Agentic Substrate Readiness
Whether autonomous agents can discover, query, and complete conversions through your marketing infrastructure. Not a new pillar — a property that crosses four of the existing ten.
The premise
A growing share of traffic is non-human. ChatGPT browses for answers. Perplexity cites sources. Custom GPTs and Anthropic Claude tools are increasingly authorised to take actions — book a call, request a quote, complete a checkout — on behalf of a user. The infrastructure that supports human visitors does not automatically support agent visitors.
Most existing AI-readiness frameworks score one dimension — usually content discoverability for AI search. That misses four equally important questions: can agents find you, can they act through your funnel, can they convert, and can you see what they did once they’re there. Discovery, capability, conversion, and observability are four different problems with four different responsible functions inside the business.
Yellowhead’s methodology splits the property accordingly. Four sub-scores under four existing pillars, each answering a different question. A composite "Agentic Substrate Readiness" view across all four is a derived reading on the report; the underlying scores live where the responsible function lives.
Four sub-scores, four questions
Agentic substrate readiness is a cross-pillar property. Each sub-score answers a different question about whether your infrastructure works for an autonomous actor. We score each one from 0 to 10 across distinct dimensions, then combine the agentic axis with the conventional axis using a fixed weighting.
Agentic Readiness
Can your systems be operated against by an autonomous agent?
The Tech Stack pillar combines conventional tool efficiency (70%) with agentic readiness (30%).
AI tools directly observed on-site — chatbots (Ada, Tidio AI, Chatbase, Botpress, Voiceflow, Dialogflow), AI content tools (Jasper, Copy.ai, Writer), AI personalisation (Dynamic Yield), AI search (Algolia AI), AI summarisation widgets.
API-first / headless / composable architecture, webhook infrastructure, OAuth or API-key surfaces for delegated agent identity, modern CMS with documented API access. (MCP manifests are scored separately below, not double-counted here.)
Workflow orchestration depth — detected automation platforms (Zapier, Make, n8n, Workato, native automations), AI-assisted automation patterns, evidence of multi-step orchestration.
Integration density between detected tools — the more tools speak to each other, the more agent-operable the stack overall.
The same llms.txt file is scored twice on different questions. Here it is read for agent-operability — does it help an agent understand the site structure and navigate it: sectioning quality, key pages indexed, a navigation path an agent could plan from the file alone. This reading can score high even when the citation-lens reading under Discoverability scores low. Same file, two scores.
A manifest at /.well-known/mcp.json or /.well-known/ai-plugin.json declaring tools and endpoints an agent can call. Presence is a strong positive signal; absence is the modal default for businesses today and not by itself a finding, but it forecloses downstream agentic integration paths.
Browser-native WebMCP tool registration — declarative HTML tool attributes on form/button elements, or imperative navigator.modelContext.registerTool calls (audited by Chrome Lighthouse 13.3+). The declarative API is detectable via static scrape; imperative runtime registration is not yet captured in our pipeline. Modal default in 2026 is absence — the spec is experimental — so absence is not a finding by itself.
AEO & GEO Readiness
Can AI systems extract, cite, and recommend you?
The Discoverability pillar is composed of four sub-scores — Web (20%), SEO (35%), AEO (25%), and GEO (20%). The four AEO dimensions below are the answer-extraction axis; GEO is a holistic off-site score. (Web loadability — Core Web Vitals, mobile, crawlability, and DOM legibility for agents — and traditional SEO ranking are scored under their own sub-scores, not here.)
schema.org / JSON-LD presence, validity, and coverage on the things that matter — Organization, Article/BlogPosting, FAQPage, HowTo, Product, Service, LocalBusiness, Event. Answer-relevant types are materially more likely to be extracted into AI-generated answers.
Explicit allow/deny posture in robots.txt for AI bots — training bots (GPTBot, Google-Extended, ClaudeBot) versus retrieval bots (ChatGPT-User, PerplexityBot, OAI-SearchBot). A differentiated posture (training blocked, retrieval allowed) is a valid strategic choice that scores positively. Retrieval bots blocked caps AEO regardless of other signals — no fetch, no answer-extraction.
Whether content is shaped to be lifted directly into an answer — clear question-and-answer formatting, specific verifiable claims, stable canonical URLs, content addressable by stable identifiers. Hedged or buried facts extract poorly.
The structured summary file read here for its citation/answer-extraction value only — does it help AI systems extract and cite you. On current evidence (Zyppy 2026; Google’s own guidance) llms.txt provides minimal-to-no measurable citation lift today, so most sites score low here regardless of file quality. The SAME file is scored separately under Tech Stack for agent-operability, where it can score high. Same file, two questions, two scores.
The GEO sub-score, holistic and off-site: third-party mentions, earned media and trade-press coverage, analyst and industry citations, presence in authoritative reference sources (Wikipedia, Crunchbase, directories), and dedicated AI-visibility tooling (Obsero, Otterly, Ayzeo) if detected. This is the "get named and recommended" axis, distinct from AEO’s "get into the answer."
Agent Compatibility
Can agents complete a conversion through your funnel?
