Is Your Organization AI-Ready or AI-Exposed?

Quiz Questions

• 1.
  12 questions. 5 minutes. Your organization's AI risk profile.

  Image Source

  • A.
    I'm ready to get started
  • B.
    I'm curious about AI-Readiness
• 2.
  Before we begin — which best describes your role?

  • A.
    CEO / President
  • B.
    CFO / Finance Lead
  • C.
    COO / Operations
  • D.
    CTO / CIO / Tech Lead
  • E.
    General Counsel / Legal
  • F.
    CHRO / People Lead
  • G.
    CMO / Comms
  • H.
    Chief AI Officer / CAIO
  • I.
     CDO / Procurement
  • J.
    Board Member / Executive Director
  • K.
     Director / Senior Leader
  • L.
    Other
• 3.
  Q1.  When an AI-assisted decision negatively impacts an employee, customer, or vendor, your organization has a documented process for responding.

  Image Source

  • A.
    Often
  • B.
    Sometimes
  • C.
    Never
  • D.
    Not Sure
• 4.
  Q2.  When an AI tool produces an unexpected or harmful output, your organization knows who is accountable for the response.

  Image Source

  • A.
    Often
  • B.
    Sometimes
  • C.
    Never
  • D.
    Not Sure
• 5.
  Q3.  Your organization documents AI-related incidents in a way that could be reviewed by a regulator, insurer, or legal counsel.

  Image Source

  • A.
    Often
  • B.
    Sometimes
  • C.
    Never
  • D.
    Not Sure
• 6.
  Q4.  Your organization can produce a current inventory of every AI tool in use — including features embedded inside software you already own.

  Image Source

  • A.
    Often
  • B.
    Sometimes
  • C.
    Never
  • D.
    Not Sure
• 7.
  Q5. Your organization has a written policy that defines what AI tools are approved, what requires permission, and what is prohibited.

  Image Source

  • A.
    Often
  • B.
    Sometimes
  • C.
    Never
  • D.
    Not Sure
• 8.
  Q6.  Your organization has documentation that demonstrates human oversight of AI-driven decisions

  Image Source

  • A.
    Often
  • B.
    Sometimes
  • C.
    Never
  • D.
    Not Sure
• 9.
  Q7.  Your organization has a process for identifying AI tools employees are using that have not been formally approved.

  Image Source

  • A.
    Often
  • B.
    Sometimes
  • C.
    Never
  • D.
    Not Sure
• 10.
  Q8. When a new AI feature is automatically enabled inside software your organization already owns, someone is responsible for reviewing it before it goes live.

  Image Source

  • A.
    Often
  • B.
    Sometimes
  • C.
    Never
  • D.
    Not Sure
• 11.
  Q9. Your organization's vendor contracts address how third-party AI tools handle, store, and train on your organizational data.

  Image Source

  • A.
    Often
  • B.
    Sometimes
  • C.
    Never
  • D.
    Not Sure
• 12.
  Q10.  Your organization has confirmed with your insurance carrier what AI-related incidents are covered under your current policy.

  Image Source

  • A.
    Often
  • B.
    Sometimes
  • C.
    Never
  • D.
    Not Sure
• 13.
  Q11.  Your organization could provide documented evidence of an AI governance structure — a committee, charter, or oversight body — if your insurer requested it today.

  Image Source

  • A.
    Often
  • B.
    Sometimes
  • C.
    Never
  • D.
    Not Sure
• 14.
  Q12.  Your leadership team has discussed AI risk as an organizational liability — not just a technology issue — in the last 12 months.

  Image Source

  • A.
    Often
  • B.
    Sometimes
  • C.
    Never
  • D.
    Not Sure
• 15.
  Q13. When it comes to addressing your organization's AI risk, which best describes where you are right now?

  • A.
    We are ready to act — we just need the right partner and framework.
  • B.
    We are interested but need to understand the scope and investment first.
  • C.
    We are still building internal awareness — not ready to move yet.
  • D.
    I am not the decision maker but I want to bring this to the right person.

