Who this questionnaire is for
Product leaders, business owners, governance/risk teams, and engineering leads deciding what AI use cases to build or ship.

What it assesses
Whether a proposed AI use case is safe to pilot or ship, by tiering risk (impact if wrong, decision proximity, user exposure, data sensitivity, and reversibility) and mapping it to required controls.

How it helps
Creates a consistent intake gate so AI doesn’t become “production by default.” Results give you a clear tier (low → critical) plus a practical control checklist for what must exist before you ship (owners, logs, evidence, human-in-the-loop, monitoring, rollback authority).

Best used when

Approving new AI use cases
Expanding scope from pilot → production
Aligning product speed with governance requirements
Deciding “do not ship” boundaries

Oyez Tools

Practical tools and field guides used together to decide what to build, how to ship it, and how to govern AI systems in real organisations.

Field Guides

AI Strategy Field Guide

Executive framing, ownership models, and adoption paths.
Engineering Field Guide

Production systems, reliability, and failure modes.
Governance Field Guide

Controls, accountability, auditability, and compliance.

Strategy & Direction

Strategy & Adoption Readiness (Executive)

Used by executives to set direction, ownership, and ship gates.

Intake & Decision Gates

AI Adoption Readiness

Baseline check for mixed teams starting or scaling AI.
Use-Case Intake & Risk Tiering

Approve, condition, or block AI use cases.

Build & Reliability

Engineering Maturity (Systems)

Assess production readiness and drift risk.
RAG & Grounding Readiness

Shipping retrieval-grounded AI safely.

Governance & Procurement

Governance & Compliance Readiness

Controls, evidence, and regulatory posture.
Vendor Procurement & Due Diligence

Evaluate AI vendors before purchase or renewal.

Operate & Review

Change, Drift & Incident Review

Post-incident and post-release review.

Field guides explain the concepts. Questionnaires test whether they exist in practice.

AI Use-Case Intake & Risk Tiering

Use this intake to decide what to build/ship — and what controls are required before a use case can move from idea → pilot → production. Your risk tier and required actions update as you answer.

Status: Not scored Coverage: 0% Score: — Risk tier: — Decision: —

Use case name (optional)

Business owner (optional)

Primary users (optional)

Jurisdiction (optional)

Your score

out of 45

Answered 0/15

Risk tier

—

Answer the questions to see your risk tier and required controls.

Section A — Use Case & Impact

1) What’s the impact if the system is wrong?

LowMinor inconvenience; no material consequences.

ModerateOperational cost/time; reversible decisions.

HighFinancial/legal/customer harm likely.

CriticalSafety, rights, eligibility, or regulated outcomes.

2) How close is the system to a final decision?

Informational onlyNo decisions; clear disclaimers.

Decision supportHuman decides; system provides options.

Strong recommendationHumans likely follow the output by default.

Automated action / gatekeeperSystem triggers actions or approvals.

3) Who is exposed to the output?

Small internal teamControlled access; trained users.

Broad internalMany employees, varying expertise.

Partners / contractorsExternal parties rely on outputs.

Public / customersExternal users; brand/legal exposure.

4) Is the use case regulated or high-stakes by policy (e.g., finance, health, employment, legal, eligibility)?

NoNot in a regulated/high-stakes category.

AdjacentCould influence regulated decisions indirectly.

Yes — controlledRegulated/high-stakes; clear constraints exist.

Yes — direct impactDirectly affects regulated outcomes/rights.

5) Is there a clear “do not do” scope boundary for this use case?

NoScope is ambiguous; likely to expand.

PartialSome boundaries, not enforced.

MostlyBoundaries documented and communicated.

EnforcedBoundaries enforced in UX/policy/system.

Section B — Data, Privacy & Access

6) What data types will be used or exposed?

Public / non-sensitiveNo personal or confidential data.

Internal confidentialBusiness confidential, low personal data.

Personal dataPII/employee/customer data may appear.

Sensitive personalHealth, biometric, minors, legal, etc.

7) Are data sources mapped with ownership, freshness, and access rights?

NoUnknown sources/rights; ad-hoc access.

PartialSome sources known; gaps remain.

MostlySources mapped; owners identified.

EnforcedAccess governed; freshness and rights tracked.

8) Are outputs grounded with evidence (citations, document IDs, timestamps) when making factual claims?

NoNo consistent citations or traceability.

ManualOccasional citations; not enforced.

MostlyTraceability exists for key claims.

EnforcedEvidence trails are required and logged.

9) Are permissions least-privilege with periodic review (tools, actions, data access)?

