Free Resource
Sovereign AI Readiness Checklist
A 43-point audit checklist across six control domains. Evaluate your organisation's data boundary, model governance, deployment discipline, guardrails, and observability before deploying AI on sensitive workloads.
43
Checklist items
6
Control domains
Free
No signup required
~15 min
Time to complete
Checklist Domains
Six control domains every AI deployment must address
The checklist is structured around the six domains where sovereign AI deployments most commonly fail in practice. Gaps in any single domain create risk across the whole system.
Data Boundary
- All training and inference data is classified by sensitivity level
- Data residency requirements are documented per data class
- PII and regulated data is identified and access-controlled
- Data does not leave approved network boundaries during inference
- Ingestion pipelines strip or mask sensitive identifiers before embedding
- Retention and deletion policies exist for vector store content
- Access logs are maintained for all document and data access
- Third-party data sharing agreements reviewed for AI workloads
Model Selection
- Model sovereignty tier is defined (Fully Sovereign / Conditional / Not Sovereign)
- Approved model list exists and is version-controlled
- Self-hosted models are deployed on infrastructure the organization controls
- Cloud-managed models are within tenant boundary with data residency verified
- Model update and version change process is documented and approved
- Fallback model or degraded-mode behavior is defined
- Model licensing reviewed for commercial and enterprise use
Deployment Control
- AI services are deployed in isolated environments (containers, namespaces, or VMs)
- Secrets, API keys, and credentials are managed via a secrets vault
- Network egress is restricted for AI service containers
- Infrastructure-as-code exists for all AI service deployments
- CI/CD pipeline includes security scan and approval gate before AI service release
- Rollback procedure is documented and tested for AI service deployments
- Environment separation enforced: development, staging, and production are isolated
- GPU or compute resources are sized and monitored with alert thresholds
Governance & Compliance
- AI use policy is documented and approved by leadership
- Approved use cases are defined and prohibited uses are explicitly listed
- Human review process exists for AI outputs before they affect decisions
- Audit trail captures prompts, retrieved sources, responses, and user identity
- Incident response procedure exists for AI system failures or harmful outputs
- Regulatory obligations (GDPR, HIPAA, AI Act) mapped to AI system controls
- Risk assessment completed for each deployed AI use case
- Vendor and third-party AI tools reviewed against data processing agreements
- AI system inventory is maintained and reviewed quarterly
Guardrails & Validation
- Hallucination detection or source-grounding check is implemented
- Response confidence scoring or uncertainty signalling is in place
- Prompt injection and jailbreak input validation is active
- Output filtering for sensitive content categories is configured
- Evidence citations are returned with answers where retrieval is used
Observability & Cost
- Token usage is tracked per user, service, and model
- Inference latency is monitored with SLA thresholds defined
- Monthly AI cost is reported and reviewed against budget
- Retrieval quality metrics (relevance, recall) are measured for RAG workloads
- Alerts are configured for cost spikes, latency degradation, and error rates
- Evaluation runs are scheduled to detect model quality drift over time
Scoring Guide
What your score means
Each item scores one point. Total your score across all six domains to determine your readiness band.
Strong control across all domains. Focus on continuous improvement and quarterly review cycles.
Good foundations with identifiable gaps. Prioritise governance and guardrails domains.
Partial controls in place. Data boundary and deployment control should be addressed first.
Significant gaps across multiple domains. Do not deploy AI with sensitive data at this stage.
Who This Is For
Built for the people responsible for AI in production
This checklist is written for practitioners, not vendors. It asks specific operational questions, not vague maturity questions.
AI / ML Engineers
Verify your deployment architecture covers the control layers that compliance and security teams will eventually ask about.
Enterprise Architects
Map sovereign AI requirements to existing security, data, and governance frameworks before the AI team asks you to approve something.
CTOs and Tech Leads
Run this before your first production AI deployment or before an audit. Know where your gaps are before someone else finds them.
Get Started
Run the checklist now. No signup required.
Complete the interactive checklist and get your readiness score instantly.
Takes around 15 minutes. Results are calculated in your browser. Nothing is stored or sent to a server.