Quiz Outcomes

• 1.
  🟢  AI-READY | Score 0-18

  Your Organization Is AI-ReadyYour score puts you ahead of most organizations your size. Your leadership team has built practices, awareness, and accountability that most mid-market organizations are still trying to establish. That is genuinely valuable — and it puts you in a stronger position than you may realize.But being ahead of the curve is not the same as being protected.⚠️ BEFORE YOU READ YOUR RESULT — THIS APPLIES TO EVERY SCOREEven if your organization has strong AI practices, aware leadership, and capable teams — if those practices are not formally documented, your insurance carrier cannot see them. Undocumented governance is invisible governance. At renewal, at audit, and at the moment of a claim, the only thing that protects your organization is what exists on paper. Informal does not equal insurable.AI governance is not a once-a-year compliance exercise. Unlike an annual audit or a policy renewal, AI governance is a living program. Your AI tools change. Your vendors update their terms. New regulations take effect. New features get pushed to your platforms without notice. A governance program that was accurate six months ago may already have gaps today.AI governance is not covered by your cybersecurity program. If your organization has SOC 2 certification, cyber liability insurance, or an IT security framework — that is valuable. It does not cover AI governance. SOC 2 was not designed for AI. It does not address bias detection, model drift, human-in-the-loop requirements, AI acceptable use policy, or workforce AI decisions. Your cyber carrier and your AI exposure are two completely separate conversations. Most organizations do not know this until they file a claim.🟢 YOUR RESULT — AI-READYYou have done what most organizations have not. You have built awareness, assigned accountability, and established practices that reflect a leadership team taking AI seriously. That puts you in a defensible position.The question that matters most at this tier: is any of it formally documented?Strong instincts and capable teams are not enough when your carrier asks for evidence of a governance program at renewal. The organizations that survive AI-related incidents are not the ones with the best intentions. They are the ones with the documentation to prove it. The investment required to formalize what you have already built is a fraction of what it would cost to defend an undocumented program in front of a carrier, a regulator, or a plaintiff's attorney.⚠️ THE DOCUMENTATION REALITYIf your insurance carrier called today and asked for your AI governance documentation — your committee structure, your acceptable use policy, your AI systems inventory, your incident response protocol, your human oversight trail — what would you hand them?Strong practices that live in people's heads do not protect your organization. Informal agreements about who owns what do not satisfy an underwriter. The organizations that are AI-insurable are the ones that have built the paper trail that proves their governance program exists.Your next step is formalizing what you have built so it is defensible when it matters most.
• 2.
  🟡  AI-RISKY | Score 19-34

  🟡 Your Organization Is AI-RiskyYour score reflects what most honest mid-market leaders discover when they look closely — your organization is using AI, and your governance has not kept pace with your adoption. That awareness is more valuable than you think. Most leaders either overestimate their coverage or have never asked the question at all. You are asking it now.But awareness without documentation does not protect you.⚠️ BEFORE YOU READ YOUR RESULT — THIS APPLIES TO EVERY SCOREEven if your organization has strong AI practices, aware leadership, and capable teams — if those practices are not formally documented, your insurance carrier cannot see them. Undocumented governance is invisible governance. At renewal, at audit, and at the moment of a claim, the only thing that protects your organization is what exists on paper. Informal does not equal insurable.AI governance is not a once-a-year compliance exercise. Unlike an annual audit or a policy renewal, AI governance is a living program. Your AI tools change. Your vendors update their terms. New regulations take effect. New features get pushed to your platforms without notice. A governance program that was accurate six months ago may already have gaps today.AI governance is not covered by your cybersecurity program. If your organization has SOC 2 certification, cyber liability insurance, or an IT security framework — that is valuable. It does not cover AI governance. SOC 2 was not designed for AI. It does not address bias detection, model drift, human-in-the-loop requirements, AI acceptable use policy, or workforce AI decisions. Your cyber carrier and your AI exposure are two completely separate conversations. Most organizations do not know this until they file a claim.🟡  YOUR RESULT — AI-RISKYYou are running an organization with real AI gaps and real consequences attached to them. The leader who knows their organization has AI governance gaps and has not formally addressed them carries a different kind of exposure than one who simply did not know. You now know. What you do in the next 90 days will determine whether your organization moves to AI-Ready or slides toward AI-Exposed.Your economic reality: organizations at this tier are one AI-related employment claim, one denied insurance claim, or one regulatory inquiry away from a cost that dwarfs the investment required to prevent it. ISO AI exclusions CG 40 47 and CG 40 48 went into effect in January 2026. Over 70% of commercial renewals now include AI underwriting supplements. If your current practices are not formally documented your carrier does not know they exist — and your coverage may not hold at the moment you need it most.The gap between AI-Risky and AI-Ready is not a technology gap. It is a documentation and leadership decision.⚠️ THE DOCUMENTATION REALITYIf your insurance carrier called today and asked for your AI governance documentation — your committee structure, your acceptable use policy, your AI systems inventory, your incident response protocol, your human oversight trail — what would you hand them?Strong practices that live in people's heads do not protect your organization. Informal agreements about who owns what do not satisfy an underwriter. The organizations that are AI-insurable are the ones that have built the paper trail that proves their governance program exists.Your next step is a structured conversation about where your specific gaps are and what closing them looks like for an organization your size.
• 3.
  🔴  AI-EXPOSED | Score 35-50

