
Appendix A — The Operator's Toolkit

These are the print versions — designed to be photocopied, marked up, and handed across a desk. Editable copies (spreadsheets, fillable PDFs, slide files) live on the companion site. The paper versions are here so you can start before you've opened a browser.


A.1 — The AI Readiness Audit (1 page)

Three things separate the firms that get value from AI from the ones that burn a year and a budget: a pre-approved metric, data that's actually usable, and a sponsor who stays. Score yourself honestly. This isn't for a board deck. It's for you.

Rate each line 0 (not true), 1 (partly true), or 2 (true today).

Pre-approved metric — does anyone agree what "working" means?

- [ ] There is one number this AI work is supposed to move. _____
- [ ] Someone with budget authority has agreed that number is the target. _____
- [ ] We agreed it before picking a tool, not after. _____
- [ ] We have a kill-criterion — the result that ends the project. _____

Data readiness — is the data usable, or just present?

- [ ] The data this use case needs lives somewhere we can reach it. _____
- [ ] It's clean enough that a person trusts it without re-checking. _____
- [ ] We know who owns it and who's allowed to see it. _____
- [ ] We are not about to point AI at a spreadsheet nobody reconciles. _____

Sustained sponsorship — will someone still care in week 12?

- [ ] A named executive owns the outcome, not just the kickoff. _____
- [ ] That person will still be in the role in six months (as far as anyone knows). _____
- [ ] There's a standing review on the calendar, not a one-time launch. _____
- [ ] If it works, someone has already agreed to fund the scale-up. _____

Total: _____ / 24

The failure data behind this audit: most of the enterprise AI spend that delivered nothing failed on one of these three, not on the model (RAND, 2025). The model is almost never the problem.


A.2 — The ROI Worksheet (1 page)

You don't have a business case until you can fill this in. If you can't, you have a brochure with your logo on it.

The workflow: __________

1. What it costs today (per month)

People-hours spent on this workflow / month _ hrs
Fully loaded cost per hour $ _
Labor cost / month (a) $ _
Error / rework cost / month (b) $ _
Delay or opportunity cost / month (c) $ _
Total current cost / month = (a)+(b)+(c) $ _

2. What the AI version costs (per month)

Inference / token cost (see TokenOps note below) $ _
Software / platform / seats $ _
Human-in-the-loop review time (hrs × rate) $ _
Maintenance + quarterly re-validation (amortized) $ _
Total run cost / month $ _

3. The honest answer

Monthly saving = current cost − run cost $ _
One-time build / setup cost $ _
Payback (months) = build cost ÷ monthly saving _

The number nobody brings up in the vendor meeting: the proof-of-concept ran on $50 of API calls. Production is a different line item. Before you trust the inference figure, apply the four TokenOps levers — prompt caching (roughly 90% off cached input, per Anthropic's pricing), batch processing (a flat 50% discount across the major providers), model routing (send the easy 80% to a cheaper model — the RouteLLM study from UC Berkeley and Anyscale, ICLR 2025, found intelligent routing cuts cost up to about 85% while holding quality), and context discipline. Estimate the per-task cost at production volume, not at demo volume.

If payback is under 12 months and the Readiness score is 18+, this is a real candidate. If you can't fill in the top box — the current cost — you don't yet understand the workflow well enough to automate it. Go measure it first.


A.3 — The Vendor Triage Framework (1 page)

Most AI vendor pitches are a demo, not a system. Here's how to tell in one meeting. Ask these out loud and watch what happens.

The five questions that end the meeting early

  1. "Show me realistic production numbers — not the demo." Cost at our volume, latency under load, accuracy on our messy data. If they can't, they're selling you a demo.
  2. "What does this cost per month at our actual volume, all-in?" Seats plus inference plus the human review it still needs. Get the total cost of ownership, not the sticker.
  3. "Is it MCP-compatible? A2A-aware? Does it survive a crash mid-run?" These three — tool integration, agent interoperability, durable execution — separate a system from a demo.
  4. "What happens when it gets it wrong, and who sees the error?" If there's no error log and no exception path, trust never forms. Visible, correctable errors are the whole game.
  5. "What's our exit?" Data export, model portability, contract-out terms. You're not buying a tool. You're signing a lease — make sure you can break it.

