内容来源：https://blog.n8n.io/ai-maturity-the-5-level-framework/

内容总结：

企业AI成熟度五级模型：从影子IT到全面转型的关键跃迁

最新研究报告提出了一套企业AI成熟度框架，将组织划分为五个发展阶段，并从使用范围、任务复杂度、治理水平和技术基础设施四个维度进行评估。该框架特别指出两个最关键的转型节点——这正是多数企业陷入停滞的"死亡之谷"。

零级：认知阶段（影子AI）
这是最危险的阶段。员工私自使用公共AI服务处理信息检索、文本摘要等简单任务，但管理层对此毫无觉察。企业承担数据泄露、合规风险等全部代价，却无法获得任何战略收益。研究表明，问题不在于企业是否存在"影子AI"，而在于其泛滥程度。

第一次关键转型：从零级到一级（从影子AI到受管控试点）
这本质上是领导力与政策挑战，而非技术难题。企业需要完成三件事：第一，审计员工使用的AI工具与共享数据；第二，提供企业级替代方案而非简单封禁；第三，建立基础治理框架，包括工具注册、使用政策和轻量监控。转型成功的关键在于管理变革——领导者必须将AI定位为战略优先项，而非岗位威胁，通过高层支持和内部标杆改变员工行为。

一级：实验阶段（试点期）
此时AI使用从个人扩展到孤立团队，如营销部门试用内容生成工具、IT部门尝试代码助手。但各试点相互割裂，治理呈被动响应状态，基础设施仅通过企业级SaaS堵住最直接的数据泄露风险。这正是"试点炼狱"的高发区——IDC数据显示88%的AI概念验证无法投入生产。

二级：运行阶段（集成期）
AI首次从新鲜事物转变为实际业务工具。自主智能体工作流在多部门落地，如客服分流、HR流程自动化、发票处理等。关键在于引入"编排层"中间件，将AI模型与企业现有系统（通常为10-20年历史的ERP/CRM平台）打通。摩根大通已实现LLM Suite在20万日常用户中的部署，涵盖450个生产级用例。企业级治理正式建立，包括基于角色的访问控制和自动合规检查。德勤报告显示，达到该阶段的企业可实现26%-55%的生产力提升。

第二次关键转型：从二级到三级（从部门级到企业级）
这是最艰难的跃迁。波士顿咨询研究显示：60%企业是"滞后型"，35%是"扩张型"，仅5%是"未来型"。二级的成功依赖部门级部署，而三级要求跨部门的数据共享与系统协同。这不是技术问题，而是组织问题：治理需从部门政策升级为企业框架，基础设施需实现弹性扩展，文化需从团队推动转为战略驱动。Klarna的教训颇具代表性：其AI客服处理量相当于853名全职员工，但因无法处理复杂问题遭用户投诉，最终被迫引入人工监督。

三级：系统阶段（规模化期）
AI成为关键基础设施——若系统故障将造成业务中断。多智能体系统自主协作，人类监督从审批单个决策转向监控系统绩效。治理实现持续化，自动质量控制系统（如"大模型评审"机制）大规模验证输出。基础设施包含自托管大模型处理敏感数据、向量数据库维持组织记忆、企业级可观测工具追踪每个决策。

四级：变革阶段（AI原生期）
麦肯锡报告显示仅约1%企业达到此水平。AI驱动战略制定，商业模式因AI能力而重塑。自适应智能体生态实现最小化人工干预，治理实现实时动态化，技术栈完全AI原生。联邦学习允许跨部门协作而不集中数据，边缘计算将AI能力推向业务一线。波士顿咨询研究发现，这类"未来型"企业正创造新收入流，重塑行业定位，构建持续扩大的竞争护城河。

关键启示
在每个阶段，技术从未成为真正瓶颈。哈佛商业评论研究指出，阻碍AI规模化的主因不是技术集成或预算，而是组织设计——文化阻力与僵化流程即使在技术先进的公司也会导致项目失败。云安全联盟报告证实，治理成熟度是预测企业AI准备度的最强单一指标。真正取得进展的组织，无一不是在治理、人才准备和流程重塑上投入同样精力，确保AI安全规模化运行。

