Profectus
AI Readiness Scorecard · Sample Report
Sample · Not a real client

AI Readiness Report

A full 30-question diagnostic of your organisation's readiness against PDPL, SDAIA AI Ethics, NCA ECC-2:2024, and ISO/IEC 42001:2023. This sample reflects a fictional Saudi mid-market retail group.

Sample client · Najm Retail Group
Sector · Retail · Logistics
Headcount · 247 staff
AI Governance. Mapped to Saudi Law.
Page 01 · Cover
Section 01 · Executive Summary
A 60-second view of where you stand

Your readiness, scored against Saudi law.

Overall readiness · 38/100 · Gap
Four AI systems in production. No governance scaffolding around any of them. PDPL exposure on customer data is the most urgent gap.

A score below 40 means the foundations of an AI Management System are not in place. Controls exist informally, none are documented, and there is no Data Protection Officer to respond if SDAIA or a customer files a request. The five dimensions below show where the work concentrates. Three pages of detail follow for each.

Five dimensions · scored out of 20
Governance (ISO 42001 · SDAIA): 5/20 · Gap
Data Privacy (PDPL): 6/20 · Gap
Risk Management (ISO 42001 · NCA): 10/20 · Watch
Human Oversight (SDAIA): 9/20 · Watch
Incident Response (PDPL · NCA ECC-2): 8/20 · Watch
Framework coverage
PDPL (Saudi PDPL · 2023): 30% · Gap
SDAIA (AI Ethics v2.0): 45% · Watch
NCA ECC-2 (2024 revision): 40% · Watch
ISO 42001 (Cl. 4–10): 25% · Gap
Section 02 · How to read this report
Methodology in one page

How this score is built.

The Profectus scorecard runs 30 questions across five dimensions. Each question is mapped to a specific clause in PDPL, SDAIA AI Ethics v2.0, NCA ECC-2:2024, or ISO/IEC 42001:2023. There are no generic best-practice questions. Every answer affects one or more framework coverage scores.

Scoring structure
What this report does not include
Reading conventions
Dimension 01 of 05 · Governance
ISO 42001 · SDAIA AI Ethics · AI Governance Foundation

Governance.

Tests whether an AI policy, AI Management System, AI register, and risk classification process are in place. Governance is the structural layer that lets every other dimension be sustained. Without it, controls exist informally and fail the documentation test.

Dimension score · 5/20 · 25% · Gap
Q24 · AI policy · ISO 42001 Cl. 5.2

No written AI policy.

Clause 5.2 requires a documented AI policy signed by top management. No such document exists. The CEO has stated principles verbally; nothing is written, nothing is communicated to staff.

First action: Draft a 1-page AI policy (purpose, scope, principles, ownership) and sign at the next board meeting.
Q25 · AI system inventory · ISO 42001 Cl. 6.1.4 / Annex A.6.2.6

No AI register or model inventory.

Annex A.6.2.6 requires an inventory of AI systems with a defined set of metadata per entry. There is no such inventory. The four production AI systems are tracked informally in different team folders.

First action: Stand up a 12-field AI register (system name, purpose, owner, lifecycle stage, data classes, decisions made, oversight role, vendor, hosting region, last review, risk tier, status). Populate the four known systems in 4 weeks.
Q18 · AI risk classification · SDAIA AI Ethics 3.2

AI systems are not classified by risk tier.

Principle 3.2 requires controllers to tier AI systems by impact on individuals. Candidate screening is a high-impact use case under SDAIA's working definition and should sit at the top of the tier. It is currently treated as routine IT.

First action: Tier the four AI systems against the SDAIA matrix in the next 14 days.
Q27 · AI impact assessment · ISO 42001 Cl. 6.1.4 / SDAIA AI Ethics 3.2

No AI impact assessment in the last 12 months.

The candidate-screening tool went live in 2025 without an impact assessment. The demand-forecasting model is in its second year of operation; no scheduled review.

First action: Conduct an AIIA on the candidate-screening tool in 30 days; book the demand-forecasting AIIA into the next quarter.
Dimension 02 of 05 · Data Privacy
PDPL · Saudi Personal Data Protection Law · 2023

Data Privacy.

Tests whether personal data flows have a documented legal basis, a Data Protection Officer, a Record of Processing Activities, and the disclosures PDPL requires from a controller. PDPL has been actively enforced since Q3 2024 and is the dimension with the most public enforcement decisions to date.

Dimension score · 6/20 · 30% · Gap
Q07 · DPO appointment · PDPL Art. 32

No Data Protection Officer is appointed.

Article 32 requires controllers that process sensitive data or systematically monitor data subjects to appoint a DPO. Customer purchase profiling across 14 stores crosses both thresholds. Without a DPO, the 30-day data subject response SLA cannot be met.

First action: Appoint an interim DPO from existing legal or compliance staff within 14 days, then evaluate retained vs. fractional DPO over 90 days.
Q03 · Lawful basis register · PDPL Art. 6

No documented lawful basis for personal data processing.

Article 6 enumerates the six lawful bases for processing personal data. Phone numbers, national IDs (warranty), and purchase history are collected at all stores. Loyalty program enrolments rely on assumed consent at checkout. None of these flows are tied to a documented Article 6 basis.

