AI Assessments Are Everywhere

From McKinsey to BCG, from the EU to ISO, and from vendors and consulting firms worldwide, everyone has their own version of the AI Readiness Assessment. A quick search will turn up dozens of them, and they arrive in my feeds daily. Some are cursory and superficial, some granular and thoughtful. Some are a series of random questions, while others are carefully categorized into elements like strategy, data, technology, talent, governance, and culture. Some can be completed in an hour, while others require extensive preparation, discovery, and participation.

They all have flaws common to these sorts of instruments: they are self-reported, self-scored, and self-interpreted. All pollsters know that self-reported data is inherently suspect. Pollsters and researchers have a name for what happens when people assess themselves without any external calibration: they call it bias, and it’s been studied exhaustively.

All of the cognitive biases that affect people’s responses to events also show up in survey responses. Once a respondent can see how the questions map to the results and how their responses might be perceived, the instrument stops being a diagnostic and becomes a negotiation between the user and the instrument: “How can I position myself to look my best, highlight my value, or compete with the next guy…” When the scores come back, confirmation bias creeps in, urging us to accept the results we like and reject those we don’t.

I’m not suggesting self-assessments are worthless; I use them with my clients frequently. As an advisor to clients thinking through their preparedness for the AI transition, I’ll often run a facilitated session in which an assessment instrument is the foundation. When thoughtfully applied, with realistic expectations about what a self-assessment can and cannot do, they can spark a useful conversation. They have great value to me as a neutral ‘forcing function’, requiring my clients to dig deeper into the reality of their circumstances without my direct challenge, but instead through the application of a ‘standards’ instrument.

Let’s explore the options for published assessments or maturity models in the AI readiness space.

The Landscape

The most rigorous frameworks come from standards bodies. The NIST AI Risk Management Framework (AI RMF) organizes AI governance across four functions — Govern, Map, Measure, Manage — and is widely regarded as the most coherent and flexible foundation available. It’s an excellent educational and internal management tool, providing a detailed “how-to guide” that organizations can adapt to their specific context. NIST AI RMF is an example of the structured, granular, and comprehensive assessment that regulated industries and hyperscale corporations, with their complex legal and regulatory exposures, might apply.

ISO/IEC 42001 is another example of the disciplined approach taken by international standards bodies in the AI arena. Like many ISO standards, they offer certifications that attest to one’s ability to apply and interpret their assessments. Probably the most precise and strategic of the standards-based surveys, preparation for an enterprise to gain ISO 42001 certification is a multi-month commitment, not a self-assessment you run in a conference room. The payoff is high credibility in the enterprise’s AI safety and integrity.

McKinsey, Deloitte, and BCG each publish maturity models and readiness frameworks, typically built around six dimensions: 

• Strategy
• Data
• Technology
• Talent
• Governance 
• Culture

These instruments are often well-constructed and genuinely informative. Designed at enterprise scale, targeted towards the potential clients of these consulting giants, they are marketing tools as much as they are survey instruments, calibrated to prepare potential clients for the next engagement. A regional retailer, mid-market professional services firm, or specialized financial advisory practice will frequently find that the questions don’t map to their operational reality and that the scores that they derive don’t carry much useful information for their circumstances.

What Self-Assessment Can Do

A well-constructed assessment process, applied thoughtfully, can expose the enterprise's capabilities and gaps and can aid in the prioritization of AI efforts. It has a few important properties beyond its primary use as a ‘scorecard.’

First, it forces structured reflection. Many organizations are deploying AI somewhere, perhaps in an experimental or pilot program, without having formally considered the strategic or operational concerns that will arise as they scale. A credible assessment process creates the occasion to ask them: 

• Do we have a policy for AI-generated client communications? 
• Who has decision rights and accountability for actions AI may take? 
• Have we considered the cultural, educational, and organizational changes we may need to apply?
• Do we have a governance process to set guardrails and standards?

Second, it builds cross-functional alignment. Walking a leadership team through a common instrument often surfaces the fact that the COO, the compliance officer, and the practice leads have fundamentally different assumptions about AI risk and AI opportunity. Surfacing it early, in a structured context, is valuable regardless of where the assessment scores land.

Third, it establishes a baseline. A self-assessment conducted today, repeated in six months, gives you directional data about whether your AI transition strategy is effective, whether the policies you wrote are being operationalized, and whether the training you delivered is changing behavior. That longitudinal function is where the trends become visible.

What It Cannot Do

Organizations, like individuals, often overrate their own capabilities and underrate their own exposure, not from dishonesty, but due to the limits of self-perception. The team filling out the assessment is the same team that built the systems being assessed. They share the same blind spots, the same assumptions, the same organizational memory, and norms. An instrument that asks “Do you have an AI governance policy?” will return “yes” from organizations whose policy is a two-paragraph statement no one has read, and from organizations with a mature, enforced framework. Only the conversation, not the one-word response, can uncover the real workings of the enterprise.

There is also a scale problem. The major instruments were built for either government-scale complexity (NIST, ISO) or enterprise-scale exercises (the big-firm maturity models). A self-assessment produced without rigor or fit produces a slide deck that reassures, and perhaps misleads, leadership, while the real gaps are only exposed during the transition. For organizations without a basis of understanding about AI’s potential, or the cultural ability to have an honest self-improvement conversation, a 200-question framework has the potential to become a low-value quagmire.

How to Do This Well

Clients often come to me with a pre-selected assessment in hand, either to proudly show me their outstanding readiness score or to express concern over their obvious gaps. Many clients want to walk through an assessment with their teams before they engage an advisor. For those, I recommend a few guidelines:

Match the instrument to your context. A small wealth management firm and a multinational manufacturer have different AI risk profiles, different regulatory exposures, and different resource constraints. The NIST AI RMF, applied at full depth, is probably not your starting point if you don’t have a risk management function to operationalize it. A consulting firm maturity model targeted at enterprise transformation may not reflect your operational reality. Calibrate the tool to the right level of complexity for your organization, at the right level of discipline and resource allocation, to ensure AI efficacy and safety for your unique circumstances. Scale your discipline to your evolving maturity.

Run it cross-functionally, not in the IT department. AI transition is a business problem with a technology dimension, not a technology problem with business implications. The assessment should include legal, compliance, operations, and leadership, and the answers from each function should be compared analytically, not averaged into a meaningless score. Rights, roles, responsibilities, and gaps exposed must be engaged.

Be honest about what the score means. A score is a prompt for conversation, not a certification. The process, not the score, is where the value resides. Low scores are more valuable than high marks because they illuminate the potential areas of friction or unpreparedness. If this becomes a competitive exercise, either between departments or organizations, you’re doing it wrong.

Treat the assessment as a beginning, not a conclusion. The output of a self-assessment should be a prioritized set of actions. The questions that surface about data governance, accountability structures, and AI in workflows that haven’t been formally reviewed are the starting point for the deeper, more valuable diagnostic work that inevitably follows.