Sample client artefact

Readiness review, presented as a board-pack style report.

A visual example of how a client evidence repository becomes a clear stage decision, evidence summary and task list.

Startup readiness review

Company Ready readiness report.

Evidence-led assessment for the Day Zero to Company Ready gate, based on source records, observations, registers and agentic review loops.

Decision

Conditional

Client: Example SaaS company

Review type: Illustrative sample

Stage gate

01

Company Ready

02

POC

03

Pilot

04

Pre-Production

05

Production

06

Scale

Executive summary

The assessed company has enough recorded facts to make the assessment meaningful and move the Company Ready gate to a conditional recommendation. The evidence repository, governance source records and prerequisite observations are strong enough to support a real stage decision.

The remaining work is now carried as explicit conditions: privileged-access evidence, email authentication monitoring, hosting ownership, TLS alerting and policy approval before the next gate is treated as clear.

Overview

Conditional pass actions remain

Confidence describes how complete and current the evidence is. Medium confidence means the assessment has enough evidence to support a decision, while still depending on limitations, assumptions or missing operating proof. Risk severity describes the consequence of the remaining gaps if the company proceeds before those conditions are closed.

Recommendation

Conditional

Readiness score

74%

Risk severity

Medium

Confidence

Medium

Evidence summaries

Identity and Entra

Identity observation summary

Evidence

Adequate

Score

3 / 5

Impact

Conditional

Tenant, domain and privileged-account facts are reviewable. The remaining conditions are operational safeguards around privileged access, break-glass use and monitoring.

  • Tenant and verified domains are visible.
  • Privileged users and emergency access accounts are identified.
  • Conditional Access, MFA posture and break-glass recovery evidence need completion.
  • PIM, risky-user and sign-in risk evidence remain licensing-limited.

Email DNS

Email DNS observation summary

Evidence

Adequate

Score

3 / 5

Impact

Conditional

The approved sender inventory and public DNS facts are good enough to define the next actions. Email authentication should remain conditional until SPF, DKIM alignment and DMARC monitoring are verified.

  • Google Workspace and SendGrid are recorded as approved senders.
  • Google MX and SendGrid CNAME records are visible in public DNS.
  • Root SPF and DMARC are not yet published.
  • Delivered-message authentication evidence is still required.

Domain and Corporate Presence

Core operating facts

Evidence

Adequate

Score

3 / 5

Impact

Conditional

The company domain, DNS owner and public endpoint are known. The remaining work is to make public presence operations reviewable: hosting, publishing access, contact route ownership and TLS renewal alerting.

  • Primary domain, registrar and DNS host are recorded.
  • Public website and TLS certificate facts are available.
  • Hosting and publication route need owner evidence.
  • TLS renewal automation and alerting need recording.

Governance and Registers

Governance registers

Evidence

Adequate

Score

3 / 5

Impact

Passed

The governance baseline is usable for this gate. Source records, controlled assets, risk register and policy register exist and can be reviewed by later loops.

  • Controlled asset register exists.
  • Risk register exists.
  • Policy register exists.
  • Draft policy approval remains a next-step action rather than a gate blocker.

Task list

TaskPriorityOwnerEvidenceDone when
Complete privileged-access evidenceHighTechnology ownerIdentity observation summaryMFA or Conditional Access posture, break-glass custody, alerting and recovery-test evidence are recorded.
Complete email authenticationHighDomain ownerEmail DNS observation summarySPF, DKIM alignment, DMARC monitoring and delivered-message checks are evidenced.
Record public presence operationsHighService ownerCore operating factsHosting, publishing access, contact ownership, TLS renewal and expiry alerting are recorded.
Approve bootstrap governance recordsMediumGovernance ownerPolicy registerBootstrap policies have approval evidence and next review dates.

Appendix

Evidence index.

The report can be generated from the current assessment, observation summaries, source records and registers. The output keeps source paths visible without making the reader inspect every underlying table.

Latest readiness assessment
Identity observation summary
Email DNS observation summary
Core operating facts
Controlled asset register
Risk register
Policy register