The Conversion pillar combines the human-funnel score (80%) with agent compatibility (20%). The 80/20 weighting reflects that conversion is still primarily a human concern — agent compatibility is meaningful but secondary at this stage of the agentic economy.
Forms accessible without captcha-by-default; no hostile JS gates on essential conversion paths. Targeted captcha on high-risk forms is appropriate; blanket captcha on every form is hostile to legitimate agents. Sparse-homepage-form sites where the conversion model is sales-assisted or hybrid (with a dedicated /contact, /account-opening, or /quote path) are healthy patterns and not penalised — many regulated industries deliberately keep homepage forms minimal.
Cloudflare Bot Management, DataDome, PerimeterX, Akamai Bot Manager, Imperva, Kasada visible in headers or cookies. Presence is neutral-to-positive — it means the business has capability for differentiated bot policy. Absence on a high-stakes funnel (e-commerce checkout with no bot management) is a finding.
Form submissions persist into a system of record (POST destination is a system endpoint, not fire-and-forget mailto:); booking/order pathways have stable URLs; checkout returns addressable confirmation pages.
Calendly / Cal.com endpoints, programmatic checkout (Shopify Storefront API, Stripe Payment Links), exposed booking systems. Optional / positive-only — many businesses don’t have programmatic conversion paths and that’s not a finding for non-API-native businesses.
Can an autonomous agent reliably identify and complete each field of the conversion form? Label associations (label[for]/wrapping label/aria-label), autocomplete hints (autocomplete="email"/"name"), and the absence of the placeholder-only anti-pattern — placeholder text is a hint, not an accessible name, and disappears once the user types. High label coverage plus autocomplete on identity/contact fields means an agent can fill the form deterministically.
Agent Observability
Can you see and govern agent traffic?
The Trust & Security pillar combines conventional compliance (85%) with agent observability (15%). The 85/15 weighting reflects that most existing regulatory frameworks are still primarily concerned with human-data obligations. AI-specific regulations (EU AI Act, Colorado AI Act) are emerging but not yet broadly operational — agent observability is a meaningful but secondary axis until the regulatory surface broadens.
Does the privacy policy disclose AI usage and named AI vendors? When the audit detects a chat or AI-content vendor (Intercom, Tidio, Jasper, Copy.ai, etc.) but the privacy policy doesn’t name it, that’s a real disclosure gap. Strong AI/ML governance language — automated decision-making references, sub-processor disclosures, named third-party AI providers — scores positively.
Does the AI widget respect consent gating? When a chat widget loads BEFORE consent fires for jurisdictions that require it (PIPEDA, GDPR, UK GDPR), that’s real exposure. Consent-aware widget loading scores positively. When no chat or AI widget exists at all, this dimension is treated as un-evaluable rather than penalised.
Has the business addressed automated agent access in robots.txt and Terms of Service? Robots.txt directives for AI training and retrieval bots PLUS explicit ToS clauses on scraping, crawling, or text-and-data-mining is the strong-posture pattern. Either surface alone is partial.
Same evidence as the Conversion pillar’s anti-bot posture, framed differently. For Conversion: differentiated funnel-policy capability. For Trust & Security: can the business OBSERVE agent traffic at all? On a regulated entity, absence of any anti-bot infrastructure is a sharper finding here than at the funnel level.
AI-generated content disclosure markers detected in page HTML — attribute markers like data-ai-generated, AI-content meta tags, visible-text disclosure patterns ("Generated with AI", "AI-assisted"). C2PA binary metadata is not currently parsed. Absence is the modal case today; absence is only a finding when the business has detected AI content tooling without disclosure.
Why cross-pillar, not a new pillar
A marketing intern can fix a missing schema.org tag. Only an engineer can build a webhook surface. Only an ops lead can stand up agent-traffic monitoring. The pillars correctly model the responsible function. Agentic readiness is a property that crosses functions, so it belongs in multiple places.
Folding everything into a single "AI readiness" pillar would either duplicate existing Tech Stack, Discoverability, and Trust & Security signals or create an eleventh pillar that nobody owns. Splitting cleanly puts discoverable artifacts under Discoverability (AEO/GEO), infrastructure capability under Agentic Readiness, funnel completion under Agent Compatibility, and disclosure / governance under Agent Observability.
The conversion weighting is locked at 80% conventional / 20% agent compatibility. Today’s traffic is predominantly human; agent compatibility is a meaningful but secondary axis. The 80/20 split prevents the new dimension from distorting the score before it has been validated against real agent traffic data.
What we look at
Every score is grounded in directly observable evidence. We don’t infer agent readiness from brand reputation or marketing claims. The Diagnostic runs six pure-analyzer probes on every audit:
- · Anti-bot stack detection — header and Set-Cookie fingerprinting for Cloudflare BM, DataDome, PerimeterX, Akamai BM, Imperva, Kasada, Reblaze, F5 Shape. Presence of any vendor signals capability for differentiated bot policy.
