This paper addresses the conceptual conflation of “oversight” and “control” in AI safety governance, systematically distinguishing their distinct objectives, operational mechanisms, and temporal scopes. Through a critical cross-disciplinary literature review—and integrating insights from Responsible AI maturity models and risk governance theory—it develops a theoretically rigorous yet policy-actionable analytical framework, introducing the first AI Oversight Maturity Model (AI-OMM). The model identifies critical boundary conditions for oversight failure and establishes a structured, conditional system for assessing the feasibility of meaningful human oversight. Key contributions include: (1) clarifying the normative distinction between oversight and control; (2) diagnosing design gaps and contextual limitations in current oversight mechanisms; and (3) providing regulators, auditors, and developers with a practical tool to evaluate oversight effectiveness, detect capability gaps, and guide technical alignment with governance requirements.

Oversight and control (collectively, supervision) are often invoked as key levers for ensuring that AI systems are accountable, reliable, and able to fulfill governance and management requirements. However, the concepts are frequently conflated or insufficiently distinguished in academic and policy discourse, undermining efforts to design or evaluate systems that should remain under meaningful human supervision. This paper undertakes a targeted critical review of literature on supervision outside of AI, along with a brief summary of past work on the topic related to AI. We then differentiate control as being ex-ante or real-time, and operational rather than policy or governance. In contrast, oversight is either a policy and governance function, or is ex-post. We suggest that control aims to prevent failures. In contrast, oversight often focuses on detection, remediation, or incentives for future prevention; all preventative oversight strategies nonetheless necessitate control. Building on this foundation, we make three contributions. First, we propose a theoretically-informed yet policy-grounded framework that articulates the conditions under which each mechanism is possible, where they fall short, and what is required to make them meaningful in practice. Second, we outline how supervision methods should be documented and integrated into risk management, and drawing on the Microsoft Responsible AI Maturity Model, we outline a maturity model for AI supervision. Third, we explicitly highlight some boundaries of these mechanisms, including where they apply, where they fail, and where it is clear that no existing methods suffice. This foregrounds the question of whether meaningful supervision is possible in a given deployment context, and can support regulators, auditors, and practitioners in identifying both present limitations and the need for new conceptual and technical advances.