AI adoption audit

Bring governance to AI-assisted engineering.

A fixed-scope engineering audit of how your team uses Cursor, Claude Code, and Copilot. Maturity scorecard, custom rules, governance template, and a 30/60/90-day rollout roadmap — delivered in 7 days at a fixed price.

  • No SaaS subscription
  • No overlay resale
  • No mandatory retainer

— Audit offer · 2 options

7-day delivery

  • AI Adoption

    €5,000

    7 days

  • Bundle

    €11,000

    21 days

Why now

The operating environment changed.

AI coding tools spread faster than the governance around them — new engineering work that is hard to scope from the inside.

AI adoption

4 shifts

  1. Cursor, Claude Code, Copilot, and ChatGPT are already in daily use across most engineering teams.

  2. Adoption tends to be uneven — different engineers, different tools, different patterns, no shared baseline.

  3. Common gaps include inconsistent code quality, unclear allowed use, and weak repository-specific guidance.

  4. Workflow changes from AI-assisted development often go unmanaged, with no review of how shipping actually changed.

The audit focuses on engineering governance, code quality, and tooling fit — not vendor selection or productivity targets.

What you receive

Concrete artefacts your team can use.

A defined output set — not advice hours.

— Deliverables

9 items

AI Adoption Audit deliverables

  1. Executive summary

    One page for leadership — scope, maturity score, and headline gaps.

  2. Audit report

    8–12 pages covering current usage, governance, and tooling fit.

  3. Maturity scorecard

    0–100 across five dimensions of AI-assisted engineering practice.

  4. Tooling-fit assessment

    Cursor, Claude Code, and Copilot in depth, with lighter coverage of ChatGPT and Codeium.

  5. AI usage risk map

    Engineering governance risks specific to how the team currently ships.

  6. Custom AI rules

    .cursor/rules, CLAUDE.md, Copilot instructions, repo-specific prompting templates, and MCP templates where applicable.

  7. Governance policy template

    A starting-point policy for legal and security to review and adapt.

  8. 30/60/90-day rollout roadmap

    Sequenced steps to close the gaps surfaced by the audit.

  9. One-hour leadership walkthrough

    Live walkthrough of the findings and roadmap with leadership and engineering.

Example outputs

Sample artefacts, not testimonials.

Anonymized from real audit work — built so you can see the shape of the deliverables before you buy.

Maturity scorecard

5 dimensions · 0–100

Example output — anonymized from real audit work

AI maturity scorecard

Tooling adoption is ahead of governance. Strong individual usage, weaker shared standards.

Overall AI maturity score: 62 out of 100.

AI maturity scores by dimension

  • Tooling fit · 74/100

    Cursor and Claude Code in daily use across the team; Copilot retained for pair-review.

  • Code quality controls · 58/100

    Typecheck and lint enforced on PRs; AI-generated diffs land without dedicated review criteria.

  • Repo-specific guidance · 46/100

    One short .cursor/rules at repo root, no per-package context, no MCP config.

  • Security and IP governance · 55/100

    Acceptable-use policy exists; no documented stance on training data or third-party model use.

  • Team adoption consistency · 77/100

    Eight of nine engineers use AI assistants daily; onboarding still ad-hoc.

.cursor/rules

30 lines · excerpt

Example output — anonymized from real audit work

.cursor/rules excerpt

# Stack conventions
- Next.js App Router only. Do not introduce pages/ routes.
- Server Components by default. Add "use client" only when interactivity requires it.
- Use existing primitives in components/ui — do not duplicate shadcn components.
- Tailwind utilities only. No CSS modules unless animation requires it.

# File patterns
- New routes go under app/, colocated route handlers in app/**/route.ts.
- Section components live in components/sections/NN-Name.tsx, prefixed by wireframe order.
- Typed content lives in content/*.ts as exported const, not hardcoded in JSX.

# Component rules
- One section equals one file. Do not nest two top-level sections in one component.
- Props are typed inline with React.ComponentProps when extending an HTML element.
- lucide-react icons only. Always pass aria-hidden when the icon is decorative.