中文翻译：

以下框架可帮助领导者从五个不同阶段评估其所在组织的AI成熟度。每个层级均从四个维度进行衡量：使用情况（哪些人使用AI及使用范围有多广）、成熟度（AI处理何种类型的任务）、治理（设有何种管控措施与政策）以及基础设施（有何技术基础支撑AI运行）。

下表提供了快速参考概览。后续的叙述将聚焦于组织最常陷入停滞的关键转折阶段。
[图：AI成熟度阶梯——展示0-4层级的五级演进图，其中两个关键转折点（L0到L1、L2到L3）被标记为"鸿沟"。请设计团队制作。]

第0级：认知（"影子AI"阶段）
无论企业领导层是否意识到，大多数企业都存在员工在此层级运作的情况。员工使用个人账户接入公共AI服务，组织对正在使用哪些工具、由谁使用、以及使用了哪些数据毫无可见性。AI的使用仅限于简单的独立任务，例如信息检索、文本摘要和草稿撰写，既无相关政策，也无审计追踪，更未与企业系统集成。
这是最危险的阶段，因为组织承担了采用AI的所有风险（数据泄露、合规风险、不受管控的决策），却未能获得任何战略收益。正如Cyberhaven的研究所示，对大多数企业而言，问题不在于企业内部是否存在影子AI，而在于其规模有多大。

第一个关键转折点：从影子AI到受控试点（第0级到第1级）
从第0级过渡到第1级主要是一个领导力和政策层面的挑战，而非技术问题，这一转变需要满足三个条件：
可见性。组织必须首先了解未经授权使用AI的规模。这意味着要审计员工正在使用哪些工具、他们共享了哪些数据，以及最高风险暴露点在哪里。
受控替代方案。员工之所以使用影子AI，是因为它能提升生产力。如果禁止AI却不提供受控的替代方案，只会使使用行为进一步转入地下。组织需要提供企业级实例，既能带来同等的生产力提升，又能实施适当的数据管控。
基础治理。包括经批准工具的登记册、基本的使用政策以及轻度监控。这些措施在此阶段无需面面俱到，但必须存在。
关键的一点是，这一转变既关乎政策，也关乎变革管理。
员工隐瞒AI的使用，是因为担心AI会被拿走，或者害怕被视为可被替代的人。领导层需要重新构建关于AI采用的叙事，将其定位为战略优先事项，而非对任何人职位的威胁。高管的支持、能够示范AI有效使用的内部倡导者、以及明确传达AI旨在增强而非取代岗位的信息，这些才能将政策公告转化为实际的行为转变。

第1级：试验（试点阶段）
在此层级，AI的使用从零散的个人转向孤立的团队。市场部测试文案生成工具，IT部门尝试代码辅助工具，客户支持部门试点聊天机器人。这些实验是受控的，但各自为政。
AI的成熟度仍然有限。AI处理部门内部的单项任务，但未与其他系统或工作流连接。治理是被动反应式的，通常是事件发生后才制定政策，而非主动设计。基础设施通过企业级SaaS堵住了最直接的数据泄露风险，但与业务系统的深度集成仍然缺失。
陷阱。这正是"试点困境"开始的地方。IDC发现88%的AI概念验证未能进入生产阶段，主要就发生在这个层级。组织运行着有趣的实验，但缺乏将其任何一个投入生产工作流所需的基础设施和治理。每个试点都是独立构建的，从而造成了随时间推移而不断累积的技术债务。AI虽然拥有一位倡导者——通常是中层领导或创新团队——但尚未成为高管层的战略优先事项。

