Working at AppFox, a good part of what we do is helping teams get their Atlassian instances into a state where all users can be trusted with them, and that includes the implementation of AI (we didn't win Finalist at the Team 26 AI Innovator awards for nothing!).
As such, we look at a lot of instances, and the same age-old adage keeps coming to mind:
Check yourself before you wreck yourself!
Jokes aside, we find that a lot of effort goes into choosing an AI, and very little into asking whether the instance underneath it is in a fit state to be read by one.
That distinction matters more than it used to. AI has moved from a chatbot in the corner to something that actively reaches into your instance - searching, summarising, and increasingly acting. With the MCP updates, Rovo or Claude don't bring judgement to your data; they take what they find at face value and act on it quickly.
Here are the five questions we use to test whether an instance is ready. Most teams, including well-run ones, tend to lose a point or two on at least one of them.
The important part is to not view that as a failing, but as a map to where you need to be in order to let AI agents do their jobs effectively.
Would an agent actually understand your Jira? Common culprits are several custom fields that all do much the same thing, and projects nobody has touched in two years. To a human admin that's an annoyance. To an agent trying to reason about something like "priority," it's misleading.
If an agent pulled an answer from your documentation right now, would it be accurate? A frequent issue is a runbook last updated in 2023 sitting next to the current one, with nothing to indicate which is which. An agent has no way of telling the difference.
Agents operate within the permissions of whoever is prompting them, so legacy access quietly becomes an AI problem - if someone can reach a sensitive page, the agent will summarise it for them. Spaces with permissions nobody has reviewed in years, and little classification or access control of what's genuinely sensitive, are often the biggest gap.
Agents increasingly create content, not just read it. A page can be drafted in seconds, published without review, then ingested back into the graph and cited by the next agent as established fact. Without a sign-off step, AI-generated content can work its way into "truth" unchecked.
A significant amount of good knowledge lives inside diagrams and screenshots. To an agent that content is effectively invisible - dark data that adds nothing to the answer, and is often inaccessible to people too.
AI readiness isn't really about the AI. It's about whether the instance underneath it is tidy, current, governed, accountable and legible enough to be worth reading. The agent amplifies whatever is already there, for better or worse.
It's also worth noting how interconnected these are. A tidy but stale instance still misleads. A governed but illegible one still hides half its knowledge. Fixing one pillar rarely means the job is done.
If any of this feels familiar, that's because it maps closely onto ISO/IEC 42001 - the first international standard for AI management systems. Much of what it asks for (documenting how AI is used, governing access to sensitive information, keeping records reviewed and current, and evidencing sign-off and ownership) is really the formal, auditable version of the same five pillars. Getting your instance ready for agents and working towards ISO 42001 aren't separate projects; the readiness work is a large part of the groundwork.
We've written separately on how Confluence and Marketplace apps can support ISO 42001 compliance if that's on your roadmap.
We turned these five questions into an AI-Readiness Scorecard : it takes a few minutes and gives you a score per pillar plus where to start. If you'd like the longer write-up of the thinking behind it, the full framework is on our blog .
Matthew Joslin_AppFox_
1 comment