AI Readiness Assessment
Conceptual Explanation
Readiness has three independent dimensions. An organization can be highly mature on one dimension and poorly prepared on another:
Dimension 1 ā Data Maturity: Can the AI system access the data it needs, at the quality level it requires, at the volume that will produce meaningful results?
Dimension 2 ā Infrastructure Readiness: Can the AI system run within the client's technical environment, given their cloud posture, network architecture, and security requirements?
Dimension 3 ā Organizational Readiness: Does the organization have the team capacity, governance structures, and change management capability to deploy and adopt an AI system?
Each dimension is assessed independently and scored. The overall readiness score determines which engagement approach is appropriate.
Core Architecture: The Assessment Framework
Dimension 1 ā Data Maturity
Data maturity is assessed across four sub-dimensions: availability, quality, accessibility, and governance.
Data Availability: Does the data the AI needs actually exist in the client's systems?
DATA_AVAILABILITY_ASSESSMENT = {
"use_case": "Discharge Summary AI",
"required_data_elements": [
{
"element": "Active diagnoses (FHIR Condition)",
"required_completeness": 0.90,
"observed_completeness": None, # To be measured in assessment
"source_system": "Epic",
"fhir_resource": "Condition",
"notes": "Must include ICD-10 codes, not just free text"
},
{
"element": "Active medications (FHIR MedicationRequest)",
"required_completeness": 0.85,
"observed_completeness": None,
"source_system": "Epic Pharmacy",
"fhir_resource": "MedicationRequest",
"notes": "Reconciliation status matters ā discharged meds vs active"
},
{
"element": "Vital signs (FHIR Observation)",
"required_completeness": 0.80,
"observed_completeness": None,
"source_system": "Epic flowsheets",
"fhir_resource": "Observation?category=vital-signs",
"notes": "Admit and most recent ā not full flowsheet history"
},
{
"element": "Laboratory results (FHIR Observation)",
"required_completeness": 0.75,
"observed_completeness": None,
"source_system": "Epic / LIS",
"fhir_resource": "Observation?category=laboratory",
"notes": "Pertinent labs ā not necessarily all results"
},
],
"minimum_sample_size": 50, # Encounters to assess for POC viability
"recommended_sample_size": 200 # For meaningful quality evaluation
}Data Quality: Is the data accurate, complete, and consistent enough to produce reliable AI output?
Common data quality issues in clinical AI:
- Conditions coded in free text rather than ICD-10 (not machine-parseable)
- Medications without dosing information
- Vital signs in non-standard units or with transcription errors
- Duplicate patient records (patient matching failures)
- Notes in scanned PDFs rather than structured text (requires OCR pipeline)
Data Accessibility: Can the AI system actually reach the data through approved integration paths?
DATA_ACCESSIBILITY_CHECKLIST = [
"FHIR R4 endpoint URL and environment (sandbox/production) confirmed",
"SMART on FHIR registration process and timeline understood",
"App Orchard (or equivalent EHR app store) review process timeline understood",
"API rate limits documented",
"PHI-in-cloud policy confirmed (on-premises-only vs. cloud-approved vendors)",
"Network path from AI system to FHIR endpoint confirmed (firewall rules)",
"Authentication method confirmed (OAuth 2.0 token endpoint available)",
"Bulk FHIR export available if batch processing is needed",
]Data Governance: Who owns the data and can approve AI system access?
| Question | Why It Matters |
|---|---|
| Who approves new application access to PHI? | Determines the approval timeline and process |
| What is the data residency requirement? | Some organizations prohibit PHI leaving on-premises |
| Is there a data classification policy that covers AI use? | PHI handling rules may already exist |
| Is there a BAA process established? | Determines time-to-contract for AI vendors |
| Who owns the output data (AI-generated summaries)? | Affects how results can be stored and used |
Data Maturity Score:
| Score | Level | Description | Recommended Approach |
|---|---|---|---|
| 4 | Ready | All required data available at required completeness; accessible via approved path | Proceed to POC Design |
| 3 | Near-Ready | Minor gaps in completeness or accessibility; resolvable within 2ā4 weeks | POC Design with data remediation plan |
| 2 | Developing | Significant gaps in one area (quality, accessibility, or governance) | Assessment remediation before POC |
| 1 | Not Ready | Multiple blocking gaps | Data foundation work required before AI engagement |
Dimension 2 ā Infrastructure Readiness
Infrastructure readiness covers cloud posture, network architecture, security, and integration capability.
