How to run an AI readiness assessment in a regulated enterprise

Jun 02, 2026 · 9 min read

An AI readiness assessment is supposed to tell you whether your organization can actually deploy AI and get value from it. Most of them do not. They produce a heatmap of capabilities that looks defensible, a maturity score that is hard to argue with, and no real answer to the question that mattered: should we deploy this, here, now?

In a regulated enterprise the cost of a wrong answer is asymmetric. Deploy too early and you create rework, audit findings, and people who never trust the next system. Deploy too late and you watch competitors learn things you do not. A useful readiness assessment has to be sharp enough to support a real decision under that pressure.

The five layers to assess

Readiness is a property of a system, not of a capability list. The system has five layers, and a use case is only as ready as its weakest one:

  • Knowledge — Does the organization actually know what it needs to know to act? Not whether the data exists somewhere. Whether the right people can reach the right facts at the moment of decision.
  • Governance — Are the four governance jobs answered for this use case: scope, decision rights, evidence, escalation?
  • Coordination — Do the functions that have to move together know they have to move together? Most AI failures inside regulated enterprises are coordination failures dressed as model failures.
  • Orchestration — Can the end-to-end workflow actually run? Inputs available, handoffs defined, outputs consumed, exceptions handled.
  • Human Adoption — Will the people who have to use it, use it? Not in the pilot. In the second quarter, when novelty is gone and the workaround is still there.

The scoring rule that actually works

Score each layer red, amber, or green for the specific use case under review. Not for the organization as a whole — that score is rarely actionable. A use case with one red layer is not ready, regardless of how green the other four are. That is the rule. Average scores hide exactly the thing you are paying for the assessment to surface.

This is the single biggest difference between readiness assessments that lead to deployment and readiness assessments that lead to another readiness assessment. Refuse to average.

Questions that separate the colors

For each layer, a handful of questions does most of the work. They are deliberately concrete:

  • Knowledge — Where does the model get the facts it needs? Who keeps those facts current? What breaks when they are wrong?
  • Governance — Who decides this can go live? What evidence do they need? Who is accountable for the outcome after it does?
  • Coordination — Which functions have to change behavior for this to work? Have they agreed? Who notices if they stop?
  • Orchestration — What is the end-to-end path from input to action? Where are the manual steps? What happens on exception?
  • Human Adoption — What is the alternative behavior we are competing with? Why would a busy person choose this instead?

Regulated-industry adjustments

In pharma, financial services, and other regulated environments, three additions matter:

First, evidence of human oversight is not optional and must be designed in, not bolted on. The EU AI Act calls this out explicitly for high-risk systems; the spirit is the same in FDA and EMA expectations for AI-enabled processes. If you cannot show how a human stays in the loop in a way that is meaningful — not theatrical — the system is not ready.

Second, data provenance has to survive an audit. If the readiness assessment cannot trace the lineage of every input the model uses to a system of record with a known owner, that is a red on Knowledge, no matter how good the model is.

Third, the validation pathway has to exist before the build. Validating a deployed AI system retroactively is expensive and rarely produces a clean answer. The path through validation is part of readiness, not a downstream concern.

What to do with the output

A readiness assessment that ends with a score is the wrong shape. A readiness assessment that ends with a decision and a remediation list is the right shape. For each red and amber layer, name the owner, the action, and the date the layer will be re-scored. Anything else is a report.

The point of the assessment is not to grade the organization. It is to make the next decision sharper than it would have been without the assessment. If the decision is the same with or without the document, the document was wasted effort.