第2级：运营（集成阶段）
第2级是AI从新奇事物转变为业务工具的阶段，也是组织首次获得真实、可衡量的投资回报率的阶段。自主AI工作流被部署到多个业务职能中，例如客户支持分类、HR入职流程自动化、发票处理和异常检测。AI的使用情况得到衡量和追踪。
正是在这个阶段，自主工作流首次出现。AI系统处理跨多个工具和数据源的多步骤任务。对于任何具有重要业务影响的决策，人机回环协议是标准配置。AI负责提议和执行，而人类则在既定的检查点进行审核和批准。
治理在此阶段正式化。实施基于角色的访问控制，以便处理HR数据的AI代理无法访问财务系统，反之亦然。合规检查自动运行，使用日志记录每个代理的操作内容、所访问的数据以及做出的决策。
关键的架构转变在此发生，并且需要引入一个编排层。组织不再将AI部署为独立的聊天界面，而是构建中间件，将AI模型与企业系统连接起来——从传统数据库和采购平台，到工单系统和文档存储库——从而使代理能够在其自身基础设施内获取实时数据、执行操作并维护业务逻辑。
正是在这里，遗留系统集成成为一个真正的障碍。大多数企业的核心运营都在使用了10到20年的ERP和CRM平台上运行，这些平台带有自定义配置、过时的API以及脆弱的集成，它们从未被设计为支持实时AI交互。编排层必须在无需全面重新平台化的情况下弥合这一差距，将现代AI能力与业务实际运行所依赖的系统（而非其理想中希望拥有的系统）连接起来。
实践案例：摩根大通将其LLM套件部署给了20万日活用户，并拥有超过450个生产用例，涵盖运营、风险管理和客户服务。该银行在编排基础设施上的投资——将AI模型在正式治理下连接到内部系统——使其能够实现如此规模的部署，而不是停留在孤立的试点集合。
德勤报告称，达到这一集成阶段的公司实现了26%至55%的生产力提升。然而，这同时也是最艰难转型阶段的开始。

第二个关键转折点：从部门级到企业级AI（第2级到第3级）
这是该框架中最艰难的转型阶段，也是大多数组织停滞不前的阶段。波士顿咨询集团的研究证实了这一挑战的规模：60%的公司是"落后分子"，未能产生实质性的AI价值；35%是"规模扩大者"，仅在局部取得成果；只有5%是"未来型"企业，AI能力已嵌入整个组织。
第2级和第3级之间的差距不是技术问题，而是组织问题。第2级之所以成功，是因为单个团队可以在自己的领域内、使用自己的数据、在自己的监督下部署AI。而第3级则要求根本不同的东西：跨越部门边界运作、共享数据和上下文、并协调规模化行动的AI系统。
这一转型需要在治理（从部门政策到组织级框架）、基础设施（从孤立的集成到有韧性、可扩展的平台）和文化（从团队级的倡导者到领导力驱动的战略）方面进行变革。这两个层级之间的编排鸿沟意义重大，值得进行专门的分析，这将在本系列的下一篇文章中呈现。
实践案例：Klarna部署了一个AI客服代理，其工作量相当于853名全职代理，并预计每年可节省6000万美元。但客户抱怨回答过于笼统，无法处理细微差别的问题，于是该公司重新引入人工监督来处理复杂案例。这恰恰说明了为什么从部门级部署（第2级）到企业级规模化（第3级）的跃升需要的远不止技术。治理、质量框架和劳动力规划必须与AI本身同步扩展。Klarna最初的方案取代了数百个支持岗位，却没有为剩余员工如何处理AI无法处理的复杂问题制定明确计划，随之而来的质量差距正是其直接后果。

第3级：系统化（规模化阶段）
在第3级，AI是关键任务型的，如果AI系统离线，业务将经历严重的运营中断。多智能体系统自主协调复杂任务。不再是单个AI处理一个工作流，而是专门的智能体相互协作：一个智能体负责数据检索，另一个负责分析，第三个负责执行，并由一个编排器进行协调。人工监督从批准单个决策转变为监控系统性能和处理异常情况。
治理持续运作，组织级政策针对偏见、幻觉和对抗性攻击。自动化质量控制体系，例如"LLM作为评判者"的评估，可大规模验证智能体的输出。基础设施变得具有韧性，包括用于处理不能离开组织的敏感数据的自托管LLM、用于长期组织记忆的向量数据库，以及用于监控每个智能体决策以进行调试和性能优化的企业级可观测性工具。
在此层级，领导力驱动AI战略，持续的技能提升计划是标准配置，组织在设计新流程和工作流时遵循"AI优先"的思维。