- · Form analysis — homepage
<form>action URLs, methods, and captcha tooling (reCAPTCHA, hCaptcha, Cloudflare Turnstile, Friendly Captcha, Arkose Labs). Distinguishes fire-and-forgetmailto:forms from system-of-record POSTs. - · MCP manifest probe — checks
/.well-known/mcp.jsonand/.well-known/ai-plugin.json. Presence is a strong positive; absence is the modal default and not a finding. - · AI disclosure scan — privacy policy and Terms of Service text are scanned for named AI vendors, AI/ML governance language, and explicit scraping/crawling/text-and-data-mining clauses. When the audit detects an AI vendor that the privacy policy doesn’t name, that’s a real disclosure gap.
- · Provenance markers scan — homepage HTML is scanned for AI-generated content disclosure markers:
data-ai-generatedattributes, AI-content meta tags, visible-text disclosure patterns. C2PA binary metadata is not currently parsed; we add it when external prevalence justifies the parsing cost. - · Robots and structured data parsing — already present in the Diagnostic. Differentiated training-vs-retrieval bot policy, schema type coverage (FAQPage, Article, HowTo, Product, Service, Organization), llms.txt comprehensiveness.
The composite "Agentic Substrate Readiness" view is a derived reading across the four sub-score breakdowns — not a separate persisted score. Each pillar card carries its own dimensional pills under the existing composite axes.
Where each layer is covered
The Diagnostic answers what an external observer can see. The full picture of agentic readiness in a regulated environment also requires internal governance — covered separately.
Diagnostic
Is the external surface governed?
Externally detectable signals only — what an autonomous agent would see if it tried to discover, query, and convert through your infrastructure. The cross-pillar sub-scores on this page run on every Diagnostic.
DiagnosticInfrastructure Audit
What’s actually inside the systems?
The deeper-evidence variant of the Diagnostic. With read-only admin access to the platforms the Diagnostic flagged — GTM containers, AI vendor consoles, consent stack, CRM, ad platforms — we confirm from the inside what the external scan only inferred. For agentic substrate readiness specifically: prompt registries, model logs, DPIA evidence, and admin-tier configuration that has no external footprint.
Infrastructure AuditStrategic Assessment
Is the organisation governed?
Internal AI governance posture: AI use register, policy review, DPIA / AIA review, incident response posture, vendor procurement controls, regulatory exposure mapping. Covered in the Strategic Assessment AI Governance Posture module — interview-driven, document-review, not externally detectable.
Strategic AssessmentArchitect
Build what’s missing.
When the Strategic Assessment surfaces governance gaps, Architect engagements build the artifacts: AI policy, acceptable-use policy, DPIA / AIA, incident response runbooks, vendor due-diligence templates, logging instrumentation specs.
Architect streamAssist
Keep it current.
Quarterly reconciliation cadence: AI use register refresh, vendor inventory updates, regulatory monitoring, incident review. The Diagnostic re-runs catch external-surface drift; Assist catches organisational drift.
Assist streamWhat the Diagnostic does not detect
The Diagnostic measures externally observable infrastructure. Several aspects of agentic readiness are not externally visible at all — they are organisational rather than technical:
- · Internal AI governance documents (AI policy, AUP, DPIA / AIA register, incident response runbooks)
- · Audit trails of AI tool usage by employees
- · Model risk registers and red-teaming posture
- · Procurement controls for AI vendors (due-diligence templates, contractual data-handling clauses)
- · EU AI Act / Colorado AI Act risk classification of internal use cases
- · Employee AI training programmes
These belong to the Strategic Assessment and the Architect governance artifact build deliverables — not to the automated Diagnostic. A clean Diagnostic score with weak internal governance is a real risk pattern, particularly in regulated sectors. The Strategic Assessment AI Governance Posture module is where internal posture gets covered.
Methodology versioning
Every audit report carries a methodology version tag in its header and print/PDF view. The tag identifies which revision of the rubric produced the scores, so trend comparisons across the same business over time can segment cleanly when the methodology evolves.
Earlier-version reports keep their original scores — we do not retrofit historical results when a rubric refinement ships. New reports score under the current rubric, and the version tag travels with the report so any later comparison knows which methodology generated each side of the delta.
Related reading
The 10 Pillars of Marketing Infrastructure
The systems your marketing runs on — what each pillar covers, including the conventional and agentic axes inside Tech Stack, Discoverability, Conversion, and Trust & Security.
SEO, AEO & GEO
SEO, AEO, and GEO measure different things — get ranked, get into the answer, get recommended. The AEO & GEO Readiness sub-score on this page is the Diagnostic’s answer-extraction and off-site-consensus measurement.
The Modern Marketing Stack
The four-layer view of marketing infrastructure. The agentic layer this page describes is the emerging fifth layer — it sits above Layer 4 (infrastructure management) and depends on it.
The MIDAS Score
The composite 0-100 score covering pillar performance, perception accuracy, infrastructure coherence, and budget efficiency. Agentic substrate readiness contributes to MIDAS through the refined sub-scores.
See your agentic substrate readiness
The free Diagnostic produces all four sub-scores with full dimensional breakdowns. No sales call required.