SVC · 01 · Diagnostic

AI Readiness
Assessment.

A structured engagement covering all six SAISF domains. Discovery, gap analysis against NIST AI RMF and ISO/IEC 42001, prioritised remediation roadmap, and a board-ready report.

Format: Fixed scope
Coverage: All 6 domains
Deliverable: Board report

Most organisations have AI activity already underway — sanctioned tools, shadow Copilots, vendor-embedded features — without a coherent view of the risk it carries. The Readiness Assessment establishes that view.

The engagement covers all six SAISF domains: Govern, Discover, Protect Data, Secure, Detect & Respond, and Assure. Discovery interviews, document review, technical sampling, and gap analysis produce a maturity score per domain, a prioritised remediation roadmap, and a one-page board summary that survives the C-suite, the audit committee, and the regulator.

The assessment is designed to be the opening engagement with Secucloud — the diagnostic that tells you and us where the work needs to start. Most clients use the output to scope the next twelve months of AI security investment.

A structured engagement,
four phases.

Timeline (two weeks): i. Discover, days 1–3 (interviews); ii. Sample, days 3–6 (technical sampling); iii. Analyse, days 6–9 (scoring); iv. Deliver, days 9–10 (report & readout).
PHASE I
Discover

Stakeholder interviews across security, legal, data, engineering, and the business. Document review of existing policies, registers, and architectural decisions.

PHASE II
Sample

Technical sampling of in-scope AI systems — configuration review, log review, identity model inspection, shadow AI discovery via existing telemetry.
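The shadow AI discovery step above reduces, at its simplest, to running existing egress or CASB telemetry against a list of known AI service domains and comparing what turns up with the sanctioned inventory. The script below is an added illustration of that check, not Secucloud's engagement tooling. The vendor domain list, the single-line log format (timestamp, user, destination host, bytes sent), the sample log lines and the sanctioned set are all constructed for the example; a real engagement would take the domain list from the CASB's application catalogue and the log format from whatever the client's proxy or CASB actually emits.

```python
"""Shadow AI discovery over constructed egress/CASB telemetry (illustrative only)."""
from dataclasses import dataclass

# Known AI SaaS domains keyed to a vendor label. Assumed and deliberately short;
# source the real list from the CASB application catalogue.
AI_DOMAINS = {
    "openai.com": "OpenAI / ChatGPT",
    "anthropic.com": "Anthropic / Claude",
    "gemini.google.com": "Google Gemini",
    "huggingface.co": "Hugging Face",
    "copilot.microsoft.com": "Microsoft Copilot",
}

# Vendors the organisation has formally approved (constructed for the example).
SANCTIONED = {"Microsoft Copilot"}

# Constructed CASB-style egress records: timestamp, user, destination host, bytes sent.
SAMPLE_LOG = """\
2024-05-06T09:12:01Z alice@example.org api.openai.com 48211
2024-05-06T09:14:22Z bob@example.org mail.example.org 1200
2024-05-06T10:03:45Z carol@example.org chat.openai.com 9031
2024-05-06T10:07:10Z dave@example.org huggingface.co 55310
2024-05-06T11:20:33Z alice@example.org copilot.microsoft.com 2210
2024-05-06T12:02:05Z erin@example.org api.anthropic.com 18880
"""


@dataclass
class AppUsage:
    vendor: str
    sanctioned: bool
    users: set
    events: int
    bytes_out: int


def classify_host(host):
    """Return the vendor label if host is, or is a subdomain of, a known AI domain.

    Walks the suffixes of the hostname (api.openai.com -> openai.com) so that
    API and chat endpoints both resolve to the same vendor.
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in AI_DOMAINS:
            return AI_DOMAINS[candidate]
    return None


def discover_shadow_ai(log_text, sanctioned):
    """Aggregate AI-service traffic per vendor: distinct users, event count, bytes sent."""
    usage = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, user, host, sent = line.split()
        vendor = classify_host(host)
        if vendor is None:
            continue  # not an AI service; ignore
        entry = usage.setdefault(
            vendor, AppUsage(vendor, vendor in sanctioned, set(), 0, 0)
        )
        entry.users.add(user)
        entry.events += 1
        entry.bytes_out += int(sent)
    return usage


def shadow_report(usage):
    """Unsanctioned vendors only, largest outbound volume first.

    Bytes sent is a crude but useful prioritiser: the biggest uploads to an
    unsanctioned endpoint are the first candidates for a data-protection look.
    """
    return sorted(
        (u for u in usage.values() if not u.sanctioned),
        key=lambda u: u.bytes_out,
        reverse=True,
    )


if __name__ == "__main__":
    for item in shadow_report(discover_shadow_ai(SAMPLE_LOG, SANCTIONED)):
        print(f"{item.vendor:<22} users={len(item.users)} "
              f"events={item.events} bytes_out={item.bytes_out}")
```

On the constructed sample this flags OpenAI (two users, ~57 KB sent), Hugging Face and Anthropic as unsanctioned, and leaves Copilot out of the report because it is on the approved list. The same aggregation applied to a month of real CASB or proxy data is what turns "we think some people use ChatGPT" into an inventory with names, volumes and a first priority order.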

PHASE III
Analyse

Findings mapped to SAISF domains. Maturity scoring against the five-level ladder. Cross-reference to NIST AI RMF, ISO 42001, EU AI Act, OWASP LLM Top 10.

PHASE IV
Deliver

Written report, board-ready one-pager, prioritised remediation backlog, and a 90-minute executive readout session covering findings and the next twelve months.

What's in, what's out.

In Scope

  • Six-domain SAISF maturity scoring
  • NIST AI RMF gap analysis
  • ISO/IEC 42001 readiness assessment
  • EU AI Act applicability and exposure
  • OWASP LLM Top 10 control mapping
  • Shadow AI discovery sample (CASB & SaaS log review)
  • Up to ten stakeholder interviews
  • Existing policy and architecture document review
  • Prioritised remediation roadmap
  • Executive board-ready report
  • 90-minute readout session

Out of Scope

  • Detailed per-system architecture review (see Service 02)
  • LLM red-teaming or penetration testing
  • Implementation of remediation items
  • Policy drafting (provided as recommendations only)
  • Full audit-grade evidence collection
  • Third-party vendor security assessments
  • Ongoing advisory beyond the readout (see Service 04)

Three buyer profiles
where this fits.

i.
CISO / Security Leader
Pre-rollout assessor

Your organisation is about to authorise broad AI adoption — Copilot, custom RAG, agent platforms — and you need a defensible baseline before the rollout, not after the incident.

ii.
Board / Audit Committee
Independent diagnostic

The board has heard "we have AI risk under control" too many times without supporting evidence. An independent diagnostic from outside the line organisation provides verifiable answers.

iii.
Compliance / Legal
Regulatory readiness

EU AI Act applicability, ISO 42001 certification ambitions, or sector-specific regulation (DORA, NIS2) requires a structured baseline of AI control maturity to inform programme planning.

Four artefacts you keep.

i.
SAISF Maturity Report
Full written report — typically 30 to 50 pages — documenting findings across all six domains, evidence supporting each maturity score, and detailed observations. Designed for security, engineering, and compliance audiences.
PDF · 30–50 pages
ii.
Board One-Pager
A single-page executive summary with maturity radar, key risks, top three priorities, and an indicative twelve-month investment shape. Designed to fit a board pack without translation.
PDF · 1 page
iii.
Remediation Backlog
A structured list of prioritised remediation items, each tagged by domain, effort estimate, risk reduction, and dependencies. Designed to be imported directly into Jira, Asana, or your own backlog tool.
CSV / XLSX
iv.
Executive Readout
A 90-minute session walking executive stakeholders through findings, priorities, and recommended next steps. Recorded if requested, with a written follow-up summary.
90 min · Live or remote

All six domains.

01 Govern: Authority & Accountability
02 Discover: Visibility & Inventory
03 Protect: Boundaries & Provenance
04 Secure: Architecture & Identity
05 Detect: Telemetry & Reaction
06 Assure: Testing & Evidence

What buyers ask.

How is this different from a standard cyber audit?
A traditional cyber audit measures you against IT general controls (ISO 27001, SOC 2, etc.). The Readiness Assessment is purpose-built for AI: it measures you against AI-specific frameworks (NIST AI RMF, ISO/IEC 42001) and AI-specific failure modes (prompt injection, RAG data leakage, model supply-chain compromise). Most clients run both; they answer different questions.
Do you need access to our production systems?
Read-only telemetry access is typically sufficient — CASB logs, SaaS audit logs, identity provider exports, network egress data. We do not need administrative credentials, and we do not write to any production system. Where deeper inspection is helpful, it is always opt-in and accompanied by a written scope agreement.
Can the assessment be run remotely?
Yes. Most engagements run fully remote, with stakeholder interviews via secure video and document exchange via your preferred secure channel. On-site presence for the executive readout is available where it adds value, particularly for board-level engagements.
How is the work scoped if our AI footprint is unknown?
Scope is defined by the assessment itself — the discovery phase produces the inventory you may not yet have. The engagement includes time for shadow AI discovery, so unknowns at the start are expected and accommodated.
What happens after the readout?
Most clients follow the assessment with a focused Architecture Review on the highest-risk system uncovered (Service 02). There is no obligation to continue — the assessment stands on its own.
Is this aligned with the EU AI Act?
Yes. EU AI Act applicability and exposure assessment is a core part of the Govern and Assure domains. Where in-scope AI systems trigger high-risk classification under the Act, the report flags the obligations and indicative timelines.
What does it cost?
Pricing is fixed-fee, scoped during a 30-minute discovery call. The fee depends on the size of the in-scope estate, the number of stakeholder interviews, and the breadth of AI tooling already in use. Indicative range available on request.
Begin a Conversation

A 30-minute
scoping call.

The fastest way to know whether the Readiness Assessment is the right next step is to talk. No pitch, no proposal until both sides agree the engagement is right.