第4级：变革（AI原生阶段）
目前很少有组织能运作在第4级。麦肯锡报告称，只有约1%的组织认为已实现真正的AI成熟度。这一层级代表了一种战略愿景，被纳入框架是为了指明前进方向，并帮助组织今天做出不会阻碍其未来达到此目标的架构决策。
在此层级，AI驱动战略，商业模式发生转变，以利用AI所实现的能力。自适应智能体生态系统在常规运营中几乎无需人工干预，而人类则专注于战略决策、异常处理和系统改进。治理变得动态且实时，合规实现自动化并持续运行。技术栈是完全AI原生的，联邦学习使得各业务部门能够在无需集中敏感数据的情况下进行协作，边缘计算则将AI能力带到更接近行动点的地方。
对于达到此层级的组织而言，AI从成本优化工具转变为收入引擎。BCG的研究发现，"未来型"公司正在创造新的收入来源，重新定义其行业定位，并构建随时间推移而不断加宽的竞争护城河。

在框架中前进
从一个层级到下一个层级的路径并非纯粹技术性的；每一次转型都需要治理、基础设施和文化变革的不同组合。从第0级到第1级主要是一个领导力决策：审计影子AI的使用情况，提供受控的替代方案，并建立基础政策。从第1级到第2级的转变是一个集成挑战：通过编排层将AI工具连接到企业系统，并正式化人机回环协议，以便自主工作流能在单个部门内可靠运行。最艰难的跨越——从第2级到第3级——是组织层面的而非技术层面的问题；它需要跨职能的数据共享、企业级的治理框架，以及将AI视为核心基础设施（而非部门级实验）的高管支持。达到第4级则要求战略性的重塑，即AI能力从根本上改变商业模式本身。
在每个阶段，一条共同的线索是：技术本身很少成为瓶颈。《哈佛商业评论》关于AI组织障碍的研究发现，区分能够规模化AI的公司和停滞不前的公司的决定性因素，并非集成或预算，而是组织设计：文化、对变革的抵触以及僵化的工作流程，即使在拥有先进工具的公司中也会使计划偏离轨道。云安全联盟的《AI安全与治理状况》报告强化了这一发现，表明治理成熟度是企业AI就绪度最有力的单一预测指标。那些取得进步的组织，是那些在治理、员工就绪度和流程再造方面进行了同等投入，从而使AI能够安全且大规模运行的组织。

下一步是什么
您的组织目前处于哪个位置？确定您当前所处的层级是起点，而非终点。
本系列的下一篇文章将剖析最棘手的问题：您究竟如何跨越第2级与第3级之间（即大多数企业停滞不前之处）的那个编排鸿沟？它将涵盖从取得部门级AI成功到建立可靠、规模化运行的企业级系统所需的具体基础设施、治理和组织变革。

