Do you know where you stand?
Most AI conversations start in the wrong place. They start with the tool. Which model, which vendor, which use case, which budget. All of that assumes you already know where you are. In my experience, almost nobody does.
I've spent seventeen years inside IT leadership, a lot of it in carve-outs and separations where you inherit systems nobody documented and processes nobody wrote down. The pattern is always the same. The org chart says one thing. The reality on the floor says another. And the gap between the two is where every serious problem lives.
AI has made that gap wider and faster.
The question nobody can answer
Walk into most organizations today and ask a simple question: where does your company data go when your people use AI? Not what the policy says. What actually happens, on a Tuesday afternoon, when someone has a deadline and a free tool open in the next tab.
You'll get one of two answers. Either a confident statement about the policy, or an honest shrug. Both are the same answer. Neither knows.
This isn't carelessness. A recruiter pastes a CV into a free assistant to speed up screening. Someone cleans a customer list with sensitive fields in a tool the company never approved. They're not reckless. They're trying to get their work done. But that data now lives somewhere nobody can point to, and one of those moments is all it takes to turn into a problem you have to explain to a client, a regulator, or a board.
Why "do you know where you stand" comes first
Banning the tools doesn't work. It just pushes the usage deeper into the shadow, where you can't see it and can't govern it. Buying a platform doesn't work either, not if you don't know what you're solving for.
The first move isn't a control. It's a measurement. You cannot govern what you haven't located.
That's why the right first question is the boring one: where do you actually stand? Not your ambition, not your roadmap, not the slide that says "AI is a strategic priority." Your real position. What people can access, what data leaves the building, who owns the rules, and what your teams actually do when no one is watching.
Get that wrong and every investment after it is built on a guess. Get it right and the rest becomes obvious.
What a real answer looks like
A useful answer isn't a feeling. It's specific. It tells you, across the dimensions that actually matter, where you're solid and where you're exposed:
Governance: is anyone accountable, or is it everyone and therefore no one?
Reach: how far has AI usage actually spread beyond what you sanctioned?
Identity and access: who can do what, and would you know if that changed?
Privacy and data: what leaves your perimeter, and can you prove it?
People and behavior: what do your teams do in practice, not in theory?
When you score these honestly, two things happen. First, you usually find you rated yourself higher than the reality. Most organizations do. Second, the weak spots stop being vague anxieties and become specific, addressable gaps. That shift, from "we should probably look at AI" to "here are the three places we're exposed," is the entire point.
Start with the number
I built a short self-assessment that does exactly this. It scores where your organization stands on AI exposure across those five dimensions, in about two minutes. You get a number out of 100 and the specific spots where you're weak. No call required to see your result, no pitch attached to it.
It won't tell you what to do about the gaps. That's a separate conversation, and an honest one only works once you know what you're looking at. But it will tell you where you stand, which is the one thing almost nobody can answer today, and the only place a serious AI strategy can actually begin.
If it shows you something you didn't want to know, that's not a flaw. That's the assessment doing its job.