AI Readiness Checklist: 42 Items Your Executive Committee Will Actually Use

A readiness checklist is only useful if it produces a decision. Most published checklists do the opposite: they are vendor-marketing soft-funnel content, designed to make every reader feel they need help. This one is designed to let you walk into your next executive committee meeting with a defensible answer to "are we ready?".

The 42 items below are organized across the same 6 domains as our AI readiness assessment framework: Strategy & Leadership, Data Readiness, Technology & Infrastructure, Organizational Capability, Governance & Risk, and Use-Case Value. Each item is binary (yes / no / partial) so it can be aggregated into a domain score on a 1–3 scale.

How to use the checklist. Score each item once, with the relevant function head present. Aggregate to domain scores. Multiply Strategy and Governance by 1.5x as multipliers (the rest of the work is wasted if either of those scores at floor). Compare your domain scores to the score-9 use cases on your candidate inventory — you are ready for the use cases where every domain scores at least 2; you are at risk on use cases where any domain scores 1.

Time to complete. A serious team can score this in a 90-minute working session. Anything faster is wishful thinking. Anything slower is overthinking.

Domain 1 — Strategy & Leadership Alignment (8 items)

# Item Y / N / Partial
1.1 An executive sponsor has been named for AI initiatives at the C-suite level (CIO, COO, CDO, CFO, or CEO direct report).
1.2 The executive sponsor has a public, written mandate for the AI program — not just a budget line but a stated outcome (FTE redeployed, hours saved, error rate reduced, revenue protected).
1.3 Each candidate AI use case maps to a stated business priority that survives a 12-month horizon shift.
1.4 At least one cross-functional steering committee meets monthly (or more often) to review AI portfolio progress.
1.5 A single-source-of-truth document exists that lists all candidate AI use cases across departments — not just within one function.
1.6 Budget for AI initiatives is allocated per scored use case, not as a lump-sum departmental envelope.
1.7 The board (or board-level committee) has reviewed and approved the AI portfolio scope within the last 12 months.
1.8 A "what we will not build" list exists, naming use cases that have been explicitly deferred with the reasoning documented.

Why item 1.8 matters. The single best signal of strategic seriousness is a written list of rejected ideas. Organizations that cannot produce one are typically pursuing every direction in parallel and committing to none.

Domain 2 — Data Readiness (8 items)

# Item Y / N / Partial
2.1 A data inventory exists for every system that an AI agent might need to read from (CRM, ERP, ticketing, contract repository, document store).
2.2 Read access to systems-of-record (SAP, Salesforce, V-Tiger, custom platforms) has been negotiated for the AI program — not just promised.
2.3 Data quality is knowable (you have a basic profile of completeness, freshness, and outliers) for each system that will feed AI use cases.
2.4 Data lineage is documented for the data that will be used in production AI inference.
2.5 Personal data (employee records, customer PII) is classified per GDPR categories and the classification is enforced in practice.
2.6 Document corpora (contracts, RFPs, internal policies, support tickets) are accessible programmatically — not behind a login portal that requires manual export.
2.7 Italian / EU-localized data fields (CCNL, ISTAT indices, GDPR consent flags, multilingual content) are tagged consistently if you operate in EU jurisdictions.
2.8 A "data quality SLA" or equivalent exists, naming the human owner accountable for data freshness and integrity for each AI-relevant dataset.

Why item 2.6 matters. If your contracts are PDFs in a SharePoint folder and the only way to extract them is a manual export, your contract intelligence agent will not survive contact with reality. Programmatic access is the difference between a pilot and a production system. See our guide on AI document processing for the deeper treatment.

Domain 3 — Technology & Infrastructure (7 items)

# Item Y / N / Partial
3.1 A model-provider relationship exists (OpenAI, Anthropic, Google, Mistral, Azure OpenAI, AWS Bedrock) with billing and usage limits configured.
3.2 An abstraction layer (tool-orchestration fabric, agent orchestration runtime, or equivalent) exists so individual agents do not need bespoke API code per data source.
3.3 Network egress and API access from the production environment to the model provider is permitted by your security and network teams.
3.4 A vector store / embedding infrastructure is provisioned for retrieval-augmented use cases.
3.5 A logging and observability stack is in place that can capture every AI inference (input, output, model used, latency, cost) for audit.
3.6 A secret-management system (Vault, AWS Secrets Manager, equivalent) is used for model API keys — not environment variables in .env files committed to repos.
3.7 A development → staging → production promotion path exists for AI agents, not "edit in production".

Why item 3.5 matters. Without per-inference logging, you cannot run an AI Act audit, you cannot diagnose a quality regression, and you cannot allocate cost to the use case that consumed it. Logging is not optional infrastructure.

