For founders, ops & whoever owns AI governance

If an auditor showed up in90 days, would you pass?

Most teams don't know until someone asks. This triage scores your AI program across seven control domains and gives you a straight answer — AUDIT-READY, PATCHABLE, or WOULD NOT PASS — plus the one thing to fix first. With a gate that catches the failure auditors find fastest: a control nobody owns.

Get the Triage — $79one-time · instant download · yours to keep

A readiness self-assessment and decision aid — not legal advice and not an audit opinion. It does not certify compliance. Confirm scope and evidence with your own counsel or auditor.

Five deliverables · runnable
Readiness Triage (.xlsx)
Workbook
AUDIT-READY / PATCHABLE / WOULD NOT PASS
Verdict
No-owner accountability gate
Gate
Facilitator Playbook (.docx)
Guide
90-Day Remediation Runbook (.docx)
Runbook
Works alongside
Output Audit-Trail Kit · Vendor Data-Flow Register · NIST AI RMF Kit
01.The Problem

Most teams find their gaps the same day the auditor does.

78%

Of organizations say they couldn't pass an AI governance audit on a 90-day notice. The evidence exists in pieces; nobody's assembled it.

“Who owns this?”

The first question in any control review. A domain with great documentation and no accountable owner fails on the spot.

90 days

The window a customer's security review or a regulator typically gives you. You want to know your answer before the clock starts.

02.See It Work

Score the domains. Get the verdict.

Readiness score
92/ 100
WOULD NOT PASS

No-owner gate: 1 in-scope domain has no named owner. That fails the audit regardless of the score.

Tap an evidence cell (0–3), flip an owner, or drop a domain out of scope and watch the verdict move. Worked example as of 2026-06-25.

Control domainWtEvidenceOwnerIn scope
AI system & use-case inventory18
Named owner & accountability14
Acceptable-use policy & approvals14
Output record-keeping & audit trail16
Vendor & sub-processor governance14
Risk assessment & monitoring14
Staff AI-literacy / training record10

Same math as the workbook: weighted evidence renormalized over the in-scope domains, and a no-owner gate that forces WOULD NOT PASS when any in-scope control lacks a named owner — the way the shipped example scores 92 yet still fails. A readiness self-assessment, not legal advice or an audit opinion.

03.The Engine, Run

Five companies. One uncomfortable result.

This is the shipped example, scored by the same engine behind the workbook and the demo. Read Meridian Health closely: it scores 92 out of 100 — comfortably above the AUDIT-READY floor — and still lands WOULD NOT PASS, because one control domain has no named owner. The score alone would have waved it through. The gate didn't.

"Pass a 90-Day AI Audit?" Readiness Triage  (as-of 2026-06-25)
==================================================================
Meridian Health     readiness  92  ->  WOULD NOT PASS  [GATE: vendor governance has no owner]
Northwind SaaS      readiness  59  ->  PATCHABLE       fix: training record
Apex Logistics      readiness  25  ->  WOULD NOT PASS  fix: record-keeping
Cobalt Fintech      readiness  95  ->  AUDIT-READY
Driftwood Agency    readiness  19  ->  WOULD NOT PASS  fix: ownership
04.The Standard

Three rules keep the verdict honest.

Accountability is the spine

Any in-scope domain with no named owner fails the audit — full stop. It's the control auditors test first, so it gates the verdict.

Score what applies to you

Mark a domain out of scope when it genuinely doesn't apply; the weights renormalize over what's left. No padding, no distortion.

One domain to fix first

Every verdict names the single highest-leverage gap — the ownerless control if the gate fired, else the weakest evidence.

05.What This Is — And Isn't

A readiness read, not a compliance certificate.

It is
  • A cross-domain triage of whether you'd pass a 90-day audit.
  • An accountability gate that catches ownerless controls.
  • A remediation runbook that sequences the fixes — owners first.
It isn't
  • An audit opinion or a compliance certification.
  • Tied to one framework — it triages the domains they share.
  • Legal advice. It tells you where you stand; your counsel rules on sufficiency.

A readiness self-assessment and decision aid — not legal advice and not an audit opinion. It does not certify compliance. Confirm scope and evidence with your own counsel or auditor.

06.Who It's For

Whoever has to answer when the request lands.

Founders facing a customer's vendor-risk review
Ops & compliance leads owning AI governance
Teams prepping for SOC 2 / ISO readiness
Anyone who just got an AI-governance questionnaire
Heads of data who inherited the AI tools
Consultants triaging a client's readiness fast
08.Common Questions

Everything else you'd ask before buying.

Any review where someone asks for evidence that your AI is governed — a customer's vendor-risk or security review, a SOC 2 / ISO readiness check, an insurer's questionnaire, or a regulator's request. The triage isn't tied to one framework; it scores the seven control domains those reviews share — inventory, ownership, policy, record-keeping, vendor governance, risk, and training — so you get one cross-domain read on whether you'd pass.

Know your answer
before they ask.

One purchase, lifetime access, 12 months of updates. $79, once.

A readiness self-assessment and decision aid — not legal advice and not an audit opinion. It does not certify compliance. Confirm scope and evidence with your own counsel or auditor.

Sold by RedHub AI LLC · Secured by Stripe · redhub.ai