innovationterms
Guide · 10 min read Guide

AI Readiness Assessment: What to Fix Before You Deploy AI

A gold prize rosette ribbon reading "AI READY" pinned to a small rowboat that is sinking into the water.

Most AI readiness checks stop at maturity scoring. Assess workflows, data, governance, and talent before you build, buy, pilot, or wait.

A mid-market operations team runs the vendor quiz, scores 3.8 out of 5, and calls itself AI-ready. Six weeks later the pilot stalls. The workflow it tried to automate was never written down. Nobody could approve what the agent did once it touched a customer record. The score was real. The readiness never was.

An AI readiness assessment is the evaluation that decides whether a specific workflow can safely absorb AI now, needs redesign first, or should wait. As of late 2025, McKinsey's State of AI research found that 88% of organizations reported regular AI use, yet only 39% saw any enterprise-wide EBIT impact, and for most that impact stayed under 5%. The gap is not model quality. It is the operating conditions underneath the model.

Most assessments stop at a maturity label. This guide runs the assessment as a narrowing decision path: scope one workflow, clear the scorecard illusions, then walk the blockers that decide the verdict in the order they actually kill pilots. By the end you will have a build, buy, configure, pilot, or wait call for a concrete workflow, plus a 30-60-90 day plan to close whatever is missing.

Step 1: What decision must an AI readiness assessment actually make?

An AI readiness assessment is a workflow-level deployability verdict. It answers one question for one use case: can AI run this workflow safely now, does the workflow need redesign first, or should it wait? An AI maturity assessment measures how advanced an organization looks overall. Readiness decides whether a specific process is deployable.

Robert Half frames the core readiness goal directly, in its own words:

AI readiness refers to an organization's ability to successfully adopt, implement and scale AI technologies...in a way that delivers meaningful business value.  — Robert Half, AI Readiness Plan for Tech Leaders (2025)

Academic work, per Palade & Carutasu's digitization-readiness research, treats readiness as an extension of digital-maturity practice.

Why a score is not a decision

As of early 2025, McKinsey found that nearly every company was investing in AI while only about 1% of leaders called their organization mature in AI deployment. That figure, from McKinsey's Superagency in the Workplace research, reframed AI adoption as a leadership problem rather than a skills gap.

Readiness versus maturity, in one line

Maturity describes the organization. Readiness decides whether a specific workflow is safe to automate now. The rest of this guide builds that verdict, one blocker at a time. For teams already investing in AI-driven work, the companion piece on how to use AI for innovation covers where the payoff tends to concentrate.

Step 2: Why scope one workflow before you rate the whole company?

Assessing the whole company is too broad to produce a decision. A scope that wide yields only a label. Spread your force everywhere and you have force nowhere. The operational unit is one workflow, one business objective, one risk boundary, one next move. Scope narrow enough that a single process owner can describe every step, every exception, and the cost of getting it wrong. Company-wide scoring produces a label. Workflow scoping produces something you can act on.

Microsoft's own readiness framing warns against treating this as a one-time exercise. Its Copilot Studio team describes agent readiness as a continuous alignment of people, process, and technology that demands reassessment whenever conditions change. That is the practical reason to scope small: the assessment gets rerun every time the workflow, its data, or its controls change.

What a scopeable workflow looks like

"Improve customer service with AI" is an ambition. "Draft first-response replies to billing questions, using the last 12 months of resolved tickets, with a human approving every send" is a workflow. The second version maps what the agent touches (input and corpus) against the cost of a bad decision. Only the second can be assessed.

Three scoping questions

Before any pillar gets rated, answer three questions for the candidate workflow: what the single objective is and how you will measure it, what the worst outcome is if the AI is wrong and who absorbs it, and what the smallest pilotable slice looks like in 90 days without touching a regulated or revenue-critical path. Vague answers mean the workflow is not scoped yet. Scoring it anyway would just paper over the gap.

The cost of assessing too broadly

McKinsey found that high performers are about three times more likely to redesign specific workflows around AI than to layer it across everything at once. Narrow scope forces the redesign conversation a broad score lets you dodge.