NoBroad access; no review cycle.

PartialSome controls; inconsistent reviews.

MostlyRoles defined; access is reviewed sometimes.

EnforcedLeast-privilege + scheduled reviews + logging.

10) Do you have a retention policy and audit-ready logs (inputs, retrieval, outputs, versions)?

NoCannot reconstruct what happened.

PartialSome logs, incomplete coverage.

MostlyGood logs; exportability varies.

EnforcedStructured, exportable logs with retention policy.

Section C — Controls & Shipping Gates

11) Is there a “safe to ship” definition (quality threshold, refusal behaviour, escalation for high-stakes)?

NoNo thresholds or escalation paths.

PartialInformal expectations; not tested.

MostlyDocumented thresholds exist.

EnforcedDocumented + tested + monitored gates.

12) Are failure paths tested (missing evidence, contradictions, prompt injection, tool failure)?

NoNo structured negative testing.

PartialOccasional checks; not a suite.

MostlyCommon failures tested before ship.

EnforcedRegression suite + repeatable evaluation.

13) Is monitoring in place with owners (quality/drift, refusal, latency/cost) and alerting?

NoNo monitoring or on-call ownership.

PartialSome monitoring; unclear thresholds/owners.

MostlyMonitoring exists; alerting is limited.

EnforcedSLOs + alerting + named response owners.

14) Is incident response defined for this use case (triage, rollback/kill, comms, learning loop)?

NoNo playbook; no authority to pause.

PartialInformal; not rehearsed.

MostlyDocumented with escalation paths.

EnforcedPracticed; measurable; post-incident reviews.

15) Are change logs and approvals required (prompts, models, tools, data access) before shipping changes?

NoChanges are ad-hoc; no approvals.

PartialSome tracking; inconsistent approvals.

MostlyConsistent logs; approvals for major changes.

EnforcedLogged + approved + auditable change control.

Tip: Use this before every new use case. If the tier is High/Critical, treat “controls” as prerequisites — not post-launch fixes.

Risk tier

—

Decision

—

Required actions (controls before ship)

Built for intake discipline: define scope, map data/rights, enforce gates, and ship only when evidence and ownership exist.

Oyez Tools

Practical tools used together to decide what to build, how to ship it, and how to govern AI systems in real organisations.

Strategy & Direction

Strategy & Adoption Readiness (Executive)

Used by executives to set direction, ownership, and ship gates.

Intake & Decision Gates

AI Adoption Readiness

Baseline check for mixed teams starting or scaling AI.
Use-Case Intake & Risk Tiering

Used by product and governance to approve or block AI use cases.

Build & Reliability

Engineering Maturity (Systems)

Used by builders to assess production readiness and drift risk.
RAG & Grounding Readiness

Used by teams shipping retrieval-grounded AI systems.

Governance & Procurement

Governance & Compliance Readiness

Used by risk, legal, and policy teams to assess controls.
Vendor Procurement & Due Diligence

Used before buying or renewing AI tools or models.

Operate & Review

Change, Drift & Incident Review

Used after releases, incidents, or drift events.

Field guides explain the concepts. Questionnaires test whether they exist in practice.

AI Use-Case, Intake & Risk Tiering Questionnaire

AI Use-Case Intake & Risk Tiering

Section A — Use Case & Impact

1) What’s the impact if the system is wrong?

2) How close is the system to a final decision?

3) Who is exposed to the output?

4) Is the use case regulated or high-stakes by policy (e.g., finance, health, employment, legal, eligibility)?

5) Is there a clear “do not do” scope boundary for this use case?

Section B — Data, Privacy & Access

6) What data types will be used or exposed?

7) Are data sources mapped with ownership, freshness, and access rights?

8) Are outputs grounded with evidence (citations, document IDs, timestamps) when making factual claims?

9) Are permissions least-privilege with periodic review (tools, actions, data access)?

10) Do you have a retention policy and audit-ready logs (inputs, retrieval, outputs, versions)?

Section C — Controls & Shipping Gates

11) Is there a “safe to ship” definition (quality threshold, refusal behaviour, escalation for high-stakes)?

12) Are failure paths tested (missing evidence, contradictions, prompt injection, tool failure)?

13) Is monitoring in place with owners (quality/drift, refusal, latency/cost) and alerting?

14) Is incident response defined for this use case (triage, rollback/kill, comms, learning loop)?

15) Are change logs and approvals required (prompts, models, tools, data access) before shipping changes?

Risk tier

Decision

Required actions (controls before ship)

About the Oyez