

Level 1

Ad hoc

Controls exist informally; documentation is incomplete; no consistent review.

Level 2

Documented

Controls are written down; ownership is assigned; review cadence is defined.

Level 3

Operated

Controls are followed in practice; evidence is collected; deviations are tracked.

Level 4

Measured

Control effectiveness is measured against documented thresholds; trends are reported.

Level 5

Continuously Improved

Controls evolve based on incident learning; maturity gains are evidenced over time.