Oliver Church

What an AI-readiness audit actually looks like

July 2026 · Oliver Church

Your board asked what you are doing about AI. Somebody bought licences. Six months later, nobody can tell you what is actually deployed, what data it touches, or whether any of it moved a number.

An AI-readiness audit answers that question in three to four weeks. What follows is the whole method, nothing held back — if you have a capable senior person with a security background, hand them this note. The only thing I sell is the accountable person running it.

Why this engagement exists

In a mid-market company, AI arrives three ways. Top-down: the board asks for a strategy and someone is told to do something. Procurement-led: a vendor sells licences and the doing-something box gets ticked. And bottom-up, the one nobody accounts for: your staff are already using free AI tools, on personal accounts, with your data, whether you have a policy or not.

This has no natural owner. IT owns the licences but not the strategy. Legal owns the risk but cannot see the usage. Finance sees the bill but not the value. The audit puts all three questions — what do we have, what is it exposing us to, is any of it working — in one document, with one accountable author, in front of the board.

Phase 0 — Scoping

Scoping happens before the clock starts. The commissioner is usually the CEO (the board asked), the CFO (the AI bill grew and nobody can say what it buys), or the board after something made them nervous; the trigger sets the emphasis between spend and risk.

The real cost is your team’s time: an hour per leadership interview, thirty minutes per key staff member, a couple of hours from one IT contact, and a sponsor for the readout. The interviews are the audit — documentation alone misses the shadow usage, and the shadow usage is half the findings.

What it never requires: system access. Everything is read-only and agreed in writing up front. If someone pitching an “AI audit” wants to install a monitoring tool on your network in week one, that is a product sale wearing an audit costume.

Phase 1 — Inventory and data-flow mapping

Week one asks one question: what AI is actually in use? Not licensed — in use. There are two lists, and the gap between them is where the findings live.

The sanctioned stack is everything the company pays for, built from the supplier ledger, the admin consoles, and the contracts folder. The shadow stack only comes from interviews — and the posture is amnesty, not enforcement. You do not ask “are you using unauthorised tools?”; you ask people to walk you through how they produced the last proposal, and the tools come out in the workflow.

Every tool then gets four columns: the data classes it touches (client PII, financials, HR data, commercially sensitive material), who has access versus who actually uses it, full cost, and seats paid versus seats active. The near-universal finding: paid licences almost nobody uses, sitting alongside unsanctioned free tools almost everybody uses. The company funds the wrong list. The week-one artifact is a one-page data-flow map.

Phase 2 — Risk and compliance review

Week two interrogates every tool with five questions, answered from the contract and the data processing agreement, never the marketing page. Is our data used for training? Where does it live, and can the vendor commit to that in writing? Who are the sub-processors? What is the retention? And is there a DPA at all — an employee clicking “I agree” on a free tool is not one.

Alongside that: an access-control review and a regulatory mapping. The audit flags, it does not lawyer — genuine exposures become specific, answerable questions for your counsel.

Everything lands in a risk register: every tool tiered green (keep), yellow (remediate by a named date), or red (block and replace — the workflow need behind a shadow tool is real, and prohibition without a sanctioned alternative drives usage further underground).

Phase 3 — Opportunity assessment

The other half of the board’s question: where would AI actually pay here? The method matters more than the answers: start from the P&L and the org chart, not the tool market. At this size the value clusters reliably in four places: repetitive document handling, customer response drafting, internal search over your own documents, and the monthly reporting pack.

For every candidate, four things go on paper or the candidate dies: a measurable baseline, a realistic gain range, the full cost including change management (the licence is the cheapest line), and a verdict — build, buy, or skip. Skip is a first-class verdict. A third to half of ideas should die here; if every idea comes back “promising”, nobody assessed anything.

Phase 4 — The report and the 90-day plan

The deliverable has five components. A one-page executive summary readable in four minutes. The risk register. The opportunity ranking, skips included with the reason each died. A sequenced 90-day plan — kill the reds, land one measurable quick win, then pilot the strategic bet gated on the quick win hitting its numbers, every item with an owner and a date. And the stop-paying-for-this list — unused seats, duplicate features, leavers’ licences — which usually funds a meaningful chunk of the plan.

The tell that separates an audit from consulting theatre: can your team act on the report without hiring the firm that wrote it? If every road leads back to the author’s implementation team, you bought a sales document.

“Do something with AI” is not a strategy. A strategy is knowing what you have, what it exposes you to, what is worth doing, and in what order — written down, with numbers, that your board can hold you to.

If your board is asking the question and you would rather an accountable senior operator ran this — three to four weeks, fixed scope, board-ready document at the end — book a 20-minute call.

Book a 20-minute call