Back to Resources
AI Readiness12 min read

Inside Our AI Readiness Audit: The Research Behind the Score (2026)

Why we score Data, Processes, Team and Governance — and keep Budget and Urgency out of the number — with citations to McKinsey, MIT, NIST, ISO 42001 and Singapore's IMDA framework.

Haojun See
Haojun See

Founder & Director, On The Ground

Updated 11 July 2026

Why most "AI readiness" quizzes don't deserve the name

Search for "AI readiness assessment" and you'll find dozens of them — three to five sliders, a percentage, and a call-to-action for whichever tool or agency built the quiz. Almost none of them say where the scoring logic came from. That's not really an audit; it's a survey with a sales page attached. We built and then rebuilt this audit because we didn't want to be one more instance of that pattern. This page documents what changed, why, and which research each dimension is actually based on — so you (or anyone reviewing our work) can check it rather than take our word for it. The short version: AI readiness research since 2024–2025 consistently finds the same thing — the gap between organisations that get real value from AI and those that don't isn't about which model they use. It's about data structure, process fit, team adoption, and governance discipline. Budget helps you move faster once those foundations exist; it doesn't create them. So that's what we score, and that's why budget doesn't count toward the number.

The frameworks we actually used

Five sources did most of the work in shaping this audit's structure: [McKinsey's State of AI survey](https://www.mckinsey.com/capabilities/quantumblack/our-insights/the-state-of-ai) runs annually and, in its AI Readiness Index framing, evaluates organisations across five dimensions: strategy, data, technology, organisation, and capabilities. The 2025 wave found 78% of companies with a board-approved, business-aligned AI strategy reported positive ROI, against 34% without one — evidence that strategy/leadership commitment isn't just a "soft" factor, it's the largest single predictor in their dataset. [MIT Project NANDA's "The GenAI Divide: State of AI in Business 2025"](https://www.media.mit.edu/groups/nanda/overview/) reviewed 300+ enterprise AI initiatives and found that despite an estimated US$30–40 billion in enterprise GenAI spend, roughly 95% of organisations saw no measurable profit-and-loss impact. The report's core diagnosis: the bottleneck isn't infrastructure, regulation, or even talent — it's that most deployments don't integrate into real workflows or retain feedback over time. We treat this as the single best piece of evidence available for why our "Processes" dimension matters as much as it does (see our companion piece on why 95% of AI projects fail for the full breakdown, including the report's own limitations). [NIST's AI Risk Management Framework](https://www.nist.gov/itl/ai-risk-management-framework) (AI RMF 1.0, published January 2023) structures AI governance into four functions — Govern, Map, Measure, Manage — and is the most widely referenced voluntary framework for organisations of any size. It's sector-agnostic by design, which is exactly why it translates reasonably well to an SME instead of only a regulated enterprise. [ISO/IEC 42001:2023](https://www.iso.org/standard/42001) is the first — and so far only — certifiable AI management system standard. It doesn't replace NIST's AI RMF; the two are complementary, with the AI RMF's risk-management functions slotting into ISO 42001's broader management-system structure (documented processes, defined roles, continual improvement). We don't ask SMEs to pursue certification — that's a real cost and a real commitment — but we do borrow its logic for what "governance maturity" should look like. Singapore's own governance ecosystemIMDA and the PDPC's Model AI Governance Framework, operationalised through the AI Verify testing framework from the AI Verify Foundation — is the most directly relevant reference for a Singapore-based audit. AI Verify converts the Model Framework's principles into 11 testable governance principles (transparency, explainability, repeatability, safety, security, robustness, fairness, data governance, accountability, human agency and oversight, and inclusive growth), each mapped to international frameworks including the OECD AI Principles and NIST's Trustworthy AI characteristics. Layered on top of all of this is Singapore's Personal Data Protection Act (PDPA), which governs what actually happens the moment a staff member pastes client data into a chatbot.

The four dimensions in our AI Readiness Index

We score four dimensions into the number you see on your result: Data — how accessible and structured your business data already is. This maps to the "data" pillar in McKinsey's index and is a direct prerequisite for anything downstream. Processes — how repetitive and well-understood the workflows you'd automate actually are. This is the dimension MIT's 2025 research bears on most directly: the report's central finding is that AI initiatives fail when they bolt onto a process rather than get built into it. Team — adoption comfort and existing hands-on AI usage. Change-averse teams and zero prior AI exposure both predict a slower, more expensive rollout, independent of how good the tooling is. Governance & Risk — leadership backing (weighted 2x, per the McKinsey finding above), what kind of data would actually flow into the AI tools you'd use, whether any written AI usage policy exists, and whether you sit in a regulated sector. This is the dimension almost every lightweight "AI readiness" quiz skips entirely — and the one NIST, ISO 42001, and Singapore's own Model AI Governance Framework all treat as foundational rather than optional. Each dimension score is a weighted average of its questions (0–100), and the overall AI Readiness Index is the average of the four dimension scores.