Step 3: Which scorecard mistakes turn AI readiness into theater?

The common failure is treating every pillar as equal weight and reading a strong average as permission to deploy. A single unresolved blocker invalidates a high-average score. Organizations that average their blockers away don't remove them, they enshrine them. Averages hide the one no-go blocker that kills the pilot. The three recurring traps are pilot sprawl, shadow AI, and automating broken work. Each one looks like progress on a scorecard. Each one behaves like debt in production.

MIT's NANDA study of enterprise deployments found that roughly 95% of generative-AI pilots delivered little or no measurable profit impact, with the root cause located in integration and workflow fit rather than raw model capability. Its lead author put the mechanism directly.

Generic tools like ChatGPT excel for individuals because of their flexibility, but they stall in enterprise use since they don't learn from or adapt to workflows.  — Aditya Challapally, MIT NANDA, The GenAI Divide (2025)

Common misconceptions

  • "A high maturity score means we are ready." A strong average can mask a single blocking gap. Cisco's 2025 index found that only about 13% of organizations qualify as fully prepared "Pacesetters," and the separation shows up in specific pillars like guardrails and change management, not in the overall grade.
  • "Widespread AI use proves readiness." Adoption without governance is shadow AI. UpGuard's 2025 research found that more than 80% of workers use unapproved AI tools, with executives among the heaviest unsanctioned users and fewer than 20% of workers limiting themselves to company-approved options.
  • "Automating a slow process is always a win." Actually automating an undocumented, broken process just scales the mess. The automation-practitioner canon, going back to Tom Taulli's 2020 handbook, warns that encoding swivel-chair work and undocumented exceptions just makes failures happen faster. That framing comes from Tom Taulli's RPA Handbook, the automation-practitioner canon this guide leans on for exception-handling failure modes.
Two-panel comic — a beaver holds up a card reading "AI READY 5/5" beside an intact dam, then looks stunned as water bursts through one gap marked "ONE GAP".

Steelman: are scorecards worthless?

OWASP maintains a formal AI Maturity Assessment project, and structured models have a real job.

AI maturity models provide the structure to grow with intention, evaluate risk, and scale capabilities in a measurable way.  — G2, AI Maturity Model: How to Assess and Scale

A maturity model is a legitimate governance tool. It becomes theater only when its averaged output replaces the workflow decision. Keep the scorecard for tracking progress, but do not let it answer the deployment question.

Step 4: How do you inventory the hidden decisions an AI agent will guess at?

The hidden readiness layer is documented context. If a workflow runs on unwritten judgment calls, exception handling, and institutional memory, an AI agent has to infer them, and it will infer some of them wrong. This step maps the workflow's real decision logic: the core path, the exceptions, the escalation rules, and the tacit knowledge that currently lives only in someone's head.

A titled row "Check Blockers in Kill Order" with five numbered stages joined by arrows, labeled Docs, Data, Integration, Governance, People.

Two independent 2025 surveys converge on the same blocker. Lucid's 2025 survey of roughly 2,200 knowledge workers found that only 16% describe their workflows as extremely well documented, and 46% say operations depend most on informal or institutional knowledge. Lucid's own 2025 AI Readiness Survey is the source. Microsoft's survey of 500 agent decision-makers across 13 countries reached the same place from a different sample.

78% reported gaps in capturing business process and data dependencies to complete their workflows. You can't identify what you haven't mapped.  — Jack, Microsoft Copilot Studio, Agent Readiness Framework (2025)

The exception path problem

Humans handle exceptions with a shrug and a Slack message. An agentic AI system handles them by guessing. A refund workflow might have one documented path and nine unwritten judgment calls about goodwill, fraud signals, and VIP accounts. Those nine are where an AI agent quietly invents policy. AI systems do not run on ambition. They run on documented context, permission boundaries, and decision logic.

What "documented enough" actually means

A usable workflow map names the trigger and the ordered steps, then documents the governance layer covering every branching rule, exception handler, and success criterion. If any of those live only in tribal knowledge, the workflow needs a documentation pass before a pilot, not after.

