Free readiness check
The AI Readiness Check
Twenty-four questions before your first production AI workload, following the six steps of Microsoft’s Cloud Adoption Framework, with the EU AI Act obligation that applies added at each step. Work through it use case by use case, since both the Framework and the Act classify at that level, not at the level of the platform as a whole.
- Strategy and plan: use cases classified against Article 5 and Annex III, not just identified, so a prohibited or high-risk use case is caught before the build, not after the pilot.
- Platform and governance: Article 12 logging, a full AI inventory, Annex IV documentation as an engineering deliverable with a named owner, not a policy document nobody updates after go-live.
- Security: prompt injection, data poisoning, and model theft in the threat model, the three attack paths a standard security review does not test for.
- Operations: cost per use case, human oversight under Article 14, and post-market monitoring, the running cost of AI once the novelty wears off.
Common questions
We haven't chosen a use case yet. Can we still run this?
Run it against the use case you are closest to committing to, even if it's not signed off. The Cloud Adoption Framework steps and the EU AI Act obligations both classify at the use-case level, so a generic answer for 'AI in general' does not produce a usable score.
Does a good score mean we're ready to go to production?
It means the six Cloud Adoption Framework steps are covered for that specific use case. A strategy step marked done for a use case that turns out to be Annex III high-risk still needs the classification worked through before anyone calls it production-ready.
How is this different from the EU AI Act Quick-Check?
The Quick-Check classifies a use case's risk tier. This readiness check assumes you already know the tier and asks the platform question underneath it: logging, security, human oversight, and cost, the operational work that classification alone doesn't cover.
What happens if we fail the security section?
Prompt injection, data poisoning, and model theft are the three gaps a standard security review misses, and they are usually fixable before launch, not after. The AI Use-Case Build folds the fix into the same engagement rather than treating it as a separate project.