Planet 9 · Business Aviation flavor
IT Maturity Map
Assessed 2026-07-05 · 18 domains × 5 levels
Target 88/100 (+38 to close the gap)
AI capability is outrunning AI governance
AI capability (AI-Augmented Ops at L4) is running ahead of AI governance (L1). Close the governance gap before scaling autonomous AI ops — capability without governance is unsafe.
Domain heat strip (current level)
Top 3 gaps — where to invest next
Data Protection & Resilience
Reach L3: 3-2-1 backups with defined RPO/RTO, restores tested on schedule, immutable/air-gapped copies, DLP policies deployed.
Charter / VIP Data Confidentiality & Flight-Tracking Privacy
Reach L3: Need-to-know controls on passenger/VIP data with labels & DLP; flight-tracking privacy (LADD/PIA) managed; confidentiality in contracts.
AI Governance, Risk & Data Readiness
Reach L2: Draft acceptable-use guidance; some awareness; a sanctioned tool or two; data ownership emerging but no AI-specific controls.
Domains × maturity levels — current state & next move
Strategy, Governance & KPIs
Core ITIT strategy aligned to business objectives, an IT operating model, policies/standards, risk register, and KPIs/reporting to leadership. (Reconciled from the ForIT fractional-CTO framework — Strategy + Governance & KPIs.)
Now — L3 Defined / Standardized
IT strategy is aligned to business goals and reviewed on a cadence; a policy set + IT operating model are defined; a KPI dashboard reports to leadership.
Next move
Strategy is outcome/metric-driven with a governed portfolio and risk register; KPIs/OKRs tie IT to business results; investments prioritised on measured value.
Identity & Access
Core ITSSO, MFA, conditional access, joiner/mover/leaver lifecycle, PAM, least-privilege.
Now — L3 Defined / Standardized
SSO across core apps, conditional access policies, automated JML from an HR source.
Next move
Risk-based/adaptive access, access reviews on cadence, PAM for admins, metrics on stale access.
Endpoint & Device Management (ITAM)
Core ITMDM (Jamf/Intune), zero-touch enrollment, patch compliance, device trust, asset lifecycle (ITAM).
✈ EFB iPads (ForeFlight/Jeppesen) enrolled in MDM; cockpit devices held to the same trust posture.
Now — L4 Proactive / Measured
Patch/compliance SLAs measured, config drift auto-remediated, hardware/OS lifecycle tracked, risk-scored posture gates access.
Next move
Self-healing endpoints, autonomous patch/config remediation, AI predicts device failure and pre-empts it, near-zero manual imaging.
Data Protection & Resilience
Core ITBackup/DR, tested restores, retention, encryption, DLP, immutability.
✈ Retention meets aviation hold periods for airworthiness, crew, flight & training records.
Now — L2 Managed / Foundational
Scheduled backups exist, occasional manual restore checks, basic retention, encryption at rest.
Next move
3-2-1 backups with defined RPO/RTO, restores tested on schedule, immutable/air-gapped copies, DLP policies deployed.
Security & Threat Management
Core ITEDR/MDR, SIEM, vuln mgmt, phishing defense, tested incident response.
Now — L3 Defined / Standardized
EDR/MDR + SIEM with detection use-cases, vulnerability management with SLAs, phishing simulations, a documented and tested IR plan.
Next move
Threat-informed detections measured (MTTD/MTTR), risk-based vuln remediation, purple-team exercises, SOAR playbooks.
Cloud, Infrastructure & IT Finance
Core ITIaC, cloud posture management, cost governance (FinOps) + license cost-effectiveness, resilience/HA. (IT Finance folded in from the ForIT framework.)
Now — L4 Proactive / Measured
Everything-as-code with policy-as-code guardrails, FinOps with unit economics, license spend optimised on metrics, resilience tested (chaos/failover).
Next move
Self-optimizing infrastructure, AI-driven capacity & cost optimization, autonomous license/right-sizing, near-zero manual provisioning.
Collaboration & Productivity
Core ITM365/Google governance, records/retention, external-sharing control, productivity & business apps.
✈ Flight-doc distribution (ARINCDirect, Flightdocs) governed; ops manuals version-controlled & retained.
Now — L4 Proactive / Measured
Adoption & governance measured, auto-expiring guest access, DLP + labels enforced with metrics, lifecycle automation for teams/sites.
Next move
At or above target — sustain.
Network & Connectivity
Core ITSegmentation, ZTNA/SASE, redundancy, monitored performance.
✈ FBO / hangar / line-station connectivity and OT segmentation are in scope.
Now — L3 Defined / Standardized
Segmented zones, ZTNA/SASE rollout begun, redundant links, performance monitored with alerting.
Next move
Micro-segmentation, ZTNA/SASE enforced org-wide, SD-WAN with measured performance/SLA, automated failover.
