AI Readiness Assessment
Evaluate your organization's AI governance maturity
Readiness Level
Unprepared: Policies and controls are largely absent; AI is used informally without oversight; significant data and bias risks.
Section Breakdown
Governance and Policy
Data Privacy and Security
Bias Prevention, Transparency, and Ethics
Vendor Selection and Due Diligence
Training and Change Management
Documentation and Recordkeeping
Governance and Policy
Existence of AI policy: Does your organization have a written AI usage policy that covers all HR functions (recruiting, performance management, employee communication)? Does it specify approved and prohibited AI tools, permissible use cases and data types?
Scope & applicability: Does the policy apply to all staff, contractors, and third‑party partners who use AI on behalf of the company?
Data restrictions: Does the policy clearly state what data (e.g., PII, health data, compensation) may not be entered into AI tools and require anonymization or masking of sensitive data?
Human oversight: Does the policy require meaningful human review before relying on AI outputs in high‑stakes decisions such as hiring, promotion, performance reviews, or terminations?
Ethical guidelines: Does the policy outline principles of fairness, non‑discrimination, privacy, and transparency? Does it mandate periodic bias audits and fairness testing?
Policy governance: Is there a named owner or committee responsible for AI policy oversight, updates, and enforcement? Does the policy set a schedule for review and updates?
Data Privacy and Security
Data classification & inventory: Has your organization catalogued what HR data is collected (e.g., resumes, interview notes, performance data, health information, biometrics) and identified which datasets contain PII or sensitive attributes?
Encryption & access controls: Is employee and applicant data encrypted at rest and in transit? Are there role‑based access controls to restrict who can view or modify data, and are changes logged?
Data retention & deletion: Are there defined retention periods for AI decision logs and HR data, and can data be deleted or anonymized on request (e.g., after a candidate withdraws)?
Data residency & jurisdiction: Does your organization know where data is stored (e.g., U.S., EU) and ensure compliance with laws such as GDPR, CCPA, or HIPAA?
Third‑party sharing: Are mechanisms in place to document when HR data is shared with third‑party AI providers (e.g., foundation models or cloud providers) and under what terms?
Anonymization & data minimization: Are data anonymization or pseudonymization techniques used before training or prompting AI tools? Does the organization limit data collection to what is necessary for the specific HR use case?
Incident response & breach notification: Does your organization (or vendor) have a clear plan to respond to data breaches, including leakage of HR data through model prompts, outputs, or training sets, and to notify affected individuals?
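The data-restriction and anonymization questions above (what may not be entered into an AI tool, and pseudonymizing or masking before prompting) are easiest to reason about with a concrete pre-send gate. The following is an added illustration, not code from this assessment or any vendor: it replaces direct identifiers in a candidate record with keyed tokens before the text leaves the organization, keeps the token-to-value mapping on-prem so outputs can be re-identified, and refuses to send anything that still contains an identifier. The record, the key, and the regular expressions are constructed for the example; a production gate would add a proper PII or NER detector rather than rely on two patterns.

```python
import hashlib
import hmac
import re

# Constructed sample record (not real data), shaped like an applicant-tracking entry.
SAMPLE_RECORD = {
    "candidate_id": "C-1042",
    "name": "Jane Doe",
    "email": "jane.doe@example.com",
    "phone": "+1 555 010 2233",
    "notes": ("Jane Doe interviewed on 4 March. Contact jane.doe@example.com "
              "or +1 555 010 2233. Strong Python skills, weaker on SQL."),
}

# Hypothetical secret kept in the HR system's KMS; it never leaves the organization.
PSEUDONYM_KEY = b"rotate-me-and-store-in-kms"

# Illustrative patterns only; a production gate would add a PII/NER detector.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{7,}\d")


def pseudonym(kind, value, key=PSEUDONYM_KEY):
    """Keyed, stable token: same value -> same token, so the model can still
    reason about 'the same candidate' without ever seeing the identifier."""
    digest = hmac.new(key, f"{kind}:{value}".encode(), hashlib.sha256).hexdigest()[:8]
    return f"<{kind}_{digest}>"


def pseudonymize_record(record, fields=("name", "email", "phone"), key=PSEUDONYM_KEY):
    """Return (prompt_safe_text, mapping). The mapping stays on-prem so HR can
    re-identify the model's answer; only prompt_safe_text may go to the vendor."""
    mapping = {}
    text = record["notes"]
    # 1. Replace known direct identifiers from structured fields, longest first so
    #    a long value is not partially clobbered by a shorter one it contains.
    for field in sorted(fields, key=lambda f: -len(record.get(f) or "")):
        value = record.get(field)
        if value:
            token = pseudonym(field, value, key)
            mapping[token] = value
            text = text.replace(value, token)
    # 2. Sweep the free text for identifiers that were never captured in a field.
    for kind, pattern in (("email", EMAIL_RE), ("phone", PHONE_RE)):
        for match in set(pattern.findall(text)):
            token = pseudonym(kind, match, key)
            mapping[token] = match
            text = text.replace(match, token)
    return text, mapping


def leaks_identifiers(text, record, fields=("name", "email", "phone")):
    """Pre-send gate: True if a direct identifier, or anything email- or
    phone-shaped, is still present in the outgoing prompt."""
    structured = any(record[f] in text for f in fields if record.get(f))
    return structured or bool(EMAIL_RE.search(text)) or bool(PHONE_RE.search(text))


def reidentify(text, mapping):
    """Swap tokens back into the model's output, inside the trust boundary."""
    for token, value in mapping.items():
        text = text.replace(token, value)
    return text


if __name__ == "__main__":
    safe, mapping = pseudonymize_record(SAMPLE_RECORD)
    assert not leaks_identifiers(safe, SAMPLE_RECORD)
    print(safe)
```

The distinction that matters for the policy question is masking versus pseudonymization: masking (replacing with a fixed placeholder) is irreversible and loses the ability to tell two candidates apart, whereas the keyed tokens here are stable per value and reversible only with the mapping, which is why the mapping and the key must be treated as sensitive HR data themselves and never included in the prompt.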
Bias Prevention, Transparency, and Ethics
Bias assessment: Does your organization have procedures to test AI tools for bias before deployment, including analysis of demographic groups and fairness metrics?
Ongoing monitoring: Is there continuous monitoring for disparate impact or unfair outcomes in hiring, performance evaluations, or other HR processes?
Independent audits: Are independent third parties engaged to audit AI systems for bias, fairness, and compliance (e.g., quarterly or annually)?
Transparency to candidates & employees: Does your organization disclose when AI is used in recruiting, screening, or performance management? Are consent and opt‑out processes provided where appropriate?
Explainability & documentation: Are vendors required to provide documentation (e.g., model cards) that explain how AI models make decisions?
Human‑in‑the‑loop (HITL): Is there a defined process for human review and override of AI recommendations or scores in hiring, promotion, and termination decisions?
Accountability & governance: Are roles and responsibilities defined for addressing ethical concerns, investigating complaints, and remediating harm?
Vendor Selection and Due Diligence
Vendor evaluation process: Does your organization have a formal process for evaluating AI vendors, including a questionnaire or checklist covering data handling, privacy, bias mitigation, explainability, security, compliance, operational resilience, and vendor reputation?
Data security & privacy practices: Does the vendor encrypt data at rest and in transit, provide access controls, document data residency, and support incident response? Do the vendor's development and test systems use anonymized or synthetic data rather than customers' production HR data?
Training data provenance & data lineage: Does the vendor document where training data comes from, how it was collected, and whether it has the legal right to use it?
Bias mitigation & fairness testing: Does the vendor test AI models for bias and provide fairness metrics, and are model decisions auditable?
Explainability & documentation: Does the vendor provide model cards or technical documentation explaining how models make decisions and when they may fail?
Regulatory compliance: Does the vendor adhere to relevant laws and regulatory guidance (e.g., GDPR, CCPA, HIPAA, EEOC guidance on AI in employment decisions) and standards (e.g., NIST AI RMF, ISO/IEC 42001)?
Security controls & access management: Does the vendor provide AI‑specific security measures beyond conventional application security (e.g., defenses against prompt injection), and does it allow customers to review penetration testing results?
Operational resilience & SLAs: Does the vendor offer service level agreements (uptime, performance) and have plans for fallback and manual overrides?
Third‑party dependencies: Does the vendor document all critical AI dependencies (e.g., foundation models, cloud providers) and provide assurance that subprocessors are bound by appropriate data protection agreements?
Vendor reputation & financial stability: Does your organization assess vendors' market presence, client references, case studies, and financial health?
Training and Change Management
AI literacy training: Does your organization provide training for HR staff and managers on AI capabilities, limitations, bias risks, and policy requirements?
Change management plan: Is there a structured plan to introduce AI tools, including pilot projects, communication with employees, and mechanisms for feedback?
Cross‑functional collaboration: Are legal, HR, IT, compliance, and procurement teams involved in AI decision‑making and vendor management?
Ongoing support & resources: Does your organization provide accessible resources (e.g., knowledge bases, helpdesks) to answer questions about AI use?
Documentation and Recordkeeping
AI decision logs: Does your organization record AI‑generated recommendations, scores, and decisions for hiring and performance management? Can these logs be exported for audit?
Retention & deletion: Are there defined retention periods for these logs and mechanisms to delete or anonymize them when required?
Auditability: Can your organization trace decisions back to model inputs and provide explanations to regulators or affected individuals?
Documentation of human review: Is evidence of human override and decision‑making recorded and retained?
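The four documentation questions above (logging AI recommendations and decisions, retention and deletion, traceability to inputs, and evidence of human override) describe one record structure, so the following added example, which is not part of this assessment or any vendor's product, shows a single decision log that answers all four. Each entry records the model, a hash of its exact input, the AI score and recommendation, the reviewer's decision and rationale, and whether the human overrode the AI; entries are hash-chained so an auditor can detect a removed or edited record; and the link to the data subject is kept outside the chained hash under an HMAC key, so retention or a deletion request can sever that link without breaking auditability. The key, identifiers, and sample decisions are constructed for the example.

```python
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

# Hypothetical key held by HR IT in a KMS. It links entries to people; destroying it
# (crypto-shredding) severs that link for every entry without touching the log.
LOG_KEY = b"decision-log-key-rotate-via-kms"
GENESIS = "0" * 64
# Fields that may change after the fact (retention, deletion requests) and are
# therefore kept out of the tamper-evidence hash.
MUTABLE_FIELDS = {"hash", "subject_id", "anonymized_at"}
# Constructed audit date used by the sample below.
AUDIT_TIME = datetime(2025, 6, 1, tzinfo=timezone.utc)


def subject_ref(subject_id, key=LOG_KEY):
    """Keyed reference to the data subject; survives anonymization but is only
    resolvable by whoever holds the key."""
    return hmac.new(key, subject_id.encode(), hashlib.sha256).hexdigest()


def entry_hash(entry):
    body = {k: v for k, v in entry.items() if k not in MUTABLE_FIELDS}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class DecisionLog:
    """Append-only record of AI recommendations and the human decision on each.
    Every entry commits to the previous entry's hash, so an altered, inserted,
    or removed entry is detected when an auditor runs verify()."""

    def __init__(self):
        self.entries = []

    def record(self, *, subject_id, use_case, model_id, model_version, input_ref,
               ai_score, ai_recommendation, reviewer, human_decision, rationale, when):
        entry = {
            "seq": len(self.entries),
            "timestamp": when.isoformat(),
            "subject_id": subject_id,            # pseudonymous HR id, never raw PII
            "subject_ref": subject_ref(subject_id),
            "use_case": use_case,
            "model": {"id": model_id, "version": model_version},
            "input_ref": input_ref,              # hash of the exact model input, for traceability
            "ai": {"score": ai_score, "recommendation": ai_recommendation},
            "human": {"reviewer": reviewer, "decision": human_decision, "rationale": rationale,
                      "overrode_ai": human_decision != ai_recommendation},
            "prev_hash": self.entries[-1]["hash"] if self.entries else GENESIS,
        }
        entry["hash"] = entry_hash(entry)
        self.entries.append(entry)
        return entry

    def verify(self):
        """True if the chain is intact and every remaining subject link matches its keyed reference."""
        prev = GENESIS
        for e in self.entries:
            if e["prev_hash"] != prev or entry_hash(e) != e["hash"]:
                return False
            if e["subject_id"] is not None and subject_ref(e["subject_id"]) != e["subject_ref"]:
                return False
            prev = e["hash"]
        return True

    def override_rate(self):
        """Share of AI recommendations the reviewer overrode; a rate near zero
        is a signal of rubber-stamping rather than meaningful human review."""
        if not self.entries:
            return 0.0
        return sum(e["human"]["overrode_ai"] for e in self.entries) / len(self.entries)

    def export(self, subject_id=None):
        """JSON lines for an auditor, or for one subject's access request."""
        rows = [e for e in self.entries if subject_id is None or e["subject_id"] == subject_id]
        return "\n".join(json.dumps(r, sort_keys=True) for r in rows)

    def anonymize_expired(self, now, retention_days):
        """Drop the direct subject link on entries past retention; the decision
        record and the hash chain stay intact for audit. Returns the count changed."""
        cutoff = now - timedelta(days=retention_days)
        count = 0
        for e in self.entries:
            if e["subject_id"] is not None and datetime.fromisoformat(e["timestamp"]) < cutoff:
                e["subject_id"] = None
                e["anonymized_at"] = now.isoformat()
                count += 1
        return count


def build_sample_log():
    """Constructed sample: three screening decisions (not real data)."""
    log = DecisionLog()
    common = dict(use_case="screening", model_id="resume-ranker", model_version="2.3",
                  reviewer="recruiter-07")
    log.record(subject_id="C-1042", input_ref="sha256:" + "a1" * 32, ai_score=0.81,
               ai_recommendation="advance", human_decision="advance",
               rationale="matches role requirements",
               when=datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc), **common)
    log.record(subject_id="C-2077", input_ref="sha256:" + "b2" * 32, ai_score=0.32,
               ai_recommendation="reject", human_decision="advance",
               rationale="score penalised a career gap; not job-relevant",
               when=datetime(2025, 3, 3, 14, 30, tzinfo=timezone.utc), **common)
    log.record(subject_id="C-1042", input_ref="sha256:" + "c3" * 32, ai_score=0.77,
               ai_recommendation="advance", human_decision="advance",
               rationale="confirmed after interview",
               when=datetime(2025, 5, 20, 11, 0, tzinfo=timezone.utc), **common)
    return log
```

Two design choices are worth calling out for the assessment. First, the log stores a hash of the model input rather than the input itself, so the decision can be tied to exactly what the model saw without the log becoming a second copy of applicant PII; the inputs themselves live under the retention rules in the Data Privacy section. Second, the override flag and rationale are part of the hashed body, which is what turns "we have human review" into retained evidence a regulator can check, and the override rate across the log is a cheap monitoring signal for whether that review is meaningful.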