Rapid Readiness Review
A fixed-structure, buyer-side review for one enterprise AI tool: critical and high severity focus only, with a written position and evidence requests approvers can use. Does not include implementing or operating the product under review.
- Typical range: $15K to $25K
- Typical timeline: 2 weeks
- Scope: 1 tool
Right for this review
Use Rapid Readiness when approvers need a documented position soon and only critical and high findings need to be on the table, not full structured framework depth or a multi-tool program.
- One AI tool on path to POC, pilot, or production approval
- Often a fit for lighter categories (e.g. SaaS-with-AI, productivity, infrastructure AI); higher categories may still qualify depending on overlays
- Severity focus: critical and high, not full framework depth
- Primary output is an assurance recommendation with conditions, not a vendor certification
Scope
One AI tool. Critical and high severity focus only. No full framework coverage unless overlays clearly require it.
- Platform classification and deployment category
- Trust boundary and data flow documentation
- Critical and high severity review areas assessed
- Evidence requirements identified per finding
- No overlays unless explicitly required by the deployment
Deliverables
Platform classification
Implementation category, deployment pattern, and trust boundary diagram.
Data flow diagram
Data flow with control points showing where data moves, where it is stored, and what controls apply.
Control identification
Critical and high findings identified, evidenced, and severity-calibrated against the actual deployment.
Go/no-go recommendation
Written recommendation with explicit conditions for approval, conditional approval, or block.
Evidence checklist
Per-finding evidence requirements for approval stakeholders to validate before sign-off.
Executive summary
Short summary of posture, recommendation, and approval conditions, suited to security and steering readouts.
RAG Pipeline: Enterprise Knowledge Base
Representative output from a Rapid Readiness Review of an enterprise RAG deployment used for internal policy and compliance Q&A. Critical and high severity only. Client details removed.
POC approved with conditions. Pilot gate blocked pending two critical closures.
Conditions for pilot approval
- Close RAG-001 and RAG-002 with evidence on file before expanding pilot user group beyond 50 seats.
- Complete DPA or routing remediation for RAG-004 before production customer data is indexed in EU-West embeddings.
- Attach automated golden-set results to the next weekly corpus refresh (RAG-006) before pilot exit review.
Findings: post-review state (critical and high, plus one medium carried as a pilot-exit condition)
| ID | Category | Description | Severity | Status |
|---|---|---|---|---|
| RAG-001 | Access control | Retrieval index ACLs do not enforce user data classification when building query filters. | critical | Open |
| RAG-002 | Data handling | Ingestion pipeline has no PII detection before chunking for the internal policy corpus. | critical | Open |
| RAG-003 | Logging and audit | Prompt and retrieval audit logs retained 14 days; policy requires 365 days for regulated queries. | high | Open |
| RAG-004 | Third-party AI | Vendor subprocessors for the embedding model are not listed in the current DPA addendum. | high | Open |
| RAG-005 | Resilience | No graceful degradation when the vector store is unavailable; UI returns stack traces to analysts. | high | Closed |
| RAG-006 | Model risk | No documented evaluation of retrieval quality after corpus refresh. | medium | Open |
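To make RAG-001 and RAG-002 concrete, the following is an added example written for this page, not code from the review or from the client's pipeline. It models a minimal in-memory RAG ingest and retrieve path: a PII gate that runs before chunking (the control RAG-002 found missing) and a retrieval filter that applies the caller's clearance to document classification labels alongside the group ACL (the control RAG-001 found missing). The documents, users, group names, clearance ladder and the two regex detectors are all constructed for illustration; a real deployment would call its DLP classifier and its vector store here.

```python
"""Added example: PII gate before chunking (RAG-002) and a classification-aware
retrieval filter (RAG-001). Everything below is constructed for illustration."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed clearance ladder: a caller may read chunks at or below their level.
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}

# Constructed detectors (email address, US-style SSN). They stand in for the
# DLP classifier; the point is where the gate sits, not the patterns.
PII_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}


@dataclass
class Chunk:
    doc_id: str
    text: str
    classification: str   # label carried from the source document
    groups: frozenset     # group ACL carried from the source connector


def pii_gate(text: str, policy: str = "redact") -> tuple[str, list[str]]:
    """RAG-002 control: scan the whole document before it is chunked.
    policy='redact' masks matches; policy='reject' refuses to index at all."""
    hits = [name for name, pat in PII_PATTERNS.items() if pat.search(text)]
    if hits and policy == "reject":
        raise ValueError(f"document contains PII: {hits}")
    for name in hits:
        text = PII_PATTERNS[name].sub(f"[{name.upper()} REDACTED]", text)
    return text, hits


def chunk(text: str, size: int = 40) -> list[str]:
    words = text.split()
    return [" ".join(words[i:i + size]) for i in range(0, len(words), size)]


def ingest(index: list[Chunk], doc_id: str, text: str, classification: str,
           groups: set[str], policy: str = "redact") -> list[str]:
    """Gate first, then chunk; every chunk inherits label and ACL."""
    clean, hits = pii_gate(text, policy)
    for piece in chunk(clean):
        index.append(Chunk(doc_id, piece, classification, frozenset(groups)))
    return hits


def score(query: str, text: str) -> int:
    # Bag-of-words overlap stands in for vector similarity.
    return len(set(query.lower().split()) & set(text.lower().split()))


def retrieve_unsafe(index: list[Chunk], query: str, user: dict, k: int = 3) -> list[Chunk]:
    """RAG-001 as found: the filter is built from group membership only, so a
    restricted document shared to a broad group is retrievable by anyone in it."""
    cands = [c for c in index if c.groups & user["groups"]]
    return sorted(cands, key=lambda c: score(query, c.text), reverse=True)[:k]


def retrieve_safe(index: list[Chunk], query: str, user: dict, k: int = 3) -> list[Chunk]:
    """Hardened: classification ceiling from the caller's clearance is part of
    the candidate filter, evaluated before ranking, alongside the group ACL."""
    ceiling = LEVELS[user["clearance"]]
    cands = [c for c in index
             if c.groups & user["groups"] and LEVELS[c.classification] <= ceiling]
    return sorted(cands, key=lambda c: score(query, c.text), reverse=True)[:k]


def demo() -> dict:
    """Constructed corpus: a policy page, an HR note mis-shared to all-staff but
    labelled restricted, and a finance runbook visible to finance only."""
    index: list[Chunk] = []
    hits = {
        "pol-1": ingest(index, "pol-1", "Expense policy: receipts over 50 USD required. "
                        "Questions to finance@example.com", "internal", {"all-staff"}),
        "hr-7": ingest(index, "hr-7", "Investigation notes for employee 123-45-6789 "
                       "regarding expense fraud", "restricted", {"all-staff"}),
        "fin-3": ingest(index, "fin-3", "Finance runbook: expense fraud escalation path",
                        "internal", {"finance"}),
    }
    analyst = {"groups": {"all-staff"}, "clearance": "internal"}
    hr_lead = {"groups": {"all-staff", "hr"}, "clearance": "restricted"}
    q = "expense fraud investigation"
    return {
        "hits": hits,
        "index_text": [c.text for c in index],
        "analyst_unsafe": [c.doc_id for c in retrieve_unsafe(index, q, analyst)],
        "analyst_safe": [c.doc_id for c in retrieve_safe(index, q, analyst)],
        "hr_lead_safe": [c.doc_id for c in retrieve_safe(index, q, hr_lead)],
    }


if __name__ == "__main__":
    print(demo())
```

The evidence the checklist asks for maps onto this directly: a signed test report for RAG-001 is the `retrieve_safe` case where the analyst query no longer returns `hr-7`, and the DLP scan logs for RAG-002 are the `hits` recorded by `pii_gate` for each connector before any chunk was written.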
Evidence checklist: approval stakeholders
Items required for pilot gate sign-off. Delivered to security, privacy, and architecture review board.
| Closure item | Evidence accepted |
|---|---|
| RAG-001 closure: classification-aware retrieval filters deployed and tested | Signed test report + prod change ticket |
| RAG-002 closure: PII classifier before chunking for all connectors | Connector config screenshots + DLP scan logs |
| RAG-003 closure: HR/legal workspace logs at 365-day retention | SIEM policy diff + sample log line |
| RAG-004 closure: DPA addendum or routing change for embeddings | Executed addendum or network diagram v2 |
| RAG-005 verified closed in pilot environment | Error page capture + chaos re-run attestation |
| Pilot readiness sign-off from security architecture lead | Email approval in ticket RAG-PILOT-14 |
How the engagement works
Two weeks, one tool, fixed-price structure.
2 weeks total
- Discovery call (Day 0): 30-minute call to classify the tool, confirm scope, and identify any overlays that apply.
- Scoping and proposal (Days 1-2): within 1 to 2 business days, written scope, timeline, and fixed-price proposal.
- Architecture review (Week 1): document request, architecture and data flow analysis, control identification against critical and high severity categories.
- Recommendation (Week 2): evidence review, severity calibration, go/no-go recommendation drafted and reviewed with the team.
- Final delivery (End of week 2): report delivered, findings presented, evidence checklist handed off to approval stakeholders.
Pricing
$15,000 to $25,000
Fixed-price engagement
Fixed-price, not hourly. Reflects one-tool assurance scope with critical/high severity coverage only.
- Category 3, 4, or 5 tools typically fall at the lower end
- Category 1, 2, or 6 tools typically fall at the higher end
- Regulated data or deeper evidence needs move price up
What moves price
Increases scope and price
- Agentic execution patterns (+$5K to $10K)
- RAG retrieval pipeline (+$3K to $8K)
- Self-hosted model or infrastructure (+$5K to $10K)
- Regulated data (HIPAA, PCI, financial) (+$2K to $5K)
- Broad integration or connector surface (+$2K to $5K)
Discovery calls take twenty minutes.
We confirm deployment fit, outline review scope, and match you to the right packaged offer. No engagement starts until you decide to proceed.
