Agentic Substrate Readiness

AI tools directly observed on-site — chatbots (Ada, Tidio AI, Chatbase, Botpress, Voiceflow, Dialogflow), AI content tools (Jasper, Copy.ai, Writer), AI personalisation (Dynamic Yield), AI search (Algolia AI), AI summarisation widgets.

API-first / headless / composable architecture, webhook infrastructure, MCP manifests at /.well-known/mcp.json or /.well-known/ai-plugin.json, OAuth or API-key surfaces for delegated agent identity, modern CMS with documented API access. Presence of an MCP manifest is a strong positive signal; absence is the modal default for businesses today and not by itself a finding.

Workflow orchestration depth — detected automation platforms (Zapier, Make, n8n, Workato, native automations), AI-assisted automation patterns, evidence of multi-step orchestration.

Integration density between detected tools — the more tools speak to each other, the more agent-operable the stack overall.

schema.org / JSON-LD presence, validity, and coverage on the things that matter — Organization, Article/BlogPosting, FAQPage, HowTo, Product, Service, LocalBusiness, Event. GEO-relevant types deliver ~3.2x higher AI citation probability.

Presence, comprehensiveness, sectioning quality. A well-sectioned llms.txt with key pages indexed signals deliberate GEO strategy.

Explicit allow/deny posture in robots.txt for AI bots. Differentiated training-vs-retrieval posture (training bots blocked while retrieval bots allowed) is a valid strategic choice that scores positively, not negatively. Retrieval bots blocked caps GEO regardless of other signals — blocked retrieval means no AI citation possible.

Sitemap completeness, freshness (recent lastmod dates), declared in robots.txt, accessible at conventional location.

Clean canonical URLs, stable URL patterns, content addressable by stable identifiers, RSS/Atom feeds where applicable, dedicated GEO tooling (Obsero, Ayzeo, Otterly) if present.

Forms accessible without captcha-by-default; no hostile JS gates on essential conversion paths. Targeted captcha on high-risk forms is appropriate; blanket captcha on every form is hostile to legitimate agents. Sparse-homepage-form sites where the conversion model is sales-assisted or hybrid (with a dedicated /contact, /account-opening, or /quote path) are healthy patterns and not penalised — many regulated industries deliberately keep homepage forms minimal.

Cloudflare Bot Management, DataDome, PerimeterX, Akamai Bot Manager, Imperva, Kasada visible in headers or cookies. Presence is neutral-to-positive — it means the business has capability for differentiated bot policy. Absence on a high-stakes funnel (e-commerce checkout with no bot management) is a finding.

Form submissions persist into a system of record (POST destination is a system endpoint, not fire-and-forget mailto:); booking/order pathways have stable URLs; checkout returns addressable confirmation pages.

Calendly / Cal.com endpoints, programmatic checkout (Shopify Storefront API, Stripe Payment Links), exposed booking systems. Optional / positive-only — many businesses don’t have programmatic conversion paths and that’s not a finding for non-API-native businesses.

Does the privacy policy disclose AI usage and named AI vendors? When the audit detects a chat or AI-content vendor (Intercom, Tidio, Jasper, Copy.ai, etc.) but the privacy policy doesn’t name it, that’s a real disclosure gap. Strong AI/ML governance language — automated decision-making references, sub-processor disclosures, named third-party AI providers — scores positively.

Does the AI widget respect consent gating? When a chat widget loads BEFORE consent fires for jurisdictions that require it (PIPEDA, GDPR, UK GDPR), that’s real exposure. Consent-aware widget loading scores positively. When no chat or AI widget exists at all, this dimension is treated as un-evaluable rather than penalised.

Has the business addressed automated agent access in robots.txt and Terms of Service? Robots.txt directives for AI training and retrieval bots PLUS explicit ToS clauses on scraping, crawling, or text-and-data-mining is the strong-posture pattern. Either surface alone is partial.

Same evidence as the Conversion pillar’s anti-bot posture, framed differently. For Conversion: differentiated funnel-policy capability. For Compliance: can the business OBSERVE agent traffic at all? On a regulated entity, absence of any anti-bot infrastructure is a sharper finding here than at the funnel level.

AI-generated content disclosure markers detected in page HTML — attribute markers like data-ai-generated, AI-content meta tags, visible-text disclosure patterns ("Generated with AI", "AI-assisted"). C2PA binary metadata is not currently parsed. Absence is the modal case today; absence is only a finding when the business has detected AI content tooling without disclosure.