ComplianceToArchitecture.com
Compliance-to-Architecture™ · 5-Tier Maturity Model

Where do you sit on the maturity model?

Pick your honest tier. Each tier names the artefacts you should have today and the gap to the tier above. ReguNav typically takes a team from L1/L2 to L3/L4 in a quarter.

1. Self-assess: be honest, not aspirational.
2. Pick a target: one tier up is enough.
3. Book a roadmap session: 30 min, free.

5-Tier Maturity Model

The canonical maturity model for Compliance-to-Architecture. Five tiers, scored across six dimensions: control library, evidence capture, crosswalk method, enforcement, audit-pack assembly, and regulator scaling.

  1. L1 · Ad-hoc
     Compliance lives in PDFs and people's heads.

     Characteristics
     • No central control library
     • Evidence collected only for audits, not continuously
     • Each framework treated as a separate project
     • No machine-readable compliance artefacts
     Typical artefacts
     • Spreadsheet control matrices
     • Shared drive folders of PDFs
     • Audit-time scramble

  2. L2 · Documented
     Controls are written down but disconnected from systems.

     Characteristics
     • Central control library exists (often in a GRC tool)
     • Each control has a written description and an owner
     • Crosswalks between frameworks are manual and partial
     • Evidence is still mostly screenshots and tickets
     Typical artefacts
     • GRC tool registers (Drata / Vanta / etc.)
     • Manual crosswalk spreadsheets
     • Quarterly evidence reviews

  3. L3 · Mapped
     Controls are crosswalked and tied to system capabilities.

     Characteristics
     • Every control maps to one or more authority clauses
     • Every control maps to a system capability (architecture)
     • Evidence kinds are defined per control
     • Crosswalks are machine-readable
     Typical artefacts
     • Machine-readable control library
     • Architecture-capability matrix
     • Evidence-kind catalogue

  4. L4 · Enforced
     Policies are enforced at runtime; evidence is captured continuously.

     Characteristics
     • Policy-as-code (Cerbos / OPA / Cedar) enforces controls in production
     • Evidence is emitted as a byproduct of normal operations
     • Drift / staleness alerts wake an on-call engineer, not an auditor
     • Audit packs assemble themselves from the graph
     Typical artefacts
     • Policy bundles in production
     • Continuous evidence pipeline
     • Self-assembling audit packs

  5. L5 · Generative
     Compliance is a derived property — adding a regulation is a config change.

     Characteristics
     • New regulation? Map to existing reusable controls. No code change.
     • New jurisdiction? Compose existing Rule Packs + dictionaries.
     • Audit packs are differential — show only what changed since last cycle
     • Compliance graph is the canonical source of truth for the org
     Typical artefacts
     • Composable Rule Packs
     • Differential audit packs
     • Single-graph SSOT
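The L3 and L4 tiers above describe a data model rather than a product: a machine-readable control library in which every control points at its authority clauses, one system capability and the evidence kinds that prove it; crosswalks derived from that library instead of maintained by hand; staleness alerts raised from evidence timestamps; and audit packs (including the L5 differential variant) assembled from the same graph. The Python below is an added illustration written for this page, not ReguNav's code or schema. The control ids, framework names FW-A/FW-B, clause ids, capability and evidence-kind names, the evidence records and the 90-day freshness window are all constructed.

```python
from datetime import date

# Constructed control library (illustrative only; not ReguNav's schema).
# FW-A/FW-B, clause ids, capability and evidence-kind names are placeholders.
# Each control maps to authority clauses, one system capability, and the
# evidence kinds that prove it: the three L3 artefacts in one structure.
CONTROLS = {
    "CTL-01": {
        "title": "Least-privilege access to production",
        "clauses": {"FW-A": ["A.1", "A.2"], "FW-B": ["B.7"]},
        "capability": "authz.policy-engine",
        "evidence_kinds": ["policy-bundle-hash", "access-review"],
    },
    "CTL-02": {
        "title": "Encryption of data at rest",
        "clauses": {"FW-A": ["A.3"], "FW-B": ["B.9"]},
        "capability": "storage.kms",
        "evidence_kinds": ["kms-key-inventory"],
    },
    "CTL-03": {
        "title": "Centralised audit logging",
        "clauses": {"FW-A": ["A.4"]},
        "capability": "observability.log-pipeline",
        "evidence_kinds": ["log-pipeline-config"],
    },
}

# Constructed evidence records, shaped like what a continuous pipeline (L4)
# emits as a byproduct of deploys and reviews. CTL-03 has none yet.
EVIDENCE = [
    {"control": "CTL-01", "kind": "policy-bundle-hash", "ref": "bundle-42", "captured": date(2025, 5, 20)},
    {"control": "CTL-01", "kind": "policy-bundle-hash", "ref": "bundle-41", "captured": date(2025, 4, 2)},
    {"control": "CTL-01", "kind": "access-review", "ref": "review-q1", "captured": date(2025, 1, 15)},
    {"control": "CTL-02", "kind": "kms-key-inventory", "ref": "kms-inv-2025-05", "captured": date(2025, 5, 28)},
]
TODAY = date(2025, 6, 1)  # constructed "now" so the example is deterministic


def crosswalk(controls, src, dst):
    """Derive a clause-to-clause crosswalk between two frameworks from the controls they share (L3)."""
    out = {}
    for ctl in controls.values():
        for clause in ctl["clauses"].get(src, []):
            out.setdefault(clause, set()).update(ctl["clauses"].get(dst, []))
    return {clause: sorted(targets) for clause, targets in out.items()}


def unmapped_clauses(controls, framework, required):
    """Clauses of a new framework that no existing control covers: the mapping to-do list (L5)."""
    covered = {c for ctl in controls.values() for c in ctl["clauses"].get(framework, [])}
    return sorted(set(required) - covered)


def latest_evidence(evidence):
    """Newest record per (control, evidence kind)."""
    latest = {}
    for rec in evidence:
        key = (rec["control"], rec["kind"])
        if key not in latest or rec["captured"] > latest[key]["captured"]:
            latest[key] = rec
    return latest


def stale_evidence(controls, evidence, today, max_age_days=90):
    """Staleness check (L4): every required evidence kind needs a record newer than max_age_days."""
    latest = latest_evidence(evidence)
    alerts = []
    for cid, ctl in controls.items():
        for kind in ctl["evidence_kinds"]:
            rec = latest.get((cid, kind))
            if rec is None:
                alerts.append((cid, kind, "missing"))
            elif (today - rec["captured"]).days > max_age_days:
                alerts.append((cid, kind, f"stale:{(today - rec['captured']).days}d"))
    return alerts


def assemble_audit_pack(controls, evidence, framework, today, max_age_days=90):
    """Self-assembling audit pack (L4): per clause, the controls behind it, fresh evidence refs, and gaps."""
    latest = latest_evidence(evidence)
    stale = {(c, k) for c, k, _ in stale_evidence(controls, evidence, today, max_age_days)}
    pack = {}
    for cid, ctl in controls.items():
        for clause in ctl["clauses"].get(framework, []):
            entry = pack.setdefault(clause, {"controls": [], "evidence": [], "gaps": []})
            entry["controls"].append(cid)
            for kind in ctl["evidence_kinds"]:
                if (cid, kind) in stale:
                    entry["gaps"].append(f"{cid}/{kind}")
                else:
                    entry["evidence"].append(latest[(cid, kind)]["ref"])
    return pack


def diff_audit_pack(previous, current):
    """Differential pack (L5): only the clauses whose entry changed since the last cycle."""
    return {clause: current[clause] for clause in current if previous.get(clause) != current[clause]}


if __name__ == "__main__":
    print("FW-A -> FW-B crosswalk:", crosswalk(CONTROLS, "FW-A", "FW-B"))
    print("FW-B clauses still unmapped:", unmapped_clauses(CONTROLS, "FW-B", ["B.7", "B.9", "B.12"]))
    print("staleness alerts:", stale_evidence(CONTROLS, EVIDENCE, TODAY))
    print("FW-A audit pack:", assemble_audit_pack(CONTROLS, EVIDENCE, "FW-A", TODAY))
```

The point of the structure is that the crosswalk, the gap list, the staleness alert and the audit pack are all queries over one library rather than separate spreadsheets; the staleness check is what turns "evidence collected for audits" (L1) into an on-call signal (L4), and `unmapped_clauses` is the whole of the work left when a new framework is added by mapping rather than by code (L5).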

Where most organisations sit today

Industry surveys (IAPP, ISACA, ENISA 2024-2026 cohorts) consistently place the median organisation at L2 (Documented). Adopting CtA shifts that ceiling: a team that lands at L2 with conventional GRC tooling can plausibly reach L4 (Enforced) within 12-18 months using the open framework. L5 (Generative) remains the long-term target — only achievable when the compliance graph becomes the canonical org SSOT.

Take the 6-question self-assessment →