AI Readiness Checklist · Free download

Before you deploy AI, score where you actually stand.

An 8-dimension, 80-item self-assessment for the SMB owner deciding whether to deploy, pilot, or fix the foundation first. The same checklist our vCISOs walk through with clients before any AI engagement begins.

24 years securing North Carolina businesses · 4 CMMC-RP credentialed experts · RPO #1449
Why this exists

You walked out of a leadership meeting with a directive. "We should do AI."

Maybe a board member saw a competitor's press release. Maybe your largest client mentioned a Copilot rollout. Maybe a vendor pitched you a chatbot and the demo was very good. Whatever the trigger, the decision feels urgent. Doing nothing feels like falling behind.

The vendor's deck was confident. The dashboard mockups looked great. The pricing was almost affordable. The objection you could not answer was simple: what data does this tool actually need to see, and where does that data go?

That is the question this checklist is built around. Not "should we do AI?" — the market already decided that. The real questions are: are we ready, where would we start, what could go wrong, and should we use someone else's cloud or build our own?
The frame your vendor will not give you

Path 1 versus Path 2.

Every AI question your business will face sorts cleanly into one of two paths.

Path 1 — Public cloud AI

ChatGPT, Microsoft Copilot, Google Gemini, public Claude, and hundreds of SaaS products built on top of those. The model lives on someone else's infrastructure. Your prompts and data travel across the public internet, land in someone else's logs, and on consumer plans may end up in someone else's training set. The convenience is real. So is the risk.

Path 2 — Private, in-house AI

A model running on your network or in a tenant you control, on your data, under your governance. Chatbots that read your client files without leaking them. Document assistants that draft proposals from your own template library. Voice agents that handle inbound calls. Retrieval-augmented generation (RAG) pipelines that answer questions from your knowledge base without exposing it. Petronella designs and operates Path 2 deployments for clients with sensitive data, compliance obligations, or competitive intelligence to protect.

The mistake we see at almost every readiness call is the same: leadership has been pitched only Path 1, scored their readiness only against Path 1, and not realized that for half their candidate use cases Path 1 is contractually or legally off the table.
Inside the checklist

Eight dimensions. Ten items each. Composite out of 160.

01 Data readiness

Whether you understand what data you have, how it flows, and which classes can safely touch AI.

02 Infrastructure readiness

Identity, endpoint, network, and logging hygiene. AI sits on this foundation. Weak foundation, leaky AI.

03 People readiness

AUP, training, AI champions in each department, and an escalation channel for "I think I just leaked something."

04 Policy & governance

Written AUP, AI-aware incident response, AI in the risk register, vendor risk assessment that covers AI, board visibility.

05 Use-case readiness

A ranked shortlist of candidate use cases, a quick win identified, success metrics defined, stop conditions written.

06 Vendor & build readiness

A build-vs-buy framework, data-flow maps for every vendor, exit plans, total cost over three years.

07 Compliance readiness

CMMC, HIPAA, GLBA, FERPA, PCI, state privacy laws, EU AI Act, DoD-specific restrictions. AI is not exempt.

08 Security readiness

Threat model that includes prompt injection, model extraction, training-data poisoning. Logging that captures AI usage.

The three readiness postures

Ready to deploy (120+). You have the governance, identity, and data hygiene to put generative AI into a production workload. Ship your highest-ROI use case from Dimension 5, measured against a pre-pilot baseline.

Ready to pilot (60-119). Run controlled experiments in a sandbox with non-sensitive data. Do not put regulated data into any AI tool until you close gaps below 60 — especially in Dimensions 4 (governance) and 7 (compliance). Most SMBs land here on first scoring.

Not ready (under 60). Do not deploy AI yet. Start with the foundation: AUP, MFA, identity provider, data classification, an incident response plan that mentions AI by name. The cleanup of bolting AI onto a fragile stack is always more expensive than doing it right the first time.

Who this is for

Anyone who has to answer "are we ready?" with a number, not an instinct.

01 SMB owners after a "we should do AI" board meeting

You want a document that turns the directive into a defensible plan — or shows the board why the timeline is wrong.

02 IT directors at NC defense contractors

CMMC L2 is binding. Any AI tool that touches CUI is in scope. The checklist maps your AI posture to your SSP and scope diagram.

03 Triangle healthcare practices & their MSPs

PHI to public AI without a BAA is impermissible disclosure. The compliance dimension tells you exactly where you stand.

04 vCISOs & outside compliance counsel

You need a structured artifact to walk leadership through. Score it together; the disagreements are the value.

05 Board members preparing to approve AI investment

Founders score themselves high. Outside reviewers score with the document, not the intent. Use this to test management's posture.

Behind this checklist

The same readiness conversation we run with NC businesses every week.

Petronella Technology Group, Inc.

Cybersecurity, compliance, and private in-house AI — under one roof, in Raleigh, since 2002.

