← All clients

Planet 9 · Business Aviation flavor

IT Maturity Map

Assessed 2026-07-05 · 18 domains × 5 levels

50/ 100

Target 88/100 (+38 to close the gap)

AI capability is outrunning AI governance

AI capability (AI-Augmented Ops at L4) is running ahead of AI governance (L1). Close the governance gap before scaling autonomous AI ops — capability without governance is unsafe.

Domain heat strip (current level)

3
Strategy
3
Identity
4
Endpoint
2
Data
3
Security
4
Cloud/Fin
4
Collab
3
Network
4
ITSM
1
AI Gov
4
AI Ops
4
Flight Ops
3
Maint/MRO
3
Crew
3
SMS
2
Reg/Retention
3
FBO/OT
2
VIP Privacy
L1 Reactive / Ad-hocL2 Managed / FoundationalL3 Defined / StandardizedL4 Proactive / MeasuredL5 Optimized / Autonomous

Top 3 gaps — where to invest next

#1L2 → L5

Data Protection & Resilience

Reach L3: 3-2-1 backups with defined RPO/RTO, restores tested on schedule, immutable/air-gapped copies, DLP policies deployed.

#2L2 → L5

Charter / VIP Data Confidentiality & Flight-Tracking Privacy

Reach L3: Need-to-know controls on passenger/VIP data with labels & DLP; flight-tracking privacy (LADD/PIA) managed; confidentiality in contracts.

#3L1 → L4

AI Governance, Risk & Data Readiness

Reach L2: Draft acceptable-use guidance; some awareness; a sanctioned tool or two; data ownership emerging but no AI-specific controls.

Domains × maturity levels — current state & next move

Strategy, Governance & KPIs

Core IT

IT strategy aligned to business objectives, an IT operating model, policies/standards, risk register, and KPIs/reporting to leadership. (Reconciled from the ForIT fractional-CTO framework — Strategy + Governance & KPIs.)

1234target5

Now — L3 Defined / Standardized

IT strategy is aligned to business goals and reviewed on a cadence; a policy set + IT operating model are defined; a KPI dashboard reports to leadership.

Next move

Strategy is outcome/metric-driven with a governed portfolio and risk register; KPIs/OKRs tie IT to business results; investments prioritised on measured value.

Identity & Access

Core IT

SSO, MFA, conditional access, joiner/mover/leaver lifecycle, PAM, least-privilege.

1234target5

Now — L3 Defined / Standardized

SSO across core apps, conditional access policies, automated JML from an HR source.

Next move

Risk-based/adaptive access, access reviews on cadence, PAM for admins, metrics on stale access.

Endpoint & Device Management (ITAM)

Core IT

MDM (Jamf/Intune), zero-touch enrollment, patch compliance, device trust, asset lifecycle (ITAM).

EFB iPads (ForeFlight/Jeppesen) enrolled in MDM; cockpit devices held to the same trust posture.

12345target

Now — L4 Proactive / Measured

Patch/compliance SLAs measured, config drift auto-remediated, hardware/OS lifecycle tracked, risk-scored posture gates access.

Next move

Self-healing endpoints, autonomous patch/config remediation, AI predicts device failure and pre-empts it, near-zero manual imaging.

Data Protection & Resilience

Core IT

Backup/DR, tested restores, retention, encryption, DLP, immutability.

Retention meets aviation hold periods for airworthiness, crew, flight & training records.

12345target

Now — L2 Managed / Foundational

Scheduled backups exist, occasional manual restore checks, basic retention, encryption at rest.

Next move

3-2-1 backups with defined RPO/RTO, restores tested on schedule, immutable/air-gapped copies, DLP policies deployed.

Security & Threat Management

Core IT

EDR/MDR, SIEM, vuln mgmt, phishing defense, tested incident response.

12345target

Now — L3 Defined / Standardized

EDR/MDR + SIEM with detection use-cases, vulnerability management with SLAs, phishing simulations, a documented and tested IR plan.

Next move

Threat-informed detections measured (MTTD/MTTR), risk-based vuln remediation, purple-team exercises, SOAR playbooks.

Cloud, Infrastructure & IT Finance

Core IT

IaC, cloud posture management, cost governance (FinOps) + license cost-effectiveness, resilience/HA. (IT Finance folded in from the ForIT framework.)

12345target

Now — L4 Proactive / Measured

Everything-as-code with policy-as-code guardrails, FinOps with unit economics, license spend optimised on metrics, resilience tested (chaos/failover).

Next move

Self-optimizing infrastructure, AI-driven capacity & cost optimization, autonomous license/right-sizing, near-zero manual provisioning.

Collaboration & Productivity

Core IT

M365/Google governance, records/retention, external-sharing control, productivity & business apps.

Flight-doc distribution (ARINCDirect, Flightdocs) governed; ops manuals version-controlled & retained.

1234target5

Now — L4 Proactive / Measured

Adoption & governance measured, auto-expiring guest access, DLP + labels enforced with metrics, lifecycle automation for teams/sites.

Next move

At or above target — sustain.

Network & Connectivity

Core IT

Segmentation, ZTNA/SASE, redundancy, monitored performance.

FBO / hangar / line-station connectivity and OT segmentation are in scope.