First action: Map every data flow into a lawful-basis register. Default to consent (marketing), contract (warranty), legitimate interest (fraud detection).
Q09 · Record of Processing Activities · PDPL Art. 31

RoPA exists in an Excel sheet, last updated 2024.

Article 31 requires controllers to maintain a Record of Processing Activities. The current spreadsheet covers HR but not retail customer data, e-commerce, or the chatbot. A stale RoPA fails the documentation test under both PDPL and ISO 42001 Cl. 7.5.

First action: Extend the RoPA to cover all five customer-facing data flows; commit to a quarterly refresh.
Q22 · Transparency to data subjects · PDPL Art. 12 / SDAIA AI Ethics 3.3

Customers and applicants are not told when AI is in the loop.

PDPL Art. 12 requires controllers to inform data subjects how their data is processed. SDAIA Principle 3.3 extends that to automated decisions. The chatbot does identify itself; the candidate-screening tool does not appear in the careers-page privacy notice; the loyalty profiling is not disclosed at signup.

First action: Add a one-line AI disclosure to three surfaces: careers page, loyalty signup, customer privacy notice.
Dimension 03 of 05 · Risk Management
ISO 42001 · NCA ECC-2 · AI Risk Discipline

Risk Management.

Tests whether AI-specific risks (model drift, prompt injection, vendor model change, automated decision error) are named, tracked, and mitigated in a register, plus the discipline applied to AI vendor risk and security review.

Dimension score · 10/20 · 50% · Watch
Q29 · AI risk register · ISO 42001 Cl. 6.1.2 / NCA ECC-2 1-1

AI risks are not tracked in any register.

The enterprise risk register lists "AI" as a top-level entry with no children. No system-level risk entries. No mitigation owners. No review cadence.

First action: Add one risk entry per AI system to the existing register, with named owner and review date.
Q30 · Vendor AI risk policy · ISO 42001 Annex A.10 / NCA ECC-2 4-2

No vendor AI risk policy.

The four AI vendor contracts have no clauses on model change notification, training data provenance, or fallback behaviour on vendor service termination.

First action: Draft a 1-page vendor AI rider; attach to all renewals from July 2026.
Q16 · Vendor security review · NCA ECC-2 4-2

No NCA ECC-2 attestation requested from AI vendors.

The four AI vendor contracts were signed without an ECC-2 assessment. The candidate-screening vendor is hosted outside KSA and the contract does not name a Saudi data residency requirement.

First action: Issue an ECC-2 short-form attestation request to all four vendors with a 30-day response window.
Q26 · Model risk monitoring · ISO 42001 Cl. 9.1 / 10.2

No model performance or drift monitoring.

Clauses 9.1 and 10.2 expect controllers to monitor AI system performance and trigger corrective action when it degrades. The demand-forecasting model has no drift metric; the candidate tool has no precision tracking; the chatbot has no satisfaction or escalation rate review.

First action: Define one monitoring metric per AI system and set a monthly review.
Dimension 04 of 05 · Human Oversight
SDAIA AI Ethics · Human-in-the-loop Discipline

Human Oversight.

Tests whether meaningful human review is built into AI decisions, fairness testing is performed, transparency obligations to data subjects are met, and AI decisions are logged for audit. The candidate-screening tool and customer chatbot are the highest-risk surfaces here.

Dimension score · 9/20 · 45% · Watch
Q21 · Human oversight definition · SDAIA AI Ethics 3.4

Human oversight defined only for the chatbot.

Principle 3.4 requires meaningful human oversight of AI decisions affecting individuals. Chatbot handoff to a human agent is set up. The candidate-screening tool has no documented review step before shortlist sign-off; the demand-forecasting model auto-orders without a buyer review threshold.

First action: Add a documented human review step to the candidate-screening shortlist and a buyer-approval threshold to the demand-forecasting auto-orders.
Q19 · Fairness testing · SDAIA AI Ethics 3.1 (Fairness)

No fairness or bias testing on the candidate-screening tool.

The vendor's marketing materials state the tool is "bias-free." No internal test, no demographic disaggregation, no rejection-rate analysis by nationality, gender, or age has been run.

First action: Request the vendor's fairness test results in writing; if none exist, run an internal disparate-impact check on the last 90 days of decisions.
Q22 · Transparency to data subjects · SDAIA AI Ethics 3.3

Affected parties are not told when AI is in the loop.

Principle 3.3 requires data subjects to be informed when an automated system makes or substantially supports a decision affecting them. Three surfaces fail this test: the careers-page privacy notice, the loyalty signup, and the chatbot's escalation notice when handing off to a human.

First action: Add a one-line AI disclosure to each of the three surfaces above.
Q24 · AI decision logging · ISO 42001 Cl. 8.4

AI decisions are not logged for audit.

Clause 8.4 requires controllers to retain evidence of AI system operation sufficient to demonstrate conformance. The candidate-screening tool overwrites past shortlists; the chatbot stores only the last 30 days; the demand forecaster does not retain inputs.

