Readiness assessments

Score your organization across every domain of a recognized compliance framework. Each response feeds the auditor export pack alongside the rest of your compliance evidence.

AI Governance Readiness Assessment
v1.0 · 80 questions

Aligned to NIST AI RMF + ISO/IEC 42001 + OECD AI Principles. Ten domains, four-tier maturity model.

Domains covered
  • Executive mandate + leadership alignment
  • Organizational structure + accountability
  • Responsible AI + ethics
  • Risk management + compliance
  • Operational guardrails + employee enablement
  • Evaluation, monitoring + auditing
  • AI lifecycle governance
  • Third-party + supply chain governance
  • Responsible AI framework + guidance
  • Continuous improvement + adaptation

SOC 2 Readiness Assessment
v2.0 · 329 questions

AICPA Trust Services Criteria. Nine common-criteria domains (CC1-CC9) plus the supplemental criteria for Availability, Confidentiality, Processing Integrity, and Privacy.

Domains covered
  • Control Environment (CC1)
  • Information + Communication (CC2)
  • Risk Assessment (CC3)
  • Monitoring Activities (CC4)
  • Control Activities (CC5)
  • Logical + Physical Access (CC6)
  • System Operations (CC7)
  • Change Management (CC8)
  • Risk Mitigation (CC9)
  • Availability (A1), Confidentiality (C1), Processing Integrity (PI1), Privacy (P1)

How scoring works

Every question carries a weight (1-3). Operators respond on a five-tier maturity scale:

| Score | Band | Characteristic |
|-------|------|----------------|
| 1 | Foundational | Ad-hoc or reactive; no formal process. |
| 2 | Emerging | Some structure forming, applied inconsistently. |
| 3 | Established | Documented, repeatable, consistently followed. |
| 4 | Advanced | Measured, automated where appropriate, monitored. |
| 5 | Optimized | Continuously improved, benchmarked, predictive. |

Domain maturity = weighted average of answered questions in that domain. Overall maturity = mean of domain maturities. Unanswered questions are excluded, so a partial assessment still produces a useful score.
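The scoring rule above, worked through as an added example (not the product's own code). The domain labels and responses are constructed, and leaving a domain with no answered questions out of the overall mean is an assumption the page does not state.

```python
from collections import defaultdict

# Constructed sample: (domain, question weight 1-3, response 1-5 or None if unanswered)
SAMPLE = [
    ("CC6", 3, 4), ("CC6", 2, None), ("CC6", 1, 2),
    ("CC7", 2, 3), ("CC7", 1, 5),
    ("CC8", 3, None),  # nothing answered in this domain yet
]

def domain_maturity(responses):
    """Weighted average of the answered questions in each domain."""
    sums = defaultdict(lambda: [0, 0])  # domain -> [sum(weight*score), sum(weight)]
    for domain, weight, score in responses:
        if weight not in (1, 2, 3):
            raise ValueError(f"weight out of range: {weight!r}")
        if score is None:
            continue  # unanswered: left out of numerator and denominator
        if score not in (1, 2, 3, 4, 5):
            raise ValueError(f"score out of range: {score!r}")
        sums[domain][0] += weight * score
        sums[domain][1] += weight
    # Assumption: a domain with no answered questions gets no score at all.
    return {d: ws / w for d, (ws, w) in sums.items()}

def overall_maturity(domain_scores):
    """Unweighted mean of domain maturities; None if no domain has answers."""
    if not domain_scores:
        return None
    return sum(domain_scores.values()) / len(domain_scores)

def pooled_average(responses):
    """For contrast only: one weighted average over all answered questions."""
    answered = [(w, s) for _, w, s in responses if s is not None]
    if not answered:
        return None
    return sum(w * s for w, s in answered) / sum(w for w, _ in answered)

if __name__ == "__main__":
    per_domain = domain_maturity(SAMPLE)
    for name, value in sorted(per_domain.items()):
        print(f"{name}: {value:.2f}")
    print(f"overall (mean of domains): {overall_maturity(per_domain):.3f}")
    print(f"pooled (not the page's method): {pooled_average(SAMPLE):.3f}")
```

On this sample the mean of domain maturities (3.583) differs from the pooled figure (3.571), because each scored domain counts equally however many questions it holds.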

In the auditor pack

Assessment responses + per-domain scores + the recommended next step for the current band of every domain are bundled into the envelope.json and the printable HTML report at /api/auditor-export/bundle?days=N. Auditors see the maturity snapshot at the top of the report, before the agent registry and control mappings.