Cloud and Network Architecture Assessment:
INFRASTRUCTURE_ASSESSMENT = {
"cloud_posture": {
"question": "What is your primary cloud provider and PHI policy?",
"options": [
"Cloud-first: PHI in cloud with signed BAAs (Ready)",
"Cloud-hybrid: PHI in cloud for approved vendors only (Near-Ready)",
"On-premises preference: PHI in cloud requires case-by-case approval (Developing)",
"On-premises only: PHI must not leave on-premises (Blocking)"
]
},
"llm_connectivity": {
"question": "Can the AI application reach external LLM API endpoints?",
"checks": [
"Outbound HTTPS to api.anthropic.com or api.openai.com is permitted",
"No SSL inspection proxy that would break certificate chains",
"DNS resolution for AI vendor domains is available",
"Latency to external API endpoints is acceptable (< 2 seconds baseline)"
]
},
"ai_gateway": {
"question": "Is an AI gateway deployed or planned?",
"options": [
"Deployed (LiteLLM Proxy, Azure AI Foundry, AWS Bedrock) (Ready)",
"Planned within 4 weeks (Near-Ready)",
"Not planned ā direct API calls (Developing)",
"Not permitted ā on-premises LLM only (Blocking)"
]
},
"security_architecture": {
"checks": [
"HIPAA Security Rule technical safeguards in place (TLS 1.2+, AES-256)",
"Audit logging infrastructure available",
"Role-based access control (RBAC) for AI applications",
"Security review process for new applications ā timeline understood",
"Penetration testing requirements for new applications understood"
]
},
"integration_engine": {
"question": "What integration engine is in place?",
"options": [
"Azure Health Data Services / MuleSoft / InterSystems HealthShare (Ready)",
"RHAPSODY or equivalent (Near-Ready with FHIR translation layer)",
"Custom point-to-point integrations (Developing)",
"None ā manual data transfers only (Blocking)"
]
}
}Infrastructure Readiness Score:
| Score | Level | Description | Recommended Approach |
|---|---|---|---|
| 4 | Ready | Cloud PHI approved; LLM connectivity confirmed; security review process defined | Proceed to POC Design |
| 3 | Near-Ready | PHI cloud approval pending; AI gateway not deployed but planned | POC Design with infrastructure provisioning track |
| 2 | Developing | PHI cloud policy unclear; connectivity blocked pending security review | Infrastructure readiness sprint before POC |
| 1 | Not Ready | On-premises only; no connectivity; security review timeline > 8 weeks | Recommend private deployment option or defer |
Dimension 3 ā Organizational Readiness
Organizational readiness is the most frequently underestimated dimension. A technically ready organization with low organizational readiness will fail to adopt the AI system even if the POC is technically successful.
Team Capacity Assessment:
| Role | Question | Why It Matters |
|---|---|---|
| Internal AI technical lead | Is there an engineer who will own the integration post-FDE? | Without ownership transfer, the system atrophies |
| Clinical champion | Is there a physician who will advocate internally for adoption? | Clinical adoption does not happen without peer advocates |
| IT project manager | Is there a project manager who can coordinate the cross-functional work? | FDE time is too expensive to spend on coordination overhead |
| Change management lead | Is there someone responsible for training and adoption? | POC success does not produce adoption without active change management |
| Compliance resource | Is the privacy officer allocated to this project? | HIPAA review delays are the most common production blocker |
Governance Readiness:
GOVERNANCE_READINESS_CHECKS = [
{
"check": "AI governance policy exists",
"why": "Defines approval process for new AI deployments",
"risk_if_absent": "No clear path to production approval ā ad hoc process will be slow and inconsistent"
},
{
"check": "Model Review Board or equivalent exists",
"why": "Provides formal approval mechanism for clinical AI",
"risk_if_absent": "Clinical deployment approval has no defined path or timeline"
},
{
"check": "AI vendor BAA process is established",
"why": "BAA must be signed before PHI is transmitted to any external AI vendor",
"risk_if_absent": "BAA negotiation can take 4ā8 weeks ā blocks POC start date"
},
{
"check": "Clinical workflow change management process exists",
"why": "Deploying AI into clinical workflows requires structured change management",
"risk_if_absent": "Physician adoption will not happen without structured training and champion support"
},
{
"check": "Executive sponsor is identified and committed",
"why": "Cross-functional work stalls without executive authority to resolve conflicts",
"risk_if_absent": "Engagement stalls at first organizational obstacle"
},
]Organizational Readiness Score:
| Score | Level | Description | Recommended Approach |
|---|---|---|---|
| 4 | Ready | Executive sponsor confirmed; clinical champion identified; AI governance in place; internal technical owner designated | Proceed to POC Design |
| 3 | Near-Ready | Most elements in place; 1ā2 gaps resolvable within 2 weeks | POC Design with organizational gap closure plan |
| 2 | Developing | Clinical champion or internal technical owner absent; governance unclear | Recommend organizational readiness sprint |
| 1 | Not Ready | No executive sponsor; no internal technical capacity; no AI governance | Defer until organizational foundation is in place |
Overall Readiness Score and Engagement Recommendation
def calculate_readiness_recommendation(
data_score: int,
infrastructure_score: int,
organizational_score: int
) -> dict:
"""
Map three-dimensional readiness scores to engagement recommendation.