  🔴 Your Organization Is AI-ExposedYour score reflects significant AI exposure and limited documentation to defend it. That is not a technology failure. It is a governance gap that sits at the leadership level. The fact that you completed this assessment means you already suspected this. Now you have confirmation — and confirmation is the first step toward protection.This is urgent. But it is fixable⚠️ BEFORE YOU READ YOUR RESULT — THIS APPLIES TO EVERY SCOREEven if your organization has strong AI practices, aware leadership, and capable teams — if those practices are not formally documented, your insurance carrier cannot see them. Undocumented governance is invisible governance. At renewal, at audit, and at the moment of a claim, the only thing that protects your organization is what exists on paper. Informal does not equal insurable.AI governance is not a once-a-year compliance exercise. Unlike an annual audit or a policy renewal, AI governance is a living program. Your AI tools change. Your vendors update their terms. New regulations take effect. New features get pushed to your platforms without notice. A governance program that was accurate six months ago may already have gaps today.AI governance is not covered by your cybersecurity program. If your organization has SOC 2 certification, cyber liability insurance, or an IT security framework — that is valuable. It does not cover AI governance. SOC 2 was not designed for AI. It does not address bias detection, model drift, human-in-the-loop requirements, AI acceptable use policy, or workforce AI decisions. Your cyber carrier and your AI exposure are two completely separate conversations. Most organizations do not know this until they file a claim.🔴   YOUR RESULT — AI-ExposedYour organization is carrying significant AI exposure right now. ISO AI exclusions CG 40 47 and CG 40 48 went into effect in January 2026. Over 70% of commercial renewals now include AI underwriting supplements requiring governance documentation. Organizations that cannot produce a governance program are facing denied claims, 20 to 50% premium surcharges, and personal D&O exposure for the executives who knew the risk existed and did not act.Your economic reality: the legal cost to dispute a denied AI-related claim routinely exceeds six figures. The governance infrastructure that would have prevented it typically takes 90 days to build from zero. A charter, a committee structure, an acceptable use policy, a vendor contract checklist, an incident response protocol — these are buildable documents with a defined scope and a defined timeline.You do not have a technology problem. You have a leadership urgency problem. And the most expensive version of this situation is the one where the incident happens before the documentation exists.⚠️ THE DOCUMENTATION REALITYIf your insurance carrier called today and asked for your AI governance documentation — your committee structure, your acceptable use policy, your AI systems inventory, your incident response protocol, your human oversight trail — what would you hand them?Strong practices that live in people's heads do not protect your organization. Informal agreements about who owns what do not satisfy an underwriter. The organizations that are AI-insurable are the ones that have built the paper trail that proves their governance program exists.Your next step is an urgent conversation about what your organization is actually exposed to right now and how to build the governance infrastructure that protects you before the next renewal — or the next incident.