The scorecard

| Criterion | Weight | Vendor A | Vendor B | Vendor C |
| --- | --- | --- | --- | --- |
| Production numbers shown (not demo) | High | | | |
| All-in cost at our volume | High | | | |
| Data residency / where it runs | High | | | |
| Integration (MCP / our stack) | Med | | | |
| Governance + audit logging | Med | | | |
| Error visibility + HITL gates | High | | | |
| Exit / portability | Med | | | |

Disqualifiers (any one kills it):

- [ ] Can't or won't show production-realistic numbers
- [ ] No answer on where our data lives or who can see it
- [ ] No audit trail on what the AI did and why
- [ ] Lock-in with no data export


A.4 — The AI Acceptable-Use Policy (1–2 pages)

This is a starting template. Adapt the bracketed parts, get it past whoever owns risk at your firm, and put it in front of the team this week. The point isn't to ban anything. It's to give people a sanctioned path so they stop pasting client data into whatever free tool is open in a browser tab.


[COMPANY] — AI Acceptable-Use Policy
Effective: [date] · Owner: [name/role] · Review: quarterly

1. Purpose. This policy says what AI tools you may use, with what data, and where a human has to stay in the loop. It exists to protect our clients, our people, and the firm — not to slow you down.

2. Approved tools. Use only tools on the approved list: [list]. Want something not on the list? Ask [owner] first. Using an unapproved tool with company or client data is a policy violation.

3. Data rules — what you may and may not paste in.

- Never put into any AI tool: client confidential data, personal data of customers or employees, anything covered by an NDA, credentials, or anything you wouldn't email to a stranger.
- Allowed in approved tools: public information, internal drafts with no sensitive data, your own work product.
- When in doubt, don't. Ask [owner].

4. Human-in-the-loop — where a person must sign off. AI may draft, summarize, and suggest. A named human reviews and approves before any of these go out:

- Anything sent to a client or the public
- Any financial, legal, or contractual commitment
- Any hiring, firing, or HR decision (this is a legal requirement in several places — see Appendix E)
- Anything that can't be easily undone

5. Disclosure. When AI interacts directly with a customer (chat, voice), we tell them. (As of August 2, 2026 this is law under the EU AI Act for anyone touching EU residents — Article 50.)

6. You own the output. AI makes mistakes confidently. If it's got your name on it, you checked it. "The AI wrote it" is not a defense.

7. Reporting problems. Saw the AI do something wrong, weird, or risky? Tell [owner]. We fix what we can see. We can't fix what nobody reports.

8. Consequences. Violations are handled like any other policy breach: [reference standard policy].


Built around the OWASP LLM Top 10 (2025) — prompt injection is still risk number one — and the shadow-AI reality. The fix for shadow AI is a sanctioned alternative, not a ban people route around.


A.5 — The Board-Ready 5-Slide Template (slide by slide)

Five slides. No more. If you need more than five to explain your AI plan to the board, you don't have a plan yet — you have a hope.

Slide 1 — The problem, in money.

- Headline: the one workflow, and what it costs us today (a real number).
- One line on why now. (Optional, sober: most enterprise AI spend has failed to deliver business value — PwC's 2026 CEO survey found 56% got nothing back. We're not doing that.)

Slide 2 — The bet.

- The single workflow we're automating first. The pre-approved metric. The kill-criterion.
- One sentence: "If [metric] doesn't move by [target] in 90 days, we stop."

Slide 3 — The money.

- Current cost / month. Run cost / month. Payback in months. (Straight from the ROI Worksheet.)
- The all-in number, including the human review it still needs. No demo math.

Slide 4 — The risk and the guardrails.

- The top two risks (data, compliance, quality) and the specific control for each.
- Where the human stays in the loop. Which laws touch us (Appendix E one-liner).

Slide 5 — The ask and the cadence.

- The decision you need today (budget, sponsor sign-off).
- The 90-day rhythm and the date of the first review. Who owns it. What "scale it" looks like if it works.

Keep it boring. A board that's been pitched ten AI moonshots will exhale when yours fits on five slides and ends in a payback number.


A.6 — The First-90-Days Plan (1 page)

This is the rhythm, not a Gantt chart. The whole point is that value compounds on a 90-day loop — deploy, measure, redesign around what works — instead of a two-year transformation plan that dies in month nine.

Days 1–15 — Assess.

- [ ] Run the Readiness Audit (A.1). Fix the weakest leg.
- [ ] Pick the one workflow. Map where the work actually goes (who touches it, how long, where it breaks).
- [ ] Run the Data Readiness check on that workflow's data.
- [ ] Name the sponsor and the owner. Get the metric pre-approved.

Days 16–45 — Illuminate (the pilot).

- [ ] Scope one workflow, in the open, with the pre-agreed metric and kill-criterion.
- [ ] Build the boring version — the bounded, form-shaped thing, not the agent that runs the whole function.
- [ ] Stand up the error log and the HITL gate before go-live, not after.
- [ ] Go live with a small group. Watch the exceptions.

Days 46–75 — Measure and redesign.

