Audrey, the CIO, is reviewing the quarterly AI audit.

The CAIPM governance maturity model describes a progression from informal, unstructured practices to fully automated and optimized enforcement mechanisms. The key indicator in this scenario is the gap between defined policy and enforced control.

The organization has clearly moved beyond Stage 1 (Ad Hoc), as it has centralized accountability and established formal policies such as the "Green List." This indicates that governance structures and standards are in place. However, the enforcement of these policies is still manual and dependent on human behavior, rather than being embedded into technical systems such as network controls or automated compliance checks.

This situation aligns with Stage 3: Established, where organizations have well-defined policies, governance frameworks, and oversight mechanisms, but lack full automation and technical enforcement. At this stage, compliance is often reliant on awareness, training, and manual processes, creating scalability and reliability challenges.

Stage 2 (Foundational) would indicate earlier-stage governance with less formalization. Stage 4 (Optimized) would require automated enforcement, such as blocking unapproved tools through system-level controls and providing measurable assurance of compliance.

CAIPM emphasizes that true maturity is achieved when policies are not only defined but also technically enforced and continuously monitored. The described gap—policy without enforceable control—is a hallmark of the Established stage.

Therefore, the correct answer is Stage 3: Established, as it best reflects a mature governance structure that has not yet achieved automated enforcement.