Cloud Operations Maturity Model: A Six-Dimension Self-Assessment
Why Maturity Models Matter Here
In Part 1, we defined the Cloud Operations Gap: the distance between what leadership believes about cloud infrastructure and what's actually running. The natural follow-up question is "how big is our gap?" You need a way to measure it.
That's what the Cloud Operations Maturity Model is for. Not as a vanity metric or a slide for the next board deck, but as a practical tool to figure out where you are, where the worst pain is, and what to fix first.
We built this model by combining data from the HashiCorp 2024 State of Cloud Strategy Survey and the Flexera 2024 State of the Cloud Report, then mapping it against patterns we see across hundreds of organizations using CloudQuery. The result is a four-level model with a six-question self-assessment you can score in under five minutes.
The Four Maturity Levels
Here's the uncomfortable distribution (Reactive 55%, Visible 25%, Governed 12%, Automated 8%): the majority of organizations are clustered at the bottom.
That 55% in Reactive isn't a failure of individual engineers. It's the natural outcome of cloud infrastructure growing faster than operational practices can keep up. Teams are too busy fighting fires to build the systems that would prevent them.
Level 1: Reactive (55% of Organizations)
Reactive teams discover problems after they've already caused damage. A misconfigured security group gets found during an incident. Untagged resources surface when someone finally looks at the bill. Compliance gaps appear during the annual audit scramble.
The defining characteristic: questions about infrastructure state require manual investigation. "How many public S3 buckets do we have?" takes hours or days to answer because nobody has a single inventory that spans all accounts and providers.
At this level, toil dominates. Engineers spend significant portions of their week on repetitive infrastructure tasks - gathering data for reports, manually checking configurations, answering the same questions from security and compliance teams.
Level 2: Visible (25% of Organizations)
Visible teams have some form of inventory, but it's incomplete. Maybe they can see AWS resources but not GCP. Maybe Terraform state files cover 60% of infrastructure but the rest is invisible. They've got dashboards, but the dashboards show different numbers depending on which tool you're looking at.
The jump from Reactive to Visible is the hardest one. It requires admitting that your current tooling isn't giving you the full picture, and committing to building a unified asset inventory as a foundation.
Level 3: Governed (12% of Organizations)
Governed teams have moved from "we can see it" to "we enforce rules about it." Policies are defined as code. Compliance evidence is generated continuously, not compiled before audits. Security posture is measured and tracked over time, not just scanned and forgotten.
The key difference from Visible: governance is proactive, not reactive. Violations are caught at deployment time or shortly after, not weeks later during a review.
Level 4: Automated (8% of Organizations)
Automated teams have closed the loop. Policy violations trigger automatic remediation. Cost anomalies get flagged before the monthly bill. New resources are automatically tagged, classified, and enrolled in the appropriate compliance frameworks. Industry surveys suggest that organizations at this level spend significantly less time on infrastructure toil, with some reporting reductions of more than half.
Only 8% of organizations reach this level. Getting here requires the foundation of the first three levels - you can't automate what you can't see, and you can't auto-remediate without policies to enforce.
The Perception-Reality Gap
Here's what makes self-assessment tricky: maturity signals are misleading.
Having Terraform doesn't make you mature if only 40% of your infrastructure is managed by it. Having a cloud security scanner doesn't make you secure if alerts go to a Slack channel nobody reads. Having a tagging policy doesn't mean you have consistent tags - it means you have a document that describes tags you wish you had.
We see this pattern constantly. A team tells us "we're probably a 3 out of 4 on maturity" and then can't answer "how many EC2 instances are running without the owner tag across all accounts?" That's a Level 1 question. If you can't answer it in under a minute, you're not at Level 3.
The Fortinet 2024 Cloud Security Report found that misconfigurations are the leading cause of cloud security incidents, not sophisticated attacks. Organizations that think they're Governed because they have security tools are often still Reactive because those tools aren't connected to enforcement.
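The "EC2 instances running without the owner tag across all accounts" question is the kind of check a unified inventory should answer with one query. The following Python script is an added example, not code from this post or from CloudQuery: it builds a small constructed inventory in SQLite, shaped like CloudQuery's aws_ec2_instances table (the column names account_id, region, instance_id, state and tags, and every sample row, are assumptions made for the example), and runs the check across all accounts. It also treats an empty owner value and a differently cased "Owner" key as missing, since a tagging policy only counts if the tags are consistent.

```python
import json
import sqlite3

# Constructed sample inventory (invented rows) shaped like CloudQuery's
# aws_ec2_instances table. Tags are stored as a JSON document, as in the
# Postgres destination; here the JSON is kept as TEXT in SQLite.
SAMPLE_INSTANCES = [
    ("111111111111", "us-east-1", "i-0a1", "running", {"owner": "payments", "env": "prod"}),
    ("111111111111", "us-east-1", "i-0a2", "running", {"env": "prod"}),            # no owner tag
    ("111111111111", "eu-west-1", "i-0a3", "running", {"Owner": "platform"}),      # wrong key case
    ("222222222222", "us-west-2", "i-0b1", "running", {"owner": "", "env": "dev"}),  # empty owner
    ("222222222222", "us-west-2", "i-0b2", "running", {"owner": "data", "env": "dev"}),
    ("222222222222", "us-west-2", "i-0b3", "stopped", {"env": "dev"}),            # not running, excluded
    ("333333333333", "ap-south-1", "i-0c1", "running", None),                     # no tags at all
]

# Against a CloudQuery Postgres database the equivalent lookup is tags->>'owner';
# SQLite spells it json_extract(tags, '$.owner'). JSON keys are case-sensitive,
# so an "Owner" tag does NOT satisfy a policy that requires "owner".
QUERY = """
SELECT account_id,
       COUNT(*) AS total,
       SUM(CASE
             WHEN tags IS NULL
               OR json_extract(tags, '$.owner') IS NULL
               OR json_extract(tags, '$.owner') = ''
             THEN 1 ELSE 0 END) AS missing_owner
FROM aws_ec2_instances
WHERE state = 'running'
GROUP BY account_id
ORDER BY account_id
"""


def build_inventory(rows):
    """Load the constructed rows into an in-memory SQLite table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE aws_ec2_instances "
        "(account_id TEXT, region TEXT, instance_id TEXT, state TEXT, tags TEXT)"
    )
    conn.executemany(
        "INSERT INTO aws_ec2_instances VALUES (?, ?, ?, ?, ?)",
        [(a, r, i, s, None if t is None else json.dumps(t)) for a, r, i, s, t in rows],
    )
    return conn


def missing_owner_by_account(conn):
    """Per-account count of running instances and how many lack a usable owner tag."""
    return {
        account: {"total": total, "missing_owner": missing}
        for account, total, missing in conn.execute(QUERY)
    }


def owner_tag_coverage(report):
    """Percentage of running instances (all accounts) that carry a non-empty owner tag."""
    total = sum(v["total"] for v in report.values())
    tagged = total - sum(v["missing_owner"] for v in report.values())
    return round(100.0 * tagged / total, 1) if total else 0.0


if __name__ == "__main__":
    conn = build_inventory(SAMPLE_INSTANCES)
    report = missing_owner_by_account(conn)
    for account, counts in report.items():
        print(f"{account}: {counts['missing_owner']} of {counts['total']} running instances lack an owner tag")
    print(f"owner tag coverage: {owner_tag_coverage(report)}%")
```

Running it on the sample rows reports two of three instances missing an owner in the first account, one of two in the second, and one of one in the third, for 33.3% coverage. The per-account breakdown is what turns a maturity guess into a number you can track quarter over quarter; the coverage percentage is the objective input for the Cost Visibility dimension below.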
The Six-Dimension Self-Assessment
Score each dimension from 1 (no capability) to 5 (fully automated). Your total maps to one of the four maturity levels: 6-12 is Reactive, 13-18 is Visible, 19-24 is Governed, and 25-30 is Automated. Be honest - the value is in accuracy, not in a high score.
1. Inventory Completeness
Can you enumerate every cloud resource, across every account and provider, in under 60 seconds?
2. Security Posture
Are security policies enforced consistently across all resources, regardless of how they were provisioned?
3. Compliance Readiness
Can you produce audit-ready compliance evidence in hours, not weeks?
4. Cost Visibility
Do you know what percentage of cloud spend is attributed to a specific team, service, or project?
5. Automation Coverage
What percentage of infrastructure changes go through automated, reviewed pipelines?
6. Toil Reduction
How much time does your team spend on repetitive, manual infrastructure tasks each week?
What Your Score Doesn't Tell You
A maturity model is a snapshot, not a strategy. Your score tells you where you are but not why you're there or what's blocking progress.
Some common patterns we see:
High Inventory, Low Everything Else: You've built or bought an asset inventory but haven't connected it to security, compliance, or cost workflows. The data exists but it's not actionable. This is the most common pattern at Level 2.
High Automation, Low Compliance: You've invested in IaC and CI/CD but compliance is still a manual process. This usually means the platform team and the GRC team aren't connected. Building continuous compliance on top of your existing automation is often a quick win.
Uniformly Low Scores: Everything is a 1 or 2. Don't try to fix all six dimensions at once. Start with Inventory. You can't improve security posture, cost visibility, or compliance without first knowing what you have. Our quickstart guide can get you from zero to a full inventory in under an hour.
The eBook covers each of these patterns in depth, with step-by-step improvement paths and the specific queries to track your progress.
From Score to Action
Your maturity score is a starting point for a conversation, not an end state to achieve. The goal isn't to hit 30/30 - it's to identify the specific gaps that are costing your team the most time and risk, and close those first.
In the rest of this series, we'll dig into each dimension. Part 3 covers the Hidden Security Tax - the cost of security gaps that aren't showing up in your incident tracker. Part 4 tackles compliance. Part 5 gives you a cloud waste calculator to put a dollar figure on cost visibility gaps.
The first step is always the same: know where you stand. Take the assessment, write down your scores, and revisit them in 90 days. That's how you turn a maturity model from a one-time exercise into an operational improvement tool.
About This Series: This is Part 2 of our 12-part Cloud Operations Playbook series. Each post builds on the previous, covering the gap between what leadership thinks they know about cloud infrastructure and what's actually running.
- Part 2 (This post): Cloud Operations Maturity Model
Want the complete guide? Download the free 67-page eBook.
Go Deeper: Dimension-by-Dimension Improvement Guides
The free 67-page eBook includes a printable scorecard, detailed improvement guides for each of the six dimensions, and SQL queries that objectively measure where you stand.
Start Closing the Gap with CloudQuery
CloudQuery gives you a unified cloud asset inventory across every provider and account - the foundation that every maturity improvement depends on. From there, you can build continuous compliance, track your security posture, and eliminate the manual toil that keeps most teams stuck in Reactive mode. Get started in under an hour with our quickstart guide, or talk to our team about closing the cloud operations gap at your organization.
FAQ
What Is a Cloud Operations Maturity Model?
A Cloud Operations Maturity Model is a scoring framework that measures how well an organization manages its cloud infrastructure across key dimensions like inventory, security, compliance, cost, automation, and toil. It provides a structured way to identify gaps and prioritize improvements, moving from reactive firefighting toward automated, self-healing operations.
How Do I Score My Organization's Cloud Maturity?
Use the six-question self-assessment in this post. Score each dimension (Inventory, Security, Compliance, Cost, Automation, Toil) from 1 to 5, then add the scores. A total of 6-12 indicates Reactive maturity, 13-18 is Visible, 19-24 is Governed, and 25-30 is Automated. Be honest - the value comes from accuracy, not from a high number.
What Percentage of Organizations Are Cloud-Mature?
According to the HashiCorp 2024 State of Cloud Strategy Survey, only 8% of organizations qualify as "highly cloud-mature" (Automated level). 55% are still in Reactive mode, 25% have reached Visible, and 12% operate at the Governed level. Data from the Flexera 2024 State of the Cloud Report corroborates this skewed distribution.
Why Do Teams Overestimate Their Cloud Maturity?
Because maturity signals are misleading. Having Terraform in your stack doesn't mean you're mature if it only manages 40% of your infrastructure. Having a security scanner doesn't mean you're secure if nobody acts on its findings. Teams conflate tool ownership with operational capability, and the gap between the two is usually larger than expected.
Where Should I Start Improving Cloud Maturity?
Start with Inventory (Question 1 in the assessment). You can't improve security posture, cost attribution, or compliance readiness without first knowing what resources exist across all your accounts and providers. A unified cloud asset inventory is the foundation everything else builds on. Our quickstart guide can help you get started.
How Often Should I Reassess Cloud Maturity?
We recommend quarterly reassessments. That cadence is frequent enough to track the impact of specific initiatives but not so frequent that scores fluctuate from noise. Record your per-dimension scores each time - tracking the individual dimensions over time is more useful than watching the aggregate number.
What's the Difference Between Governed and Automated Maturity?
Governed organizations have defined policies and enforce them consistently. Violations are caught and flagged. Automated organizations have closed the loop - violations are not just detected but remediated without human intervention. The difference is between "we found and fixed 50 policy violations this week" and "50 violations were auto-remediated before anyone needed to look at them."
How Does Cloud Maturity Affect Security Risk?
The Fortinet 2024 Cloud Security Report found that misconfigurations are the leading cause of cloud security incidents. Organizations at Reactive maturity discover these misconfigurations after exploitation. Governed and Automated organizations catch them at deploy time or remediate them automatically. Higher maturity directly reduces the window of exposure for configuration-based vulnerabilities.