Our compliance practice is led by four CMMC-RP credentialed staff: Craig Petronella (founder), Blake Rea (vCISO lead), Justin Summers, and Jonathan Wood. Our AI practice designs and operates private, in-house AI for the same client base. The readiness checklist is what we walk through before any AI engagement begins — whether you ultimately deploy Path 1, Path 2, or both.

24 years securing North Carolina businesses since 2002
4 CMMC-RP credentialed experts on staff
#1449 Registered Practitioner Organization in the CMMC Cyber AB marketplace

Deeper questions, briefly

The conversations that come up when leadership reads the score together.

Why a checklist beats a vendor pitch deck

A vendor's pitch deck is built to convince you to buy their product. It will be optimistic about integration time, conservative about training-data terms, vague about sub-processors, silent about renewal. None of that is malicious — it is the genre.

A checklist works differently. It is built to slow you down at exactly the moments where vendor enthusiasm wants to speed you up. It puts the data-flow question on paper before the contract gets signed. It defines what "ready" actually means.

For regulated SMBs, the paper trail is not optional. CMMC assessors will ask. Cyber insurance carriers will ask. Counsel will ask after the breach.

How CMMC L2, HIPAA, and GLBA reshape readiness

If you are regulated, AI does not get a carve-out. The same controls apply.

CMMC L2. Any AI tool that touches CUI is in scope. Prompts, document uploads, RAG indexes — all need to be accounted for in your System Security Plan, scope diagram, and audit logging. Petronella's 4 CMMC-RP-credentialed practitioners have done this work.

HIPAA. Any AI vendor that may touch PHI needs a signed BAA before a single byte crosses. Consumer plans of major AI tools do not sign BAAs. Some enterprise plans do, with negotiated terms.

GLBA. The 2023 FTC Safeguards Rule amendments are explicit. Continuous monitoring, written incident response, vendor risk assessment — all apply to AI workloads.

State privacy laws. NC IDTPA, California CCPA, plus Texas, Virginia, Colorado, Connecticut. Several states are passing AI-specific statutes in 2026.

The role of a vCISO in scoring honestly

Founders grade themselves too high. Not a character flaw — it is structural. Founders know the intent. They know what the team was trying to do. They remember the conversation in which the policy was discussed. An outside reviewer scores with the document, not the conversation — and the document is usually thinner than the founder remembers.

A virtual CISO is the bridge. They do the scoring at arm's length, they know what a regulator or assessor counts as "evidence" rather than "intent," and they have walked enough engagements to know which gaps are quick wins and which require structural change.

Petronella offers vCISO engagements in two flavors: Light tier (monthly office hours) and Standard tier (organizations actively closing gaps). Blake Rea, CMMC-RP, leads the practice. He does not soft-pedal the score.

Build versus buy — what "buy" really costs

The vendor demo is always the cheap version. The total cost over three years is what matters.

Year one has the smallest number: license, basic integration, a sliver of change management. Year two adds expansion (more seats, more workloads, more sub-processors). Year three adds renewal pricing, which is rarely what you signed at year one. Soft costs — the consultant, the team's adoption time, the lawyer reviewing the contract — push the three-year number to 2.5x the one-year sticker.

Then there is the exit cost. What happens if the vendor pivots, gets acquired by a competitor, raises prices 3x, or discontinues the product? Can you extract your prompts, fine-tuning data, and outputs in a usable format? For many AI vendors the honest answer is "no, and we hope you do not ask."

Path 2 (in-house) has a different cost profile. Higher upfront capital. Lower ongoing operating cost per token. Much lower exit cost — the model and data sit on infrastructure you control. We have built Path 2 deployments whose three-year total is below the comparable Path 1 SaaS, with data that never leaves the network.

Where Penny, Petronella XDR, ComplianceArmor, and our vCISO fit

We are not selling you a single AI tool. We design and operate the full readiness, deployment, and governance lifecycle.

Penny is our AI scheduler — the proof that a private AI voice agent can handle real client traffic, because she handles ours.

Petronella XDR captures and analyzes egress patterns. As you deploy AI, we detect when an employee has uploaded sensitive data to a public service, or when a Path 2 deployment is exhibiting anomalous behavior.

ComplianceArmor manages your compliance documentation across CMMC, HIPAA, NIST CSF. As AI introduces new control mappings (logging, vendor risk, incident response), ComplianceArmor tracks the evidence.

The vCISO is the human bridge. Blake Rea leads it. The team is small, the engagements are senior, and the reports are written for executives, not engineers.

What "ready to deploy" actually looks like

A client who scores 130 usually has this profile: documented AUP signed by everyone, MFA on all employees, identity provider with conditional access, EDR on every endpoint, network segmentation separating regulated and unregulated workloads, written data classification, current data-flow map for top business processes, a vendor risk process that covers AI vendors, a CMMC or HIPAA scope diagram showing where AI tools sit, and at least one quarter of operating experience with a sandboxed AI pilot.

