ForIT · General Business flavor
IT Maturity Map
Assessed 2026-07-01 · 11 domains × 5 levels
Target 95/100 (+25 to close the gap)
Domain heat strip (current level)
Top 3 gaps — where to invest next
Data Protection & Resilience
Reach L4: RPO/RTO measured against SLA, automated restore drills, immutability enforced, DLP tuned with metrics, DR runbook exercised.
Strategy, Governance & KPIs
Reach L5: Continuous, data-driven strategy with real-time KPI/OKR telemetry; AI assists portfolio prioritisation and scenario planning; governance keeps pace with autonomous delivery.
Identity & Access
Reach L5: Continuous access evaluation, just-in-time elevation, AI anomaly detection auto-revokes risky sessions.
Domains × maturity levels — current state & next move
Strategy, Governance & KPIs
Core ITIT strategy aligned to business objectives, an IT operating model, policies/standards, risk register, and KPIs/reporting to leadership. (Reconciled from the ForIT fractional-CTO framework — Strategy + Governance & KPIs.)
Now — L4 Proactive / Measured
Strategy is outcome/metric-driven with a governed portfolio and risk register; KPIs/OKRs tie IT to business results; investments prioritised on measured value.
Next move
Continuous, data-driven strategy with real-time KPI/OKR telemetry; AI assists portfolio prioritisation and scenario planning; governance keeps pace with autonomous delivery.
Identity & Access
Core ITSSO, MFA, conditional access, joiner/mover/leaver lifecycle, PAM, least-privilege.
Now — L4 Proactive / Measured
Risk-based/adaptive access, access reviews on cadence, PAM for admins, metrics on stale access.
Next move
Continuous access evaluation, just-in-time elevation, AI anomaly detection auto-revokes risky sessions.
Endpoint & Device Management (ITAM)
Core ITMDM (Jamf/Intune), zero-touch enrollment, patch compliance, device trust, asset lifecycle (ITAM).
Now — L4 Proactive / Measured
Patch/compliance SLAs measured, config drift auto-remediated, hardware/OS lifecycle tracked, risk-scored posture gates access.
Next move
Self-healing endpoints, autonomous patch/config remediation, AI predicts device failure and pre-empts it, near-zero manual imaging.
Data Protection & Resilience
Core ITBackup/DR, tested restores, retention, encryption, DLP, immutability.
Now — L3 Defined / Standardized
3-2-1 backups with defined RPO/RTO, restores tested on schedule, immutable/air-gapped copies, DLP policies deployed.
Next move
RPO/RTO measured against SLA, automated restore drills, immutability enforced, DLP tuned with metrics, DR runbook exercised.
Security & Threat Management
Core ITEDR/MDR, SIEM, vuln mgmt, phishing defense, tested incident response.
Now — L4 Proactive / Measured
Threat-informed detections measured (MTTD/MTTR), risk-based vuln remediation, purple-team exercises, SOAR playbooks.
Next move
AI-driven detection & triage, autonomous containment under guardrails, continuous threat hunting, self-tuning detections.
Cloud, Infrastructure & IT Finance
Core ITIaC, cloud posture management, cost governance (FinOps) + license cost-effectiveness, resilience/HA. (IT Finance folded in from the ForIT framework.)
Now — L4 Proactive / Measured
Everything-as-code with policy-as-code guardrails, FinOps with unit economics, license spend optimised on metrics, resilience tested (chaos/failover).
Next move
Self-optimizing infrastructure, AI-driven capacity & cost optimization, autonomous license/right-sizing, near-zero manual provisioning.
Collaboration & Productivity
Core ITM365/Google governance, records/retention, external-sharing control, productivity & business apps.
Now — L4 Proactive / Measured
Adoption & governance measured, auto-expiring guest access, DLP + labels enforced with metrics, lifecycle automation for teams/sites.
Next move
At or above target — sustain.
Network & Connectivity
Core ITSegmentation, ZTNA/SASE, redundancy, monitored performance.
Now — L3 Defined / Standardized
Segmented zones, ZTNA/SASE rollout begun, redundant links, performance monitored with alerting.
Next move
Micro-segmentation, ZTNA/SASE enforced org-wide, SD-WAN with measured performance/SLA, automated failover.
IT Service Management & Operations
Core ITService desk, monitoring/observability, asset/CMDB, runbook automation.
Now — L4 Proactive / Measured
SLAs measured & met, observability (metrics/logs/traces), change success rate tracked, runbook automation, proactive problem management.
Next move
Self-healing operations, AIOps correlates & auto-remediates, agentic resolution of routine tickets under guardrails, predictive incident avoidance.
AI Governance, Risk & Data Readiness
AI EraAcceptable-use policy, data-boundary/DLP for AI, model-risk review, vendor/model inventory, shadow-AI discovery, and data readiness (quality, access control, RAG-ready knowledge base).
Now — L4 Proactive / Measured
AI use inventoried & risk-tiered; shadow-AI discovery running; model-risk & vendor review on cadence; data quality measured; a RAG-ready governed knowledge base; human-in-the-loop controls.
Next move
Continuous AI governance (automated policy enforcement, drift/misuse monitoring); auditable model lifecycle; data readiness continuously scored; governance keeps pace with autonomous agents.
AI-Augmented Operations & Workforce Enablement
AI EraCopilots deployed + adopted, AIOps in the monitoring/triage loop, agentic automation of routine IT work under guardrails, and measured workforce uplift (training program, adoption %, toil reduction). (Training folded in from the ForIT framework.)
Now — L4 Proactive / Measured
AIOps in monitoring/triage/routing loops; measured workforce uplift (adoption %, toil reduction); role-based AI training; automation coverage measured.
Next move
Agentic automation of routine IT work under guardrails; agents execute & remediate; continuously measured productivity uplift; an AI-native operating model.