Article

Getting your data ready for AI: a practical checklist

Most AI projects do not fail at the model. They fail at the data underneath it. Here is a plain, seven-part checklist to judge whether your data is actually ready before you spend on AI.

Key takeaways

  • Data readiness is use-case-specific, not a one-time state: judge data against the specific decision, including its outliers and errors (Gartner, Feb 2025).
  • Most AI projects stall on data, not models: 38% of I&O leaders cited poor data quality or availability as a direct cause of failure (Gartner / The Register, Apr 2026).
  • Access and governance are part of readiness: 97% of AI-related breaches lacked proper access controls and 63% lacked a governance policy (IBM, Jul 2025).
  • Privacy law sets hard edges: India’s DPDP Rules, 2025 phase in by 13 May 2027, and scraped public data may still be personal; Saudi PDPL is enforceable with fines to SAR 5 million.
  • Fund the foundations: successful AI initiatives invest up to four times more in data quality, governance, people and change management (Gartner, Apr 2026).

If you lead IT or run an SME, you have probably had the conversation: a vendor demo lands well, a pilot gets funded, and a few months later the project quietly stalls. The model was not the problem. The data feeding it was thin, badly governed, or legally awkward to use.

The evidence points the same way. In a Gartner survey of 782 infrastructure and operations leaders conducted in November and December 2025, 38% cited poor data quality or limited data availability as a direct cause of AI project failure, and only 28% of AI use cases fully succeeded and met ROI expectations (reported by Gartner and independently by The Register, April 2026). Separately, Gartner predicted that through 2026 organisations will abandon 60% of AI projects unsupported by AI-ready data, noting that 63% of organisations either lacked, or were unsure they had, the right data management practices for AI (Gartner, February 2025).

This article is about the work that happens before the model: deciding whether your data is ready, and what “ready” even means. It is a checklist, not a sales pitch. Use it to have a more honest conversation with your team and your vendors.

What “data readiness” actually means

There is a tempting myth that data readiness is a one-time state you reach and then tick off. Gartner is explicit that this is wrong: it defines AI-ready data as data that is representative of the use case, including every pattern, error, outlier and unexpected case the model needs to learn from or operate on, with the metadata available to align, qualify and govern it. Crucially, Gartner notes there is no single AI-ready state that fits all uses; readiness is judged against a specific use case (Gartner, February 2025).

That single idea changes the question. Instead of asking “is our data ready for AI”, ask “is this data ready for this decision”. A dataset clean enough for invoice matching may be useless for demand forecasting. Readiness is a verdict you reach per use case, not a certificate you hang on the wall.

The seven-part readiness checklist

Work through these seven pillars for the specific use case in front of you. If you cannot give a confident answer on any one of them, you have found where to spend before you spend on the model.

1. Data quality fit to the use case

Start with representativeness, not just cleanliness. Following Gartner’s definition, the data should cover the real range of cases the model will meet, including the rare and the messy ones, because those are often exactly what you need the model to handle. A spotless dataset that only reflects ordinary cases will mislead you in production.

  • Does the data cover the patterns, errors and outliers the model will actually encounter, or only the easy middle of the distribution?
  • Is it current enough for the decision, and refreshed on a known cadence?
  • Do you know its known gaps and biases well enough to state them out loud?
  • Is there enough metadata to align, qualify and govern it, as Gartner’s definition requires?

2. Access control and a governance policy

Access is where readiness meets risk. IBM’s Cost of a Data Breach Report 2025, conducted by the Ponemon Institute across 600 organisations, found that 13% of organisations reported breaches of their AI models or applications, and 97% of those breached lacked proper AI access controls. The same report found 63% of breached organisations either had no AI governance policy or were still developing one, and that one in five (20%) reported a breach involving shadow AI, which added an average of USD 670,000 to breach costs (IBM, July 2025).

The lesson is plain: who can reach the data and the models, and under what written policy, is part of readiness, not an afterthought. Governance maturity is still rare. Drawing on collated 2025 survey figures, only about one in four organisations (25%) had fully operational AI governance programmes, and just 7% had embedded governance into their development pipelines (Knostic, 2025).

  • Is there a written AI governance policy covering who may build, train and deploy on this data?
  • Are AI-specific access controls in place, or are you relying on general IT permissions?
  • Do you have a way to find and shut down shadow AI, where staff feed company data into unsanctioned tools?

3. Labelling and annotation provenance

If your use case relies on labelled data, the labelling itself is a governance concern, not clerical work. Industry guidance notes that regulations such as the EU AI Act and GDPR expect organisations to document the provenance of training data, including who annotated each example, which guidelines were in force, when annotation happened, and whether the data has changed since (Atlan, 2025). Even outside those jurisdictions, this discipline is what lets you trace a bad output back to a bad label later.

  • Can you say who labelled each example, and against which written annotation guidelines?
  • Do you record when labelling was done and whether the data has been modified since?
  • Could you reconstruct the labelling decisions behind a model’s output if a customer or regulator asked?