IT Service Management & Operations
Core ITService desk, monitoring/observability, asset/CMDB, runbook automation.
Now — L4 Proactive / Measured
SLAs measured & met, observability (metrics/logs/traces), change success rate tracked, runbook automation, proactive problem management.
Next move
Self-healing operations, AIOps correlates & auto-remediates, agentic resolution of routine tickets under guardrails, predictive incident avoidance.
AI Governance, Risk & Data Readiness
AI EraAcceptable-use policy, data-boundary/DLP for AI, model-risk review, vendor/model inventory, shadow-AI discovery, and data readiness (quality, access control, RAG-ready knowledge base).
Now — L1 Reactive / Ad-hoc
No AI policy; shadow AI in pockets; corporate data pasted into public tools; no inventory of AI use; data ungoverned and siloed.
Next move
Draft acceptable-use guidance; some awareness; a sanctioned tool or two; data ownership emerging but no AI-specific controls.
AI-Augmented Operations & Workforce Enablement
AI EraCopilots deployed + adopted, AIOps in the monitoring/triage loop, agentic automation of routine IT work under guardrails, and measured workforce uplift (training program, adoption %, toil reduction). (Training folded in from the ForIT framework.)
✈ Bizav-relevant AI: AIOps for flight-ops uptime; AI safety-report triage (for-sms).
Now — L4 Proactive / Measured
AIOps in monitoring/triage/routing loops; measured workforce uplift (adoption %, toil reduction); role-based AI training; automation coverage measured.
Next move
Agentic automation of routine IT work under guardrails; agents execute & remediate; continuously measured productivity uplift; an AI-native operating model.
Flight Operations & EFB
IndustryScheduling/dispatch (FOS, Leon, Flightdocs, ARINCDirect), flight planning, weight & balance, Electronic Flight Bags on managed iPads (ForeFlight/Jeppesen).
Now — L4 Proactive / Measured
Ops KPIs measured (on-time, dispatch reliability); EFB compliance reported; integrations monitored with alerting; offline-capable EFB tested.
Next move
Self-optimising ops (AI-assisted scheduling/dispatch), predictive disruption management, EFB content pushed & verified autonomously.
Maintenance & Airworthiness IT
IndustryMRO / maintenance tracking (CAMP, Flightdocs, Traxxall), airworthiness records, parts & inventory, AD/SB compliance.
Now — L3 Defined / Standardized
Maintenance tracking integrated with ops/scheduling; digital airworthiness records with controlled access; parts inventory managed.
Next move
Predictive/condition-based maintenance metrics; due-list SLAs measured; records audited; parts stock optimised on data.
Crew Records & Training / Currency
IndustryCerts, currency, duty/rest tracking (FAR Part 135 / 117), training records, qualifications. Overlaps for-CrewRecords / AVHR.
Now — L3 Defined / Standardized
Currency & duty/rest integrated with scheduling so ineligible crew cannot be assigned; training compliance reported.
Next move
Currency/fatigue risk measured; automated expiry & training reminders; qualification coverage optimised against the schedule.
Safety Management System (SMS)
IndustryHazard/safety reporting maturity, risk register, SPI tracking, IS-BAO / ARGUS / WYVERN readiness. Directly overlaps for-sms.
Now — L3 Defined / Standardized
SMS live with hazard register, risk assessment & mitigation tracking, safety KPIs/SPIs; IS-BAO Stage I / ARGUS / WYVERN achieved.
Next move
Predictive safety metrics (SPIs trended), just-culture reporting rates measured, mitigations verified; IS-BAO Stage II+ / audit-ready.
Aviation Regulatory & Data Retention
IndustryFAA Part 91/135, DOT, TSA, IS-BAO audit evidence, and aviation-specific record retention (airworthiness, crew, flight, training).
Now — L2 Managed / Foundational
Key regs & audit dates listed; evidence collected per audit; basic retention periods written down.
Next move
Compliance calendar with owners; audit evidence maintained continuously; retention policies applied to aviation records with legal-hold.
FBO / Hangar Site IT & OT
IndustryRemote-site & hangar connectivity, fuel/OT systems, physical security and access control at FBOs and line stations.
Now — L3 Defined / Standardized
Site networks segmented from OT; fuel/access/camera systems inventoried & patched; standardised remote-site build.
Next move
Site uptime & OT security measured; OT segmentation enforced & monitored; remote support with SLAs; redundancy at key sites.
Charter / VIP Data Confidentiality & Flight-Tracking Privacy
IndustryPassenger PII, VIP confidentiality, tail-number / flight-tracking privacy (ADS-B blocking, LADD/PIA), need-to-know handling.
Now — L2 Managed / Foundational
Passenger data access restricted to ops; NDAs in place; LADD/tail-blocking requested; basic handling rules.
Next move
Need-to-know controls on passenger/VIP data with labels & DLP; flight-tracking privacy (LADD/PIA) managed; confidentiality in contracts.