AI Readiness Checklist for Regulated Industries (2026)

Enterprises in regulated industries — healthcare, legal, finance, government, construction — face AI adoption challenges that unregulated companies don't. Data can't leave the building. Audit trails are mandatory. Domain experts must stay in the loop. Compliance timelines are immovable.

This checklist covers everything a regulated enterprise needs to assess before starting an AI project. Work through it before you evaluate models, buy GPUs, or hire ML engineers.

1. Data Inventory

• Identified all data sources relevant to the intended AI use case
• Cataloged document types, formats, and volumes for each source
• Determined the split between digital-native and scanned documents
• Assessed the age range and historical depth of available data
• Identified data stored in legacy systems or physical archives
• Estimated total data volume (GB/TB)
• Mapped data ownership (which department/team owns each data source)

2. Data Quality Assessment

• Pulled a representative sample (100-500 documents)
• Assessed OCR quality for scanned documents
• Evaluated document completeness (are required sections present?)
• Measured format consistency within each document type
• Identified quality issues (corruption, missing pages, illegible sections)
• Estimated the percentage of data usable for AI without remediation
• Documented known data gaps or limitations

3. Privacy and Sensitive Data

• Identified PII types present in the data (names, SSNs, addresses, etc.)
• Identified PHI if applicable (diagnoses, treatments, patient identifiers)
• Estimated PII/PHI density (what percentage of documents contain sensitive data?)
• Determined whether anonymization or pseudonymization is feasible
• Assessed whether sensitive data can be processed in-place or must be redacted
• Identified data that cannot be used for AI training under any circumstances

4. Regulatory Compliance

• Identified all applicable regulations (GDPR, HIPAA, EU AI Act, SOX, ITAR, etc.)
• Determined whether the intended AI system qualifies as "high-risk" under the EU AI Act
• Assessed GDPR legal basis for using personal data for AI training
• Identified cross-border data transfer implications
• Determined audit trail requirements for the applicable regulatory framework
• Assessed data retention and destruction obligations
• Identified any industry-specific AI governance requirements (e.g., PCAOB for audit, SR 11-7 for banking)
• Confirmed compliance team is aware of and engaged with the AI project

5. Infrastructure Assessment

• Determined deployment model: cloud, on-premise, or air-gapped
• Assessed existing on-premise compute resources (GPU availability, storage capacity)
• Evaluated network constraints (can data leave the building? the network segment?)
• Identified any air-gapped requirements (classified networks, isolated production environments)
• Assessed whether existing IT infrastructure can support data preparation workloads
• Determined whether Docker/K8s infrastructure exists or if native desktop tools are preferred
• Evaluated backup and disaster recovery capabilities for AI training data

6. Team and Expertise

• Identified who has ML/data engineering expertise (or need to hire/contract)
• Identified domain experts who will participate in labeling (doctors, lawyers, engineers, accountants)
• Assessed domain expert availability (can they dedicate time to labeling?)
• Determined whether domain experts can use the proposed labeling tools (do tools require Python?)
• Identified who will own the AI project end-to-end
• Assessed whether compliance/legal staff need to be involved in data preparation
• Determined training needs for team members unfamiliar with AI workflows

7. Use Case Definition

• Defined the specific AI application (not "use AI" but "classify incoming claims by severity")
• Identified the target user of the AI system (who will use the output?)
• Determined accuracy requirements (what's the acceptable error rate?)
• Defined success metrics (how will you measure whether the AI is working?)
• Assessed whether the use case requires supervised learning (labeled data) or can use unsupervised/RAG approaches
• Estimated the volume of labeled examples needed (hundreds? thousands? tens of thousands?)
• Identified the output format the model needs to produce

8. Tool Selection

• Evaluated data preparation tools against deployment requirements (on-premise, air-gapped)
• Assessed whether tools support the full pipeline or require integration of multiple tools
• Confirmed tools generate audit trails that satisfy regulatory requirements
• Verified tools are accessible to domain experts (not just ML engineers)
• Assessed export format support (JSONL, COCO/YOLO, CSV, chunked text)
• Evaluated vendor viability and support model
• Confirmed tools work with your data types and volumes

9. Timeline and Budget

• Estimated data preparation timeline (typically 60-80% of total project time)
• Budgeted for domain expert time (labeling hours, review cycles)
• Budgeted for infrastructure (compute, storage, tools)
• Budgeted for potential data remediation (OCR improvement, format conversion)
• Identified dependencies and blockers (compliance approvals, data access, expert availability)
• Set realistic milestones with data preparation as the critical path

10. Risk Assessment

• Identified what happens if data quality is worse than expected
• Planned for scope adjustments (start smaller if needed)
• Assessed vendor/tool risk (what if the tool doesn't work with your data?)
• Considered regulatory risk (what if requirements change during the project?)
• Planned for model performance risk (what if results don't meet accuracy requirements?)
• Documented fallback plan (what do you do if the project doesn't work?)

How to Use This Checklist

Score each section:

• Green (Ready): All items checked, no significant gaps
• Yellow (Feasible): Most items checked, gaps are addressable with planned effort
• Red (Not Ready): Major gaps that must be resolved before proceeding

Recommended threshold: No more than 2 red sections. Any red in sections 3, 4, or 5 (privacy, compliance, infrastructure) should be resolved before starting.

What Comes Next

Once this checklist is complete, you'll have a clear picture of whether your organization is ready to start an AI project in a regulated environment. The checklist output feeds directly into project planning — timeline, budget, resource allocation, and tool selection.

For the data preparation phase itself, Ertas Data Suite handles the pipeline from ingestion through export, on-premise, with built-in audit trails and compliance documentation. But the readiness assessment comes first — know your starting point before you plan the journey.