Pre-build assessment

AI Automation Readiness Checklist

Automate only after the process has observable inputs, testable outputs, known exceptions, a permission boundary, and an economic reason to exist. A low score means the process needs simplification or instrumentation before an AI system is added.

By: AICLawSkills Editorial Desk

Published:

Last updated:

Editorial review:

How this guide was produced

Original readiness scoring model informed by NIST risk-management guidance and official agent/evaluation documentation. It is not a certification or legal assessment.

AI assisted with research organization and editing. It is not treated as a source. Product capabilities and prices can change; verify the linked primary sources before making a purchase or production decision.

Score the workflow before choosing tools

Give each dimension 0, 1, or 2 points: 0 means absent or unknown, 1 means partially defined, and 2 means documented and demonstrated with evidence. A maximum score is 16.

DimensionEvidence for a score of 2
Process stabilityInputs, outputs, and transitions are documented and do not change weekly.
Acceptance criteriaA reviewer can distinguish an acceptable result from a plausible-looking failure.
Data accessRequired data is available, permitted, current, and attributable to a source.
Exception handlingCommon exceptions and an escalation owner are known.
ReversibilityActions can be previewed, rolled back, or approved before commitment.
Evaluation setRepresentative examples include normal, edge, adversarial, and failure cases.
Security boundaryTools, credentials, users, and sensitive data have explicit access rules.
EconomicsThe value of an accepted outcome exceeds model, tool, review, and failure costs.

Interpret the total

  • 13–16: ready for a bounded pilot. Start with one reversible path, a manual fallback, strict permissions, and a fixed evaluation set.
  • 9–12: prepare first. Resolve the lowest dimensions before connecting production data or external actions.
  • 5–8: redesign the process. Automation is likely to produce high review burden or unstable outcomes.
  • 0–4: do not automate yet. Document the process and establish ownership before evaluating AI tools.

The total is not the only gate. A zero in security boundary, acceptance criteria, or reversibility blocks production use even when the total is otherwise high.

1. Process stability

Collect ten to twenty recent examples. Record which steps were actually performed, which systems were used, and where operators exercised judgment. If every case follows a different path, first standardize the process or narrow the automation to one repeatable subtask.

2. Acceptance criteria

Replace “good answer” with observable checks: required fields, supported citations, policy conditions, numerical tolerances, prohibited actions, or reviewer ratings. If two knowledgeable reviewers regularly disagree, document the disagreement and route uncertain cases rather than forcing automatic completion.

3. Data and permission access

List every source and account. Confirm ownership, retention, confidentiality, geographic, contractual, and user-permission constraints. The model should receive only the information required for the current step, not every document or credential available to the organization.

4. Exceptions and escalation

Sample failures before designing the happy path. Identify missing data, conflicting instructions, rate limits, stale records, unavailable services, and high-impact cases. Each exception needs a safe result: retry without side effects, ask for clarification, send to review, or stop.

5. Reversibility

Drafting and classification are easier pilots than sending, publishing, purchasing, deleting, or modifying permissions. Where an action cannot be reversed, require an explicit preview and human approval tied to the exact target and arguments.

6. Evaluation set

Create a versioned set of real and synthetic cases containing ordinary tasks, edge cases, adversarial inputs, and known failure modes. Store the expected outcome and review rule. Re-run it after model, prompt, tool, retrieval, or workflow changes.

7. Security boundary

Separate read, draft, and write permissions. Keep secrets out of prompts and logs. Treat web pages, email, documents, and retrieved content as untrusted data that cannot grant new authority to the system.

8. Economics

Calculate cost per accepted outcome, not cost per model request. Include retries, failed runs, external tools, infrastructure, monitoring, human review, and maintenance. Compare that total with the current manual process and the business value of faster completion.

Pilot contract

  1. One named workflow owner.
  2. One bounded task and one user group.
  3. One versioned evaluation set.
  4. One tool and data allowlist.
  5. One stop control and manual fallback.
  6. One budget, retry, and latency ceiling.
  7. One weekly review of failures, corrections, and permission changes.

Limitations

This checklist is an editorial planning tool. It does not establish compliance with privacy, employment, financial, medical, safety, or sector-specific requirements. High-impact decisions need qualified domain, legal, and security review.

Next steps

Choose between retrieval, workflow, and agent architecture with RAG vs agents. If the workflow uses tools, apply the security checklist. Estimate the pilot with the cost model before selecting a framework from the AI tools research hub.

Primary sources

Sources were checked on July 17, 2026. Follow the links for current product details.