Before standing up an AI adoption program, confirm these foundations exist. If most are missing, build them first — launching AI adoption on broken ground produces shadow AI and incidents.

| # | Foundation | What "ready" looks like |
|---|---|---|
| 1 | Named executive sponsor | One C-level person backs the AI program with budget and authority. Without this, the CoE has no teeth. |
| 2 | Risk appetite stated | Leadership has written down where AI may and may not act — drafting customer emails? approving payments? hiring decisions? If ambiguous, settle it before starting. |
| 3 | Identity provider in place | Okta / Entra ID / Google Workspace SSO managing humans and service identities. We will issue agent identities through this, not invent a parallel system. |
| 4 | Security review path | A working process for vetting new tools and integrations. We will plug AI procurement into it, not build a parallel one. |
| 5 | Data classification baseline | Some notion of public / internal / confidential / PII data, even if informal. Without it, agent scoping is guesswork. |
| 6 | Logging & monitoring infrastructure | The company already runs centralized logging / dashboards for non-AI systems. Our AI observability layer plugs in here. |
| 7 | Operational discipline | Standard SDLC, change management, incident response capability somewhere in the org. AI cannot be the first system the company runs operationally. |
| 8 | Workflow visibility | At least 3–5 high-impact workflows identified, documented well enough to be candidates for an agent. If everything is tribal knowledge, we automate nothing reliably. |

This is a gate, not a one-time check — reassess every 6 months. Readiness drifts as the company grows, acquires, or churns staff.