Process owners and frontline operators reveal documentation gaps when they walk the workflow together. Sit the process owner and a frontline operator in the same room and ask them to walk the workflow end to end, including every "well, it depends" moment. The gaps between their two accounts are the exception paths an agent would have to invent. This is the same discipline that makes innovation feedback loops work: write the circuit down before you wire anything to it.

Step 5: Is your data good enough, or are you chasing data perfection?

The scoped workflow needs bounded, permissioned, traceable data that is good enough for the task and safe enough to monitor. Enterprise-wide data perfection is a decade-long program. A bounded pilot needs local sufficiency. Judge the slice you actually scoped, and leave the rest of the data estate for a later cycle.

Microsoft's readiness survey identifies data access as the hard constraint for agent deployment.

80% report data that is not easily accessible across their teams...If that data isn't accessible, the number of viable use cases collapses before it even begins.  — Jack, Microsoft Copilot Studio, Agent Readiness Framework (2025)

Cisco's index frames centralized data as one of the pillars that separates prepared organizations from the rest. Centralized enough to monitor is the pilot threshold. Perfect unification is a multi-year program. Monitored access to the scoped corpus is the standard that actually gates a pilot.

Data sufficiency, dimension by dimension

Four dimensions decide whether the scoped corpus clears the bar: access (reachable by the agent with clear permissions, not locked in a system nobody can programmatically read), freshness (current enough that a stale answer is annoying, not dangerous), traceability (every output traces back to a source record), and boundedness (a finite, curated, permission-scoped corpus, not an open data lake).

A central box labeled "Scoped Data" with four arrows to circles labeled Access, Fresh, Traceable, Bounded, titled "Judge the Slice, Not the Estate."

The data check fails when the mess touches the specific workflow's access controls, traceability, or boundedness. Otherwise the scoped check stands on its own. Move on. If it fails traceability, stop, because you cannot monitor what you cannot reconstruct.

Step 6: What does technical debt cost you as an AI tax?

Integration constraints kill more pilots than model capability does. Brittle integrations, legacy systems, and missing APIs routinely turn a plausible pilot into a long, expensive rewrite. Technical debt is a readiness dimension, but it matters after workflow and data, because those earlier blockers often decide whether the integration work is worth funding at all. Treat technical debt as a tax on delivery time, and price it before committing.

In its April 2025 research, Robert Half found that 46% of technology leaders named integrating legacy systems and addressing technical debt as a top challenge, and 63% cited hiring AI and data-science talent as a critical barrier. Robert Half's research shows the pattern repeats across enterprise readiness studies: the model demos well, then the integration layer eats the timeline.

A demo proves model readiness. Nothing more. It says nothing about whether the agent can write back to the CRM, respect record-level permissions, or survive a downstream API change. Seneca warned that we suffer more in imagination than in reality, but with legacy debt, the opposite is true. The suffering in production exceeds anything the demo suggested. When a workflow's real logic lives in legacy glue, automating the front end just exposes the debt faster. If the integration path requires a multi-quarter platform rewrite, the honest readiness verdict for this quarter is often "wait," and that is Step 10's job to decide.

Step 7: What controls must exist before any pilot goes live?

Pilot-to-production failure is usually a control problem. The failure mode is governance depth. Not a vendor problem. A control problem. Eisenhower understood this: plans are worthless, but planning is everything. What he meant was that the process of thinking through control (who approves what, who can stop it, who owns the log) is more valuable than any document you produce. A workflow is not ready when nobody can approve sensitive actions, inspect logs, or stop the system safely. The core requirement is traceability. Named approval points get the most attention, but live monitoring, rollback controls, and audit logging that can reconstruct any decision after the fact are what make an agent deployment governable rather than merely functional. Static policy documents do not count. Live control does.

