
How to Run an AI Readiness Assessment

A practical guide to assessing AI readiness across 7 governance dimensions. Covers the framework consultants use, scoring methodology, and the 90-day action plan.

By Mudassir Khan, CEO of Cube A Cloud
Figure. Editorial cover: How to Run an AI Readiness Assessment. Sample scorecard: Strategy 3.5, Data 2.8, Model Lifecycle 3.2, Governance 4.0, People 2.5, Security 3.8, Refusal & HITL 3.0. 7 dimensions, 25 questions, 90-day plan.

An AI readiness assessment answers a question that most organisations avoid asking directly: before we deploy more AI, do we have the governance infrastructure to do it safely? The question is uncomfortable because the honest answer is often no. The assessment is valuable because it identifies exactly which gaps exist, in which dimensions, and what would need to change before the answer becomes yes.

Key takeaways

  • Seven dimensions: A comprehensive AI readiness assessment scores an organisation across seven governance dimensions: strategy, data, model lifecycle, governance structure, people, security, and refusal and HITL.
  • 1 to 5 maturity scale: Each dimension is scored on a 1 to 5 maturity scale where 1 is absent, 2 is initial, 3 is developing, 4 is managed, and 5 is leading. A composite score below 2.5 indicates foundational gaps.
  • Evidence-based scoring: Maturity scores are not self-reported estimates. Each score level has a descriptor that specifies what evidence is required to assign it, making the assessment auditable.
  • Action plan output: The primary deliverable is not the scorecard. It is the 90-day action plan: a prioritised set of specific actions for each dimension scoring below 3.0.
  • Readiness is not static: AI readiness degrades as the organisation's AI use expands. A quarterly reassessment cadence is the minimum for organisations deploying in regulated contexts.

Why Most AI Readiness Assessments Produce the Wrong Output

The most common AI readiness assessment produces a traffic-light chart: green for things that are fine, amber for things that need attention, red for urgent gaps. This is visually legible and managerially comfortable. It is also nearly useless for governance purposes.

A traffic-light chart does not tell you what would need to be true for the amber item to turn green. It does not tell you which gaps are prerequisites for others. It does not give a reviewer the evidence they would need to sign off on an AI deployment. It is a snapshot of perception, not a measurement of capability.

A well-designed AI readiness assessment produces three outputs: a per-dimension maturity score with the evidence behind it, a composite score with a confidence interval, and a 90-day action plan that is specific enough to assign to a named owner. The traffic-light chart may appear as a summary, but it is a summary of a measurement, not the measurement itself.

The Seven Dimensions of AI Governance Readiness

Seven governance dimensions: 01 Strategy, 02 Data, 03 Model Lifecycle, 04 Governance, 05 People, 06 Security, 07 Refusal & HITL.
Figure. The seven dimensions of AI readiness span from strategic intent through to the specific HITL controls that govern individual decisions.

Strategy covers whether the organisation has a documented, maintained AI strategy linked to measurable business outcomes. A score of 1 means no strategy exists. A score of 5 means the strategy is board-approved, reviewed quarterly, and includes measurable KPIs for each AI use case.

Data covers whether the data used in AI systems is inventoried, quality-controlled, and subject to documented access controls. Data governance is the most commonly underscored dimension in practice, because organisations that have strong general data management often have not adapted it for AI-specific requirements.

Model lifecycle covers whether AI models are versioned, monitored, and subject to a documented retirement process. The absence of a model registry is the single most common finding in enterprise AI audits.

Governance covers whether accountability is assigned, risk classification is performed before deployment, and incident response has been defined and tested. A governance score of 3 or above is the prerequisite for Tier 3 deployments under a contextual governance framework.

People covers whether the humans who operate AI systems have been trained on their failure modes, have a mechanism for reporting concerns, and are assessed on governance competencies as part of their role. This dimension is frequently treated as a training compliance question, which misses most of what matters.

Security covers whether AI assets are classified under the organisation's security policy, whether adversarial input risks have been assessed, and whether AI outputs are logged and reviewable. Prompt injection is the most commonly unassessed risk in this dimension.

Refusal and HITL covers whether refusal conditions are documented and tested, whether HITL checkpoints are defined and enforced, and whether escalation decisions are logged with the reviewer's name and rationale. This dimension is the operational expression of the contextual governance framework. A score below 2 here means the organisation has no reliable mechanism for preventing harmful AI outputs.

Scoring Methodology: What Each Maturity Level Requires

Each of the 25 questions in the assessment has five maturity descriptors, one per level. Level 1 describes an absence of the capability. Level 5 describes leading practice: the capability is documented, tested, automated where possible, and reviewed on a defined cadence.

The descriptors are evidence-based. Assigning a level 4 to the model lifecycle dimension, for example, requires that all production models are versioned in a registry with deployment history. Saying that models are "generally tracked" is not level 4; it is level 2 at best. This specificity is what makes the scores auditable.

The composite score is the mean of the seven dimension scores. Dimensions with no evidence are scored at 0 and excluded from the mean. A composite score between 1.0 and 2.4 indicates that governance infrastructure is largely absent and that AI deployment should be limited to low-risk, fully reversible use cases. A composite between 2.5 and 3.4 indicates developing capability: adequate for Tier 1 and Tier 2 deployments, not adequate for Tier 3. A score of 3.5 or above indicates managed capability: the programme is in a position to support high-risk deployments with appropriate controls.

How Consultants Structure the Assessment

In a consulting engagement, the AI readiness assessment typically runs over two to three weeks. The first week is document review: the assessor requests the AI strategy, data inventory, model registry, incident response plan, training records, and security classification documentation. The absence of any of these documents is itself a finding.

The second week is stakeholder interviews. The assessor speaks with the AI governance owner, the data protection officer or equivalent, a model owner, a line manager in a function that uses AI, and an end user. The interviews surface gaps between what the documentation says and what the practice is. The most common finding is that controls documented at the policy level are not consistently applied in practice.

The third week is reporting. The assessor scores each dimension against the evidence gathered, not against what interviewees reported. The output is the scorecard, the evidence base, and the 90-day action plan.

ISO/IEC 42001:2023 Section 9.1 requires that organisations "evaluate the performance and effectiveness of the AI management system" using "monitoring, measurement, analysis and evaluation methods." A maturity-scored readiness assessment satisfies this requirement when it is evidence-based and documented.

The 90-Day Action Plan

The 90-day action plan is the primary deliverable. It lists three specific actions for each dimension scoring below 3.0, in order of priority. Each action is written as an imperative: it names what must be done, who is responsible (by role, not by name), and what evidence will demonstrate that the action is complete.

The 90-day frame is not arbitrary. Most governance gaps that score between 1 and 2 can be closed with documented process and policy work, which is achievable in 90 days. Gaps that score 0 or require new tooling will take longer; the action plan flags these as follow-on work beyond the 90-day horizon.

The most important characteristic of the action plan is that it is sequenced. Data governance gaps must be closed before model lifecycle gaps can be fully addressed, because model monitoring depends on data quality infrastructure. Governance structure must be in place before the People dimension can reach score 4, because role definitions and reporting lines come from the governance function. The plan reflects this dependency structure.
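The scoring and sequencing rules above, worked through as an added example (not Cube A Cloud's assessment tool). The function name `assess`, the weakest-first ordering of the plan, the cut-offs at 2.5 and 3.5 for composites that fall between the stated bands, and the combined Tier 3 check are assumptions; the sample scores are the ones shown on the article's cover figure.

```python
from statistics import mean

DIMENSIONS = ("Strategy", "Data", "Model Lifecycle", "Governance",
              "People", "Security", "Refusal & HITL")
# Sequencing dependencies named in the article: the prerequisite comes first.
PREREQS = {"Model Lifecycle": ["Data"], "People": ["Governance"]}
# Scores shown on the article's cover figure.
COVER_SCORES = dict(zip(DIMENSIONS, (3.5, 2.8, 3.2, 4.0, 2.5, 3.8, 3.0)))

def assess(scores):
    """scores maps each dimension to a 1-5 maturity level, or 0 for no evidence."""
    if set(scores) != set(DIMENSIONS):
        raise ValueError("exactly the seven dimensions must be scored")
    if any(s != 0 and not 1 <= s <= 5 for s in scores.values()):
        raise ValueError("scores must be 0 (no evidence) or between 1 and 5")
    # No-evidence dimensions are recorded as 0 but left out of the mean.
    evidenced = [s for s in scores.values() if s > 0]
    composite = mean(evidenced) if evidenced else None
    # Band cut-offs at 2.5 and 3.5 (assumed for values between the stated ranges).
    if composite is None:
        band = "no evidence"
    elif composite < 2.5:
        band = "foundational gaps"
    elif composite < 3.5:
        band = "developing"
    else:
        band = "managed"
    # 90-day plan: evidenced dimensions below 3.0, weakest first (assumed
    # priority rule), with a flagged prerequisite pulled ahead of its dependant.
    flagged = sorted((d for d in DIMENSIONS if 0 < scores[d] < 3.0), key=scores.get)
    plan = []

    def visit(dim):
        if dim in plan:
            return
        for pre in PREREQS.get(dim, []):
            if pre in flagged:
                visit(pre)
        plan.append(dim)

    for dim in flagged:
        visit(dim)
    return {
        "composite": None if composite is None else round(composite, 2),
        "band": band,
        "plan_90_day": plan,
        # Score-0 gaps are follow-on work beyond the 90-day horizon.
        "follow_on": [d for d in DIMENSIONS if scores[d] == 0],
        # Tier 3 needs a managed composite and Governance at 3 or above.
        "tier3_ready": band == "managed" and scores["Governance"] >= 3,
    }
```

Calling `assess(COVER_SCORES)` places the cover-figure organisation in the developing band with People and Data in the 90-day plan.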

For organisations running the assessment independently, the AI Readiness Assessment tool produces a scored maturity profile and a 90-day action plan automatically, based on responses to 25 questions across the seven dimensions. It does not replace a formal consulting engagement for regulated contexts, but it is a reliable starting point for organisations that need to understand where they stand before committing to a formal programme.

When to Run the Assessment

The assessment should run before any new AI deployment is approved for production. It should run again when the organisation's AI footprint materially changes: when a new general-purpose model is deployed, when a use case moves from internal to external audiences, or when the regulatory environment changes. In regulated industries, an annual readiness assessment is a reasonable minimum; quarterly is better practice.

Organisations that have never run a formal assessment often discover that their governance posture is less mature than they assumed. This is not a failure; it is the point of the assessment. The gap between assumed maturity and evidenced maturity is the governance liability that the assessment exists to surface.

Frequently asked

Questions that surface often.

What is an AI readiness assessment?

An AI readiness assessment is a structured evaluation of an organisation's capability to deploy, govern, and sustain AI systems responsibly. It scores the organisation across governance dimensions — typically strategy, data, model lifecycle, governance structure, people, security, and human oversight — and identifies the gaps that must be addressed before AI deployment is expanded.

How do consultants assess AI readiness in businesses?

AI readiness consultants typically use a maturity framework that scores each governance dimension on a 1–5 scale: 1 being absent, 5 being leading practice. They gather evidence through document review, stakeholder interviews, and system inspections. The output is a per-dimension maturity score, a composite score, and a prioritised action plan.

What are the 7 dimensions of an AI readiness assessment?

The seven dimensions are Strategy (is AI aligned to business objectives?), Data (is data inventoried and quality-controlled?), Model Lifecycle (are models versioned and monitored?), Governance (are accountability and risk classification in place?), People (are training and reporting mechanisms defined?), Security (are AI assets protected from adversarial risks?), and Refusal and HITL (are refusal conditions and human oversight checkpoints defined and enforced?).

What is an AI readiness assessment framework?

An AI readiness assessment framework is the set of dimensions, scoring criteria, and maturity descriptors used to evaluate governance capability. NIST AI RMF and ISO/IEC 42001 both describe governance requirements that can be operationalised into a readiness framework. The framework used by Cube A Cloud covers 7 dimensions and 25 questions.

What score indicates an organisation is ready to deploy AI?

There is no universal pass/fail threshold, but organisations with a composite score below 2.5 should address foundational gaps before expanding AI deployment. A score of 3.0 or above across all dimensions indicates that basic governance infrastructure is in place. Scores above 4.0 indicate a mature programme that can support high-risk AI deployments.

Writer

Mudassir Khan

CEO of Cube A Cloud

Writes on decision systems, AI governance, and the operational mechanics of bounded AI in regulated environments.
