AI Readiness Checklist: What Your Score Is Really Telling You
Posted: May 21, 2026 to Cybersecurity.
The leadership team at a 38-person professional services firm here in Raleigh sat down last month with one item on the agenda: "AI strategy." The CEO had been told twice that quarter that competitors were "deploying AI." A board member had forwarded a Microsoft Copilot pitch. The COO had been pricing out a customer-support chatbot. The decision felt overdue.
The first hour was excitement. Use cases on the whiteboard, vendors named, timelines proposed. The second hour was the readiness checklist. By the third hour, the room had gone quiet. Their composite came in at 22 out of 160. They had no acceptable use policy, no data classification scheme, and three of their senior staff had already pasted client data into a public AI tool to "test something." The chatbot was still on the whiteboard, but it had a new note next to it: not yet.
That meeting is the reason this article exists. Every owner asking "should we do AI?" is asking the wrong question. The right question is "what is our readiness score, and what does it tell us to do next?" Because the score is not a vanity metric. It is a strategic instrument.
Why a readiness score exists at all
You score readiness for the same reason a contractor inspects a foundation before pouring concrete. The cost of fixing a weak foundation after the slab is poured is dramatically higher than the cost of fixing it before. AI is the slab. Identity, data classification, policy, network hygiene, and governance are the foundation. Pour AI onto a weak foundation, and the cracks will run through every dimension of your business: data leakage, compliance findings, vendor lock-in, employee misuse, reputational damage if it goes public.
The Petronella AI Readiness Checklist scores eight dimensions, ten items each, eighty items total. Each item gets a 0 (not started), 1 (in progress), or 2 (production-ready). The composite is out of 160. The interpretation is intentionally blunt: 120 and up, ready to deploy. 60 to 119, ready to pilot only in a sandbox. Under 60, not ready - start with governance.
The score is not the point. The conversation it forces is the point.
What a score under 60 is really telling you
An under-60 score means the foundation is not there yet. Common pattern: no written acceptable use policy, no managed identity provider with MFA on everyone, no data classification scheme, no documented data-flow map for the top business processes, no vendor risk assessment process that even contemplates AI vendors.
None of that is unusual for a fast-growing SMB. It is almost the default. But it does mean that buying a SaaS AI tool right now will not accelerate your business. It will accelerate the leak. Employees will paste client data into ChatGPT because there is no policy telling them not to. Sensitive documents will end up in a Copilot index because there is no classification scheme to gate them. A regulator or insurance carrier will eventually ask the data-flow question, and the honest answer will be "we do not know."
The right next move at this score is not an AI deployment. It is a 30-day Foundation engagement: write the AUP, stand up MFA across the company, build a one-page data classification, and produce a written stance on which classifications may go to public AI and which must stay in-house. Then re-score. Most clients who do this work see their composite jump by 40 to 60 points in the first quarter, simply by writing down what they meant to do all along.
What a score between 60 and 119 is really telling you
This is the most common landing zone. It means you have some foundation in place - usually MFA, an EDR, basic email hygiene, maybe an AUP that has not been updated in two years - but the AI-specific work has not been done. The vendor risk assessment does not yet ask about training-data terms. The incident response plan does not yet mention AI-driven incidents. The risk register has cyber but not AI. The data-flow map exists for core systems but not for the AI tools employees are already using on the side.
At this score, you are ready to pilot - but only in a sandbox, with non-sensitive data, and with stop conditions written down before you start. A pilot is a learning vehicle, not a production deployment. The goal of the pilot is to learn which controls you are missing, not to ship to customers. A common mistake: treating a 90-day pilot as a 90-day vendor evaluation. The pilot is about you, not about the vendor. The output of the pilot is a more honest score in 90 days.
Close the gaps below 60 in the lowest two dimensions first. For most regulated SMBs that is Dimension 4 (policy and governance) and Dimension 7 (compliance). Both are policy-heavy and relatively cheap to close - they need written artifacts, not new hardware.
What a score of 120 or higher is really telling you
If you scored 120 or higher honestly, you have done the foundational work. You probably did not realize how much of it was AI-readiness work at the time. CMMC compliance work, HIPAA gap remediation, GLBA Safeguards Rule implementation - all of it translates almost directly into AI readiness. The data classification you built for HIPAA becomes the basis for the data classification you use to gate AI tools. The vendor risk assessment you built for GLBA becomes the basis for the AI vendor evaluation.
At this score, the risk is no longer "are we ready?" It is "are we moving too slowly?" Competitors at your readiness level are deploying. The right next move is to ship your highest-ROI use case from Dimension 5 of the checklist, measure against a pre-pilot baseline, and re-score in 90 days. You are also the population most likely to benefit from a Path 2 (private, in-house) AI evaluation - because the use cases that score 120+ readiness usually involve regulated or proprietary data that would be uncomfortable in someone else's cloud.
The Path 1 vs Path 2 framing that almost every owner misses
Every AI question sorts into one of two paths. Path 1 is public cloud AI - ChatGPT, Microsoft Copilot, Google Gemini. Convenient, fast, low upfront cost. Your data crosses the public internet and lands in someone else's logs. Path 2 is private, in-house AI - a model running on your network, on your data, under your governance. Petronella designs and operates Path 2 deployments for clients who have something to protect.
Most readiness conversations only score against Path 1. That is a strategic mistake. Many use cases that look attractive on Path 1 are contractually or legally off the table for regulated SMBs. A CMMC Level 2 contractor cannot put Controlled Unclassified Information into a public AI prompt. A HIPAA-covered entity cannot let Protected Health Information cross into a vendor without a signed Business Associate Agreement and a data-flow map. A law firm cannot put privileged client material into a tool whose training-data terms are vague.
The Path 2 question - "could we run this in-house?" - changes the readiness conversation entirely. Path 2 has different infrastructure requirements (GPU capacity, model hosting), different vendor dynamics (smaller specialist vendors, open-weight models), and different compliance posture (data never leaves your network, which is dramatically simpler to defend in an audit). The checklist treats both paths as live options on every dimension. Score yourself against both.
The bias every owner has when they score themselves
Founders grade themselves too high. It is structural, not personal. Founders know the intent. They remember the meeting where the policy was discussed. They know the team was about to write it down. An outside reviewer - a vCISO, a CMMC-RP-credentialed practitioner, outside counsel - scores with the document, not with the conversation. And the document is usually thinner than the founder remembers.
The fix is simple and uncomfortable. Score the checklist twice. Once alone, before any conversation. Once as a leadership group. The disagreements between the two scores are where the real readiness lives. A 1-vs-2 disagreement on an item usually means the policy exists but the implementation does not. Capture those disagreements in the meeting notes. They become your action items for the next 90 days.
Better: score it a third time with an independent vCISO who has done this assessment dozens of times for businesses your size. The independent score is almost always lower than the leadership score, and the gap is where you find the easiest wins.
Where Petronella fits in this picture
We are not selling you an AI tool. We are selling you the readiness, the governance, and where appropriate the Path 2 deployment that lets you deploy AI without the leaks. Blake Rea, CMMC-RP, leads our vCISO practice. He has run the readiness assessment for North Carolina businesses across financial services, healthcare, professional services, and DoD supply chain. Craig Petronella, CMMC-RP, NC Licensed Digital Forensic Examiner #604180, founded the firm in 2002 and is the founder-level executive on every CMMC engagement.
Petronella is Registered Practitioner Organization (RPO) #1449. We have 4 CMMC-RP credentialed experts on staff: Craig, Blake, Justin Summers, and Jonathan Wood. We have been securing North Carolina businesses for 24 years. The work compounds.
Get the printable checklist. Pin it above your monitor. Score it twice. Bring it to your next leadership meeting. When you are ready for an independent second opinion, call Penny.
Download the AI Readiness Checklist
What to do this week
Three concrete moves, regardless of where you score.
This week: Score the checklist yourself, alone, in 30 minutes. Honestly. Write the number down.
Next week: Run the same exercise with your leadership team. Compare scores. Note the disagreements.
The week after: Pick the lowest-scoring dimension and the three items inside it that would yield the biggest jump for the least cost. Assign each item to a named owner with a 30-day deadline.
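The three-week exercise above, together with the scoring scheme (eight dimensions, ten items each, 0/1/2 per item, composite out of 160, bands at 60 and 120) and the "score it twice and capture the disagreements" advice, as an added worked example. This is not Petronella's checklist tooling; the item scores are constructed, and the rule for picking action items (most headroom first, since the sheet carries no cost data) is an assumption this example makes for itself.

```python
"""Scoring helper for the eight-dimension readiness checklist.

Added example, not the checklist's own tooling. All sample scores below are
constructed; only the scoring scheme (8 dimensions x 10 items, each 0/1/2,
composite out of 160, bands at 60 and 120) comes from the article.
"""
import copy
from typing import Dict, List, Tuple

DIMENSIONS = 8
ITEMS_PER_DIMENSION = 10
MAX_ITEM = 2
MAX_COMPOSITE = DIMENSIONS * ITEMS_PER_DIMENSION * MAX_ITEM  # 160

Scores = List[List[int]]  # 8 rows (dimensions) of 10 item scores


def validate(scores: Scores) -> None:
    """Reject a sheet that is not 8 x 10 with every item in {0, 1, 2}."""
    if len(scores) != DIMENSIONS:
        raise ValueError(f"expected {DIMENSIONS} dimensions, got {len(scores)}")
    for d, row in enumerate(scores, start=1):
        if len(row) != ITEMS_PER_DIMENSION:
            raise ValueError(f"dimension {d}: expected {ITEMS_PER_DIMENSION} items")
        if any(s not in (0, 1, 2) for s in row):
            raise ValueError(f"dimension {d}: item scores must be 0, 1 or 2")


def dimension_totals(scores: Scores) -> List[int]:
    validate(scores)
    return [sum(row) for row in scores]


def composite(scores: Scores) -> int:
    return sum(dimension_totals(scores))


def band(total: int) -> str:
    """The article's three interpretation bands."""
    if total >= 120:
        return "ready to deploy"
    if total >= 60:
        return "pilot in a sandbox only"
    return "not ready - start with governance"


def lowest_dimensions(scores: Scores, n: int = 2) -> List[Tuple[int, int]]:
    """(dimension number, total) for the n weakest dimensions, weakest first.
    Ties break on dimension number so the result is deterministic."""
    totals = dimension_totals(scores)
    ranked = sorted(enumerate(totals, start=1), key=lambda t: (t[1], t[0]))
    return ranked[:n]


def disagreements(first: Scores, second: Scores) -> List[Dict[str, object]]:
    """Items where two scoring passes differ. A 1-vs-2 split is flagged the
    way the article reads it: the policy exists, the implementation does not."""
    validate(first)
    validate(second)
    out = []
    for d in range(DIMENSIONS):
        for i in range(ITEMS_PER_DIMENSION):
            a, b = first[d][i], second[d][i]
            if a != b:
                out.append({
                    "dimension": d + 1,
                    "item": i + 1,
                    "scores": (a, b),
                    "policy_without_implementation": {a, b} == {1, 2},
                })
    return out


def action_items(scores: Scores, n: int = 3) -> List[Tuple[int, int, int]]:
    """(dimension, item, headroom) for the n items in the weakest dimension
    with the most points still available. The article weighs cost as well;
    with no cost data on the sheet this uses headroom only (an assumption)."""
    dim, _ = lowest_dimensions(scores, n=1)[0]
    row = scores[dim - 1]
    candidates = [(dim, i + 1, MAX_ITEM - s) for i, s in enumerate(row) if s < MAX_ITEM]
    candidates.sort(key=lambda c: (-c[2], c[1]))
    return candidates[:n]


# Constructed sample: a founder's solo 30-minute pass ...
SELF_SCORES: Scores = [
    [2, 2, 2, 1, 1, 1, 1, 0, 0, 2],  # dimension 1 (12)
    [2, 2, 1, 1, 1, 1, 1, 1, 1, 1],  # dimension 2 (12)
    [2, 2, 2, 2, 1, 1, 1, 1, 0, 0],  # dimension 3 (12)
    [1, 0, 0, 0, 1, 0, 0, 0, 0, 1],  # dimension 4, policy and governance (3)
    [2, 1, 1, 1, 2, 1, 1, 1, 1, 1],  # dimension 5 (12)
    [2, 2, 2, 2, 2, 2, 1, 1, 0, 0],  # dimension 6 (14)
    [1, 1, 1, 0, 0, 0, 0, 0, 1, 1],  # dimension 7, compliance (5)
    [2, 2, 2, 1, 1, 1, 1, 1, 1, 1],  # dimension 8 (13)
]

# ... and the leadership group's pass a week later, differing on three items.
LEADERSHIP_SCORES: Scores = copy.deepcopy(SELF_SCORES)
LEADERSHIP_SCORES[0][3] = 2  # dimension 1, item 4: 1 -> 2
LEADERSHIP_SCORES[3][0] = 2  # dimension 4, item 1: 1 -> 2
LEADERSHIP_SCORES[6][0] = 0  # dimension 7, item 1: 1 -> 0


def report(first: Scores, second: Scores) -> Dict[str, object]:
    """Everything the article says to write down after the second pass."""
    return {
        "composite_solo": composite(first),
        "composite_group": composite(second),
        "band_solo": band(composite(first)),
        "lowest_dimensions": lowest_dimensions(first),
        "disagreements": disagreements(first, second),
        "action_items": action_items(first),
    }


if __name__ == "__main__":
    for key, value in report(SELF_SCORES, LEADERSHIP_SCORES).items():
        print(f"{key}: {value}")
```

With the constructed sheet the solo composite lands at 83 (sandbox-pilot band), the two weakest dimensions are 4 and 7 as the article predicts for a regulated SMB, and two of the three disagreements are 1-vs-2 splits, which is the signal to look for a policy that was written but never implemented.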
That is it. You do not need a six-month transformation program. You need a quarterly cadence of scoring, gap closure, and re-scoring. The compound effect over 12 months is the difference between an organization that is ready for the next wave of AI and one that is buying tools to compensate for a foundation it never built.
If you want a second pair of eyes on your score, Penny will book you a 15-minute scoping call with one of our CMMC-RP experts. (919) 348-4912.
"Doing nothing on AI feels like falling behind. Doing the wrong thing on AI feels worse, looks worse on the front page, and costs ten times as much to clean up. The checklist is what you do in between."
About the author
Craig Petronella is the founder of Petronella Technology Group, Inc., a Raleigh NC cybersecurity firm serving North Carolina businesses since 2002. He is CMMC-RP credentialed and leads a 4-person CMMC-RP team operating as Registered Practitioner Organization #1449.