AI readiness assessment

Make your Microsoft data safe for AI.

AI reads everything a user can reach. Before you connect Copilot, ChatGPT Enterprise, Claude or any AI to your corporate data, we assess your SharePoint, OneDrive and Microsoft 365 tenant against seven gates and show you exactly what to fix, in what order.

Why this matters

AI does not create new access. It exposes the access you already have.

Microsoft 365 Copilot inherits the permissions of the person using it. ChatGPT Enterprise, Claude and other tools reach the same content through connectors and sync. Any of them can read a SharePoint site, a OneDrive file or a Teams message the user can already reach. Every over-shared site, stale permission and ownerless drive becomes a one-question discovery.

The risk is not the AI. It is turning it on over content that was never governed for AI-scale search. We fix the foundation first, so any AI tool surfaces only what a person is entitled to see.

SharePoint

Sites, sharing links, external access and search exposure across every workspace Copilot can index.

OneDrive

Active and orphaned drives, departed-staff content and links that stay live long after people leave.

AI tools

What Copilot, ChatGPT Enterprise, Claude or a connected tool would surface today, and the controls that keep sensitive content out of their answers.

Purview

Labels, data loss prevention and residency controls that enforce your data protection model inside AI responses.

The methodology

Seven gates to safe AI.

We reframe Microsoft's own deployment guidance into seven sequential gates, so you track readiness against one model instead of five separate blueprints. Each gate is a readiness domain. We assess it against evidence from your tenant and score it independently. The gates hold whether you enable Copilot, ChatGPT Enterprise, Claude or a connector.

Gate 1

Tenant and identity baseline

Confirm the licensing, identity and network conditions AI needs to operate inside your risk appetite.

We check: licensing, Conditional Access, MFA coverage, guest and B2B model.

Gate 2

Content lifecycle and ownership

Establish that the SharePoint and OneDrive estate is current, owned and governed before AI indexes it.

We check: inactive and ownerless sites, orphaned drives, retention and disposition.

Gate 3

Oversharing remediation

Reduce the surface area AI can ground on by closing broad sharing and search exposure.

We check: Anyone links, default sharing, broad audiences, restricted search.

Gate 4

Data classification and protection

Apply sensitivity labels, encryption and data loss prevention so AI honours your protection model.

We check: label taxonomy, auto-labelling, DLP covering Copilot, encryption.

Gate 5

Interaction guardrails and insider risk

Make AI interactions inherit your data protections, observed for risky use and insider risk.

We check: label inheritance, DSPM for AI, communication compliance, insider risk.

Gate 6

Regulatory, audit and residency

Prove AI operates inside your regulatory, evidentiary and data residency commitments.

We check: audit logging, eDiscovery for prompts, retention for AI, residency.

Gate 7

Adoption, measurement and operations

Confirm the operating model and change capability to turn a rollout into sustained value.

We check: pilot cohort, scenario backlog, dashboards, KPIs, training, reassessment.

How we score

Every gate is rated on evidence, not opinion: not started, foundational, operational, optimised. A gate cannot rate above not started without an artefact from your environment.

Where you are heading

Three stages of AI. Each one builds on the stage below.

This assessment covers Stage 1, Productivity AI. It is where almost every organisation starts, and the foundation the later stages depend on. Stage 2 and Stage 3 are scoped separately, once your use cases are defined.

Stage 1 · assessed

Productivity AI (consume)

Copilot, ChatGPT Enterprise or Claude for everyday work: summarise, draft, search. AI runs inside the user's existing identity and permissions. Readiness depends on access, classification and data protection.

Stage 2 · forward scope

Connected AI (integrate)

AI joined to external tools and connectors, where data can move outside the tenant. Adds governance of third-party AI and inspection of data going to and from AI services.

Stage 3 · forward scope

Agentic AI (build)

Custom agents and workflows that act on their own and call other systems, often as non-human identities. Adds identity, lifecycle and monitoring controls for machine actors.

What you get

A decision-ready report, not a wall of red.

You get a High-Level Design that names the risk, rates it two ways, and sequences the fix. Every finding carries a risk level, a separate AI deployment impact and a recommended action. You can hand it to your IT team and start Monday.

  • An executive summary and seven-gate scorecard your board can read in five minutes.
  • Prioritised findings with a risk level and a separate Copilot deployment impact.
  • A phased remediation roadmap, from critical fixes to steady-state governance.
  • A target architecture for SharePoint, access and Copilot readiness.

Redacted sample. Client, third parties and figures altered. Deep implementation detail held back.

Sample AI readiness assessment report cover
Sample output Open
The path forward

Assess, plan, build and hand over.

The assessment is the first step, not the whole job. It gives you the map. From there we plan the fix with you, build the controls, and hand the operating model back to your team. We reassess on a defined cadence as your estate changes.

Step 01

Assess

Score the seven gates against evidence from your tenant. Deliver the High-Level Design.

Step 02

Plan

Sequence the fix into phases, from critical exposure to governance foundation.

Step 03

Build

Put the access, classification and Copilot controls in place, gate by gate.

Step 04

Hand over

Return the operating model to your team, with a reassessment cadence to hold the line.

What you walk away with

A clear yes, no or not yet on enabling AI, backed by evidence.

The two or three fixes that matter most, named and costed to sequence.

A view of what AI would surface today, before your users find it.

A plan your own IT team can execute, with no lock-in to us.

Start with the map

Find out what AI would surface today.