A practical guide from what the rules require to what your business actually needs in place.
Most organisations have spent the last two years asking what AI can do for them. The more useful question now is whether the business is set up to use it well.
Following our article on the EU AI Act, several people asked the same underlying question: what does “good” look like in practice? The Act is clear about obligations, risk tiers and timelines, but day to day, leaders still have to make decisions about data, suppliers, skills and use cases without waiting for every detail to be settled.
AI readiness is not a single project. It is a small number of foundations that determine whether AI investment delivers value or quietly creates risk. The checklist below is the one we work through with clients before any model goes near a production system.
The 5-Point Checklist
1. Data foundations you can trust
AI is only as good as the data feeding it. Before introducing any model, the data underneath it needs to be accurate, accessible and properly governed.
Practical questions to ask:
- Do we know where our most important data lives, who owns it, and how it flows between systems?
- Is the data clean, current and complete enough to support automated decisions?
- Are access controls, retention and classification policies actually being applied?
- Could we explain to a regulator, customer or auditor exactly what data an AI tool was trained on or has access to?
If those answers are not clear, the first AI investment should be in data governance rather than in models.
2. Security, privacy and compliance alignment
AI does not exist outside your existing obligations. GDPR, sector regulation and the EU AI Act all apply, alongside any contractual commitments to clients.
Areas to check:
- Have you mapped which AI use cases fall into the EU AI Act’s prohibited, high-risk or limited-risk categories?
- Are AI systems covered by your information security management system (ideally ISO 27001-aligned), not treated as a separate stream?
- How is personal data handled when it enters a third-party AI tool, including “free” ones used informally by staff?
- Do supplier agreements set clear expectations on training data, model behaviour, security and audit rights?
Organisations that already operate within a structured security framework find this far easier. AI becomes another set of controls within an existing system, rather than a new compliance project from scratch.
3. Skills, culture and shared accountability
The biggest barrier to AI adoption is rarely technology. It is people, process and confidence. Teams need to understand what AI can and cannot do, where it fits in their workflow, and where human judgement still matters.
Look for:
- Baseline AI literacy across leadership, not just the technology team — required under the EU AI Act for staff using AI systems.
- Clear policies on acceptable use of public AI tools, with practical examples rather than generic warnings.
- Shared ownership between business, technology, security and risk functions, not a single “AI lead” carrying it alone.
- A culture where employees can flag concerns about AI outputs without it being seen as resistance.
AI readiness is a leadership topic. If only the technical team are engaged, the organisation is not ready.
4. Use cases chosen for value, not novelty
The fastest way to lose momentum is to pick the wrong first AI project. Impressive demos rarely translate into measurable business outcomes.
Stronger candidates usually share a few traits:
- They solve a problem the business already understands and measures, e.g. cost, cycle time, error rate, customer experience.
- The data needed already exists in a usable form, or can be made usable with reasonable effort.
- There is a clear human in the loop where decisions affect customers, employees or compliance.
- Success and failure can be defined in advance, not rationalised afterwards.
It is often more valuable to deliver a focused, low-risk use case well than to chase the most ambitious one first. Confidence and capability are built through delivery.
5. An operating model that holds it all together
Once AI is in use, it needs to be supported like any other business-critical system. That means clear ownership, monitoring, change control and the ability to step in when something goes wrong.
Things to put in place early:
- A simple AI register: which systems are in use, what they do, what data they touch, who owns them, what risk tier they sit in.
- Defined approval routes for new AI use cases, proportionate to their risk.
- Ongoing monitoring of model performance, drift and unexpected behaviour, not just a one-off launch review.
- An incident response process that includes AI-specific scenarios such as biased outputs, hallucinations or prompt-injection attacks.
If your organisation already has mature DevOps, change management and incident response practices, AI fits naturally on top of them. If those foundations are weak, AI will expose that quickly.
Common Pitfalls to Avoid
- Treating AI as a side experiment owned by one person, with no link to wider security, risk or operations.
- Investing in tooling before agreeing on use cases, governance and success measures.
- Allowing “shadow AI”, i.e. staff using public tools with sensitive data because there is no sanctioned alternative.
- Confusing pilots with production. A successful proof of concept is the start, not the finish.
- Underestimating change. AI changes how work is done; that needs leadership, communication and training, not just a rollout email.
Where to Start
If the checklist above feels uneven, i.e. strong in some areas, less so in others, that is normal. Most organisations are partially ready.
A practical first step is to spend a focused half-day on three questions:
- Where are we already using AI today, including informal use by individual staff?
- Where could AI realistically deliver measurable value in the next 6–12 months?
- What in our current data, security and operating model would need to be tightened before we could go further with confidence?
The output is not a strategy document. It is a short, honest view of strengths, gaps and the next two or three things worth doing, combined with the regulatory picture from the EU AI Act and your sector’s requirements.
How Fretec Can Help
At Fretec we help organisations move from AI conversations to AI capability – covering the data foundations, security and compliance alignment, governance and operating model that determine whether investment delivers.
Because we operate under an ISO 27001-certified information security management system and work across DevOps, cloud, network and managed services, we bring AI readiness into a wider engineering and security context, not as a standalone exercise.
If you would like to talk through where your business stands against the checklist above, or how the EU AI Act applies to your specific use cases, we would be happy to have that conversation with you – just email info@fretec.ie.




