The board wants AI. The CTO has a proposal. And you, as CFO, are being asked to sign off on a budget that ranges from "let's start small" to "this will transform the company." The problem is that you have seen both claims before — for ERP migrations, for cloud transformations, for digitisation programmes — and the pattern is familiar. Ambitious scope, unclear ROI, cost overruns by month six.

AI does not have to follow that pattern. But it will, unless someone in the room is asking the right financial questions before the first euro is spent.

This checklist is that set of questions.

Why the CFO perspective matters more than you think

Most AI readiness frameworks are built for CTOs. They evaluate technical infrastructure, data maturity, and model capabilities. What they do not evaluate is whether the organisation can absorb the financial and operational cost of an AI initiative without overcommitting resources or triggering compliance obligations that nobody budgeted for.

The adoption curve in German industry has turned sharply. Bitkom's 2025 survey of 604 companies found that 36% now use AI — up from 20% a year earlier, an almost-doubling in twelve months. AI has crossed from experiment to operating expense, and that changes who owns the decision. When an initiative is a science project, it lives in IT. When it becomes a recurring line item with a compliance footprint and a maintenance bill, it lives with finance.

The initiatives that stall rarely fail on technology. They fail on budget authority — the initiative starts in IT, grows beyond the CTO's signing authority, and then sits in a queue for board approval while momentum dies. The CFO who gets involved early — not as a gatekeeper but as a financial architect — is the single biggest lever on whether an initiative reaches production at all. Engaging with the financial dimension of AI readiness before the technical evaluation, rather than after, is what separates a workflow that ships from a slide deck that circulates.

Total cost of ownership: what the first proposal leaves out

The most expensive mistake a CFO can make is approving the build cost as if it were the total cost. It almost never is. The model — or, increasingly, the API subscription to a model someone else trained — is the visible, smallest, and most predictable part of the bill. The cost lives everywhere else.

Integration and data engineering is where first proposals are most consistently optimistic. Getting data out of your existing systems, cleaning it, and piping results back into the ERP, CRM, or core business system is the bulk of the work on most production deployments — not the model. A standalone tool that produces a recommendation a human then re-keys is cheap and largely useless; a workflow that writes back into the system of record is where value lives, and it is also where the engineering hours accumulate. Ask for the integration estimate as a separate, named line, and treat a proposal that folds it into "model development" as incomplete.

Ongoing operations is the line that turns a one-off into a subscription you did not realise you were signing. A production AI workflow needs monitoring, periodic evaluation, and — for anything that touches changing data — retraining or prompt maintenance. Drift is not a hypothetical: a model that performed well at launch degrades as the world it was trained on moves. Budget for operations as a recurring annual cost from day one, not as a surprise in year two.

Change management is the cost most often left out entirely, and the one most likely to quietly kill the return. The team that runs the manual version of this workflow today needs training, communication, and transition time. Skip it and you do not get failure — you get passive resistance, shadow processes, and an adoption rate that makes the business case collapse on contact with reality.

The compliance cost is now a regulatory fact, not a footnote

For any DACH initiative, EU AI Act exposure has moved from "something to consider" to a budget line with statutory teeth — and the CFO needs to know which tier the workflow falls into before signing.

The Act took full effect on 2 August 2026, but the heaviest obligations were deliberately rephased. Under the Digital Omnibus agreement reached in May 2026, the compliance deadline for stand-alone high-risk systems listed in Annex III was pushed to 2 December 2027, and for AI embedded in regulated products under Annex I to 2 August 2028. This is a planning gift, not a reprieve. If your workflow is high-risk — credit scoring, employment and worker-management decisions, and several other Annex III categories qualify — you now have a defined runway for conformity assessment, technical documentation, and registration, rather than a cliff edge. Use it deliberately; do not let it lull the organisation into deferring the work until the runway is gone.

The penalties are calibrated to make non-compliance a board-level financial risk, not an operational nuisance. Article 99 sets fines of up to €35 million or 7% of total worldwide annual turnover for prohibited practices, up to €15 million or 3% of turnover for breaching high-risk obligations, and up to €7.5 million or 1% for supplying incorrect or misleading information to authorities — in each case whichever is higher. The Act does extend proportionality to SMEs, applying the lower of the cap or the percentage. But the headline numbers establish the ceiling, and for a CFO the relevant point is that classification errors carry turnover-scaled consequences.

