Chapter ★ · Interactive Scorecard — The Agentic Enterprise

A self-assessment is not a certification. It is a mirror. The forty questions below are the ones we have asked, in some form, of every enterprise agent program we have walked through — and the answers, taken together, draw a picture clear enough to act on by the end of the morning.

Score each prompt on the five-point ladder: 1 Initial, 2 Repeatable, 3 Defined, 4 Managed, 5 Optimized. The anchor text on each level is deliberately short and behavioral — pick the rung whose description you can defend with evidence to a skeptical auditor, not the one you wish you were on.

Your answers are saved to this browser only. When you finish, you will see a four-pillar radar, a level badge, a gap heatmap, and a roadmap. A "Share this assessment" button encodes the whole thing into a URL hash you can paste anywhere — no account required.

How long this takes

About 20 minutes alone, or 90 minutes with three people in a room. We strongly suggest the second; the conversations are where the real assessment happens.

0 of 40 answered

Pillar · Governance

Governance

Pillar I — policy, accountability, and risk.

Accountable owner for the agent program

1No named owner. 2Informal owner in IT. 3Named exec sponsor. 4Cross-functional council with charter. 5Board-level oversight with KPIs.

AI / agent acceptable-use policy

1No policy. 2Draft circulated. 3Approved policy, communicated. 4Enforced with controls + training. 5Reviewed quarterly with metrics.

Model & agent inventory

1Unknown what's in production. 2Spreadsheet, partial. 3Central registry with owners. 4Live registry tied to deployments. 5Continuous discovery + reconciliation.

Risk classification (impact × likelihood)

1No tiering. 2Ad-hoc per project. 3Standard tiers, applied at intake. 4Tiers drive control selection. 5Tiers continuously re-scored from telemetry.

Alignment to NIST AI RMF or ISO/IEC 42001

1Not aware. 2Familiar, not applied. 3Mapped controls to one framework. 4Conformance evidence collected. 5Externally audited or certified.

EU AI Act / regional regulatory readiness

1Not assessed. 2Awareness only. 3Gap analysis done. 4Remediation plan funded. 5In-scope systems compliant + monitored.

Incident response for agent failures

1No process. 2General IR, no AI annex. 3AI-specific runbook drafted. 4Tested in tabletop exercises. 5Real incidents handled + post-mortems published.

Bias, fairness, and impact assessment

1Not performed. 2Per-project, inconsistent. 3Standard template applied at launch. 4Repeated through lifecycle. 5Tied to model retraining gates.

Vendor & third-party AI risk

1Vendors unmanaged. 2Standard procurement only. 3AI addendum to contracts. 4Right-to-audit + telemetry. 5Continuous vendor risk scoring.

Workforce policy and disclosure

1No guidance. 2Internal memo only. 3Documented disclosure rules. 4Customers + employees notified at touchpoints. 5Disclosure built into UX, audited.

Pillar · Orchestration

Orchestration

Pillar II — frameworks, runtimes, evals, and guardrails.

Agent orchestration framework standardization

1Each team picks its own. 2Two or three sanctioned options. 3One blessed framework + escape hatch. 4Framework owned by platform team. 5Framework versioned and deprecated centrally.

Memory architecture (short / long / episodic)

1Stateless prompts only. 2Per-app session storage. 3Shared short-term store. 4Long-term memory with TTLs + ownership. 5Episodic memory tied to evals + retraining.

Evals & offline benchmarks

1No evals. 2Spot-checks per release. 3Standard eval suite per use case. 4Evals gate every deploy. 5Eval drift monitored continuously.

Tracing & observability

1No traces. 2Logs, no correlation. 3Trace per run, retained 30d. 4Trace + cost + tool calls, queryable. 5Traces feed automated regressions.

Guardrails (input + output + runtime policy)

1None. 2Single content filter. 3Layered: input/output/runtime. 4Policy engine separate from app code. 5Policy versioned, A/B tested, audited.

Multi-agent coordination patterns

1Single agents only. 2Ad-hoc chained agents. 3Documented orchestrator + worker pattern. 4Multiple patterns standardized + chosen per use case. 5Cross-agent telemetry + shared memory.

Cost & token-budget controls

1Unknown spend. 2Monthly bill review. 3Per-app budgets + alerts. 4Per-run hard caps, per-tenant tracking. 5Unit-economics dashboards in product.

