advanta

Framework / Maturity Stack

Where does your legal function stand on AI?

Five Maturity Bands. Four lenses. One OS Score — and an evidence rule that separates the maturity a function has from the maturity it can defend. A legal-specific model for describing where a legal function stands on AI, and for directing the next investment.

The Maturity Stack of the Legal AI OSDefined in the Legal AI OS framework, methodology v2026.1. Five bands enumerate the journey from no structured AI programme to defensible operating posture: Band 1 Foundational (OS Score 0.0–2.0), Band 2 Operational (OS Score 2.0–2.7), Band 3 Integrated (OS Score 2.7–3.4), Band 4 Optimised (OS Score 3.4–4.2), Band 5 Defensible (OS Score 4.2+). Methodology version v2026.1. A Defensibility Gate marks the threshold between Band 4 (Optimised) and Band 5 (Defensible) — capability under governance.THE MATURITY STACK · LEGAL AI OSV2026.1BAND 1Foundational0.0–2.0BAND 2Operational2.0–2.7BAND 3Integrated2.7–3.4BAND 4Optimised3.4–4.2BAND 5Defensible4.2+DEFENSIBILITY GATECapability under governance — the threshold to Defensible.

What is the Legal AI OS Maturity Stack?

The Legal AI OS Maturity Stack is a structured model for describing where a legal function stands on AI. It is a legal-specific synthesis that organises established governance standards — such as the NIST AI Risk Management Framework and ISO/IEC 42001 — and professional-conduct duties into a single operating model. Five bands — Foundational, Operational, Integrated, Optimised, Defensible — describe the operating state of the function across four lenses: Adoption, Sophistication, Defensibility, and Autonomy. The lens weights of 25 / 25 / 30 / 20 are designed defaults that reflect a legal-sector emphasis on Defensibility; they are a design choice, not an empirically validated weighting. Band placement is expressed as an OS Score on a 1.0 to 5.0 scale, with composite thresholds at 2.0, 2.7, 3.4, and 4.2. The Stack answers two distinct questions: placement (where a function sits) and the band a function can defend with evidence. When the two differ, the defensible band is the lower of them. The Defensible band is a framework-defined assessment outcome that rests on an approved Defensibility Posture Statement. The framework's independent certification and attestation pathway exists within the model but is not currently offered as a service; the Diagnostic returns a placement, not an issued certification.

It does two distinct jobs. First, it places a function — an OS Score maps to a Maturity Band. Second, it identifies the band a function can defend — a separate rule establishes the highest band the function can substantiate with evidence. The two answers are often the same. When they differ, the defensible band is the lower of the two.

Placement vs Certification

The Stack gives two answers, not one.

Placement

Where a function sits — its OS Score, mapped to a band. It answers how far the function has come.

Certification

The band a function can defend with evidence. It answers what the function can stand behind.

The two are often the same. When they diverge, the defensible band is the lower of the two: a function can defend the band it can substantiate, not the band it aspires to. The sections that follow show how each is determined.

On certification

“Certification” here names a framework concept — the band a function can defend with evidence. It is a framework-defined assessment outcome, not a regulatory approval, an industry accreditation, or a legal compliance determination. The independent certification and attestation capabilities the framework defines exist within the model and are not currently offered as part of this service; the Diagnostic returns a placement.

The Four-Lens Model

One band. Four lenses.

Band placement is a weighted average across four lenses. The weighting is a design choice: Defensibility carries the largest share because evidence and accountability are the framework’s organising emphasis.

LensDefault weightWhat it measures

Adoption

25%

How broadly AI is in use across the legal function — tools deployed, training received, integrations live, use cases shipped.

Sophistication

25%

How advanced the use cases and operating model are — policy depth, measurement framework, governance maturity, vendor-scoring rigour.

Defensibility

30%

Whether governance, evidence, and risk controls are board-grade. The highest-weighted lens by design, and the lens that gates certification.

Autonomy

20%

How much agentic or autonomous behaviour is in operation, and how well governed — tier matrix, charter coverage, oversight cadence.

The default weights of 25 / 25 / 30 / 20 are a designed default reflecting a legal-sector operating model — Defensibility is weighted highest by design. They are not an empirically validated weighting, and they may be configured per engagement. Defensibility is the highest-weighted lens and the lens that gates certification; this is an architectural decision about evidence, not a claim about measured value or return.

The Free Baseline Diagnostic surfaces the Adoption and Sophistication lenses alongside the OS Score. Diagnostic Pro and the Executive Diagnostic score all four lenses, including Defensibility — the requirement for a certified band.

How Maturity Is Assessed

Lenses to a score, score to a band.

The OS Score is a weighted average across the four lenses, normalised to a 1.0–5.0 scale. The Diagnostic scores each lens from evidence supplied by the function; the lens scores combine at their default weights to produce the composite OS Score, which maps to a Composite Maturity Band using fixed thresholds.

BandOS Score
Foundational< 2.0
Operational2.0 – 2.7
Integrated2.7 – 3.4
Optimised3.4 – 4.2
Defensible≥ 4.2

This composite is the placement. It answers where the function sits. It is not, on its own, a certification — certification applies the Defensibility gate described next.

Certification Logic

Certification is never higher than placement.

