Guides

AI readiness checklist

An AI readiness checklist should be a checklist, not an article about one or a PDF behind a form. This is the full list we use, on this page, free.

How to use it

The six dimensions of the AI readiness checklist shown as cards: strategy, data, systems, people, governance, and operations
Six dimensions, five items each. The low dimension is where the work starts.

Score every item 0 (no), 1 (partly or unsure), or 2 (yes, and you could show evidence). That gives each dimension a score out of 10. Don't average them into one number; the per-dimension scores are the information, and the single number hides it.

1. Strategy

  • You can name two or three specific processes where AI would save money or time, with a number attached. Projects that start from "we should be doing AI" die; projects that start from a named bottleneck sometimes live.
  • One named executive owns AI decisions and the AI budget. Unowned initiatives stall the first time two departments disagree.
  • Each candidate use case has a written definition of what "working" means. If success isn't defined before the build, the pilot will be declared a success no matter what it does.
  • Real budget is allocated, not "we'll find the money if the pilot goes well." Production systems cost more than pilots, and the gap is where most projects quietly end.
  • You have a short written list of things you've decided not to use AI for. A company that has ruled nothing out hasn't really decided anything yet.

2. Data

  • For each candidate use case, you know which systems hold the data and who controls access to them. The most common first surprise in our work is that nobody can say where the data actually lives.
  • Someone has checked the accuracy and completeness of that data within the last year. AI trained or grounded on stale, duplicated data automates the errors at scale.
  • The teams who would build or run the AI can get to the data without a months-long access request. Access friction, more than data quality, is what stretches six-week projects into six-month ones.
  • You know which fields are regulated, confidential, or personal before any of them go near a model. Finding this out afterward is how companies end up in incident reviews.
  • You can say where a given record came from and how long you're allowed to keep it. Lineage and retention questions are the first ones auditors ask about AI systems.

3. Systems

  • The systems that would feed or receive AI output have APIs or reliable export paths. If the only way in is a human copying from one screen to another, integration cost dominates everything else.
  • A test environment exists that resembles production. Without one, your first real test of the AI is on live customers.
  • Your identity and access setup can give a system account narrow, least-privilege access. An AI should get the access the work needs and no more, like any new hire; many IT setups can only grant all or nothing.
  • Logging is good enough that you could reconstruct what a system did last Tuesday. When an AI makes a bad call, "we can't tell what happened" is not an acceptable answer.
  • Every system in scope has a named owner who can approve changes to it. Orphaned systems block integrations for months because nobody is authorized to say yes.

4. People

  • You know roughly how your staff already use AI tools, including the unsanctioned ones. They are using them. Banning AI just pushes it onto personal accounts with no rules and no record.
  • At least one person inside the company can technically evaluate a vendor's AI claims. Without one, procurement is negotiating against marketing with nothing on its side of the table.
  • There's a training plan and budget for the people whose daily work would change. Tools that arrive without training get worked around, and the workaround becomes the process.
  • The managers of affected teams know what's coming and have had a say in it. A workflow change imposed from above fails at the first inconvenient edge case.
  • People can flag AI mistakes without it reflecting on them. If reporting an error is punished, you'll learn about AI failures from customers instead of staff.

5. Governance

  • A written AI usage policy exists and the staff it applies to have actually read it. A policy nobody has seen protects nobody, including the company.
  • The policy states where company data may and may not be sent. The clearest and most useful limit on any AI is where it's allowed to send data.
  • There's a defined path for approving a new AI use: who reviews it, against what criteria. Without a path, teams either wait forever or don't ask, and both outcomes are bad.
  • Decisions made with AI assistance can be reconstructed after the fact. Regulators, courts, and your own lawyers will eventually ask how a decision was made.
  • You know which regulations apply to your AI use and one person tracks changes to them. Sector rules and laws like the EU AI Act assign obligations whether or not anyone is watching for them.

