Plenty of Belgian companies now have AI running in production. A chatbot answering customers, a tool summarising documents, a model scoring leads, something a vendor installed last year. It works — mostly. And nobody has ever checked whether it's actually safe.
That's the gap the AI Readiness Audit fills. It's a fixed-price, two-week review of AI you already have, and you get an honest written verdict: what's fine, what's risky, and what to fix first. €5,500, no open-ended hourly meter.
This post is the transparent version of what that two weeks actually involves. Not a sales page — the real checklist. If you decide to do it yourself instead of hiring me, good. The point is that somebody checks.
Why this is a thing people need now
Most production AI in Belgian mid-market companies wasn't built by an AI specialist. It was added by a generalist agency, bolted on by a SaaS vendor, or vibe-coded by a capable internal developer under deadline pressure. None of those are bad people. But "it demos well" and "it's safe to run in production for two years" are very different bars, and the gap between them is exactly where audits earn their fee.
Add the EU AI Act deadline in August 2026 and the GBA/APD (the Belgian DPA) actively issuing GDPR-and-AI guidance, and "we have AI but we've never reviewed it" stops being a vague unease and becomes a real, dated risk.
The six things I actually check
An audit isn't a vibe. It's the same six dimensions every time, scored honestly. Here's each one and the problem I most often find inside it.
1. Security
Where does the AI sit, and what can reach it? I look at how the system is exposed, how requests are authenticated, and — the big one — where the credentials live.
What I keep finding: API keys to expensive model providers sitting in the browser bundle or a public repo, where anyone can scrape them and run up your bill. Prompt-injection paths where a user can talk the system into ignoring its instructions. An internal tool that's quietly reachable from the open internet. None of these show up in a demo. All of them show up in an audit.
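A concrete version of the first finding, as an added example that is not the audit's own tooling: a small scanner that looks through a front-end build artifact for secret-looking names assigned high-entropy literals, which is exactly what a key shipped in a browser bundle looks like. The `SAMPLE_BUNDLE` is constructed JavaScript; every key in it is an obvious placeholder, and the entropy threshold of 3.5 bits per character is an assumed tuning value.

```python
"""Secret scan for a front-end build artifact.

Added example for the security check above; it is not the audit's own tooling.
SAMPLE_BUNDLE is a constructed JavaScript snippet and every key in it is an obvious
placeholder, not a real credential.
"""
import math
import re
from collections import Counter

# A secret-looking name assigned a quoted literal of 16+ characters.
SECRET_NAME = re.compile(
    r'(?i)(api[_-]?key|secret|token|password)\s*[:=]\s*["\']([^"\']{16,})["\']'
)
# An Authorization header with a bearer token built into the client code.
AUTH_HEADER = re.compile(
    r'(?i)authorization["\']?\s*[:=]\s*["\']bearer\s+([^"\']{16,})["\']'
)

SAMPLE_BUNDLE = """\
const apiKey = "sk-PLACEHOLDER-8fA3kQ9zL2mN7vB4xC1dR6tY";
const greeting = "Welcome to the assistant";
fetch(url, {headers: {Authorization: "Bearer PLACEHOLDER-Zq1Wv9Xk3Lm8Pn2Rt5Yb7"}});
const token = "this-is-a-constant-string";
"""


def shannon_entropy(s: str) -> float:
    """Bits per character: random-looking keys score high, ordinary words score low."""
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def scan_bundle(text: str, min_entropy: float = 3.5) -> list[dict]:
    """One finding per high-entropy literal that sits behind a secret-looking name."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for pattern in (SECRET_NAME, AUTH_HEADER):
            for m in pattern.finditer(line):
                value = m.group(m.lastindex)
                entropy = shannon_entropy(value)
                # Low-entropy constants such as "this-is-a-constant-string" are skipped.
                if entropy >= min_entropy:
                    findings.append({
                        "line": lineno,
                        "preview": value[:6] + "...",   # never log the full value
                        "entropy": round(entropy, 2),
                    })
    return findings


if __name__ == "__main__":
    for f in scan_bundle(SAMPLE_BUNDLE):
        print(f"line {f['line']}: {f['preview']} (entropy {f['entropy']})")
```

Run it against the real `dist/` output of a build, not the source tree: the point is to catch what actually reaches the browser, and a key that only appears post-bundling is the one that gets scraped.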
2. EU AI Act compliance
I classify each AI system by risk level and check whether the obligations that follow are actually met. This is the same classification logic I wrote about in "What is high-risk AI?" — applied to your systems, in writing.
What I keep finding: a recruitment or people-management tool that's high-risk under the Act, running with none of the required documentation, logging, or human-oversight design. Or the opposite — a company terrified that its harmless chatbot needs a compliance project it doesn't. Both get fixed by an honest classification on paper.
3. Data handling
What data flows into the AI, where does it go, and who agreed to that? Especially: is personal data being sent to a third-party model, and is that lawful and documented under GDPR?
What I keep finding: customer or employee personal data being piped into an external AI tool with no data-processing agreement, no record of it, and no one having checked whether it's allowed. This is the issue the GBA/APD cares about most, and it's the one companies are most surprised to learn they have.
4. Operational readiness
What happens when it breaks? I check monitoring, logging, error handling, and whether anyone would even notice if the AI started producing garbage.
What I keep finding: no logging of what the AI actually decided, so when a customer complains there's no way to reconstruct what happened. No alerting when the model provider has an outage. No human in the loop for the cases that need one. The system runs fine right up until the day it doesn't, and then there's nothing to fall back on.
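What the missing pieces look like once they are in place, as an added example rather than the audit's or any client's code: every call writes one structured record (hash of the input, prompt version, model, output, latency, whether a human needs to look), a provider outage degrades to a logged fallback instead of a silent failure, and a complaint can be traced back by request id. `healthy_client` and `outage_client` are constructed stand-ins for a real provider client and `ProviderOutage` is a constructed exception type.

```python
"""Decision log for an AI call, with a fallback when the provider is down.

Added example for the operational-readiness check above, not the audit's own code.
`healthy_client` and `outage_client` are constructed stand-ins for a real provider
client, and `ProviderOutage` is a constructed exception type.
"""
import hashlib
import json
import time
import uuid
from dataclasses import asdict, dataclass
from typing import Callable, List, Optional


class ProviderOutage(Exception):
    """Raised by the stand-in client when the upstream model provider is unavailable."""


@dataclass
class DecisionRecord:
    request_id: str
    ts: float
    model: str
    prompt_version: str     # which prompt produced this decision
    input_sha256: str       # hash of the input, so the log does not duplicate personal data
    output: Optional[str]
    outcome: str            # "ok" or "fallback"
    latency_ms: int
    needs_human: bool


class DecisionLog:
    """Append-only, one JSON line per decision; in production ship each line to your log pipeline."""

    def __init__(self) -> None:
        self.lines: List[str] = []

    def write(self, rec: DecisionRecord) -> None:
        self.lines.append(json.dumps(asdict(rec)))

    def find(self, request_id: str) -> Optional[DecisionRecord]:
        """Reconstruct what the system decided for one request, e.g. after a complaint."""
        for line in self.lines:
            data = json.loads(line)
            if data["request_id"] == request_id:
                return DecisionRecord(**data)
        return None


def classify_ticket(text: str, client: Callable[[str], str], log: DecisionLog,
                    model: str = "assumed-model", prompt_version: str = "v3") -> DecisionRecord:
    """Call the model, record the decision, and route failures and low-confidence cases to a human."""
    start = time.monotonic()
    try:
        output: Optional[str] = client(text)
        outcome = "ok"
        needs_human = output.strip().lower() == "unsure"
    except ProviderOutage:
        # Degrade to a human-handled fallback instead of failing silently.
        output, outcome, needs_human = None, "fallback", True
    rec = DecisionRecord(
        request_id=str(uuid.uuid4()),
        ts=time.time(),
        model=model,
        prompt_version=prompt_version,
        input_sha256=hashlib.sha256(text.encode("utf-8")).hexdigest(),
        output=output,
        outcome=outcome,
        latency_ms=int((time.monotonic() - start) * 1000),
        needs_human=needs_human,
    )
    log.write(rec)
    return rec


def healthy_client(text: str) -> str:
    """Constructed stand-in: pretends to classify a support ticket."""
    return "billing" if "invoice" in text.lower() else "unsure"


def outage_client(text: str) -> str:
    """Constructed stand-in for a provider outage."""
    raise ProviderOutage("upstream returned 503")
```

The `outcome == "fallback"` records are also the alerting signal: a spike of them is how you notice the provider outage before a customer does.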
5. Code quality
I read the integration code. Is it maintainable, or is it a single 800-line function that only one person understands and that person has left?
What I keep finding: the AI logic tangled into the UI so tightly you can't change a prompt without risking the interface. No tests around the part that costs money per call. Brittle string-parsing of model output that breaks the first time the model phrases something differently. It works today; it's a liability the moment it needs to change.
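The brittle-parsing finding, shown side by side with the fix as an added example (not code from the page or from any audited system): the naive parser assumes the model always writes `Category: X`, while the hardened version asks for JSON, accepts the common wrappings (a markdown fence, a chatty preamble), validates the fields against an allow-list, and returns `None` so the caller can fall back rather than guess. The sample outputs and the `ALLOWED` category set are constructed.

```python
"""Brittle vs. robust handling of model output.

Added example for the code-quality check above, not the page's code. The sample
outputs are constructed to show the phrasings that break naive string parsing.
"""
import json
import re
from typing import Optional

ALLOWED = {"refund", "billing", "technical", "other"}   # constructed category contract


def parse_brittle(output: str) -> str:
    """The pattern an audit usually finds: assumes a fixed 'Category: X' phrasing."""
    return output.split("Category:")[1].strip().split()[0].lower()


def brittle_parse_fails(output: str) -> bool:
    """True when the naive parser raises on this output."""
    try:
        parse_brittle(output)
        return False
    except (IndexError, ValueError):
        return True


_FENCE = re.compile(r"```(?:json)?\s*(\{.*?\})\s*```", re.S)   # ```json { ... } ```
_OBJ = re.compile(r"\{.*\}", re.S)                             # bare object, possibly with preamble


def parse_robust(output: str) -> Optional[dict]:
    """Ask the model for JSON, then validate it; return None (so the caller can fall
    back to a human or a default) instead of guessing when the output breaks the contract."""
    m = _FENCE.search(output) or _OBJ.search(output)
    if not m:
        return None
    try:
        data = json.loads(m.group(1) if m.re is _FENCE else m.group(0))
    except json.JSONDecodeError:
        return None
    if not isinstance(data, dict):
        return None
    category = str(data.get("category", "")).lower()
    confidence = data.get("confidence")
    if category not in ALLOWED:
        return None
    if not isinstance(confidence, (int, float)) or isinstance(confidence, bool):
        return None
    if not 0 <= confidence <= 1:
        return None
    return {"category": category, "confidence": float(confidence)}


if __name__ == "__main__":
    for sample in ("Category: Refund",
                   "Sure! The category is refund.",
                   '```json\n{"category": "Refund", "confidence": 0.92}\n```'):
        print(repr(sample), "->", "brittle fails" if brittle_parse_fails(sample) else "brittle ok",
              "| robust:", parse_robust(sample))
```

The test cases around `parse_robust` are the cheap insurance the section is asking for: they cost nothing per run, and they are what tells you the prompt change you just made did not break the parser.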
6. Cost and scalability
What does this cost to run, and what happens to that number if usage triples? I look at how calls are batched and cached, and at whether you're paying for a frontier model to do a job a cheaper one would do fine.
What I keep finding: every request hitting the most expensive model with no caching, so the same question gets paid for a hundred times. Costs that are tolerable at today's volume and alarming at next year's. Easy wins worth real money, usually.
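The "same question paid for a hundred times" finding, with the fix, as an added example that is not the page's code: a cache keyed on a normalised prompt (whitespace and case collapsed) in front of the model call, plus a ledger that tracks what was actually paid and what the cache avoided, so the saving is a number you can show rather than a feeling. The price per 1k tokens, the characters-per-token estimate and `faq_backend` are constructed assumptions, not any provider's real rates or client.

```python
"""Response cache keyed on a normalised prompt, with a running cost ledger.

Added example for the cost check above, not the page's code. The price per 1k tokens
and the characters-per-token estimate are constructed assumptions, not any provider's
real rates; `faq_backend` stands in for a real model call.
"""
import hashlib
from typing import Callable, Dict, Tuple


def normalise(prompt: str) -> str:
    """Collapse whitespace and case so trivially different phrasings share one cache entry."""
    return " ".join(prompt.split()).lower()


def estimate_tokens(text: str) -> int:
    """Rough constructed estimate; swap in the provider's tokenizer for real numbers."""
    return max(1, len(text) // 4)


class CachedModel:
    def __init__(self, backend: Callable[[str], str], price_per_1k_tokens: float) -> None:
        self.backend = backend
        self.price = price_per_1k_tokens
        self.cache: Dict[str, Tuple[str, float]] = {}   # key -> (answer, cost of the original call)
        self.backend_calls = 0
        self.cache_hits = 0
        self.spent = 0.0   # money actually paid to the provider
        self.saved = 0.0   # money the cache avoided paying

    def ask(self, prompt: str) -> str:
        key = hashlib.sha256(normalise(prompt).encode("utf-8")).hexdigest()
        if key in self.cache:
            answer, cost = self.cache[key]
            self.cache_hits += 1
            self.saved += cost
            return answer
        answer = self.backend(prompt)
        self.backend_calls += 1
        cost = (estimate_tokens(prompt) + estimate_tokens(answer)) * self.price / 1000
        self.spent += cost
        self.cache[key] = (answer, cost)
        return answer

    def report(self) -> Dict[str, float]:
        return {"backend_calls": self.backend_calls, "cache_hits": self.cache_hits,
                "spent": round(self.spent, 6), "saved": round(self.saved, 6)}


def faq_backend(prompt: str) -> str:
    """Constructed stand-in for the model: answers one known question."""
    if "opening hours" in normalise(prompt):
        return "We are open 9 to 5 on weekdays."
    return "Let me check."


def simulate(repeats: int = 100) -> Dict[str, float]:
    """The same question asked `repeats` times with cosmetic variations in spacing and case."""
    m = CachedModel(faq_backend, price_per_1k_tokens=0.01)
    for i in range(repeats):
        m.ask("What are your opening hours?" if i % 2 else "  what ARE your opening   hours? ")
    return m.report()


if __name__ == "__main__":
    print(simulate(100))
```

Two cautions that belong in the same review: give cache entries a lifetime if the underlying facts can change (opening hours do), and never cache across users when the prompt carries anything personal, because a cache hit would then hand one customer another customer's answer.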
How the two weeks are spent
So you know what you're buying, here's the shape of it:
- Days 1–2: Kickoff and access. I map every AI system you're running — including the ones people forgot to mention. The shadow AI is often where the risk hides.
- Days 3–8: The deep review. I work through the six dimensions above for each system, read the code, trace the data flows, and classify each system under the AI Act.
- Days 9–10: Writing. You get a written audit — findings ranked by severity — plus a remediation plan: what to fix, in what order, and a rough sense of effort for each. Not a 40-slide deck. A document you can act on.
The deliverable is deliberately blunt. Green where it's genuinely fine, red where it isn't, and a prioritised list so you're not staring at twenty problems wondering which one matters. The whole point is that you finish knowing exactly where you stand.
What you do with the result
Three honest outcomes, and all three are fine:
- "Mostly green." Good — now you know it's safe, in writing, which is worth having before an auditor or a GBA/APD complaint asks. Most companies are partly here.
- "A few reds, manageable." The common case. The remediation plan tells you what to fix first, and you can either do it in-house or have WDC do it. No obligation to use me for the fixes — the audit stands on its own.
- "This needs real work." Rare, but it happens. Better to learn it from a two-week audit than from a breach or a regulator. The plan turns a scary unknown into a finite to-do list.
Why I price it fixed
A two-week, €5,500 fixed price exists for one reason: trust. An open-ended hourly audit gives the auditor an incentive to find more hours. A fixed price means I'm motivated to be thorough and done — to tell you the truth efficiently and move on. You know the cost before you start, which is exactly the certainty a Belgian KMO leader wants and rarely gets from this kind of work.
The bottom line
If you have AI in production and no one has ever reviewed it, you're carrying a risk you can't see — in security, in compliance, or in a cost line that's about to grow. An audit doesn't have to be a big scary engagement. Two weeks, a fixed fee, and an honest document is usually all it takes to turn "I'm not sure if our AI is safe" into "here's exactly where we stand and what we're fixing first."
I write a short, practical newsletter for Belgian businesses — real engineering, the EU AI Act, and AI integration, in plain language and without the hype. Subscribe below if that's useful.
And if you've got AI running and want an honest verdict on whether it's safe, that's exactly what the AI Readiness Audit is for — start with a conversation.