Placement asks where a function sits on the composite OS Score. Certification asks which band the function can defend with evidence. Certification is capped by the Defensibility Lens.

Certification Band

= the lower of:

  1. the Composite Maturity Band — from the OS Score, and
  2. the highest band supported by the Defensibility Lens.
Maturity Certification — placement and certificationA crop of the Legal AI OS Relationship Map showing how the defensible band is determined. The Composite Band gives the Placement Result — where the function sits. The Composite Band also passes through the Defensibility Gate, which is fed by the qualitative Defensibility posture (baseline, established, mature, attested) and, for the Defensible band, the Defensibility Posture Statement. The Gate yields the Certification Band — the lower of the composite band and the band supported by the Defensibility Lens — which gives the Certified Result, what the function can defend. The three diagnostic instruments set the placement depth each can reach: the Free Baseline returns an indicative placement only, the Diagnostic Pro scores the Defensibility Lens for a placement up to Optimised, and the Defensible band rests on a Defensibility Posture Statement — a framework pathway not currently offered as a service. Numeric thresholds are methodology and are not shown.PLACEMENT vs CERTIFICATION · A CROP OF D15placescompositequalifiesattestscertifiesComposite Bandplacement, from the four LensesPlacement Resultwhere the function sitsDefensibility posturebaseline · established · mature · attestedDefensibility GateDefensibility Posture Statementrequired for the Defensible bandCertification Bandthe lower of the twoCertified Resultwhat the function can defendDIAGNOSTIC INSTRUMENTS · CERTIFICATION CEILINGFree Baseline — indicative placement only (no certified band)Diagnostic Pro — certified up to OptimisedExecutive Diagnostic — certified Defensible (via the DPS)
Placement is where a function sits; certification is the band it can defend. The Certification Band is the lower of the two. A crop of the Legal AI OS Relationship Map (D15); numeric thresholds are methodology and are not shown.

A band cannot be certified unless the Defensibility Lens meets the requirement for that band. A function whose composite reads Optimised but whose Defensibility evidence supports only Integrated certifies at Integrated. The composite describes capability; certification describes what that capability can withstand under scrutiny. Certification here is a framework-defined assessment outcome — not a regulatory approval, an industry accreditation, or a legal compliance determination.

Defensibility Thresholds

A rising requirement at every band.

Each band sets a rising minimum on the Defensibility Lens. A band is certifiable only when the function’s Defensibility evidence meets that band’s requirement.

BandDefensibility requirement to certify
FoundationalNone
OperationalA baseline Defensibility posture
IntegratedAn established Defensibility posture
OptimisedA mature Defensibility posture
DefensibleAn attested posture — an approved Defensibility Posture Statement

The precise lens thresholds are part of the Diagnostic methodology and are returned in the Diagnostic output. The public model defines the rule; the Diagnostic applies the cut-points.

Worked Example

When placement and certification diverge.

Composite OS Score3.8→ within the Optimised range. Composite Maturity Band = Optimised (Band 4).
Defensibility Lensqualifies only at the Integrated tier. Highest band supported = Integrated (Band 3).
Certification Bandthe lower of the two = Integrated (Band 3).

The function has the adoption and sophistication of an Optimised programme, but its governance and evidence base substantiates only an Integrated claim — so it certifies at Integrated, not Optimised. The composite reflects how far the function has come; certification reflects what it can defend today. The Diagnostic names the gap: the Defensibility evidence required to move certification up to meet the placement.

Why Defensibility Matters

Defensible is different in kind from Optimised.

Defensibility describes whether a function operates AI with governance, documented evidence, structured risk controls, and named accountability — the posture a board, regulator, auditor, or insurer would expect to see.

It is weighted highest among the lenses by design, and it is the only axis that gates certification. The reason is architectural. Adoption and sophistication describe what a function does; defensibility describes whether it can evidence it. The Stack is built so that the band a function certifies at is a band it can stand behind.

This is why Defensible is different in kind from Optimised. Optimised is a high composite score. Defensible is an evidenced posture: it rests on an approved Defensibility Posture Statement — a framework-defined construct, not an external accreditation. The framework’s independent certification and attestation pathway is not currently offered as a service. Optimised is reached by performance; Defensible is reached by evidence.

Read the Defensibility Standard →

Relationship to the Diagnostic System

The Stack is the model. The Diagnostic is the instrument.

The Diagnostic is the instrument that places a function on the Stack. Three depths return results calibrated to the placement depth each can reach.

DiagnosticWhat it scoresWhat it returns
Free BaselineAdoption + SophisticationAn indicative placement. It does not score Defensibility, so it returns placement only.
Diagnostic ProAll four lenses, including DefensibilityA placement up to Optimised, with the Defensibility Lens scored.
Executive DiagnosticAll four lenses + stakeholder interviews + evidence auditThe Defensibility Posture Statement the framework defines for the Defensible band — a pathway not currently offered as a service.

The Diagnostic outputs a Band placement that anchors the advisory conversation.Find the right Diagnostic →

Place Your Function

Now place your function on the Stack.

The Maturity Stack is the model; the Diagnostic is the instrument. Start with the Free Baseline for an indicative placement, or run the Diagnostic Pro to assess the Defensibility Lens and the band you can defend.