That profile is not magical — it is the result of 12 to 24 months of foundational work done before the AI conversation became urgent. The clients who land in this profile usually started with cyber maturity (CMMC, HIPAA, GLBA readiness) and discovered that maturity translated cleanly into AI readiness. The work compounds.

After you score

Three concrete moves once you have your composite.

  1. Share it. Walk the leadership team through it. Score the items together. Disagreement on a 1 vs a 2 is information — it usually means the policy exists but the implementation does not.
  2. Pick one dimension to close. Do not try to close all eight in one quarter. Take the lowest-scoring dimension; pick the three items inside it that would yield the biggest jump for the least cost. Usually policy items (Dimensions 3, 4, 5) before infrastructure items (1, 2, 8).
  3. Re-score in 90 days. Readiness is not a one-time event. Run the exercise again. Track the trend. If you are not moving up, something in your process is broken.

When you are ready to put a second pair of eyes on the score, book a 15-minute readiness consult with one of our CMMC-RP experts. We will walk through your composite, flag the biggest two leverage points, and tell you whether your next move is a Foundation engagement, a Pilot sprint, or a Path 2 build.

Frequently asked

The questions owners ask before they download.

What is an AI readiness checklist?

A structured self-assessment that an SMB owner or executive uses to determine whether the organization has the data, infrastructure, people, policy, and security foundation to deploy generative AI safely. The Petronella version scores 80 items across 8 dimensions and produces a composite out of 160, with a clear interpretation: ready to deploy, ready to pilot, or not ready — start with governance.

Who should use this checklist?

Owners, COOs, IT directors, CTOs, compliance officers at SMBs considering AI adoption. Especially useful for regulated SMBs (CMMC contractors, HIPAA-covered entities, GLBA-covered financial services, FERPA-covered education vendors). Also used by board members and outside counsel to test management's posture before approving AI investment.

How long does it take to complete?

A single executive can score it honestly in about 30 minutes. A leadership team going through it together typically takes 60 to 90 minutes — the disagreements during scoring are where most of the value is. Score it twice: once before any conversation, and once again as a group, then compare.

My score is under 60. Should I just buy a SaaS AI tool to get started?

No. A score under 60 means you do not yet have the governance, identity, or data hygiene to deploy AI safely — on Path 1 or Path 2. Buying a SaaS AI tool first will not fix that. It will accelerate the leak. The right move is a 30-day Foundation engagement to stand up an AUP, an identity provider with MFA, and a data classification map. From there, deploy with confidence rather than hope.

What is the difference between Path 1 and Path 2 AI?

Path 1 is public cloud AI: ChatGPT, Microsoft Copilot, Google Gemini, public Claude. Your data travels to someone else's infrastructure, lands in their logs, and on consumer plans may end up in training data. Path 2 is private, in-house AI: a model running on your network or in a tenant you control, on your data, under your governance. The checklist treats both paths as live options on every dimension.

How does CMMC Level 2 affect AI readiness?

Any AI tool that touches Controlled Unclassified Information is in CMMC L2 scope. That means prompts, document uploads, and data fed to retrieval pipelines all need to be accounted for in your System Security Plan, scope diagram, and audit logging. As Registered Practitioner Organization #1449 with 4 CMMC-RP credentialed experts on staff, Petronella maps your AI posture to your CMMC scope as part of every readiness engagement.

Can I use ChatGPT or Copilot if I am HIPAA-covered?

Only if you have a current Business Associate Agreement with the vendor and the specific plan you are using is covered by it. Consumer plans of public AI tools do not sign BAAs. Microsoft, OpenAI, Google offer enterprise plans with BAA coverage on specific tiers — read the contract, do not assume. Even with a BAA, you need a data-flow map showing which PHI fields the tool actually sees and how long they are retained.

How much does it cost to engage Petronella for AI readiness?

From $4,500 for a 30-day Readiness Foundation engagement (suitable for organizations scoring under 60). From $9,500 for a 60-day Pilot Readiness sprint (suitable for organizations scoring 60-119). Path 2 (in-house) AI deployments are scoped individually. All fixed-fee work paid 100% upfront at contract execution. Call Penny at (919) 348-4912 for a scoped quote.

How often should I re-score?

Every 90 days during active AI rollout. Annually after steady state. Whenever a major control changes (new identity provider, new EDR, new vendor, new framework, new regulation). The trend matters more than any single score.

Is this checklist a substitute for a full risk assessment?

No. It is a starting point for executive discussion and a structured input to a deeper engagement. A full risk assessment includes a control-by-control review against your specific frameworks (CMMC L2, HIPAA Security Rule, NIST CSF), an interview with each business owner, and an evidence collection exercise. The checklist is the artifact you use to walk into that engagement prepared rather than blind.