1234target5

Now — L3 Defined / Standardized

Segmented zones, ZTNA/SASE rollout begun, redundant links, performance monitored with alerting.

Next move

Micro-segmentation, ZTNA/SASE enforced org-wide, SD-WAN with measured performance/SLA, automated failover.

IT Service Management & Operations

Core IT

Service desk, monitoring/observability, asset/CMDB, runbook automation.

12345target

Now — L4 Proactive / Measured

SLAs measured & met, observability (metrics/logs/traces), change success rate tracked, runbook automation, proactive problem management.

Next move

Self-healing operations, AIOps correlates & auto-remediates, agentic resolution of routine tickets under guardrails, predictive incident avoidance.

AI Governance, Risk & Data Readiness

AI Era

Acceptable-use policy, data-boundary/DLP for AI, model-risk review, vendor/model inventory, shadow-AI discovery, and data readiness (quality, access control, RAG-ready knowledge base).

1234target5

Now — L1 Reactive / Ad-hoc

No AI policy; shadow AI in pockets; corporate data pasted into public tools; no inventory of AI use; data ungoverned and siloed.

Next move

Draft acceptable-use guidance; some awareness; a sanctioned tool or two; data ownership emerging but no AI-specific controls.

AI-Augmented Operations & Workforce Enablement

AI Era

Copilots deployed + adopted, AIOps in the monitoring/triage loop, agentic automation of routine IT work under guardrails, and measured workforce uplift (training program, adoption %, toil reduction). (Training folded in from the ForIT framework.)

Bizav-relevant AI: AIOps for flight-ops uptime; AI safety-report triage (for-sms).

12345target

Now — L4 Proactive / Measured

AIOps in monitoring/triage/routing loops; measured workforce uplift (adoption %, toil reduction); role-based AI training; automation coverage measured.

Next move

Agentic automation of routine IT work under guardrails; agents execute & remediate; continuously measured productivity uplift; an AI-native operating model.

Flight Operations & EFB

Industry

Scheduling/dispatch (FOS, Leon, Flightdocs, ARINCDirect), flight planning, weight & balance, Electronic Flight Bags on managed iPads (ForeFlight/Jeppesen).

12345target

Now — L4 Proactive / Measured

Ops KPIs measured (on-time, dispatch reliability); EFB compliance reported; integrations monitored with alerting; offline-capable EFB tested.

Next move

Self-optimising ops (AI-assisted scheduling/dispatch), predictive disruption management, EFB content pushed & verified autonomously.

Maintenance & Airworthiness IT

Industry

MRO / maintenance tracking (CAMP, Flightdocs, Traxxall), airworthiness records, parts & inventory, AD/SB compliance.

1234target5

Now — L3 Defined / Standardized

Maintenance tracking integrated with ops/scheduling; digital airworthiness records with controlled access; parts inventory managed.

Next move

Predictive/condition-based maintenance metrics; due-list SLAs measured; records audited; parts stock optimised on data.

Crew Records & Training / Currency

Industry

Certs, currency, duty/rest tracking (FAR Part 135 / 117), training records, qualifications. Overlaps for-CrewRecords / AVHR.

1234target5

Now — L3 Defined / Standardized

Currency & duty/rest integrated with scheduling so ineligible crew cannot be assigned; training compliance reported.

Next move

Currency/fatigue risk measured; automated expiry & training reminders; qualification coverage optimised against the schedule.

Safety Management System (SMS)

Industry

Hazard/safety reporting maturity, risk register, SPI tracking, IS-BAO / ARGUS / WYVERN readiness. Directly overlaps for-sms.

12345target

Now — L3 Defined / Standardized

SMS live with hazard register, risk assessment & mitigation tracking, safety KPIs/SPIs; IS-BAO Stage I / ARGUS / WYVERN achieved.

Next move

Predictive safety metrics (SPIs trended), just-culture reporting rates measured, mitigations verified; IS-BAO Stage II+ / audit-ready.

Aviation Regulatory & Data Retention

Industry

FAA Part 91/135, DOT, TSA, IS-BAO audit evidence, and aviation-specific record retention (airworthiness, crew, flight, training).

1234target5

Now — L2 Managed / Foundational

Key regs & audit dates listed; evidence collected per audit; basic retention periods written down.

Next move

Compliance calendar with owners; audit evidence maintained continuously; retention policies applied to aviation records with legal-hold.

FBO / Hangar Site IT & OT

Industry

Remote-site & hangar connectivity, fuel/OT systems, physical security and access control at FBOs and line stations.

1234target5

Now — L3 Defined / Standardized

Site networks segmented from OT; fuel/access/camera systems inventoried & patched; standardised remote-site build.

Next move

Site uptime & OT security measured; OT segmentation enforced & monitored; remote support with SLAs; redundancy at key sites.

Charter / VIP Data Confidentiality & Flight-Tracking Privacy

Industry

Passenger PII, VIP confidentiality, tail-number / flight-tracking privacy (ADS-B blocking, LADD/PIA), need-to-know handling.

12345target

Now — L2 Managed / Foundational

Passenger data access restricted to ops; NDAs in place; LADD/tail-blocking requested; basic handling rules.

Next move

Need-to-know controls on passenger/VIP data with labels & DLP; flight-tracking privacy (LADD/PIA) managed; confidentiality in contracts.