Open Standard
Automated Governance Maturity Model (AGMM)
How organizations measure and advance their automated-governance practice — from ad hoc processes to fully automated, continuously verified compliance.
What it is
The Automated Governance Maturity Model (AGMM) is a framework for assessing and improving how organizations approach governance automation. Co-authored within the CNCF community, it defines a progression from manual, document-based governance at one end to continuously automated, machine-verified compliance at the other. The model operates at Gemara Layer 1 — the definition layer — framing how an organization identifies and classifies the risks that governance is meant to address before any specific controls or tools are introduced.
The AGMM gives organizations a shared vocabulary for talking about where they are and where they are going. It describes maturity in terms of observable, measurable practices rather than subjective assessments: not "how mature do you feel?" but "which of these specific capabilities do you have, and how consistently do you apply them?" That precision matters when organizations need to demonstrate governance progress to regulators, auditors, or boards.
Why it matters
Most organizations starting a compliance automation programme face the same problem: they do not know what "done" looks like at any intermediate stage. Full automation is the eventual goal, but it is not achievable in one step, and the steps between here and there are not well defined. Without a maturity model, progress is invisible and every governance initiative looks like an eternal project.
The AGMM solves this by breaking the journey into discrete, verifiable stages. An organization can assess where they sit today, identify the specific practices that would advance them to the next stage, and measure progress in terms that make sense to a board or a regulator. It also makes conversations between GRC, engineering, and executive teams more productive — everyone is using the same map.
Meridian's role
Meridian co-authored the AGMM within the CNCF TAG Security community. Our contribution was grounded in practical experience: the maturity stages in the model reflect the real progression we have observed across organisations at different points in their governance automation journey, from large financial institutions managing decades of legacy process to fintechs building compliance into new pipelines from day one.
The AGMM is governed by CNCF, not Meridian. Like our other open contributions, it exists to serve the industry rather than a single vendor's interests. Meridian uses it as a shared reference point when engaging with prospective customers — it is a useful, neutral tool for understanding where an organisation sits before scoping what Meridian needs to do.
How it connects to the platform
The AGMM informs how Meridian Chancery is configured for a given organisation. Before policy authoring begins, understanding the organisation's current governance maturity determines which controls are realistic to automate immediately and which require process work first. An organisation at an early maturity stage may start with Meridian Chancery pre-seeded with a narrow control catalog and expand as their capability develops. An organisation at a higher stage can move directly to full policy automation across multiple frameworks.
Practically, the AGMM is most relevant at the start of a Meridian engagement. It structures the Proof of Value process — helping Meridian and the customer agree on a shared baseline before deployment, so that ROI can be measured against a defined starting point rather than a vague before-and-after.