- [ ] Check the metric against the target. Be honest. Hit the kill-criterion? Kill it.
- [ ] Redesign the workflow around what the AI actually changed — don't just bolt it onto the old steps.
- [ ] Run an error analysis on real traces (start with 50). Fix the top failure mode.

Days 76–90 — Decide and set the cadence.

- [ ] Decision: scale, adjust, or stop. Put it on one slide.
- [ ] If scaling: recruit the first champions, set the quarterly re-validation review.
- [ ] Pick the next workflow. The loop starts again.

The phase everyone skips is the last one. Set the quarterly re-validation now, while you still care. An agent that nobody re-checks quietly drifts into a liability.


A.7 — The "Case for Help" Memo (template — for the overwhelmed ops leader, ICP 1)

You're the one ops person wearing the AI hat. You don't need a 47-page strategy. You need air cover and a hand. This memo gets it. Keep it to one page. Fill the brackets, send it to whoever holds the budget.


To: [CEO / owner]
From: [you]
Re: What I need to make the AI work pay off

Where we are. I've been carrying [the AI initiative / the automation push] on top of [your actual job]. We've proven [the one thing that worked — a real number]. But I've hit the limit of what I can do part-time, alone.

What's at risk if we don't act. [The workflow that's still bleeding money / the pilot that'll stall / the team that's about to lose faith]. Specifically: [one number].

What I'm asking for. One of these, in order of what I think we need:

  1. [A fractional vCAIO / an implementation partner for one quarter — to get the next two workflows shipped]
  2. [Protected time — taking [X] off my plate so I can own this properly]
  3. [A defined budget for the next 90 days, tied to the metric in our plan]

What you get back. [The payback number from the ROI Worksheet]. And a repeatable rhythm instead of a hero project that depends on me not getting sick.

The decision I need from you. [One specific thing, by one specific date.]


Don't ask for "support." Ask for one specific thing, tied to one number, by one date. Vague asks get vague answers.


A.8 — "How to Introduce This to Your CEO" Toolkit (for the function leader, ICP 4)

You run finance, HR, customer ops, or marketing. You see where AI would help your function. But the path runs through your CEO. Here's the kit: a one-page memo, a five-minute script, and the FAQ for the questions you'll get.

A.8.1 — The one-page memo


To: [CEO]
From: [you, function]
Re: A small, paid-for AI move in [function] — and a request

The workflow. In [function], we spend [X hours / $Y] a month on [specific task]. It's repetitive, rule-shaped, and a good fit for AI doing the first pass with us reviewing.

The before/after. Today: [the current steps]. With AI: [the redesigned flow], with a person signing off on [the part that needs judgment].

The money. Roughly [$ saving / month], payback in [N] months. (Detail attached — the ROI Worksheet.)

The guardrail. [The compliance note — e.g., for HR: this stays behind a bias audit and human approval, per NYC Local Law 144 and the live Workday litigation. For finance: full audit trail.]

The ask. A scoped 90-day pilot on this one workflow, with a pre-agreed metric and a kill-criterion. If it doesn't move the number, we stop. [Or: a 30-minute conversation with someone who's done this before.]


A.8.2 — The five-minute script (for the hallway or the 1:1)

"Quick one. There's a workflow in [function] that eats about [X hours] a month — [name it]. It's the boring, repetitive kind that AI is actually good at. I'm not asking to reinvent the function. I want to run a 90-day pilot on that one thing, with a number we agree on up front and a clear point where we kill it if it's not working. Worst case, we learn something cheap. Best case, it pays for itself in [N] months and frees up [the team] for the work that needs a brain. Can I put a one-pager in front of you this week?"

Then stop talking. Let them ask.

A.8.3 — The FAQ (the questions you'll get)

"Isn't this risky? I've read the horror stories." The horror stories are mostly the ambitious, unscoped projects — the chatbot that promised what the company couldn't deliver, the hiring tool that discriminated. This is the opposite: one bounded workflow, a human signing off, a kill-switch. Boring on purpose.

"What's it really going to cost?" [The all-in number from the ROI Worksheet — including the review time it still needs.] Not the demo price. The production price.

"What if it gets something wrong?" It will, sometimes. That's why a person reviews [the output] before it goes anywhere, and why every action gets logged. We see the errors and fix them. That's how trust gets built — not by hoping it's perfect.

"Who's going to run this? You're already busy." [Either: I'll own the pilot — it's scoped small enough. / I'd want a fractional vCAIO or an implementation partner for the quarter, so it doesn't depend on me alone.]

"Why now?" [Honest version: our competitors are doing the boring version of this and getting cheaper at it. And the cost of the technology has dropped to where the math finally works for a firm our size.]

"What do you need from me today?" [One thing. Name it.]