First action: Set a 24-month retention on AI decision logs for the candidate-screening and chatbot systems before the next hiring quarter.
Dimension 05 of 05 · Incident Response
PDPL · NCA ECC-2 · Incident Discipline

Incident Response.

Tests the documented breach response procedure for PDPL events (72-hour SDAIA notification), the AI-specific incident playbook (prompt injection, model drift, automated decision error), and the access control and logging that make detection possible in the first place.

Dimension score · 8/20 · 40% · Watch
Q11 · PDPL breach response · PDPL Art. 20 · 72-hour SDAIA notification

No documented breach response procedure.

Article 20 sets a 72-hour SDAIA notification window for personal data breaches. The IT team has an informal escalation chain but no written procedure, no rehearsal, no roster.

First action: Draft a 1-page PDPL breach procedure with named roles, contact details, and the SDAIA notification template, then run a tabletop exercise.
Q17 · AI-specific incident response · NCA ECC-2 2-13-3

The IR plan does not cover AI-specific incidents.

Sub-control 2-13-3 requires documented incident response. The plan covers ransomware and phishing but has no playbook for AI-specific incidents like model drift, prompt injection on the chatbot, or candidate-tool decision error.

First action: Add three AI-specific scenarios to the existing IR runbook; rehearse the chatbot scenario in the next quarterly drill.
Q15 · Logging and monitoring · NCA ECC-2 sub-control 2-12

AI system actions are not logged to a SIEM.

Sub-control 2-12 requires centralised logging of security-relevant events. The chatbot, candidate tool, and demand forecaster log locally only. No 90-day retention is configured. No alerting on anomalous activity.

First action: Forward AI system logs to the existing Microsoft Sentinel tenant; set a 90-day retention and three baseline alerts.
Q14 · Privileged access to AI systems · NCA ECC-2 sub-control 1-3-3

Shared admin credentials on the demand-forecasting platform.

Sub-control 1-3-3 requires individual accountability for privileged access. Three buyers share one admin login on the forecasting platform. There is no audit trail back to a specific person for parameter overrides.

First action: Issue individual admin accounts within 14 days; rotate the shared credential immediately.
Section 03 · Remediation and next steps
The 90-day plan

Five gaps to close first.

Sequenced by regulatory exposure and dependency. Items 1 and 2 unblock everything else: without a DPO and a lawful-basis register, every PDPL response timeline starts with "we'll find someone." Item 3 gives the AI work a structural frame. Items 4 and 5 are the highest-impact ECC-2 fixes.

# · Gap (with first action) · Reference · Owner · Effort

01 · No documented lawful basis for personal data processing
Action: Map every data flow into a lawful-basis register. Default to consent for marketing, contract for warranty, legitimate interest for fraud.
Reference: PDPL Art. 6 · Owner: DPO (interim) · Effort: 3–4 weeks

02 · No Data Protection Officer appointed
Action: Appoint interim DPO from existing legal or compliance staff, then run 90-day brief to retain or contract a fractional DPO.
Reference: PDPL Art. 32 · Owner: CEO & Head of Legal · Effort: 2 weeks

03 · No AI Management System or model inventory
Action: Stand up a 12-field AI register before any further AI procurement. Draft and sign a 1-page AI policy at the next board meeting.
Reference: ISO 42001 Cl. 4–10 · Owner: Head of IT · Effort: 4 weeks (register)

04 · Shared admin credentials on AI platforms
Action: Issue individual admin accounts for forecasting, candidate, and chatbot platforms; rotate the shared credentials immediately.
Reference: NCA ECC-2 1-3-3 · Owner: Head of IT · Effort: 2 weeks

05 · No fairness testing on candidate-screening tool
Action: Request vendor fairness test results in writing; if none, run an internal disparate-impact check on the last 90 days of decisions.
Reference: SDAIA AI Ethics 3.1 · Owner: Head of HR & DPO · Effort: 3 weeks
What happens next
Option A · Self-remediation

Use this report as a 90-day plan.

The five priorities above, with owners and effort estimates, are enough to assemble an internal plan. The free scorecard does not include implementation templates or PDPL-compliant document drafts.

Option B · Profectus GenAI Policy Pack

21-day delivery of all 12 artifacts.

Bilingual AI policy, RoPA, DPO appointment pack, AI register, AIIA template, vendor rider, PDPL breach procedure, board pack, training brief, plus the seven other artifacts. Fixed fee SAR 28,000 inclusive of VAT.

Section 04 · About Profectus
A note from Profectus

Mid-size KSA private sector only.

We work with KSA mid-market private companies, 100–1,000 staff, where AI is in production but governance is not. We do not serve enterprises, government entities, or international clients. We do not write generic frameworks with a Saudi cover sheet. Every artifact we produce is tied to a specific PDPL, SDAIA, NCA, or ISO 42001 clause.

Methodology in fine print
Sample disclosure

Najm Retail Group is a fictional Saudi mid-market retail and logistics company built for this sample. Any resemblance to a real entity is unintentional. The scores, gaps, and recommendations reflect a plausible KSA mid-market reality circa 2026. The regulatory citations are real and current.