英文来源：

The following framework allows leadership to benchmark their organization across five distinct stages. Each level is assessed across four dimensions: Usage (who is using AI and how broadly), Sophistication (what types of tasks AI handles), Governance (what controls and policies are in place), and Infrastructure (what technical foundations support AI operations).
The table below provides a quick-reference overview. The narrative that follows focuses on the critical transitions where organizations most commonly stall.
[FIGURE: AI Maturity Staircase - Five-level progression diagram showing Levels 0-4 with the two critical transition points (L0-to-L1 and L2-to-L3) highlighted as chasms. Design team to create.]
Level 0: Awareness (The "Shadow AI" Stage)
Most enterprises have employees operating at this level, whether leadership realizes it or not. Individuals use personal accounts on public AI services with no organizational visibility into what tools are being used, by whom, or with what data. Usage is limited to simple, standalone tasks such as information retrieval, text summarization, and draft writing, with no policies, no audit trails, and no integration with enterprise systems.
This is the most dangerous stage, because the organization bears all the risks of AI adoption (data leakage, compliance exposure, ungoverned decision-making) while capturing none of the strategic benefits. As Cyberhaven's research shows, the question for most enterprises is not whether Shadow AI exists within their walls, but how much.
The First Critical Transition: From Shadow AI to Sanctioned Pilots (Level 0 to Level 1)
Moving from Level 0 to Level 1 is primarily a leadership and policy challenge, not a technology one, and the shift requires three things:
Visibility. The organization must first understand the scope of unsanctioned AI usage. This means auditing what tools employees are using, what data they are sharing, and where the highest-risk exposure points are.
Sanctioned alternatives. Employees use Shadow AI because it makes them more productive. Banning AI without providing a sanctioned alternative simply pushes usage further underground. The organization needs enterprise-tier instances that offer the same productivity benefits with appropriate data controls.
Baseline governance. A registry of approved tools, basic usage policies, and light monitoring. These do not need to be comprehensive at this stage, but they need to exist.
Critically, this transition is as much about change management as it is about policy.
Employees hide AI usage because they fear it will be taken away or because they worry about being seen as replaceable. Leadership needs to reframe the narrative on AI adoption as a strategic priority, not a threat to anyone's role. Executive sponsorship, internal champions who can model productive AI use, and clear communication that AI is meant to augment rather than eliminate positions are what turn a policy announcement into an actual shift in behavior.
Level 1: Experimental (The Pilot Stage)
At this level, usage shifts from scattered individuals to isolated teams. Marketing tests a copy-generation tool, IT experiments with code assistance, and customer support pilots a chatbot. These experiments are sanctioned but siloed.
The sophistication remains limited. AI handles individual tasks within a department but does not connect to other systems or workflows. Governance is reactive, written in response to incidents rather than designed proactively. Infrastructure plugs the most immediate data leakage risks through enterprise-tier SaaS, but deep integration with business systems is still missing.
The Trap. This is where "pilot purgatory" begins. IDC's finding that 88% of AI POCs fail to reach production happens primarily at this level. The organization runs interesting experiments but lacks the infrastructure and governance to move any of them into production workflows. Each pilot is built independently, creating technical debt that compounds over time. AI has a champion, usually a mid-level leader or innovation team, but it is not yet a C-suite strategic priority.
Level 2: Operational (The Integration Stage)
Level 2 is where AI transitions from novelty to business tool, and where organizations first capture real, measurable ROI. Agentic AI workflows are deployed across multiple business functions such as customer support triage, HR onboarding automation, invoice processing, and anomaly detection. Usage is measured and tracked.
This is where agentic workflows first appear. AI systems handle multi-step tasks that span multiple tools and data sources. Human-in-the-loop (HITL) protocols are standard for any decisions with meaningful business impact. The AI proposes and executes while a human reviews and approves at defined checkpoints.
Governance formalizes at this stage. Role-Based Access Control (RBAC) is enforced so that an AI agent handling HR data cannot access financial systems, and vice versa. Compliance checks run automatically, and usage logs capture what each agent does, what data it accesses, and what decisions it makes.
The critical architectural shift happens here and requires the introduction of an orchestration layer. Rather than deploying AI as standalone chat interfaces, the organization builds middleware that connects AI models to enterprise systems, from legacy databases and procurement platforms to ticketing systems and document repositories, allowing agents to fetch real-time data, execute actions, and maintain business logic within the organization's own infrastructure.
This is where legacy system integration becomes a real obstacle. Most enterprises run core operations on ERP and CRM platforms that are 10 to 20 years old, with custom configurations, outdated APIs, and fragile integrations that were never designed to support real-time AI interaction. The orchestration layer must bridge that gap without requiring a full replatforming effort, connecting modern AI capabilities to the systems the business actually runs on, not the systems it wishes it had.
In Practice: JPMorgan Chase deployed its LLM Suite across 200,000 daily users with over 450 use cases in production, spanning operations, risk management, and client services. The bank's investment in orchestration infrastructure, connecting AI models to internal systems under formal governance, is what enabled deployment at that scale rather than remaining a collection of isolated pilots.
Deloitte reports that companies achieving this integration stage see 26-55% productivity gains. However, it is also where the hardest transition begins.
The Second Critical Transition: From Departmental to Enterprise-Wide AI (Level 2 to Level 3)