Domain 4 — Organizational Capability & Culture (7 items)

# Item Y / N / Partial
4.1 Each AI use case has a designated human reviewer for cases requiring human oversight under the EU AI Act or your internal governance policy.
4.2 The end-user team for each AI use case has had hands-on training (not just a kickoff email) on what the agent does and does not do.
4.3 A "fact correction" feedback loop exists — end users can flag bad outputs and the flag reaches the team that maintains the agent.
4.4 A change-management plan exists for each AI use case beyond launch communications. See our guide on AI change management.
4.5 The internal narrative about AI adoption is honest — i.e., the program does not claim "AI replaces no jobs" if some FTE will, in fact, be reallocated.
4.6 Multilingual support is in scope (IT / FR / EN minimum) if your operations span EU markets.
4.7 At least one internal champion per department actively uses AI tools in their own workflow and can demo benefits to peers.

Why item 4.5 matters. Organizations that lie to themselves about FTE impact end up surprised by passive resistance from the affected teams. Honesty here is not just ethics — it is delivery risk management. See our AI workforce transformation hub for the longer treatment.

Domain 5 — Governance, Ethics & Risk (7 items)

# Item Y / N / Partial
5.1 Each AI use case has been classified by EU AI Act risk level (minimal / limited / high / prohibited).
5.2 An AI impact assessment is on file for any use case classified as high-risk or limited-risk.
5.3 A human-oversight policy is documented for each high-risk use case, naming the function and role accountable for review.
5.4 Model cards or equivalent documentation exist for each production AI agent (model version, training data scope, known failure modes).
5.5 An incident response process is defined for AI failure cases — not just generic IT incident response, but AI-specific (hallucination, drift, jailbreak, data leakage).
5.6 Vendor due diligence has been performed on every external model provider, including data residency and training-data-use clauses.
5.7 An audit trail captures: who approved each AI use case, when, against which risk classification, and on what evidence.

Why item 5.7 matters. Most organizations have items 5.1–5.6 in some form. They fail item 5.7 because the audit trail is verbal — the CISO "approved it in a meeting". Verbal approvals do not survive an external regulatory audit. See our AI compliance checklist 2026 for the full audit-readiness shape.

Domain 6 — Use-Case Value & Delivery Mechanics (5 items)

# Item Y / N / Partial
6.1 Each candidate use case has a one-sentence problem statement, not a paragraph. (If you cannot write it in a sentence, it is two use cases or it is not a use case yet.)
6.2 Each candidate use case has a measurable success metric defined before development starts (FTE reallocated, hours saved, error rate reduced, etc.).
6.3 Each candidate use case has a 4-to-12-week pilot scope defined, with an exit criterion (continue / stop) the executive sponsor has signed off on.
6.4 Each score-9 use case has been classified as build / buy / partner with the reasoning documented in one paragraph.
6.5 Transversal clusters have been identified — i.e., use cases across departments that share the same architectural pattern and could be co-funded as a single agent.

Why item 6.5 matters. A use case that scores 9 in three departments simultaneously (e.g., RAG over document corpus + cross-system check, appearing in Legal, Finance, and Delivery) is a single shared agent with three budget lines, not three competing initiatives. Organizations that miss the cluster pay 3x for the same capability.

Aggregating the score

Add the items per domain. A perfect domain (all yes, no partials) scores 1.0; floor (all no) scores 0.

Strategy   = (Σ yes / 8) × 1.5    [multiplier]
Data       = (Σ yes / 8) × 1.0
Tech       = (Σ yes / 7) × 1.0
Org        = (Σ yes / 7) × 1.0
Governance = (Σ yes / 7) × 1.5    [multiplier]
Use-case   = (Σ yes / 5) × 1.0

Aggregate  = sum(domain scores) / 8 (= max possible 1.0)

Reading the aggregate.

  • 0.85–1.00 — You are ready. Run the assessment, fund the score-9 use cases. The rest is execution.
  • 0.65–0.85 — You are mostly ready. Identify which domain is dragging the score down and fix it before the largest 2–3 use cases enter pilot.
  • 0.40–0.65 — You are not yet ready. Most score-9 use cases will run into a hidden blocker. Focus the next 90 days on the lowest-scoring domain, not on starting AI projects.
  • Below 0.40 — Pause AI initiatives at the executive level. The risk of a high-profile failure damaging future AI funding is greater than the upside of any individual pilot.

The blunt version. If Strategy or Governance scores below 0.5, do not start. Both domains are multipliers — 0 × everything = 0. We have seen organizations with strong data and tech scores fail spectacularly because no executive owned the program. The sequence matters.

What to do with the result

The checklist is the input to the AI readiness assessment, not a substitute for it. Once you have your domain scores, run the full 6-step process described in our AI readiness assessment framework:

  1. Discovery interviews with each function head
  2. Process / system / volume mapping
  3. Candidate use case inventory
  4. Impact-Easy scoring across all candidates
  5. Build vs Buy vs Partner classification on the score-9 shortlist
  6. Transversal cluster detection + 6-month sequenced roadmap

The checklist gates whether you should run the assessment now or fix infrastructure first. Both are legitimate answers. Running the assessment with weak scores produces a roadmap you cannot execute.

Frequently asked questions

How is this checklist different from a vendor's free assessment download?

