MICKAI®ArticlesThe AI Readiness Framework
Article · 16 July 2026

The AI Readiness Framework

A five-stage maturity model you can diagnose from evidence you already hold, and the trap that keeps organisations at each stage.

The AI Readiness Framework
Author
Micky Irons
Published
16 July 2026
Follow Micky Irons
LinkedInX
ai readinessmaturity modelai governancesovereign aienterprise architecture

Most AI programmes stall for one reason: the organisation cannot name the stage of readiness it is actually at, so it applies stage five ambition to a stage two problem and stage one governance to a stage four exposure. Readiness runs in five stages, Experimentation, Adoption, Integration, Governance and Sovereign AI, and each holds an organisation in place with its own trap. Progress is not made by adding more AI. It is made by naming the trap you are in and paying to leave it.

Why do most AI maturity models fail?

Because they measure ambition rather than evidence. They ask what an organisation intends to do, which is the one thing every organisation answers well. The useful question is narrower: what can you prove today, from artefacts that already exist, to a sceptical auditor who does not care about your strategy? Every stage below is written so that it can be failed.

StageWhat it looks likeThe trap that keeps you hereWhat unlocks the next stage
1 ExperimentationPilots in pockets, assistants bought on personal cards, and no list of the models touching company data.The demo economy. Pilots built to impress, so nothing fails loudly enough to force a decision.An honest inventory, plus one workload chosen because failure there would be visible.
2 AdoptionSeats and usage climb, licences renew, and no line in the P&L moves.The productivity mirage. Time saved that nobody redeployed, and it is comfortable to stop here.Redesign one process rather than accelerate it, and name the decision the model touched.
3 IntegrationOutputs enter workflows without a human retyping them, agents act rather than advise, and the first real incidents arrive.Entanglement. Once a model carries the process, exit cost rises faster than value delivered.Reconstruct any consequential action afterwards, and swap the model without rebuilding the process.
4 GovernancePolicy, a model register, mandated review. Evidence still assembled by people after the fact.The paperwork ceiling. Documentation scales with headcount and AI does not, so governance becomes the brake and is mistaken for prudence.Control on the execution path: authorisation before the action, evidence produced by the act itself.
5 Sovereign AIConsequential workloads on owned hardware in your own jurisdiction, offline if the day requires it. Assurance cost stops rising with usage.Sovereignty theatre. Location is not evidence, and control without proof of control is only a claim.No further stage. The work becomes holding the boundary, so only workloads carrying consequence sit here.
Ariadne kneeling to knot the loose end of her thread around a doorway stone before she pays the rest out into the dark, in a void of pure black, satin gold light running the whole length of the taut stone thread,...
Ariadne kneeling to knot the loose end of her thread around a doorway stone before she pays the rest out into the dark, in a void of pure black, satin gold light running the whole length of the taut stone thread,...

Stage 1: are we experimenting, or collecting demos?

It looks like energy: pilots in pockets, an innovation function, assistants bought on individual cards, procurement unaware. The symptoms are plain once you look. Nobody can list the models touching company data. Every pilot succeeds and almost none renews. What unlocks stage two is unglamorous: an honest inventory, and one workload chosen because failure would be visible. The trap is the demo economy. Pilots are built to impress rather than to survive real data and real failure, so nothing fails loudly enough to force a decision.

Theseus setting his shoulder against a vast labyrinth wall and forcing the slab aside to open one corridor into the next, in a void of pure black, satin gold light breaking through the widening gap onto his straining...
Theseus setting his shoulder against a vast labyrinth wall and forcing the slab aside to open one corridor into the next, in a void of pure black, satin gold light breaking through the widening gap onto his straining...

Stage 2: is adoption the same as value?

It looks like success: thousands of seats, licences renewed, usage trending up. But usage rises and no line in the P&L moves. Benefits are booked as time saved that nobody redeployed. What unlocks stage three is redesigning one process rather than accelerating it, and answering the question a board eventually asks: which decision did the model touch? The trap is the productivity mirage. Minutes saved never aggregate into an outcome unless the process changes shape, and adoption is cheap to defend and reversible, which makes it a comfortable place to stop.

Eris standing alone at a long abandoned banquet table, setting one heavy apple down among the toppled cups, in a void of pure black, satin gold light burning off the apple and her steady outstretched hand, unwelcome...
Eris standing alone at a long abandoned banquet table, setting one heavy apple down among the toppled cups, in a void of pure black, satin gold light burning off the apple and her steady outstretched hand, unwelcome...

Stage 3: what does integration actually change?

It looks like engineering: models wired into systems of record, outputs entering workflows without a human retyping them, agents acting rather than advising. The symptoms are the first real incidents. A wrong output reaches a customer. A cost line appears that nobody forecast. Nobody can reconstruct why the system did what it did. What unlocks stage four is the ability to reconstruct any consequential action afterwards, and to change model without re-engineering the process around it. The trap is entanglement: once a model is load-bearing, exit cost rises faster than delivered value.

