Methodology · v1.0.0

AIRS — AI-Readiness Score

One number, six axes, fully open. The same engine that powers every Synelo audit — published here so any auditor can reproduce a score by hand.

Formula version 1.0.0 · Updated when weights or checks change

The composite

AIRS is a weighted average of six axis scores (each 0–100). The heaviest weights go to AI Readiness and Compliance Risk: the two categories nobody else measures, and the ones on which EU SMBs face the hardest deadlines in 2025–2027.

AIRS = round(
    Performance       × 0.20  +
    Accessibility     × 0.15  +
    SEO Visibility    × 0.10  +
    AI Readiness      × 0.25  +
    Compliance Risk   × 0.20  +
    Security Hygiene  × 0.10
)

Each axis score is itself a weighted average of its checks. For PSI-anchored axes (Performance, Accessibility, SEO), the PSI category score is blended 70/30 with the check pass-rate so the AIRS axis stays correlated with Lighthouse but adds the EU-specific layer.

Score labels

Range     Label
0–39      Critical exposure
40–59     Below median
60–74     Industry standard
75–89     Strong
90–100    Reference-grade

Performance · weight 20%

PageSpeed Insights mobile run + CWV thresholds. Real users feel speed first; everything else is downstream.

  • lcp-good
    LCP < 2.5s
    Optimise hero image, defer non-critical JS, enable a CDN.
  • cls-good
    CLS < 0.1
    Set explicit width/height on images and embeds; avoid late-injected ads above the fold.
  • inp-good
    INP < 200ms
    Reduce main-thread JavaScript; split long tasks; defer hydration.

Accessibility · weight 15%

PSI accessibility category + WCAG 2.2 AA / EAA-specific checks (text alternatives, contrast, focus visibility, target size).

  • image-alt
    Images have alt text
    Descriptive alt text on every image; alt="" only for decorative.
  • color-contrast
    Colour contrast ≥ 4.5:1
    Raise text/background contrast to WCAG AA threshold.
  • button-name
    Buttons have accessible names
    aria-label or visible text on every interactive control.
  • link-name
    Links have discernible text
    Replace "click here" with descriptive link copy.
  • lang-attr
    HTML lang attribute set
    <html lang="…"> declares page language for assistive tech.

SEO Visibility · weight 10%

PSI SEO category + presence of structured data and social-graph metadata. AI search engines and traditional crawlers consume the same signals.

  • json-ld
    JSON-LD structured data
    Add Organization + WebSite + WebPage JSON-LD on the homepage.
  • og-meta
    Open Graph metadata
    og:title, og:description, og:image, og:url.
  • twitter-card
    Twitter card metadata
    twitter:card, twitter:title, twitter:image.
  • canonical
    Canonical URL declared
    <link rel="canonical" href="…"> to prevent duplicate-content penalties.

AI Readiness · weight 25%

Whether AI bots (GPTBot, ClaudeBot, PerplexityBot) and AI search engines can read, summarise, and recommend this site. The single biggest growth lever for 2025-2027 — and the differentiator AIRS is built around.

  • robots-allow-ai
    AI bots allowed in robots.txt
    Remove Disallow: / for GPTBot / ClaudeBot / PerplexityBot / Google-Extended. AI engines that can't crawl you can't cite you.
  • llms-txt
    /llms.txt manifest published
    Publish /llms.txt summarising your site's purpose, key URLs, and content hierarchy for LLM context. See anthropic.com/llms-txt.
  • json-ld
    JSON-LD schema (AI-readable)
    AI summarisers consume JSON-LD as primary signal — add Organization, Service, Product, FAQPage where relevant.
  • og-meta
    Open Graph (AI summarisers)
    AI search results lean on og:title / description heavily — these are your "snippet" in the AI era.
  • semantic-html
    Semantic HTML structure
    Replace <div> soup with <header>, <nav>, <main>, <article>, <section>. AI crawlers extract structure, not styles.
  • sitemap
    Sitemap discoverable
    Reference sitemap in robots.txt: "Sitemap: https://…/sitemap.xml".

Compliance Risk · weight 20%

EU regulatory exposure: AI Act (Art. 50 transparency), EAA (28 Jun 2025 effective), NIS2 (transposed Oct 2024), GDPR (cookie + privacy).

  • ai-act-transparency
    AI Act Art. 50 transparency (if AI features used)
    Add visible "Powered by AI" / "AI-generated" notices near every AI-driven surface.
  • eaa-accessibility
    EAA-grade accessibility (WCAG 2.2 AA)
    Address all WCAG AA failures listed in the Accessibility axis.
  • nis2-security-txt
    NIS2 — incident contact published
    Publish /.well-known/security.txt with contact + policy URL (RFC 9116).
  • gdpr-cookie
    GDPR / ePrivacy cookie consent
    Compliant consent layer (Cookiebot, Iubenda, Usercentrics).
  • privacy-policy
    Privacy policy linked
    Footer link to /privacy or /datenschutz.
  • imprint
    Imprint / legal notice (TMG §5)
    /imprint or /impressum is mandatory in DE/AT for commercial sites.
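
An added example (not Synelo's own detection code) of how the nis2-security-txt check could be reproduced by hand against a fetched /.well-known/security.txt body. The function name, finding labels and sample files are hypothetical; the Expires validation follows RFC 9116 and goes beyond the "contact + policy URL" criterion stated above.

```python
from datetime import datetime, timezone

def audit_security_txt(text, now=None):
    """Return findings for a security.txt body; an empty list means it passes."""
    now = now or datetime.now(timezone.utc)
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        # Skip blanks, comments and lines without a "Name: value" separator.
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, value = line.split(":", 1)
        fields.setdefault(name.strip().lower(), []).append(value.strip())

    findings = []
    contacts = fields.get("contact", [])
    if not contacts:
        findings.append("contact-missing")
    # RFC 9116: Contact is a URI, so a bare e-mail address does not qualify.
    elif not all(c.lower().startswith(("mailto:", "https://", "tel:")) for c in contacts):
        findings.append("contact-not-uri")

    policies = fields.get("policy", [])
    if not policies:
        findings.append("policy-missing")
    elif not all(p.lower().startswith("https://") for p in policies):
        findings.append("policy-not-https")

    # RFC 9116: Expires must appear exactly once and lie in the future.
    expires = fields.get("expires", [])
    if len(expires) != 1:
        findings.append("expires-missing-or-duplicated")
    else:
        try:
            when = datetime.fromisoformat(expires[0].upper().replace("Z", "+00:00"))
            if when.tzinfo is None:
                raise ValueError("timestamp has no UTC offset")
            if when <= now:
                findings.append("expires-in-past")
        except ValueError:
            findings.append("expires-invalid")
    return findings

# Constructed samples: one complete file, one stale file with a bare address.
GOOD_TXT = ("# constructed sample\nContact: mailto:security@example.com\n"
            "Policy: https://example.com/security-policy\nExpires: 2030-01-01T00:00:00Z\n")
STALE_TXT = "Contact: security@example.com\nExpires: 2020-01-01T00:00:00Z\n"
FIXED_NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)  # pinned for repeatable results
```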

Security Hygiene · weight 10%

Response-header analysis: HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy. Cheap to ship; signals operational maturity.

  • hsts
    HSTS header
    Strict-Transport-Security: max-age=31536000; includeSubDomains.
  • csp
    Content-Security-Policy
    Whitelist trusted script/style origins; prevents XSS escalations.
  • x-frame-options
    X-Frame-Options (clickjacking)
    X-Frame-Options: DENY (or use CSP frame-ancestors).
  • x-content-type-options
    X-Content-Type-Options
    X-Content-Type-Options: nosniff.
  • referrer-policy
    Referrer-Policy
    Referrer-Policy: strict-origin-when-cross-origin.
  • permissions-policy
    Permissions-Policy
    Lock down camera, mic, geolocation by default.
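
An added example (not Synelo's parser) that evaluates the six check IDs above against one response's headers, so a result can be reproduced by hand. The function name, the pass criteria for referrer-policy and permissions-policy, and the sample response are assumptions made for this example.

```python
import re
STRICT_REFERRER = {"no-referrer", "same-origin", "strict-origin",
                   "strict-origin-when-cross-origin"}  # assumed pass set

def check_security_headers(raw_headers):
    """Map each Security Hygiene check ID to pass/fail for one response."""
    # Header names are case-insensitive; repeated headers combine with ", ".
    h = {}
    for name, value in raw_headers:
        key = name.strip().lower()
        h[key] = h[key] + ", " + value.strip() if key in h else value.strip()
    # max-age=0 tells the browser to drop its HSTS entry, so require > 0.
    m = re.search(r'max-age\s*=\s*"?(\d+)', h.get("strict-transport-security", ""), re.I)
    # Only the enforcing CSP header counts; -Report-Only blocks nothing.
    directives = {}
    for policy in h.get("content-security-policy", "").split(","):
        for part in policy.split(";"):
            tokens = part.split()
            if tokens:
                directives.setdefault(tokens[0].lower(), []).extend(tokens[1:])
    ancestors = directives.get("frame-ancestors")
    xfo = h.get("x-frame-options", "").upper()
    referrer = {t.strip().lower() for t in h.get("referrer-policy", "").split(",")}
    pp = h.get("permissions-policy", "")
    return {
        "hsts": bool(m) and int(m.group(1)) > 0,
        "csp": bool(directives),
        # Either the legacy header or CSP frame-ancestors restricts framing.
        "x-frame-options": xfo in ("DENY", "SAMEORIGIN")
                           or (ancestors is not None and "*" not in ancestors),
        "x-content-type-options": h.get("x-content-type-options", "").lower() == "nosniff",
        "referrer-policy": bool(referrer & STRICT_REFERRER),
        # Assumed criterion: each feature has an empty allowlist, e.g. camera=().
        "permissions-policy": all(re.search(rf"\b{f}\s*=\s*\(\s*\)", pp)
                                  for f in ("camera", "microphone", "geolocation")),
    }

# Constructed sample: every header is present, yet four of six checks fail.
SAMPLE = [
    ("strict-transport-security", "max-age=0"),
    ("Content-Security-Policy-Report-Only", "default-src 'self'"),
    ("X-FRAME-OPTIONS", "sameorigin"),
    ("X-Content-Type-Options", "nosniff"),
    ("Referrer-Policy", "unsafe-url"),
    ("Permissions-Policy", "camera=(self), microphone=(), geolocation=()"),
]
if __name__ == "__main__":
    print(check_security_headers(SAMPLE))
```

A header that is merely present is not a pass: the sample fails on a zeroed HSTS max-age, a report-only CSP, a permissive referrer policy and a camera allowlist that still includes the site itself.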

What AIRS does NOT measure

  • Conversion rate. Even a score of 100 won't save bad copy or weak product–market fit. AIRS measures technical foundation; conversion is a separate audit.
  • Brand quality. A reference-grade score on a Comic-Sans landing page is still a reference-grade score. Visual design is intentionally out of scope.
  • Backend reliability. AIRS is an external audit — uptime, database integrity, billing logic are not observable from the homepage.
  • Industry-specific compliance beyond EU AI Act / EAA / NIS2 / GDPR. HIPAA, PCI-DSS, SOC 2 etc. are domain-specific and require dedicated audits.

Disputing a score

If you believe a check returned a false negative (e.g. you have a CSP but our parser missed it), email audits@synelostudio.com with the URL and the failing check ID. We rerun the audit and update the spec if our detection logic was wrong.