# Testing expectations
- Run yarn typecheck and yarn lint before proposing a diff.
- Run yarn build for any change touching app/ or next.config.ts.
- New interactive components require a keyboard-only Playwright test.

# Accessibility expectations
- All interactive elements keyboard-operable with a visible focus state.
- Each new dialog requires a focus-trap and focus-restore test.
- Run yarn a11y (axe scan) against any route you changed before opening a PR.

# PR review expectations
- Diffs over 400 lines must be coordinated with the reviewer in advance.
- PR description names the affected wireframe section and the user-facing change.
- Do not commit. The author opens the PR; the reviewer merges.

Rollout roadmap

3 phases · 90 days

Example output — anonymized from real audit work

30 / 60 / 90-day AI rollout roadmap

  1. — Days 0–30

    Stabilize rules and governance

    Owners · Eng lead, Senior IC (AI champion)

    Objectives

    • Adopt a single .cursor/rules at repo root with stack conventions, file patterns, and review expectations.
    • Publish an acceptable-use policy covering model selection, prompt content, and IP-sensitive code.
    • Add a CODEOWNERS-gated review label for AI-assisted PRs over 400 lines.

    Success signals

    • All engineers can locate the rules file and the policy from the repo README.
    • First AI-assisted PR over the threshold is reviewed under the new label.

    Risks

    • Rules treated as documentation theatre if leadership does not reference them in review.
  2. — Days 31–60

    Standardize team workflows

    Owners · Eng leadership, Security partner

    Objectives

    • Roll out a shared MCP configuration and a small set of vetted servers.
    • Document a per-package CLAUDE.md template; pilot in two services.
    • Run two paired sessions per engineer to align on prompt patterns and review criteria.

    Success signals

    • Median time-to-first-PR for new joiners drops below the prior baseline.
    • Sampled PRs show consistent rule references in commit messages and review threads.

    Risks

    • MCP servers introduce supply-chain surface area — pin versions and review provenance.
    • Pilot teams diverge on conventions if the template is left ungoverned.
  3. — Days 61–90

    Measure quality and productivity

    Owners · Eng leadership, Platform team

    Objectives

    • Instrument PR-level signals: revert rate, review-cycles-to-merge, escaped defects.
    • Run a quarterly review of rules and policy against actual PR feedback.
    • Decide retain/replace on each AI tool based on measured fit, not vendor narrative.

    Success signals

    • Quarterly review produces at least three concrete edits to the rules or policy.
    • Tool decisions are written down with the metric that justified them.

    Risks

    • Productivity metrics misread without a quality counterweight — track revert rate alongside throughput.

Methodology

7-day delivery window. Visible steps.

Same scope each engagement, repeatable handoffs.

— Phases

6 phases · 7 days

AI Adoption Audit · 7 days

  1. Day 0

    Intake, NDA, access setup

    • Tool list
    • Repo and access path
    • Interview schedule
  2. Days 1–2

    Stakeholder interviews and tool inventory

    • CTO and VPE
    • Senior ICs
    • Junior engineers
    • Tool inventory
  3. Days 3–4

    PR and code-quality analysis, workflow review

    • 50–100 recent PRs sampled
    • Suspected AI-assisted work reviewed where identifiable
    • Workflow and review process analysis
  4. Day 5

    Tooling-fit and governance gap

    • Tool suitability
    • Risk areas
    • Policy gaps
    • Team consistency issues
  5. Day 6

    Rules, policy, roadmap drafting

    • .cursor/rules
    • CLAUDE.md
    • Copilot instructions
    • Governance policy template
    • Rollout roadmap
  6. Day 7

    Final report and walkthrough

    • Leadership handoff
    • Q&A
    • Next-step recommendations

Scope and exclusions

What’s in scope. What isn’t.

Sophisticated buyers trust boundaries — these are the explicit limits for the AI adoption audit.