Only 24% of organizations can control agent actions with proper guardrails and live monitoring, versus 84% of the prepared "Pacesetters," per [Cisco's AI Readiness Index](https://www.cisco.com/c/dam/m/en_us/solutions/ai/readiness-index/2025-m10/documents/cisco-ai-readiness-index-2025-realizing-the-value-of-ai.pdf). That gap is a direct predictor of which pilots survive contact with production. Auditability is a readiness precondition. Peer-reviewed accounting research treats the ability to inspect, log, and review AI actions as a threshold requirement before deploying AI into consequential work.

Live monitoring versus static policy

A policy PDF is a wish. Live monitoring is a control. The policy says the agent "should" escalate risky actions. Live monitoring means the agent's actions stream to a dashboard, a human can intervene mid-task, and every decision is logged with its inputs. Regulated environments push this further, which Step 13 covers with the FDA's human-interaction requirements.

A minimum governance checklist

Before a pilot touches a real workflow, confirm five controls exist. A named human owns approvals for sensitive actions, every agent action is logged and reconstructable, and a kill switch can halt the workflow without a deploy. Access is scoped to the workflow's corpus rather than the full data estate. Someone reviews a monitored output sample on a fixed cadence.

When light governance is acceptable

Governance depth should match the workflow's stakes. A workflow that drafts internal meeting summaries, with no external action and a human reading everything before it goes anywhere, does not need the same control surface as one that touches customer money. The test is reversibility and blast radius (the total scope of harm if the system produces a wrong output, who is affected, how fast, and whether it can be undone). If a wrong output is cheap to catch and cheap to undo, a lighter approval path is defensible. If the action is irreversible or customer-facing, the full checklist is the price of a pilot. Governance patterns from federated innovation apply here: distributed autonomy still needs central guardrails.

Step 8: Can your people actually absorb the change?

When decision authority is unassigned, deployments fail regardless of technical readiness. If process owners, operators, security, and leadership have not agreed on role changes, escalation paths, and success criteria, the pilot stalls after the demo. The gap is rarely raw skills. It is unassigned ownership of the new decisions, exceptions, and reviews an AI workflow creates. Change absorption predicts scale better than enthusiasm does, and it tracks closely with an organization's broader innovation culture health.

[Cisco's index](https://www.cisco.com/c/dam/m/en_us/solutions/ai/readiness-index/2025-m10/documents/cisco-ai-readiness-index-2025-realizing-the-value-of-ai.pdf) quantifies the split: 91% of prepared organizations have a change-management plan, against 35% of everyone else. Peer-reviewed work adds that the barriers are as much psychological and organizational as technical, which is why training alone does not close them.

Skills gap versus operating-model gap

Training fixes a skills gap. An operating-model gap, where nobody owns the agent's exceptions and decision authority is unassigned, requires decisions reassigned to named people. Conflating the two early collapses the assessment into a generic upskilling plan.

Step 9: How do you rank use cases by upside, complexity, and risk?

Once the blockers are visible, use-case prioritization becomes possible. Score each candidate workflow on business value, technical feasibility, and readiness, then apply risk and documentation gaps as penalties rather than averages. InitializeAI's prioritization-matrix template weights business value at 35 to 45% and feasibility at 25 to 35%, with risk and data readiness applied as penalties. The right first pilot is rarely the highest-value use case. It is the workflow with real upside and boring, bounded risk. This is the same logic behind a good market validation test: cheap, bounded, and informative before you commit real budget.

A worked ranking

Take three candidate workflows. Autonomous pricing changes score very-high upside and high complexity, but the penalty is severe: live financial actions with thin guardrails, exactly the profile Step 7 flags. Despite the highest raw upside, the verdict is wait. Contract-clause extraction scores medium upside and medium complexity, with a moderate penalty for the legal review it needs. The verdict is redesign, then pilot. Billing first-response drafts score medium upside and low complexity, with a penalty near zero because a human approves every send against a bounded corpus. The verdict is pilot now, ahead of the higher-upside option. A single guardrail or documentation gap should sink a use case even when its raw value score looks strong: averaging that penalty away is how organizations pick a flashy pilot that fails in month two.

Step 10: How do you make the build, buy, configure, pilot, or wait call?

