1. Do you have a written AI acceptable-use policy?

Yes No / Not sure

One-page doc: what employees can use, what data is off-limits.

2. Are employees trained on what NOT to paste into public LLMs?

Yes No / Not sure

Customer PII, trade secrets, unreleased roadmap — never.

3. Is a list of approved AI vendors maintained?

Yes No / Not sure

Shadow AI (unsanctioned tools) is how data leaks. Name the sanctioned few.

4. Do approved AI vendors contractually disallow training on your data?

Yes No / Not sure

Anthropic, OpenAI enterprise, Azure OpenAI — check the DPA clause.

5. Are AI outputs reviewed by a human before customer-facing use?

Yes No / Not sure

Hallucinations are real; never ship AI-generated text as authoritative without review.

6. Is there logging of AI tool usage at the org level?

Yes No / Not sure

Even just visibility — what AI tools are employees using?

7. Is prompt-injection risk considered for any AI agent you deploy?

Yes No / Not sure

If your agent reads user content, treat that content as untrusted.

8. Is PII masked / redacted before being sent to AI vendors?

Yes No / Not sure

Replace emails, phone numbers, SSNs with placeholders before LLM calls.

9. Do AI integrations use least-privilege credentials?

Yes No / Not sure

An AI agent shouldn't be able to delete your database. Scope keys.

10. Is there a kill-switch / rate limit on AI spending?

Yes No / Not sure

OpenAI budget caps; Anthropic spend alerts. Don't find out at invoice time.

11. Are AI-generated decisions auditable (logged with inputs)?

Yes No / Not sure

Regulators (and your lawyers) want to reconstruct what the AI saw and replied.

12. Have you considered regulatory constraints (EU AI Act, sectoral rules)?

Yes No / Not sure

Healthcare, finance, hiring = high-risk under EU AI Act. Understand your category.

AI Security Readiness Score