Layered on top is the existing data-protection regime. Under Article 35 GDPR, a Data Protection Impact Assessment is mandatory before processing that is likely to result in high risk — explicitly including systematic, automated evaluation of personal aspects that produces legal or similarly significant effects. A great many AI workflows that touch customer or employee data land squarely in that definition. The DPIA is not optional paperwork to be retrofitted; it is a precondition, and the cost of scoping it — internal counsel time, and external counsel where the use case is novel — belongs in the first budget, not the first audit. Regulated industries carry the heaviest version of this overhead, because sector supervision sits on top of the horizontal rules.

The ROI horizon: what to expect and what to demand

The honest test of a first AI initiative is not a three-year savings projection. It is whether the team can name where value appears, in what metric, and within how many weeks of going live. "We project savings of X over three years" is the language of a programme that has not been scoped. "This workflow now clears the queue faster, and here is the number we will measure" is the language of one that has.

Demand specificity. Not "improved efficiency" but a named metric attached to a named team: hours reclaimed per week in a specific function, a measurable reduction in error rate for a defined process, throughput on a particular workflow, or cost avoided in a quantifiable category such as external review hours. If the proposal cannot name the metric, the workflow, and the team, it is not ready for approval — it is ready for Discovery.

What you should not accept is a horizon measured in years before the first measurable result. If value does not surface within a small number of months, the scope is too broad, the data is not ready, or the integration is harder than the proposal admits. Each of those is a reason to narrow the initiative, not to extend the runway.

The six questions every CFO should ask

Before signing off on any AI initiative, run these six questions. If the answers are vague, the initiative is not ready for budget — it is ready for scoping.

What is the named workflow? Not "customer service" but "inbound email classification and routing for the claims team." If they cannot name it precisely, they have not scoped it, and an unscoped workflow has no defensible budget.

What is the total cost, including integration, compliance, and a full year of operations? Reject any number that covers only the build. Demand integration, the DPIA and legal review, change management, and twelve months of running costs as named lines.

Where does measurable ROI appear, and when? Accept months, not years. Accept specific metrics tied to specific teams, not directional improvements that can never be falsified.

Who is the executive sponsor with operational authority? An AI initiative without a named sponsor who controls the workflow and the team is an orphan. Orphans do not survive their first contact with a competing priority.

What is the EU AI Act and GDPR posture for this workflow? Does it touch personal data? Is it Annex III high-risk? Has a DPIA been scoped? "We will figure that out later" is not an answer — it is a deferred cost and a deferred risk, and you should price both into the timeline now.

What happens if we stop after phase one? Every initiative should be scoped so phase one delivers standalone value. If the business case only works after three phases, the risk profile is wrong for a first move. You are looking for a workflow you would be glad to own even if the roadmap beyond it never arrives.

How the AI Operating System framework handles the CFO perspective

In The AI Operating System, the financial dimension is built into the readiness framework from the start — because the CFO's sign-off is where most Mittelstand AI initiatives either accelerate or die. The framework evaluates budget authority alongside technical readiness, scoping every initiative so that phase one fits within the CFO's direct approval authority: no board escalation required for the first workflow, no multi-year commitment before the first result.

This is deliberate. The fastest path to AI value in a Mittelstand company is not a transformation programme. It is a single workflow, scoped to deliver a measurable result within one quarter, budgeted within existing authority, classified for regulatory risk before it ships, and measured on a metric the CFO already tracks.

A Fit Call applies the six questions above to your specific situation — and surfaces the hidden costs and EU AI Act exposure before they surface in an approval you have already signed.


References: European Commission, "Regulatory framework on AI / AI Act," 2026 (https://digital-strategy.ec.europa.eu/en/policies/regulatory-framework-ai); EU Artificial Intelligence Act, "Article 99: Penalties" (https://artificialintelligenceact.eu/article/99/); Gibson Dunn, "EU AI Act Omnibus Agreement — Postponed High-Risk Deadlines and Other Key Changes," 2026 (https://www.gibsondunn.com/eu-ai-act-omnibus-agreement-postponed-high-risk-deadlines-and-other-key-changes/); "Art. 35 GDPR — Data protection impact assessment" (https://gdpr-info.eu/art-35-gdpr/); Bitkom, "Künstliche Intelligenz 2025" (https://bitkom-research.de/studien/kuenstliche-intelligenz-2025).