6. Operations

  • A named team would monitor and maintain each AI system after go-live. The demo is the cheap part; the value shows up, or doesn't, in year two of running it.
  • When the AI gets something wrong, a defined human process catches and corrects it. Every AI system is wrong sometimes. The escalation path is the difference between an incident and a catastrophe.
  • For any AI product you buy, you know how you'd get your data out and leave. Exit terms are easiest to negotiate before you've signed, and impossible after you depend on the tool.
  • Usage-based AI spend has an owner and a ceiling. Per-token and per-seat costs grow quietly, and unowned spend is the most common budget surprise.
  • The process you want to automate is documented as it actually runs, not as the manual says it runs. A broken process doesn't get better when you automate it; AI just scales the confusion faster.

How to score yourself honestly

Self-assessments fail in predictable ways, and knowing them is most of the defense. Score what exists today, not what's on the roadmap; a data catalog scheduled for next quarter is a 0. Ask the people closest to each item: the data engineer about data, the line manager about people, not the executive sponsor about everything. Treat "I think so" as a 1, and only give a 2 where you could show a document, a log, or a named person. And if every dimension comes back 9 or 10, the likeliest explanation is optimistic scoring, not excellence. So have a second person score it separately and compare; the disagreements are usually where the truth is.

What to do with your result

Read the weakest dimension first, because that's where your first project will fail. A rough guide per dimension: 4 or less means fix foundations before funding any AI build; 5 to 7 means pick one contained use case that avoids your weak spots and use it to build the missing muscle; 8 or more means this dimension isn't your constraint, so look at the others.

Where the weak dimension points at a specific kind of work: low governance scores are the ground covered by AI governance consulting and, if you're building toward a formal framework, the AI compliance framework guide and ISO 42001 checklist. If the risk items are what worry you, that's an AI risk assessment. If nobody owns AI decisions at all (the strategy items), that gap has a job title: fractional chief AI officer. And low operations scores around manual work are often where AI automation pays off first.

If you're about to talk to a consultancy, ours included, bring your scored checklist to the conversation. It makes the first call concrete instead of exploratory, and it lets you test the firm: anyone worth hiring should be able to say which of your weak dimensions they'd verify first and how. One honest caveat about self-scoring: this list reflects what you believe about your organization, and every company we've looked at closely believed at least one thing about its own systems that wasn't true. The paid assessment exists for exactly that gap: our senior team inside your systems for 3–6 weeks, verifying these same dimensions against evidence, at a published fixed price of $20,000 to $80,000.

Questions people ask

Is there a PDF version of this checklist?
The page itself is the full version, nothing held back, and it prints cleanly from your browser if you want it on paper or as a PDF. We deliberately don't gate it behind an email form; a checklist you have to trade your address for isn't free.
What are the pillars of AI readiness?
Different frameworks slice it differently (Microsoft uses seven pillars, Cisco six), but the territory is the same: strategy, data, technology, people, and governance, plus the operational capacity to keep systems running. We use the six dimensions above because they map to what actually breaks in practice, and to what we examine in our paid assessment.
How long does the checklist take to work through?
An hour alone for a rough pass. A half day if you check answers with the people who would actually know, which is the version worth doing. Guessing your way through it in ten minutes produces a score, but not information.
What is the difference between this checklist and an AI readiness assessment?
Who does the verifying. This checklist is self-scored: it reflects what you believe about your own organization, which is useful and sometimes wrong. Our paid assessment is our senior team inside your actual systems for 3–6 weeks, checking the same six dimensions against evidence, at a published fixed price of $20,000 to $80,000.
What score means we're ready for AI?
There's no threshold where a horn sounds. A dimension scoring 8 or more out of 10 is unlikely to be what kills your first project; one scoring 4 or less probably will be. Readiness isn't a grade to pass, it's knowing which of the six is your weakest before you spend money finding out.

Tell us about the work.

A few lines is enough. We read every enquiry ourselves and reply within one business day.