Cardinal AI Systems · Proprietary Framework
Cardinal AI Governance Maturity Model for Legal
CAGML v1.0 · © 2026 Cardinal AI Systems · Whitehall Strategic Alliance Ltd
Intellectual Property: This framework is the proprietary IP of Cardinal AI Systems. Licensed for use by client organisations under engagement terms.
The only maturity model built specifically for law firms navigating AI governance in 2026.

The CAGML maps AI governance capability across six domains from Level 0 (Unaware) to Level 4 (Autonomous Governance). It provides law firms with a shared language, a measurable baseline, and a clear roadmap for governance maturity. Most firms operating in 2026 sit at Level 0–1. The regulatory expectation for EU AI Act and SRA compliance is Level 2 by August 2026 and Level 3 by December 2026. This framework is the lens through which all Cardinal AI Systems governance engagements are measured and reported.

Maturity levels: 0 — Unaware · 1 — Reactive · 2 — Defined · 3 — Managed · 4 — Autonomous

Domain 1 — Policy & Compliance
  Level 0 — Unaware: No AI policy exists. AI use is entirely ungoverned. No awareness of SRA or EU AI Act obligations.
  Level 1 — Reactive: Basic AI policy drafted but not implemented. Fee earners unaware of obligations. Policy not reviewed against SRA guidance.
  Level 2 — Defined: AI Acceptable Use Policy implemented, SRA-aligned, EU AI Act referenced. Mandatory training delivered. Annual review scheduled.
  Level 3 — Managed: Comprehensive policy suite — AUP, governance charter, incident response, disclosure protocol. Quarterly review. Board-level accountability.
  Level 4 — Autonomous: Policy suite auto-updates with regulatory changes. Real-time compliance monitoring. Automated policy breach detection and escalation.

Domain 2 — Tool Management & Procurement
  Level 0 — Unaware: Fee earners using any AI tool without approval. No inventory. No vendor assessment. Shadow AI widespread.
  Level 1 — Reactive: Informal approval process. Some tools logged. DPAs incomplete. Shadow AI partially identified but not controlled.
  Level 2 — Defined: Formal AI tool register (Approved / Conditional / Rejected). DPAs executed. Vendor due diligence questionnaire deployed. Shadow AI policy enforced.
  Level 3 — Managed: Full EU AI Act risk classification for all tools. Provider documentation (Art 11, Art 47) obtained. Ongoing vendor monitoring. Quarterly tool register review.
  Level 4 — Autonomous: Automated vendor monitoring with real-time alerts on changes to terms, security posture, or regulatory status. AI tool lifecycle management system.

Domain 3 — Data Governance
  Level 0 — Unaware: Client data input into AI tools without controls. No DPIA. No data classification. Model training risk unassessed.
  Level 1 — Reactive: Basic data handling guidance issued. DPIAs initiated but incomplete. Some data classification in place.
  Level 2 — Defined: DPIAs completed for all AI tools. Data classification policy implemented. AI output retention policy. Model training prohibition clauses in all DPAs.
  Level 3 — Managed: Data flows fully mapped for all AI integrations. Real-time monitoring of data access. Automated DPIA trigger on new tool adoption. Quarterly data audit.
  Level 4 — Autonomous: AI-powered data governance. Automated detection of sensitive data entry into AI tools. Real-time DPA compliance verification. Continuous data flow monitoring.

Domain 4 — Human Oversight & Supervision
  Level 0 — Unaware: AI outputs used directly without review. No verification protocol. No hallucination awareness. Supervising partner unaware of AI use on matters.
  Level 1 — Reactive: Informal expectation of review. No documented protocol. Verification inconsistent. Agentic AI supervision not considered.
  Level 2 — Defined: Mandatory AI output verification checklist. Role-based oversight requirements. Agentic AI supervision framework deployed. Human-in-the-loop checkpoints defined by task type.
  Level 3 — Managed: Matter-level AI use logs maintained. Supervision documented on all AI-assisted work. Audit trail available for regulatory inspection. Incident log in place.
  Level 4 — Autonomous: Automated oversight system flags AI outputs requiring human review before use. Real-time matter-level AI audit trail. Predictive risk scoring on AI output quality.

Domain 5 — Client Transparency
  Level 0 — Unaware: No client disclosure. AI use on matters not disclosed. Engagement letters silent on AI. Clients have no knowledge of AI use.
  Level 1 — Reactive: Informal disclosure at fee earner discretion. No standard language. No consent mechanism for sensitive matters.
  Level 2 — Defined: AI disclosure clause in all engagement letters. Client-facing AI use statement available. Matter-level AI log maintained. Consent workflow for sensitive matter types.
  Level 3 — Managed: Proactive AI governance reporting to key clients. AI use included in matter reporting. Client-specific AI use preferences accommodated. Annual transparency report.
  Level 4 — Autonomous: Real-time client-accessible AI use dashboard per matter. Automated consent management. AI governance as competitive differentiator in business development.

Domain 6 — Incident & Audit Readiness
  Level 0 — Unaware: No incident reporting. No awareness of SRA/ICO notification thresholds. No audit trail for AI use. Not prepared for regulatory inspection.
  Level 1 — Reactive: Basic incident log started. SRA notification thresholds partially understood. Audit trail incomplete.
  Level 2 — Defined: AI incident reporting template deployed. SRA/ICO notification thresholds documented and trained. AI audit trail maintained. Quarterly incident review.
  Level 3 — Managed: Real-time incident detection and escalation. Full audit trail for regulatory inspection. Annual governance audit. Board reporting on AI incidents. Post-incident review process.
  Level 4 — Autonomous: Predictive incident detection using AI. Automated regulatory notification system. Continuous audit readiness. AI governance audit available on-demand for regulators and clients.
What Each Level Looks Like In Practice
Level 0 — Unaware
  • No AI policy document exists
  • Fee earners using personal AI accounts on client matters
  • No one knows which AI tools are in use
  • EU AI Act never discussed at management level
  • No DPAs with any AI vendor
Level 1 — Reactive
  • Policy drafted after an incident or regulator prompt
  • Some tools approved informally
  • Training delivered once, not ongoing
  • EU AI Act on the radar but no action taken
  • DPAs started but incomplete
Level 2 — Defined
  • AI Acceptable Use Policy live and trained
  • AI tool register published and maintained
  • DPAs executed with all AI vendors
  • EU AI Act compliance programme underway
  • Client disclosure clauses in engagement letters
Level 3 — Managed
  • Full governance programme operational
  • Matter-level AI audit trails maintained
  • Board reporting on AI governance quarterly
  • Incident reporting system active
  • EU AI Act fully compliant
Level 4 — Autonomous
  • AI governs AI — automated compliance monitoring
  • Real-time audit trail available on-demand
  • Governance as competitive differentiator
  • Clients request firm's governance model
  • Regulatory inspection readiness: always-on
Quick Self-Assessment
Rate your firm from Level 0 to Level 4 in each of the six domains (Policy & Compliance; Tool Management; Data Governance; Human Oversight; Client Transparency; Incident & Audit). The overall CAGML score is the total across the six domains, out of a maximum of 24, and maps to an overall maturity level with recommended next steps.
Ronke Jegede · Cardinal AI Systems · AI Governance Architect for UK Law Firms