Why we pulled Budget and Urgency out of the score

The previous version of this audit blended Budget and Urgency directly into the overall score, alongside Data, Processes, Team, and Governance. On review, we concluded that was a mistake worth correcting publicly rather than quietly. Budget and urgency are real and useful signals — they tell us (and you) what size of engagement makes sense *right now*. But they are not readiness signals in the sense that McKinsey, MIT, NIST, ISO, or IMDA use the term. A company with S$200,000 to spend and no data governance is not more "AI ready" than a company with S$10,000 and a clean, well-governed dataset — it's simply better funded. Conflating the two flatters well-funded prospects and undersells disciplined ones, which is exactly the kind of scoring bias a credible assessment should avoid. So now: your AI Readiness Index is calculated only from Data, Processes, Team, and Governance. Budget and Urgency are still collected — we show them back to you as "Engagement fit" — and they still influence which of our service tiers we'd recommend (a high-readiness, low-budget business gets pointed at a smaller, well-scoped sprint rather than a large retainer), but they no longer inflate or deflate the readiness number itself.

How to read your result

A high AI Readiness Index (80+) means your data, processes, team, and governance can support a multi-workflow, retainer-style engagement — not that you're guaranteed success; MIT's research is a reminder that even well-resourced organisations fail when integration is weak. A mid-range score (40–79) usually means one or two dimensions are the binding constraint — Governance is the most commonly under-built one we see, followed by Data. Below 40, the evidence-backed move is the one MIT's report points to directly: fix workflow and data foundations with one small, well-scoped pilot before spending on anything larger. If Governance is your lowest dimension, our companion guide, AI governance for Singapore SMEs, walks through NIST, ISO 42001, and IMDA's framework translated into what a 10–50 person business can actually implement — including a one-page policy template.

Frequently asked questions

Is this a real audit, or a lead-generation quiz with a fancy name?

Honestly: both, and we'd rather say so than pretend otherwise. It's free, self-scored, takes under five minutes, and ends with a recommendation for our own services — that's a lead-qualification tool by any definition. What makes it more than a generic quiz is that the scoring logic is disclosed, sourced against named frameworks (McKinsey's AI Readiness Index, MIT Project NANDA's 2025 research, NIST's AI RMF, ISO/IEC 42001, and Singapore's IMDA/PDPC Model AI Governance Framework), and open to scrutiny on this page. It is not, and does not claim to be, a certified assessment against ISO/IEC 42001 or a conformity assessment under any regulation — that requires a formal audit, evidence collection, and usually an accredited third party.

What's the difference between an AI readiness assessment and a formal AI audit?

A readiness assessment (like ours) is a directional self-screen: it tells you roughly where you stand and what to fix first. A formal AI audit — under ISO/IEC 42001, the EU AI Act's conformity assessment regime, or IMDA's AI Verify testing framework — is evidence-based: it requires documented processes, test results against defined criteria, and usually sign-off from someone other than the organisation being assessed. If a client, regulator, or investor needs proof rather than direction, you need the latter, not a quiz.

Why does leadership backing count double in the scoring?

McKinsey's 2025 State of AI survey found that 78% of companies with a board-approved, business-aligned AI strategy reported positive ROI, versus 34% of companies without one — the single largest gap of any factor McKinsey measured. Weighting every question equally would understate the one factor with the clearest evidence behind it, so we weight leadership backing 2x within the Governance & Risk dimension.

We're not in a regulated industry — does the Governance dimension still matter?

Yes. Regulation status is one of four questions in that dimension; data handling and having a written AI usage policy are the other two, and both apply regardless of industry. Every business that puts client or staff data into a third-party AI tool has a PDPA exposure and a governance decision to make, whether or not a regulator is watching.

Can I use this audit's result to satisfy a client's or regulator's due-diligence request?

No — treat it as an internal starting point, not evidence. If a client, panel, or government tender specifically asks for alignment with ISO/IEC 42001, IMDA's AI Verify, or PDPA, you need a documented assessment against those specific criteria, which is a different (and more involved) exercise than a 14-question self-assessment. Our companion guide on AI governance for SMEs walks through what that heavier process looks like and when it's actually warranted.

How often should we retake the audit?

Every 6–12 months, or immediately after any material change: a new AI tool rolled out team-wide, a new regulated client segment, a leadership change, or a data breach/near-miss. Readiness is not static — most of the four dimensions we score move as fast as your team's habits do.

Want to Apply This to Your Business?

We're a Singapore AI development and automation agency. Let's discuss how we can help solve your specific challenges.