This is the hardest transition in the framework, and the one where most organizations stall. BCG's research confirms the scale of the challenge: 60% of companies are "laggards" generating no material AI value, 35% are "scalers" with pockets of success, and only 5% are "future-built" with AI capabilities embedded across the organization.
The gap between Level 2 and Level 3 is not a technology problem but an organizational one. Level 2 succeeds because individual teams can deploy AI within their own domain, using their own data, under their own oversight. Level 3 requires something fundamentally different: AI systems that operate across departmental boundaries, share data and context, and coordinate actions at scale.
This transition demands changes in governance (from departmental policies to organization-wide frameworks), infrastructure (from standalone integrations to resilient, scalable platforms), and culture (from team-level champions to leadership-driven strategy). The orchestration chasm between these levels is significant enough to deserve its own dedicated analysis, which will follow in the next installment of this series.
In Practice: Klarna deployed an AI customer service agent that handled the equivalent of 853 full-time agents and projected $60M in annual savings. But customers complained about generic answers and an inability to handle nuanced questions, and the company reintroduced human oversight to manage complex cases. This illustrates exactly why the jump from departmental deployment (Level 2) to enterprise-wide scaling (Level 3) demands more than just technology. Governance, quality frameworks, and workforce planning must scale alongside the AI itself. Klarna's initial approach displaced hundreds of support roles without a clear plan for how the remaining staff would handle the complexity that AI could not, and the quality gaps that followed were a direct consequence.
Level 3: Systemic (The Scaling Stage)
At Level 3, AI is mission-critical, and if the AI systems went offline, the business would experience meaningful disruption. Multi-agent systems coordinate complex tasks autonomously. Rather than a single AI handling one workflow, specialized agents collaborate: one agent handles data retrieval, another handles analysis, a third handles execution, and an orchestrator coordinates them. Human oversight shifts from approving individual decisions to monitoring system performance and handling exceptions.
Governance operates continuously where organization-wide policies address bias, hallucination, and adversarial attacks. Automated quality control systems, such as "LLM-as-a-judge" evaluations, verify agent outputs at scale. The infrastructure becomes resilient, including self-hosted LLMs for sensitive data that cannot leave the organization, vector databases for long-term organizational memory, and enterprise-grade observability tools that monitor every agent decision for debugging and performance optimization.
Leadership drives AI strategy at this level, continuous upskilling programs are standard, and the organization thinks "AI-first" when designing new processes and workflows.
Level 4: Transformative (The AI-Native Stage)
Very few organizations operate at Level 4 today. McKinsey reports that only about 1% of organizations feel they have achieved true AI maturity. This level represents a strategic aspiration, included in the framework to show the direction of travel and help organizations make architectural decisions today that will not block them from reaching it in the future.
At this level, AI drives strategy, and the business model shifts to capitalize on capabilities that AI makes possible. Adaptive agent ecosystems operate with minimal human intervention for routine operations, while humans focus on strategic decisions, exception handling, and system improvement. Governance becomes dynamic and real-time, with compliance automated and continuous. The technology stack is fully AI-native, with federated learning enabling collaboration across business units without centralizing sensitive data, and edge computing bringing AI capabilities closer to the point of action.
For the organizations that reach this level, AI transitions from a cost-optimization tool to a revenue engine. BCG's research found that "future-built" companies are creating new revenue streams, redefining their industry positioning, and building competitive moats that widen over time.
Progressing Through the Framework
The path from one level to the next is not purely technical; each transition requires a different combination of governance, infrastructure, and cultural change. Moving from Level 0 to Level 1 is primarily a leadership decision: audit Shadow AI usage, provide sanctioned alternatives, and establish baseline policies. The shift from Level 1 to Level 2 is an integration challenge, connecting AI tools to enterprise systems through an orchestration layer and formalizing human-in-the-loop protocols so that agentic workflows can operate reliably within a single department. The hardest leap, from Level 2 to Level 3, is organizational rather than technical; it requires cross-functional data sharing, enterprise-wide governance frameworks, and executive sponsorship that treats AI as core infrastructure rather than a departmental experiment. Reaching Level 4 demands a strategic reinvention where AI capabilities reshape the business model itself.
At every stage, the common thread is that the technology is rarely the bottleneck. Harvard Business Review's research on organizational barriers to AI found that the dominant factor separating companies that scale AI from those that stall is not integration or budget, but organizational design: culture, resistance to change, and rigid workflows derail initiatives even in companies with advanced tooling. Cloud Security Alliance's State of AI Security and Governance report reinforces this finding, showing that governance maturity is the single strongest predictor of enterprise AI readiness. The organizations that advance are the ones that invest equally in the governance, workforce readiness, and process redesign that allow AI to operate safely and at scale.
What Comes Next
Where does your organization sit today? Identifying your current level is the starting point, not the destination.
The next post in this series breaks down the hardest question: how do you actually cross the orchestration chasm between Level 2 and Level 3, where most enterprises stall? It covers the specific infrastructure, governance, and organizational changes required to move from departmental AI successes to enterprise-wide systems that operate reliably at scale.