FREE CHECKLIST FOR ENGINEERING LEADERS

The AI-Native Engineering Checklist

The 25 controls every engineering org needs before AI velocity becomes AI liability — walk them through your staff engineers and find every gap in 30 minutes.

25 binary controls — five per practice, the whole method on one printable page
For each control: what a confident yes looks like, and what an unchecked box costs you — with the number attached
A self-score that places your org on the maturity ladder and names the first gap to fix
No spam. Unsubscribe anytime.
The AI-Native Engineering Checklist — cover
PDF · ~10 PAGES · 25 CONTROLS
Get the checklist.

25 controls across all five practices — printable, shareable, and free. Find every gap in 30 minutes, before your next incident does.

Your role
Country
WHY THIS CHECKLIST EXISTS

The problem is not AI adoption. The problem is unstructured AI adoption.

Some of your teams are getting 10x from AI. Others are guessing. Nobody can point to where one team's practice ends and another's gap begins — and that unevenness is exactly where the next incident hides. A control that holds on one team and not another is not a control. It is a gap you haven't found yet.

32%

of engineering orgs have any formal AI governance

CORTEX 2026
23.5%

more production incidents per PR without governance

CORTEX 2026
45%

of AI-generated code fails security tests

VERACODE 2025
WHAT'S INSIDE

Five practices. 25 controls. 30 minutes.

01

Curate

The context AI agents consume. 5 controls: codebase indexing · standardised, PR-reviewed AGENTS.md / CLAUDE.md · context ownership and metrics · window-scoping guidelines · AI onboarding and MCP allowlist.

02

Refine

Specs before AI generates code. 5 controls: spec-completeness gate · predicate-form acceptance criteria · systematic edge-case generation · Specify → Plan → Tasks → Implement · requirement-to-code traceability.

03

Architect

Within governed patterns. 5 controls: codified pattern and anti-pattern library · machine-readable ADRs linked from AGENTS.md · AI PR review before human · agentic CI/CD and intelligent test selection · tech-debt registry in AI context.

04

Fortify

Against AI-introduced risk. 5 controls: SAST/DAST/SCA at AI velocity · SBOM/AIBOM provenance · dependency, MCP and extension allowlists · policy-as-code compliance · closed-loop remediation.

05

Test

Before AI ships. 5 controls: higher AI coverage thresholds · adversarial edge-case testing · blocking quality gates · DORA segmented by AI-assisted · failure-to-context feedback loop.

06

Score yourself

Tally your ticks, place your org on the CRAFT maturity ladder — Ad-Hoc to AI-Native — and read off the leftmost practice with an unchecked box. That is where you start on Monday.

THREE OF THE 25 CONTROLS

See it before you gate it.

C2

Maintain AI-Readable Standards

Good — every team feeds AI the same quality of context; instruction files are version-controlled, not personal side files. Risk — each team feeds a different quality of context, and the 10x team stays a personality instead of becoming a practice.

F3

Defend the Supply Chain

Good — allowlists enforced at generation time; AI-suggested dependencies gated against registry-existence and reputation; MCP servers pinned. Risk — AI installs whatever it hallucinates. ~20% of AI-recommended packages don't exist and 43% recur (USENIX 2025) — slopsquatting is a repeatable attack vector.

T3

Gate Quality

Good — AI code faces stricter, blocking thresholds no one can wave through unilaterally. Risk — marginal AI code merges on a green PR. Apiiro found 4× velocity brings 10× vulnerabilities without gates (June 2025).

SCORE YOURSELF → YOUR ARCHETYPE

Count your ticks. Place your org.

0–5
The Ad-Hoc Org
DetailNo structure. Every developer fends for themselves.
01
6–10
The Individual Champions
DetailA few developers have figured it out. Knowledge walks out when they leave.
02
11–15
The Emerging Framework
DetailSome structure. Adoption is uneven across teams.
03
16–20
The Structured Org
DetailReal method in place. Output is consistent.
04
21–25
The AI-Native Org
DetailMeasurable, auditable, governable. Quality scales with velocity.
05
THE ONE MOVE

CRAFT's order is a dependency chain, not alphabetical convenience. Fix the leftmost practice where you have unchecked boxes first — a refined spec still fails if the AI is reading the wrong context, and a downstream practice built on an ungoverned upstream one is built on sand.

WHO IT'S FOR

Read this if you're a leader who…

…has some teams flying with AI and others floundering, with no shared method between them.

…can't get a straight answer to "do we actually have that control on every team, or just one?"

…wants a single page you can print, pass around your staff engineers, and fill in together in half an hour.

…suspects your AI governance is real on one team and theatre on the rest.

It best serves the middle of the maturity ladder — The Emerging Framework (41–60) and The Structured Org (61–80) — where a method exists but adoption is uneven, and naming the gaps is the next move.

THE AUTHOR

CRAFT Method wasn't designed in a boardroom. It was forged in production.

It was forged by building production software with AI, every day, for months. FIKR Space — eleven integrated products, built solo plus AI — is the live proof point.

LUIS GONÇALVESCREATOR OF CRAFT METHOD
THE WINDOW

EU AI Act high-risk obligations enforceable

2 AUG 2026

Article 12 logging is architectural, not retrofittable. If it isn't built in, it isn't there when the audit arrives.

Insurance exclusions for generative-AI claims live

1 JAN 2026

The financial backstop for AI-introduced defects is narrowing. The liability is moving onto the balance sheet.

The decision is yours. The clock is not.

QUESTIONS, ANSWERED

Before you ask.

Is this really free?

Yes. The checklist is a free download in exchange for your email. You'll get the PDF instantly and the occasional field note — unsubscribe anytime, and we never share your email.

How is this different from the Free Scorecard?

The Free Scorecard is the Curate practice only — 25 questions, scored to an archetype, done on screen. This checklist is all five practices, unscored, printable, and built to pass around every team lead. It is the natural bridge: the checklist shows you the shape of the gaps; the full diagnostic scores them.

Do we need a specific AI tool for this to apply?

No. CRAFT Method is tool-agnostic. Every control governs how any AI coding assistant is curated, refined, architected, fortified, and tested — whether that is Claude, Copilot, Cursor, or whatever ships next.

What's the Enterprise Diagnostic?

125 questions across all five practices — five per sub-practice — scored to a number and an archetype for every practice, with a per-sub-practice gap list, plus a 30-minute live debrief with Luis Gonçalves. Listed at €1,500–2,000; free during the 2026 launch period, limited capacity. The Free Scorecard (25 questions, 5 minutes) is always free.