Each dimension scored 1-4:
4 = Ready, 3 = Near-Ready, 2 = Developing, 1 = Not Ready
"""
overall = (data_score + infrastructure_score + organizational_score) / 3
# Any dimension at 1 (Not Ready) is a blocker regardless of overall score
blocking_dimensions = []
if data_score == 1:
blocking_dimensions.append("Data Maturity")
if infrastructure_score == 1:
blocking_dimensions.append("Infrastructure")
if organizational_score == 1:
blocking_dimensions.append("Organizational")
if blocking_dimensions:
return {
"recommendation": "Remediation Required",
"rationale": f"Blocking gaps in: {', '.join(blocking_dimensions)}",
"next_step": "Remediation plan before POC Design",
"estimated_remediation_weeks": "4ā8 weeks depending on gap"
}
if overall >= 3.5:
return {
"recommendation": "Proceed to POC Design",
"rationale": "High readiness across all dimensions",
"next_step": "Begin POC scoping session",
"estimated_poc_start": "2 weeks"
}
elif overall >= 2.5:
return {
"recommendation": "POC with Parallel Remediation",
"rationale": "Ready to proceed with parallel track for identified gaps",
"next_step": "POC Design with gap remediation plan",
"estimated_poc_start": "3ā4 weeks"
}
else:
return {
"recommendation": "Readiness Sprint",
"rationale": "Multiple dimensions require strengthening before POC",
"next_step": "4-week readiness sprint with defined exit criteria",
"estimated_poc_start": "6ā8 weeks"
}Architecture Diagram
Common Mistakes
1. Skipping the data quality measurement. Self-reported data quality is almost always more optimistic than actual quality. The FDE must run sample queries and count completeness rates empirically.
2. Treating infrastructure readiness as binary. "We're on Azure so we're fine" is not an infrastructure assessment. The FDE must confirm that PHI-in-cloud is approved, that outbound connectivity to LLM APIs is permitted, and that the security review timeline is understood.
3. Not surfacing organizational blocking issues early. Discovering in week 6 of a POC that the compliance officer has not approved the integration is a failure of the assessment phase. Compliance review must be in the assessment scope.
4. Conflating score with recommendation. A score of 3/4 on organizational readiness does not mean "proceed without addressing the gap." The gap must be identified and a closure plan agreed before the POC begins.
5. Not documenting the remediation plan. When the recommendation is "POC with Parallel Remediation," the remediation plan must be specific: who does what, by when, and what is the POC start dependency.
Best Practices
- Run data quality assessment against a minimum of 50 actual encounters before committing to a POC approach
- Test LLM API connectivity from within the client's network environment before the POC design session
- Include the compliance officer in the assessment ā not at the end as a gate, but as a participant throughout
- Share the Assessment Report with the client for accuracy review before finalizing
- Define the remediation plan before the assessment report is delivered ā not after
- Never start POC execution with a blocking gap unresolved
Trade-offs
Assessment depth vs. time cost: A thorough assessment takes 1ā2 weeks. Clients who want to start the POC immediately will push back. The FDE must hold the position that unknown blocking gaps discovered mid-POC are more expensive than a 2-week assessment.
Transparency about gaps: Sharing an honest assessment that reveals organizational or data gaps can create uncomfortable conversations. The alternative ā proceeding without surfacing them ā creates a failed POC that is harder to recover from.
Interview Questions
Q: A client wants to skip the readiness assessment and go straight to POC execution. How do you respond?
Category: Behavioral Difficulty: Senior Role: FDE
Answer Framework:
The response is to acknowledge the client's urgency, explain the concrete risk of proceeding without assessment, and propose a compressed assessment approach that addresses the most critical unknowns in the shortest possible time.
The concrete risk framing: the most common cause of POC failure and delay is a blocking constraint that was discoverable in week 1 but was only found in week 4 ā a PHI-in-cloud policy that blocks LLM calls, a data quality issue that requires a different integration approach, or a missing BAA that prevents the POC from processing real patient data. These findings restart the POC from scratch and cost more time than the assessment would have taken.
The compressed alternative: if the client's constraint is real, propose a 1-week rapid assessment focused exclusively on the blocking items ā data connectivity test, PHI-in-cloud policy confirmation, BAA status, and compliance officer meeting. This is not the full three-dimension assessment but it identifies the most dangerous unknowns before POC execution begins.
Key Points to Hit:
- Acknowledge the urgency rather than dismissing it
- Frame the risk in terms of POC restarts, not process compliance
- Propose a compressed alternative rather than a binary yes/no
- Hold on the non-negotiables (PHI policy, BAA, connectivity test)
Red Flags:
- Agreeing to skip assessment entirely
- Framing assessment as "our process" rather than the client's risk mitigation
Key Takeaways
- AI readiness assessment covers three independent dimensions: data maturity, infrastructure readiness, and organizational readiness
- A single dimension at "Not Ready" (score 1) is a blocker regardless of overall score
- Data quality must be measured empirically ā self-reported quality is unreliable
- Infrastructure readiness includes PHI-in-cloud policy, LLM API connectivity, AI gateway, and security review timeline
- Organizational readiness covers team capacity, governance, and change management ā not just executive sponsorship
- The assessment produces a written report shared with the client ā not an internal FDE document
- Remediation plans must be specific before the assessment is finalized