A business owner at 20 people is in a specific and difficult spot with AI. Large enough that the productivity question is real. Small enough that a six-figure custom build could genuinely hurt. And surrounded by vendors who would very much like to tell them they need the expensive one.
The decision comes down to a genuinely useful question: what kind of problem are you actually solving?
The choice in front of you
A 20-person owner-managed business typically faces one core AI setup decision: lean SaaS tools running through the software you already use, or a customised system built around your specific workflows and data. The right answer depends less on the size of your ambitions and more on the nature of the specific problem you are trying to solve first, and whether generic tools can get you most of the way there.
Off-the-shelf AI sits inside Microsoft 365 Copilot, ChatGPT Team, HubSpot’s AI features, and Notion AI. At roughly £25-30 per user per month for Copilot, or a comparable figure for ChatGPT Team, a 20-person firm can deploy AI across the whole team for under £10k a year. These tools handle the use cases owner-managed businesses need first: drafting and summarising documents, answering internal questions, improving proposals, managing email, supporting basic analysis.
Custom AI, built around your specific knowledge base or embedded into your operations, is a materially different proposition. Discovery and design alone typically run £5-20k for a firm of this size. Build and integration add £20-100k or more. That is before the ongoing cost of maintaining it.
The gap between those numbers is why the choice matters.
When is the lean SaaS stack the right call?
Lean SaaS AI is the right starting point for the overwhelming majority of 20-person owner-managed businesses. The use cases it handles well are the same ones that consume the most staff time: email processing, document drafting, internal knowledge search, basic reporting and client communication. If your firm’s core problem is the volume of low-value admin per person, generic tools address that directly and you can be up and running in two to eight weeks.
Only 29% of UK businesses in the 10-49 employee band are currently using any AI, according to UK government data from April 2024. The firms that move first on the basics have a real window, and the basics are sufficient for a first deployment.
The compliance picture also favours starting here. Microsoft, Google and OpenAI all publish enterprise-level security and privacy commitments for their paid tiers, including commitments not to use business prompts to train their models. That does not replace your own due diligence, but it means the compliance baseline is manageable. You still need to think about what data goes into these tools and document that decision, but a DPIA for a ChatGPT Team subscription is a much lighter exercise than one for a custom system processing client case notes.
BCG’s 2024 study of generative AI use across more than 2,000 workers found that employees who received proper training on how to use these tools were 40% more productive on complex tasks than those who received none. The tool matters less than whether your team has actually been shown how to use it.
When does custom integration actually make sense?
Custom AI justifies its cost when you have a specific, high-value process that generic tools cannot replicate, your underlying data is accessible via an API, and you can genuinely allocate a mid-five-figure budget and the internal time for a three-to-six-month project. That combination applies to a minority of 20-person firms, but where it does apply, the returns can be significant.
The clearest cases are firms where one process drives a disproportionate share of value and the inputs are structured and documented: claims triage in an insurance broker, technical scoping in an engineering consultancy, complex client onboarding in a financial services firm.
What rules out custom for many firms at this scale is the state of their data. McKinsey’s research on generative AI consistently identifies data quality and accessibility as the single biggest determinant of project success. If your documents, CRM and project history are spread across three different systems and partially in people’s heads, a custom build will spend the majority of its budget cleaning that up rather than delivering the AI capability you bought.
Skilled machine learning engineers in the UK command median salaries above £70k, which makes full in-house teams unrealistic at this scale. You are building a dependency on an external supplier. That is manageable with the right contract and a well-scoped brief, but it is a material risk. The Competition and Markets Authority has also flagged concentration risk in the AI foundation model market, which is worth understanding before you build deeply on a single provider’s infrastructure.
What does it cost to get this decision wrong?
The cost of choosing custom AI when lean tools would have done the job is straightforward: wasted capital and a slower return. The cost of treating compliance as something you will come back to later is less predictable and potentially much higher. UK GDPR fines can reach £17.5m or 4% of global annual turnover for serious breaches, and the ICO has demonstrated it will use those powers against AI deployments specifically.
The ICO fined Clearview AI over £7.5m in 2022 and ordered deletion of UK residents’ data, establishing clearly that AI vendors and the businesses using their tools are both accountable for lawful data processing. If your AI setup processes client data, personal contact records, or case information, you need a lawful basis, a data minimisation approach, and in many cases a DPIA. The ICO’s AI and data protection risk toolkit is written explicitly with smaller organisations in mind.
The EU AI Act adds a further layer for any firm with customers or operations in the EU. Fines for non-compliance reach €35m or 7% of global turnover in the most serious cases, with lighter obligations for limited-risk use cases such as AI chatbots.
Cyber exposure compounds the picture. The NCSC warns that AI deployments without basic cyber hygiene, including multi-factor authentication, access controls and patching, increase exposure to prompt injection and data exfiltration. The UK government’s 2024 Cyber Security Breaches Survey found that 32% of businesses reported a breach or attack in the previous 12 months.
What to ask before you commit to either path
Before signing anything, three questions do most of the work. What specific problem are you solving first, and can you measure whether it is solved? What personal data will the AI touch, and have you mapped the compliance implications? And who inside the business will own this? The evidence from enterprise deployments consistently shows that named internal ownership is the single biggest predictor of whether adoption actually happens.
On the first question: resist the pull toward a broad rollout. Evidence from McKinsey, BCG and OpenAI’s enterprise guidance consistently shows that narrow, measurable use cases deliver better early returns than wide, unfocused deployments. Pick the process where AI will have the clearest effect, run it properly, then expand.
On compliance: work through the ICO guidance before you go live, not after. For regulated firms, the FCA and SRA both have published guidance on AI that applies regardless of whether the tool is off-the-shelf or custom. If AI will touch employee records, client case histories, or financial data, build the compliance review into your timeline from the start.
On ownership: BCG’s research found that productivity gains materialised reliably when a named senior sponsor and a small internal group actively drove usage and training. An AI subscription with no one responsible for it underperforms one with a named owner, and that lesson applies whether you are starting with a SaaS stack or commissioning a bespoke build.
If you want to talk through where your firm sits in this decision, book a conversation.



