Cube A Cloud

25Questions7Dimensions15 minTime

0 of 24 questions answered0%

Strategy

1.Your organisation has a documented AI strategy that is reviewed at least annually.

1No AI strategy exists.2Informal intent to use AI, not documented.3Strategy document exists but is not actively maintained.4Documented strategy, reviewed annually, linked to business objectives.5Strategy is board-approved, reviewed quarterly, with measurable KPIs.

2.Senior leadership can articulate specific AI use cases and the risks associated with each.

1Leadership is unaware of specific AI use cases.2Leadership knows AI is being used but cannot describe risk.3Leadership is aware of major use cases; risk awareness is partial.4Leadership can articulate use cases and primary risks for each.5Leadership owns a live risk register for AI use cases.

3.AI investments are tied to measurable business outcomes, not just adoption metrics.

1No outcome measurement in place.2Activity metrics (models deployed) tracked, not outcomes.3Outcome metrics defined but not systematically tracked.4Outcome metrics tracked; AI investment decisions reference them.5Outcomes tracked with attribution; underperforming AI systems are retired.

Data

1.Data used to train or prompt AI systems is inventoried, with lineage documented.

1No data inventory exists.2Informal awareness of data sources; no formal documentation.3Key datasets are catalogued but lineage is incomplete.4Inventory and lineage documented for production AI systems.5Full inventory with lineage, quality scores, and consent provenance.

2.Data quality checks run automatically before data is used in AI inference or training.

1No automated quality checks.2Manual spot-checks only.3Automated checks exist for some pipelines.4Automated checks run across all production AI data pipelines.5Checks run automatically; failures block inference and trigger alerts.

3.Personal or sensitive data used in AI systems is subject to documented access controls and retention limits.

1No controls on sensitive data in AI systems.2Controls exist informally but are not documented.3Controls documented for some systems.4Controls documented and enforced across all production AI systems.5Controls automated, audited quarterly, with exception reporting.

4.Your organisation has a process for handling data correction requests when AI decisions are challenged.

1No process exists.2Ad hoc process; handled case by case.3Process documented but not tested.4Process documented, tested, and assigned to a named owner.5Process is automated, logged, and SLA-tracked.

Model Lifecycle

1.AI models in production are versioned and changes are tracked in a model registry.

1No versioning or registry.2Models tracked informally (e.g. in a spreadsheet).3Registry exists for most production models.4All production models versioned in a registry with deployment history.5Registry is the authoritative record; CI/CD enforces registration.

2.There is a documented process for retiring or replacing an AI model when it degrades.

1No retirement process exists.2Models are replaced reactively when failures occur.3Process described informally; no performance thresholds defined.4Process documented with performance thresholds and a named owner.5Thresholds trigger automatic alerts; retirement requires a documented sign-off.

3.Model performance is monitored in production with defined drift detection thresholds.

1No monitoring in place.2Monitoring exists but thresholds are not defined.3Thresholds defined for key models; monitoring is manual.4Automated drift monitoring across all production models.5Drift detection feeds an incident response workflow.

Governance

1.A named individual or team is accountable for AI governance in your organisation.

1No named accountability.2Responsibility shared informally across multiple teams.3A team owns it, but authority is unclear.4A named AI governance owner with defined authority.5AI governance owner with board-level reporting line and a governance charter.

2.AI systems are classified by risk tier before deployment, and higher-risk systems face additional scrutiny.

1No risk classification process.2Informal risk assessment performed ad hoc.3Classification criteria exist but are not consistently applied.4All AI deployments go through documented risk classification.5Classification is mandatory, automated where possible, and audit-logged.

3.Your organisation has an AI incident response plan that has been tested.

1No incident response plan for AI.2Generic IT incident plan applied to AI ad hoc.3AI-specific plan documented but not tested.4AI incident plan documented and tested at least once.5Plan tested annually with tabletop exercises; lessons incorporated.

4.External AI vendors and partners are assessed for governance maturity before procurement.

1No vendor governance assessment.2Commercial due diligence only; governance not assessed.3Governance questions included in RFP/RFI process.4Governance assessment is a procurement gate for AI vendors.5Ongoing assessment post-procurement; non-conformance triggers review.

People

1.Employees who work with AI systems have received training on the system's limits and failure modes.

1No training provided.2General AI literacy training; nothing system-specific.3System-specific training provided at onboarding; not refreshed.4System-specific training refreshed at least annually.5Training is role-differentiated, tested, and recorded in a compliance log.

2.There is a clear mechanism for employees to report concerns about AI system behaviour.

1No reporting mechanism.2Concerns reported through general IT helpdesk.3AI-specific reporting channel exists but is informal.4Named channel, named owner, defined SLA for response.5Channel is anonymous-capable, SLA-tracked, with quarterly trend review.

3.Hiring and performance frameworks include AI governance competencies for relevant roles.

1No AI governance competencies in HR frameworks.2Mentioned informally in some job descriptions.3Competencies defined for technical roles only.4Competencies defined across technical and non-technical roles.5Competencies assessed at hiring, in probation reviews, and annually.

Security

1.AI model weights, training data, and inference endpoints are covered by your security classification policy.

1AI assets are not in scope for security policy.2AI assets handled under general IT security; no specific classification.3Classification defined; not consistently applied.4AI assets classified and protected according to policy.5Classification enforced automatically; exception process documented.

2.Prompt injection and adversarial input risks are assessed for AI systems that handle external or untrusted input.

1No awareness of prompt injection risk.2Awareness exists; no formal assessment.3Assessment done for some systems.4Assessment done for all systems handling external input.5Assessment documented, controls tested, and refresh triggered on model changes.

3.Access to AI system outputs is logged and reviewable by authorised personnel.

1No logging of AI outputs.2Logging exists for some systems.3Logging across all production systems; no review process.4Logging and periodic review process defined.5Logging, automated anomaly detection, and documented review cadence.

Refusal & HITL

1.AI systems in your organisation have documented refusal conditions — defined situations where the system will not proceed.

1No refusal conditions documented.2Refusal conditions discussed but not written down.3Refusal conditions documented for some high-risk systems.4Refusal conditions documented for all production AI systems.5Refusal conditions documented, tested, and reviewed when the system changes.

2.Human-in-the-loop (HITL) checkpoints are defined for high-stakes AI decisions.

1No HITL checkpoints.2HITL applied ad hoc when someone raises a concern.3HITL defined for some high-stakes decisions.4HITL checkpoints defined and enforced for all high-stakes decisions.5HITL checkpoints are in the decision workflow, logged, and auditable.

3.When an AI system refuses or escalates, the reason is recorded and the escalation path is defined.

1Refusals/escalations are not tracked.2Tracked informally; no standard format.3Standard format exists; not consistently applied.4All refusals and escalations logged with reason and outcome.5Logs feed a quarterly governance review; trends drive policy updates.

4.The organisation can demonstrate, with audit evidence, that HITL decisions are made by qualified humans.

1No audit evidence exists.2Evidence available for some decisions; not systematic.3Evidence collected but qualification of reviewers not documented.4Evidence collected; reviewer qualifications documented.5Evidence collected, reviewer qualifications verified, and qualification lapse triggers access revocation.

Answer all 24 remaining questions to see results.

AI Readiness Assessment.