AI Adoption Audit

A fixed-scope assessment of how AI coding tools are being adopted across an engineering team. The deliverables are engineering artefacts, not legal or security artefacts.

Excluded

8 items

  • Not legal advice
  • Not security certification
  • Not legal approval of an AI policy
  • No guaranteed productivity uplift
  • No autonomous AI-performed audit
  • No replacement for legal or security review
  • No ongoing governance unless separately contracted
  • The governance policy ships as a template for internal legal and security approval

Operator proof

Performed end-to-end by one senior frontend engineer.

Muhammed Erdem

Senior Frontend Engineer · Madrid

Years
9+ · shipping production products
Sectors
5 · AI · fintech · e-commerce · Web3 · mobile
Production AI
WCAG AA · led frontend accessibility on a webchat platform
CodePen
#1 · Most Hearted creator — 2018 & 2019

— Engineering profile

Stack
Vue · React · Next.js · TypeScript
Standards
WCAG 2.1 / 2.2 AA
Testing
Playwright · Vitest · Cypress
Practice
Design systems · performance work
AI
Claude Code · Cursor · Copilot · MCP

— Verify

Access and boundaries

Clear security, independence, and scope boundaries.

Built so internal champions can forward this page to legal, security, and procurement without surprises.

Legal

  • Standard NDA

    Plain-English mutual NDA available before any access discussion.

  • 24-hour countersign

    NDA returned countersigned within one business day.

Access

  • Repo access under NDA

    Read-only repository access handled under signed NDA, scoped to the surfaces being audited.

  • Least-access principle

    Only the access required to deliver the audit — nothing broader, nothing retained.

Independence

  • No outsourcing

    One senior engineer performs the work end-to-end. No subcontractors, no offshore handoff.

  • No overlay resale

    Independent of accessibility overlays, scanner vendors, and remediation widgets.

  • No AI tooling reseller

    Independent of Cursor, Claude, Copilot, and other AI vendors. No referral fees.

Data

  • 30-day data deletion

    Repository copies, engagement notes, and working artefacts deleted 30 days after delivery.

  • Sample PR fallback

    If repo access is not possible, sample changes ship as gists or patch files instead of pull requests.

Forwardable PDF

Download the methodology pack.

— Methodology pack

v1 · 16–20 pages

A 16–20 page document covering audit process, standards, data and access handling, sample outputs, exclusions, and pricing — built for forwarding internally to CTO, VPE, security, and procurement.

  1. 01

    Methodology

    Audit process · Standards covered · Data and access handling

  2. 02

    Deliverables

    EAA deliverables checklist · AI deliverables checklist

  3. 03

    Sample artefacts

    WCAG finding card · AI maturity scorecard · .cursor/rules excerpt · 30/60/90 roadmap

  4. 04

    Summaries

    FAQ and exclusions · Scope summary · Pricing summary

— Request the PDF

Sent to your inbox.

methodology-pack.pdf

PDF · 16–20 pages

  • Sent in seconds
  • Forwardable
  • No newsletter

We send the PDF and a one-line follow-up. No newsletter, no third-party trackers. See our privacy policy for what happens to your email.

FAQ

Short answers to common buying questions.

Calm responses to objections, edge cases, and procurement-style asks specific to the AI adoption audit.

  • General · 6 questions
  • AI Adoption Audit · 6 questions
  • Commercial and security · 5 questions

Next step

Book a 20-minute fit call.

Used to confirm scope, access, timeline, and whether AuditSmith is the right shape for the problem. No self-serve checkout — every engagement starts here.

Booking this week

Get on a call this week.

  • 20-minute call
  • Confirms scope, access, timeline
  • No charge, no commitment

— What happens next

  1. 01

    Fit call

    20-minute video call to confirm scope, access, and timeline.

  2. 02

    SOW + NDA

    Short SOW, invoice, and a mutual NDA before any repository access.

  3. 03

    Kickoff

    Repo access in place, audit timeline starts on the agreed date.