This checklist asks 42 binary questions that map to a scoring rubric you can defend in front of an auditor. Most vendor downloads ask 8–12 open-ended questions ("how mature is your data strategy?") and produce a CTA to book a meeting. This one is for teams doing the work themselves.

Should every item score "yes" before we start AI initiatives?

No. The aggregate score normalizes for relevance — item 4.6 is irrelevant if you operate in one country, item 2.7 is irrelevant outside the EU. What matters is that no domain scores below 0.5, with extra rigor on the multiplier domains (Strategy, Governance).

How often should we re-run the checklist?

Annually for the full run. Quarterly for actively-improving domains. The checklist is most useful as a delta — "we moved from 0.62 to 0.78 this year" is a more useful narrative than a single point-in-time score.

What if our IT team disputes the data readiness scores?

Use the dispute. Have the IT team and the AI program team each score Domain 2 independently, then compare. Disagreements expose hidden assumptions about data access. The output is usually a small backlog of access gates to open before use cases ship.

Can we use this checklist for a single function instead of the whole organization?

Yes. The 42 items apply at the function level. Score the function as if it were a small enterprise. Most assessments start this way — one function goes first (typically Sales Operations or Customer Success), the framework proves itself, and the rest of the organization adopts it. See our AI sales tools guide for one function-first rollout.

Is this checklist EU-AI-Act-shaped or US-shaped?

Both. Domain 5 is explicitly AI-Act-aware but the framework is jurisdiction-agnostic — replace EU AI Act with NIST AI RMF, ISO 42001, or your local equivalent without changing the structure. See our AI compliance regulation hub for jurisdiction-specific guidance.

Where does generative AI specifically come in?

Most explicitly in Domain 3 (model provider relationships, vector store, observability) and Domain 5 (incident response for hallucinations and drift). Generative is not a separate domain — a generative use case scoring 1 on Domain 5 governance is no more shippable than a classical ML use case with the same problem.

Is there a shorter version of the checklist?

No. A shorter version produces false confidence. 90 minutes for 42 binary items is the price of a defensible budget allocation.

Related reading

Discovered competitors

  • ovaledge.com/blog/what-is-ai-readiness ranks page-1 with a 3-pillar (Why / Who / How) framework + their own checklist. Direct competitor for the keyword ai readiness checklist. Not in prior inventory.
  • knack.com/blog/ai-readiness-framework-assessment-implementation ranks for the Italian-language SERP despite English content. SaaS no-code platform using SEO as a top-of-funnel.
  • secoda.co/glossary/ai-readiness-framework glossary page ranking on both US and IT SERPs. Data-catalog vendor.
  • deltalogix.blog/en/2022/04/20/ai-readiness-index-airi-assess-the-adoption-of-ai-in-your-organization/ references the AIRI test from AI Singapore as an external benchmark — useful for citation but a competitor in the same SERP slice.

The Italian competitor density (deepelse.com, aipia.it, deltalogix.blog) is higher than competitor-map-per-uc.md originally assessed.

Geographic SERP notes

Methodology: Google US-EN and IT-it for "ai readiness checklist" / "checklist AI readiness aziende".

Top-10 differences observed:

  • US SERP for ai readiness checklist is dominated by vendor blogs offering downloadable templates: ovaledge, thinking.inc, athena-solutions, quinnox, and Microsoft's interactive 7-pillar quiz. Featured Snippet trigger is active — informational pages with explicit "checklist" formatting (numbered lists, FAQ, comparison table) win.
  • IT SERP for the Italian variant is sparser. lista controllo AI readiness returns mostly EN-language content (knack, secoda, deltalogix) ranking on Italian queries. Two real Italian-language competitors: deepelse.com (methodology-tilted, 3.2k words) and aipia.it (compliance-tilted, 1.8k words). The Italian SERP is less empty than the prior inventory assumed.
  • Format observation: US top-3 includes downloadable spreadsheet CTAs; IT top-3 leans toward editorial framework explanations without downloads. An Italian version of this checklist with an EU-AI-Act-tagged downloadable could plausibly hit top-3 within 90 days given the format gap.
  • AI Overview eligibility: The US SERP for ai readiness checklist triggers Featured Snippet; the IT SERP does not yet. GEO optimization (FAQ schema, passage-level direct answers, numbered checklist H2s) is high-leverage for the EN version, premature for the IT version.

Sources

  • ovaledge.com/blog/what-is-ai-readiness
  • thinking.inc/en/pillar-pages/ai-readiness-assessment/
  • athena-solutions.com/ai-readiness-assessment-framework/
  • quinnox.com/blogs/ai-readiness-assessment/
  • aipia.it/normativa-ai/valutazione-prontezza-ia/
  • deepelse.com/blog/ai-assessment-guida-completa
  • knack.com/blog/ai-readiness-framework-assessment-implementation/
  • secoda.co/glossary/ai-readiness-framework
  • deltalogix.blog/en/2022/04/20/ai-readiness-index-airi-assess-the-adoption-of-ai-in-your-organization/