Nike alighting on the prow of a stone warship, vast wings still spread wide, her feet taking the deck as her own, in a void of pure black, satin gold light raking along every carved feather and the streaming prow,...
Nike alighting on the prow of a stone warship, vast wings still spread wide, her feet taking the deck as her own, in a void of pure black, satin gold light raking along every carved feather and the streaming prow,...

Stage 4: why does governance arrive late and cost so much?

It looks like control: policy exists, a model register is maintained, human review is mandated, obligations are mapped against the EU AI Act, GDPR Article 22, NIS2, DORA and ISO 42001 where each applies. Governance here is documentation about the system rather than a property of it, which is why being stuck is hard to see. Evidence is assembled after the fact by people, and human review becomes a signature rather than a judgement. What unlocks stage five is moving control onto the execution path, so authorisation happens before the action and evidence is produced by the act itself. The trap is the paperwork ceiling: documentation scales with headcount while AI does not, so governance becomes the constraint on deployment, and is mistaken for prudence.

Stage 5: what does sovereign AI look like in practice?

It looks boring, which is the point. The workloads that carry consequence run on hardware the organisation owns, in its own jurisdiction, offline if the day requires it. Every consequential action is sealed before it executes, signed and hash-chained so it can be verified independently, without the vendor. Agents operate inside a gated sandbox under per-action clearance, and models are replaceable components rather than foundations. The symptom of genuine arrival is economic: assurance cost stops rising with usage, and legal can answer prove it without commissioning a project. The trap is sovereignty theatre: buying local hardware and calling it sovereignty. Location is not evidence, and control without proof of control is a claim.

What is the honest counter-argument?

That most organisations should never reach stage five, and a framework that hides this is selling something. For most workloads, public cloud is the correct answer: elastic, well operated, and cheaper than owning the problem. Stage five is set by the consequence of the workload, not by taste: decisions that create legal exposure, data that cannot lawfully leave, systems that must keep working when a supplier or a connection does not. The second counter is sharper. Maturity models imply one organisational number, while real institutions sit at stage four in finance and stage one in marketing. The stage is a property of a workload, not of a logo.

How do we diagnose our own stage this week?

Five tests, all answerable from artefacts you already hold. Grade yourself at the lowest test you fail, never the highest you aspire to.

  • Inventory: can you produce today a complete list of models touching regulated data, each with a named owner and purpose? No means stage one.
  • Outcome: can you name one process whose cost, cycle time or error rate changed, and defend the attribution? Only time saved means stage two.
  • Reconstruction: take one consequential automated action from last month and show what the system knew, who cleared it and what it did, without asking a person. Failure means stage three.
  • Evidence: is your assurance evidence produced by the system at the moment of action, or assembled by people afterwards? Afterwards means stage four.
  • Independence: could a regulator verify your record without your systems, your staff and your cooperation? Only yes is stage five.

Frequently asked questions

Can an organisation skip a stage?

No. Time in each stage can be compressed, sometimes to weeks, but the work cannot be skipped, because each stage produces the artefact the next depends on. An organisation that jumps from adoption to integration without an inventory meets the missing work later, as an incident it cannot explain. Skipped stages are paid for with interest, usually in front of an auditor.

Is stage five only relevant to defence and government?

No. The stage is set by the workload, not the sector. A private bank running credit decisions, a hospital trust handling patient records and a utility running control systems all hold workloads where consequence, the jurisdiction of the data, or the need to operate without connectivity puts them in one class. Most also hold workloads where cloud is plainly the right answer, and both facts can be true at once.

Does stage four governance become redundant at stage five?

No, it becomes enforceable. Policy still decides what is permitted, who may authorise it and what must be retained. What changes is where the policy lives. At stage four it lives in documents describing the system, so compliance depends on people remembering. At stage five it lives on the execution path, so the action cannot occur without the clearance and the record.

How long does the move from stage three to stage four take?

Longer than the technology suggests and shorter than the policy backlog implies, because the binding constraint is decision rights rather than deployment. The real work is agreeing which decisions require clearance, from whom, and what evidence each must leave behind. Organisations that treat it as a legal and operational exercise move quickly. Those that treat it as a tooling purchase buy a register and stay at stage three with better paperwork.

Mickai is a British Sovereign Intelligence Operating System, built and live today, running offline on hardware the organisation owns and inside its own jurisdiction. Every consequential action is sealed in the Open Audit Record before it executes, signed with post-quantum FIPS 204 ML-DSA-65 and hash-chained so a regulator or a court can verify it offline, without us; agents run in a gated sandbox under per-action clearance, across fifty brains and studios mapped to real departments. The architecture is protected by 104 filed UK patent applications carrying 2,340 claims, held by Mickai LTD. The record model is set out at /oar, our wider position at /sovereign-ai, and readiness work at /ai-readiness.

Subscribe
Get every new Mickai article by email.

Long-form essays on sovereign AI from Micky Irons. One email per article. No tracking, no marketing, no third parties. Every email includes a one-click unsubscribe link.

Prefer RSS? Subscribe at /articles/feed.xml.

Originally published at https://mickai.co.uk/articles/the-ai-readiness-framework. If you operate in a regulated sector or want sovereign AI on your own hardware, the audit form on mickai.co.uk is the entry point.
More articles