4. Lineage and provenance you can trace

Two related disciplines matter here, and it helps to keep them separate. Guidance on trustworthy AI pipelines distinguishes data lineage, used by engineering teams to debug pipelines and understand dependencies, from data provenance, used by legal and compliance teams to answer questions about usage rights and audit requirements. The recommended practice is to adopt open metadata standards, OpenLineage for pipeline-run metadata and W3C PROV for machine-readable provenance, and to implement lineage progressively, starting with job-level lineage before adding finer detail (Agility at Scale, 2025).

You do not need perfect lineage on day one. You do need a deliberate plan to build it up, because a model whose training inputs you cannot trace is a model you cannot defend, fix or audit.

  • Can your engineering team trace which data and transformations produced a given model version?
  • Can your compliance team answer where the data came from and whether you had the right to use it?
  • Have you picked metadata standards and a sensible starting granularity rather than aiming for everything at once?

5. A lawful basis and retention under DPDP and PDPL

For organisations in India and the GCC, privacy law now sets hard edges around what data you may use and for how long. India’s Digital Personal Data Protection Rules, 2025 were notified on 13 November 2025, operationalising the DPDP Act, 2023, on a phased timeline: consent manager provisions take effect on 13 November 2026, and the remaining substantive provisions, covering consent, notice, retention, breach reporting, data principal rights and security safeguards, take effect on 13 May 2027 (EY India). Under this regime, organisations building or deploying AI are generally treated as Data Fiduciaries and remain responsible even when data is sourced from third parties; the Act requires a lawful basis, usually valid consent, and enforces purpose limitation, which sits awkwardly with broad AI training. Notably, data scraped from public websites is not automatically exempt and may still be personal data depending on context (Khurana & Khurana).

In the Gulf, Saudi Arabia’s Personal Data Protection Law became fully enforceable on 14 September 2024, regulated by SDAIA, with powers to audit and investigate and fines up to SAR 5 million plus potential criminal penalties (IAPP). In the UAE, Federal Decree-Law No. 45 of 2021 is overseen by the UAE Data Office; as of 2025 the implementing regulations were still pending, but organisations were expected to align proactively with its principles, including valid consent, data subject rights, security measures, records of processing, breach notification and a DPO for high-risk processing (DLA Piper).

  • Do you have a documented lawful basis, typically consent, for each category of personal data the use case touches?
  • Have you applied purpose limitation and a retention period, rather than keeping data open-ended for future AI?
  • Are you treating publicly scraped data as potentially personal, not automatically fair game?
  • Have you mapped which deadlines and regulators apply to you across India, Saudi Arabia and the UAE?

6. Infrastructure that can carry the workload

Infrastructure readiness lags adoption more than most teams admit. Among collated 2025 figures, only 4% of organisations reported their infrastructure was fully prepared for AI at scale, with controls such as dataset version control, documentation standards and audit trails still underdeveloped (Knostic, 2025). The practical point is not to over-build, but to be honest about whether the plumbing, versioning, documentation and audit trails, can support the use case you are funding.

  • Do you have dataset version control, so you know exactly which data trained which model?
  • Are documentation standards and audit trails in place, or assumed?
  • Can the environment actually serve the workload reliably, not just run a demo?

7. Clear ownership and foundational investment

The pillars above need an owner and a budget, or they quietly rot. Gartner found that organisations reporting successful AI initiatives invest up to four times more, as a percentage of revenue, in foundational areas such as data quality, governance, AI-ready people and change management, than those with poor outcomes. The finding draws on a global survey of 353 data, analytics and AI leaders conducted in November and December 2025, in which only 39% of technology leaders were confident their AI investments would positively affect financial performance (Gartner, April 2026).

The simplest reading: money spent on foundations is not a tax on the AI project, it is the part most correlated with the project paying off. Name an accountable owner for the data, and fund the foundations rather than only the model.

  • Is there a named owner accountable for the data behind this use case?
  • Is foundational work, quality, governance, people and change management, funded, not just the model build?
  • Is readiness reviewed as a standing item, given it is use-case-specific and not a one-time state?

Common pitfalls to watch for

Three patterns recur across the evidence above. They are worth naming because they are easy to walk into.

  • Deploying models faster than you can govern them. The IBM figures, where 97% of AI-related breaches involved missing access controls and 63% lacked a governance policy, describe organisations that shipped ahead of their controls.
  • Treating publicly available data as exempt. Under India’s DPDP regime, scraped public data may still be personal data, and you may still be the Data Fiduciary responsible for it (Khurana & Khurana).
  • Under-investing in foundations relative to model work. Gartner’s finding that successful initiatives invest up to four times more in data and governance foundations (April 2026) is the mirror image of this pitfall.

The bottom line

Data readiness is not a gate you pass once. It is a verdict you reach for each use case across seven pillars: quality fit to the use case, access and governance, labelling provenance, lineage and provenance, a lawful basis and retention, infrastructure, and clear ownership. The evidence is consistent that the work feeding the model, not the model itself, is where most projects succeed or stall.

Run the checklist before the pilot, not after it stalls. At Zenith Tech Works, this is how we think about it too: we would rather spend the first weeks of an AI engagement proving the data is ready for the specific decision at hand than discover six months in that it never was.

Sources

Talk to us about your project.

A short conversation is usually enough to tell whether we are the right fit for the work. We will be straight with you either way.

Message us on WhatsApp Or send an enquiry