The assessment earns its keep only when it ends in a workflow decision. Five options exist, ranging from custom builds and specialized purchases to lower-commitment moves like configuration, piloting, or a deliberate pause. An AI readiness assessment that ends in a maturity score instead of a workflow decision is theater: the organization has graded itself and still not decided anything.

The organization's controls and data maturity determine which sourcing path is viable. Research on institutional readiness frames the pick between a foundational-model tool and a bespoke autonomous system as an eligibility decision driven by the organization's controls and data. The market evidence tilts toward buying: MIT's data shows specialized-vendor deployments succeeding around 67% of the time versus roughly 33% for internal builds.

The five-path matrix

Five labeled cards in a row — Build, Buy, Configure, Pilot, Wait — under the title "Five Verdicts, Not a Score."
PathPick whenReadiness preconditionFailure mode if you skip it
BuildThe workflow is a durable differentiator and you have the engineering depthStrong data, integration, and MLOps maturityA multi-year rewrite that a vendor already sells
BuyA specialized vendor already solves the scoped workflowGovernance to vet the vendor's data handlingShadow AI as teams buy tools unofficially
ConfigureAn existing platform can be adapted without new codeDocumented workflow to configure againstConfiguring a broken process into permanence
PilotUpside is real but readiness has gaps to testBounded scope, human in the loop, monitoringPilot sprawl with no production path
WaitA hard blocker (guardrails, data, ownership) is unresolvedA dated plan to close the blockerDeploying into a workflow you cannot control

Wait is a verdict, not a failure. If the workflow lacks live monitoring or documented decision logic, "wait" plus a 30-60-90 day plan beats a launch that pages someone at 2 a.m. The maturity-score-first approach cannot produce this call, because a 3.8 out of 5 says nothing about whether to build or wait on the billing workflow specifically.

Step 11: Which numbers predict pilot failure?

Organizations systematically overestimate readiness across four dimensions: documentation quality, governance depth, change-management strength, and the ability to scale past a pilot. Read these as leading indicators, not decoration. Each one changes a verdict, because each one names a blocker that a maturity average tends to hide.

MetricValueSourceYear
GenAI pilots with no measurable P&L impact~95%MIT NANDA2025
Organizations that can control agent actions with guardrails + live monitoring24%Cisco AI Readiness Index2025
Knowledge workers with extremely well-documented workflows16%Lucid2025
Large-enterprise decision-makers reporting process-mapping gaps78%Microsoft Copilot Studio2025
Workers using unapproved (shadow) AI tools>80%UpGuard2025
Vendor-bought deployment success rate vs internal builds67% vs 33%MIT NANDA2025
Organizations reporting enterprise-wide EBIT impact from AI39%McKinsey2025

Read the table as a readiness filter. The 78% process-mapping gap predicts Step 4 failures. The 24% guardrail figure predicts Step 7 failures. The 67% versus 33% split is the Step 10 sourcing tilt. Together they explain the 95% headline: pilots fail because the operating conditions were never assessed, not because the models were weak.

Step 12: What does Morgan Stanley's copilot rollout teach about readiness?

A strong AI pilot usually succeeds because the workflow is narrow, the corpus is controlled, the human stays in the loop, and permissions are explicit. Morgan Stanley's advisor assistant, built with OpenAI, is the enterprise-grade example of that profile. It is worth studying precisely because it is governance-heavy and bounded, not because it is flashy.

The rollout put a chatbot over an approved internal corpus of roughly 100,000 documents, with advisors and prompt engineers grading responses for accuracy and coherence before wider release, according to OpenAI's case study on the Morgan Stanley rollout. Humans reviewed and adjusted outputs before anything was finalized, and OpenAI's zero-data-retention policy handled the compliance constraint. Over 98% of advisor teams actively use the assistant, and document access jumped from 20% to 80%.

