Readiness assessments
Score your organization across every domain of a recognized compliance framework. Each response feeds the auditor export pack alongside the rest of your compliance evidence.
Aligned to NIST AI RMF + ISO/IEC 42001 + OECD AI Principles. Ten domains, four-tier maturity model.
- Executive mandate + leadership alignment
- Organizational structure + accountability
- Responsible AI + ethics
- Risk management + compliance
- Operational guardrails + employee enablement
- Evaluation, monitoring + auditing
- AI lifecycle governance
- Third-party + supply chain governance
- Responsible AI framework + guidance
- Continuous improvement + adaptation
AICPA Trust Services Criteria. Nine common-criteria domains (CC1-CC9) plus the supplemental criteria for Availability, Confidentiality, Processing Integrity, and Privacy.
- Control Environment (CC1)
- Information + Communication (CC2)
- Risk Assessment (CC3)
- Monitoring Activities (CC4)
- Control Activities (CC5)
- Logical + Physical Access (CC6)
- System Operations (CC7)
- Change Management (CC8)
- Risk Mitigation (CC9)
- Availability (A1), Confidentiality (C1), Processing Integrity (PI1), Privacy (P1)
How scoring works
Every question carries a weight (1-3). Operators respond on a five-tier maturity scale:
| Score | Band | Characteristic |
|---|---|---|
| 1 | Foundational | Ad-hoc or reactive; no formal process. |
| 2 | Emerging | Some structure forming, applied inconsistently. |
| 3 | Established | Documented, repeatable, consistently followed. |
| 4 | Advanced | Measured, automated where appropriate, monitored. |
| 5 | Optimized | Continuously improved, benchmarked, predictive. |
Domain maturity = weighted average of answered questions in that domain. Overall maturity = mean of domain maturities. Unanswered questions are excluded, so a partial assessment still produces a useful score.
In the auditor pack
Assessment responses + per-domain scores + the recommended next step for the current band of every domain are bundled into the envelope.json and the printable HTML report at /api/auditor-export/bundle?days=N. Auditors see the maturity snapshot at the top of the report, before the agent registry and control mappings.