What's new in v1.7 — owner-locked 2026-04-29
HCSM v1.7
13 dimensions, 9 hive-types, 7 axes, 6 levels — signed-score scoring with cohort-comparability and 26 anti-gaming clauses, cross-walked to ISO 27001:2022, NIST CSF 2.0, EU AI Act, GDPR, CMMI v2.0, SPACE, and MLOps maturity.
HCSM is a structured maturity model that scores agentic-software-development practices on evidence — not narrative. It distinguishes hindering practice from genuine craft, prevents cohort-laundering across different hive shapes, and is cross-walked to the major external frameworks your auditors already know.
Grouped into four areas: Operational, Knowledge, Risk, and (new in v1.7) Outcome.
D1 · Group A Operational
Versioning & Reproducibility
Reproducible builds, prompt/code/model version-pinning, deterministic re-runs, and artifact lineage.
D2 · Group A Operational
Run-level traces, agent invocation logs, cost / latency / quality metrics, and live drift signals.
D3 · Group A Operational
Automated test gates, prompt regression suites, eval-on-commit, and merge protections.
D4 · Group A Operational
Progressive rollout, blue/green or canary release, rollback playbooks, and deployment audit trails.
D5 · Group B Knowledge
KB section discipline, lessons capture, deprecation hygiene, and read-tracking discipline.
D6 · Group B Knowledge
Retrieval quality, grounding traceability, citation discipline, and hallucination-control evidence.
D7 · Group B Knowledge
Stakeholder onboarding, agent-orientation paths, role-based training, and pedagogy evidence.
D8 · Group C Risk
Secret hygiene, supply-chain security, agent permission scoping, and hardening drift detection.
D9 · Group C Risk
GDPR, EU AI Act, sector-specific regimes, jurisdiction-obligation registry, and DPIA evidence.
D10 · Group C Risk
Active risk register, scheduled red-team exercises, tabletop simulations, and post-mortem feedback.
D11 · Group C Risk
Public AI-disclosure artifacts, decision-explainability, model cards, and use-case transparency.
D12 · Group D Outcome
Stakeholder-acknowledged acceptance of deliverables, signed sign-offs, and rejection-rate tracking.
D13 · Group D Outcome
Customer-impact metrics, business-value tracking, stakeholder feedback loops, and outcome-based KPIs.
A practice cannot claim a level its weakest group does not yet support. Group-floors enforce minimum coverage so that L4 actually means something at audit time.
Group A
Day-to-day discipline of running an agentic-software-development practice — the engineering hygiene that keeps the hive accountable, repeatable, and recoverable.
L4 group-floor required to claim L4+ overall
Group B
How the hive captures, validates, and propagates knowledge across humans and agents — KB curation, lessons, retrievability, and onboarding semantics.
L3 group-floor required to claim L4+ overall
Group C
How the hive manages security, regulatory, ethical, and operational risk — drift, red-teaming, jurisdictional obligations, and AI disclosure.
L4 group-floor required to claim L4+ overall
Group D
New v1.7 group — outcomes the practice produces for stakeholders: deliverable acceptance, customer feedback loops, business-level impact.
L3 group-floor required to claim L4+ overall
Walk through the scoring methodology, including the signed-score scale, blocker classes, and cohort-tier visibility rules.