Why this workflow was ready

Map it back to the earlier steps. The workflow was scoped (Step 2): retrieve and summarize from a defined knowledge base, not act autonomously. The corpus was bounded and permissioned (Step 5). Governance was live: evals, human review, and a retention policy (Step 7). The people were in the loop by design (Step 8). Every blocker the guide sequences was closed before scale, which is why adoption held instead of stalling in a demo.

What would have made it not ready

Change three variables and the verdict flips to wait. An unbounded corpus that pulled from any internal system would fail the boundedness test from Step 5. Autonomous action without human sign-off would fail the governance test from Step 7. The grading step was not optional. Without advisors and prompt engineers scoring responses for accuracy, there is no evidence base to justify trusting outputs at scale,only assumption. The lesson is portable: readiness is a property of the workflow's constraints, not the vendor's brand. The same logic underpins a working digital second brain deployment, where the corpus and the review loop decide whether the tool earns trust.

Step 13: Which edge cases break generic readiness frameworks?

Some workflows fail generic readiness formulas. Regulated work, thin-data environments, and cross-functional ownership tangles need a different threshold for "pilot now" versus "redesign first" versus "wait." In these cases a single dimension dominates the verdict, and averaging it against the others produces a dangerously optimistic score. Name the dominant blocker, then decide against it.

In regulated work, approval burden and provable oversight outrank model quality. The FDA's January 2025 draft guidance for AI-enabled device software requires submissions to document the human-AI workflow, capturing how a human and the model interact at each decision point. That turns the readiness call into a control question: can you prove oversight at every step?

Three edge cases each hinge on one dominant blocker: regulated workflows in health, finance, or legal hinge on approval burden and auditability, so pilot only if human-on-the-loop oversight is provable end to end. Thin-data environments hinge on the cold-start problem (the period before the system has accumulated enough interaction data to make confident, calibrated predictions), so prefer a rules-first or human-assisted pilot. Cross-functional ownership tangles hinge on no single owner for the new decisions, so redesign ownership first rather than pilot into a vacuum.

The FDA guidance also draws a useful line between human-in-the-loop, meaning intervention at every decision, and human-on-the-loop, meaning continuous supervision with the ability to take over. A strict industry can still run a bounded pilot when the workflow is narrow enough that oversight stays inexpensive. The regulation itself is rarely the blocker. The organization's inability to demonstrate control inside it usually is.

Step 14: How do you turn findings into a 30-60-90 day roadmap?

No owners, no progress. The assessment should close with ordered remediation and a scheduled date to rerun the workflow check, sequenced by blocker severity from Steps 4 through 8 rather than handled all at once, with documentation and governance gaps addressed before anything else because they block every downstream step. This sequencing mirrors a stage-gate model: each 30-day block is a gate the workflow must clear before the next one opens. Without named owners attached to each item, the output is maturity theater.

The 30-60-90 shape

  • Days 0 to 30: Close the documentation and access blockers. Map the scoped workflow's decision logic and exceptions. Confirm the corpus is reachable, permissioned, and traceable. Assign a process owner and a risk owner.
  • Days 31 to 60: Stand up governance before any live action. Wire logging and an approval gate. Add a monitored output sample and a kill switch once the agent is running. Run evals against a held-out set.
  • Days 61 to 90: Launch the bounded pilot with a human in the loop. Track the single success metric from Step 2. Decide build, buy, configure, continue, or stop based on results, not sentiment.

Make the plan specific enough to argue with. "Improve documentation" is not a milestone. "Process owner Priya maps the refund workflow's exception paths by day 21, reviewed by the operations lead" is. Every gap the assessment surfaced gets one owner, one due date, and one definition of done. Remediation that treats all gaps as equal-priority work is how a 90-day plan quietly becomes an 18-month one.

Rerun it on a cadence

Rerun the workflow-level assessment when the workflow, its data, its risk class, or its control environment changes materially. At minimum, run it once per remediation cycle. Attach a named owner and a deadline to every gap the assessment finds. Without both, a finding tends to outlast the review that produced it. Microsoft frames readiness as continuous rather than a credential you earn once, which makes the check a recurring discipline, not an event — the readiness-specific instance of continuous foresight: treating change detection as an ongoing practice, not a one-time audit. Teams building this habit over time also develop stronger absorptive capacity, the ability to use what each pilot actually teaches rather than rediscovering the same lessons on the next cycle.

