AI Agent Readiness Score

Answer 18 plain-English questions and get an indicative 0-100 readiness score, your top gaps, and a human-review flag where high-risk AI use appears.

Organisation name Sector Email for PDF report

Q01 Do you have a documented list of every AI tool, agent, or automation in use across your business?

Yes - complete and reviewed in the last 90 days Yes - but partial or out of date Informal - in someone's head or scattered notes No

Q02 How confident are you that staff are not using AI tools your business hasn't approved (e.g. personal ChatGPT for work data)?

Very confident - we have monitoring and acceptable-use enforcement Reasonably confident - we have a policy but limited enforcement Not confident Don't know

Q03 Does every AI tool or agent have a named human business owner accountable for it?

Yes - all of them Most of them Some of them No / not assigned

Q04 Do any of your AI tools influence decisions in any of these areas? (Select all that apply)

Recruitment, hiring, or employee evaluation Credit, insurance, or financial decisions about people Healthcare or clinical triage Education assessment or grading Access to essential services Law enforcement or immigration Biometric identification or categorisation None of the above

Q05 What is the highest level of autonomy any of your AI tools have today?

Suggest only - a human approves every action Acts on internal items only (e.g. drafts, summaries) - human reviews Acts autonomously on internal systems (CRM, finance, HR) Acts autonomously with external parties (customers, suppliers)

Q06 If you have customer-facing AI (chatbot, voice agent, generated content), do customers know they are interacting with AI?

Yes - clear written disclosure in every interaction Sometimes - inconsistent No We don't have customer-facing AI

Q07 Do your AI tools process personal data (names, emails, customer records, employee data)?

No Yes - and we have a DPIA for each system Yes - DPIA partial or for some systems only Yes - no DPIA Don't know

Q08 Do any of your AI tools touch special-category data (health, ethnicity, religion, political views, biometric, sexual orientation), children's data, or data about vulnerable users?

No Yes - with documented lawful basis and additional safeguards Yes - lawful basis unclear or safeguards not documented Don't know

Q09 Do you know which countries the AI services you use process and store data in?

Yes - documented per service For most services No - not tracked Don't know

Q10 Have you reviewed what data is sent to AI tools to ensure only what's necessary is shared?

Yes - reviewed in last 12 months Yes - but over a year ago No formal review

Q11 Do you have a written AI acceptable-use policy that staff have seen?

Yes - signed off and circulated within last 12 months Yes - older than 12 months Draft or informal No

Q12 For consequential AI outputs (decisions affecting people, money, or external comms), is there a documented human review step?

Yes - documented and followed Yes - but inconsistently applied No documented step Not applicable - no consequential outputs

Q13 Have staff who use AI tools received AI literacy training (risks, limitations, appropriate use)?

Yes - completed within last 12 months, with completion log Yes - but no completion log Informal awareness sessions No

Q14 Have you reviewed the security and privacy posture of the AI vendors you use (DPA signed, data handling, subprocessors)?

Yes - documented assessment for each vendor Major vendors only Informal / spot checks No

Q15 Do you know which underlying AI models (OpenAI, Anthropic, Google, etc.) sit behind the tools you use?

Yes - documented per tool Most tools Some tools No

Q16 Are AI tool usage and outputs logged in a way you could produce for an audit or incident investigation?

Yes - centralised, retained, searchable Per-tool logs only Limited or unreliable logging No

Q17 Is there a scheduled review of your AI tools (at least annually) to check controls, evidence, and changes?

Yes - calendar-driven and minuted Ad hoc when things change No

Q18 If an AI tool produced harmful, biased, or incorrect output that caused real impact, do you have a documented incident response process?

Yes - documented and tested Documented but never tested Informal / would handle reactively No