One of the questions that I have been asking myself lately is how to work in the requirements for AI in the SOC-CMM assessment. How do we assess if the implementation of AI in the SOC is mature? Or is it something that we do not need to worry about, and simply focus on the outcomes only?
Currently, the assessment does not really address AI, only the implementation strategy of AI and whether that implementation is aligned internally. Those are the only 2 questions on AI in the 2.4 version of SOC-CMM.
What do you think? Add additional capabilities to the technology and services domain? Embed AI engineering more explicitly into automation engineering? Add AI governance as a separate process? All of the above, none of the above, or something entirely different?