TL;DR (draft)

  • An AI readiness assessment is a per-workflow verdict: deploy now, redesign first, or wait.
  • Scope one workflow first. Company-wide scores produce labels, not decisions.
  • Only ~13% of organizations are fully prepared, per Cisco's AI Readiness Index. A separate 24% can apply live guardrails to control agent actions.
  • Undocumented decision logic is the top hidden blocker: 78% of large enterprises report process-mapping gaps, per Microsoft's Agent Readiness Framework.
  • Don't let the assessment end in observations. Commit to build, buy, configure, pilot, or wait, then use a 30-60-90 day plan to make that commitment actionable.

Frequently asked questions

What should an AI readiness assessment include?

A workflow-level AI readiness assessment inspects five things in severity order: documented decision logic and exception paths, data sufficiency for the scoped task, technical-debt and integration cost, governance with live monitoring, and change-management ownership. It ends in a verdict. The five options are build, buy, configure, pilot, or wait, not a maturity score.

How do I know if my company is ready for AI?

Assess one workflow, not the whole company. Ready means the scoped workflow has documented decision logic, permissioned and traceable data, a workable integration path, live guardrails, and named owners for the new decisions. If any of those is missing, the honest answer is redesign first or wait, with a dated plan to close the gap.

What is the difference between AI readiness and AI maturity?

AI maturity measures overall organizational capability, a snapshot on a curve. AI readiness is a deployability verdict scoped to one specific workflow.

As of early 2025, roughly 1% of leaders called their organization mature, per McKinsey's Superagency in the Workplace research. The label, even when earned, offered no guidance on which workflow was ready to automate next.

Are we ready for AI if our data is still messy?

Possibly. Enterprise-wide messiness does not disqualify a bounded workflow. What matters is whether the scoped corpus is accessible, permissioned, traceable, and finite. If those hold, messy data elsewhere is not your blocker. If outputs cannot be traced back to source records, stop, because you cannot monitor what you cannot reconstruct.

Should we build, buy, or pilot first?

For most scoped workflows, buying or configuring a specialized tool beats building — MIT NANDA's research found vendor deployments succeeding around 67% of the time versus 33% for internal builds. Build only when the workflow is a durable differentiator and your data and integration maturity are strong. Pilot when upside is real but readiness has gaps worth testing under monitoring.

Who needs to be involved in an AI readiness assessment?

At minimum: the process owner and a frontline operator. You also need the risk-and-governance layer above them, up through executive sponsorship. Each answers a different readiness question, from "is the logic documented" to "will we actually change how people work." Missing the security owner or the sponsor is how pilots pass on paper and stall in production.

How often should we rerun an AI readiness assessment?

Rerun the workflow-level check whenever the workflow, its data, its risk class, or its control environment changes materially. Run it at minimum once per remediation cycle. Microsoft describes agent readiness as continuous rather than one-and-done, so treat the assessment as a recurring habit tied to change, not an annual certificate.

Mikkel avatar

Contributor

Mikkel @mkl_vang

Covers operational innovation, AI implementation patterns, and how teams ship useful change without theater.

Mikkel writes from an operator perspective. He is interested in what happens after the strategy deck: staffing constraints, decision latency, governance friction, and the daily tradeoffs that determine whether innovation initiatives survive contact with reality. His reference base includes the OECD Oslo Manual, the NIST AI Risk Management Framework, and Google Re:Work.

His pieces often combine process design with clear implementation checklists, especially around AI adoption and cross-functional delivery. He likes explaining how high-level frameworks can be adapted to smaller teams with fewer resources by drawing on practical standards like the OECD Oslo Manual, the NIST AI Risk Management Framework, and team practices from Google Re:Work.

When reviewing content, Mikkel prioritizes precision over hype. If a recommendation cannot be tested in a sprint or measured over a quarter, it usually does not make the final draft.