Latency & reliability SLOs

1No SLOs. 2P50 watched in chat. 3P50/P95 SLOs per use case. 4Error budgets + on-call. 5SLOs feed roadmap + capacity planning.

Prompt & policy version control

1Prompts in code, untracked. 2Stored, no review. 3Reviewed in PRs. 4Versioned, evals tied to versions. 5Promoted via standard release pipeline.

Red-team / adversarial testing

1Never done. 2External pen-test once. 3Internal red-team per launch. 4Continuous red-team in CI. 5Bug-bounty program for agent failures.

Pillar · Use cases

Use cases

Pillar III — picking the right work, scoring it, scaling it.

Use case intake & qualification

1No process. 2Email + slide. 3Standard intake form. 4Intake gates with scoring. 5Portfolio review tied to OKRs.

Value modeling (ROI / payback)

1None. 2Anecdote. 3Simple value sheet. 4Standard ROI template + finance review. 5Live value tracking after launch.

Feasibility scoring (data, integration, model)

1Not assessed. 2Engineer's gut. 3Standard rubric. 4Rubric + spike before greenlight. 5Post-mortem updates rubric quarterly.

Human-in-the-loop design

1Not designed. 2All decisions reviewed. 3Risk-tiered review thresholds. 4Calibration of reviewers + drift watch. 5Review workload optimized via evals.

User research & adoption metrics

1None. 2NPS only. 3Standard adoption metrics tracked. 4A/B tests per release. 5Use-case retirement decisions data-driven.

Pilot → production graduation

1Pilots forever. 2Promotions ad-hoc. 3Documented graduation criteria. 4Criteria gated by evals + risk review. 5Post-launch reviews close the loop.

Use case retirement

1No retirement. 2Quietly abandoned. 3Sunset criteria documented. 4Sunset reviews on calendar. 5Retired use cases inform next portfolio.

Domain expert involvement

1Engineers alone. 2SMEs consulted late. 3SME on every project. 4SMEs trained as agent designers. 5Domain experts own the prompt + evals.

Customer-facing vs internal balance

1No portfolio view. 2All internal or all external. 3Balanced portfolio with policy. 4Risk-tiered policy by audience. 5Portfolio re-balanced quarterly.

Lessons-learned & reuse

1None. 2Slack threads. 3Project post-mortems shared. 4Shared library of prompts + tools. 5Reuse measured + incentivized.

Pillar · Integration

Integration

Pillar IV — APIs, identity, data, and protocols.

Identity model for non-human actors

1Personal accounts. 2Shared service account. 3Per-agent service principal. 4Scoped tokens + on-behalf-of. 5JIT credentials with full audit.

API & tool catalog

1No catalog. 2Wiki list. 3Reviewed catalog with owners. 4Self-service with approvals. 5Catalog discoverable via MCP.

Data freshness & lineage

1Unknown. 2Best-effort batch. 3Documented SLAs per dataset. 4Lineage tooling in place. 5Lineage feeds eval gating.

Vector / retrieval infrastructure

1None. 2Per-app indexes. 3Shared retrieval service. 4Multi-tenant with quality monitoring. 5Hybrid retrieval + freshness SLOs.

ERP / CRM / ITSM integration depth

1Read-only screen scraping. 2Read APIs. 3Sanctioned read + write APIs. 4Bi-directional with audit. 5Agents are first-class system users.

Protocol adoption (MCP, A2A, OpenAPI)

1None. 2Internal-only RPCs. 3Some MCP for tools. 4MCP standard, A2A piloted. 5Multi-protocol bus + governance.

Data classification & masking

1No classification. 2Tags on some data. 3Classification enforced at retrieval. 4Masking + redaction at runtime. 5Confidential compute for sensitive runs.

Network egress & exfil controls

1Open egress. 2Allow-list, weak. 3Egress proxy + DLP. 4Per-agent egress policy. 5Continuous egress monitoring + automated revoke.

Logging, retention & audit

1No agent logs. 2Logs in app, no retention. 3Centralized agent log store. 4Tamper-evident, retained per policy. 5Logs queryable by auditors on demand.

Disaster recovery & model failover

1None. 2Single provider, fingers crossed. 3Documented DR plan. 4Multi-provider failover tested. 5Active/active with automatic failover.

Your results

The chart and roadmap below update as you answer. They become useful around the 75% mark; before that, treat them as scaffolding.

Overall maturity

—

Awaiting answers

Roadmap — generated from your weakest pillars

Progress over time

No snapshots yet. Click Save snapshot below to track progress.