Agentic AI implementation readiness checklist

1. Problem definition

• Can you name the single workflow the agent will own end-to-end?
• What breaks today when that workflow runs? (Specific failure mode, not vague "inefficiency".)
• Who owns the outcome the agent is accountable to?

2. Data and identity

• Is every data source the agent will touch already on the approved list?
• Does the agent have its own non-human identity, or is it reusing a human's credentials?
• Can you audit the agent's actions to a specific request-ID chain?
• What happens to the agent's access when the requesting human leaves the org?

3. Threat model

• Prompt-injection surface: has the agent been tested against documented in-the-wild attacks?
• Cross-agent delegation containment: can this agent call other agents, and is that chain logged?
• Kill-switch: who has the authority to stop the agent, and how fast does it take effect?

4. Governance and compliance

• Does the agent fall under EU AI Act Title III high-risk obligations for your deployment geography?
• Is there a named Data Protection Impact Assessment (DPIA) for agents acting on behalf of employees or customers?
• What's the retention policy for agent-generated artefacts (outputs, logs, intermediate reasoning)?

5. Economics

• What is the per-action cost, including inference and orchestration overhead?
• Does the business case survive a 2× price increase from the vendor?
• At what adoption fraction does the per-seat or per-call economics break?
• What is the exit cost — how long to detach, and what data do you lose?

Related tracked claims

The questions above reference ongoing tracked claims under our Holding-up index. Pricing-tier claims specifically: AM-003 (GPT-5 Pro economics, reviewed every 30 days).