Scaling AI from one team into multiple departments

TL;DR

Scaling AI from one team into multiple departments works when the governance travels with the tool. The biggest failure mode in owner-managed firms is fragmented adoption: departments pick up AI independently, each with different data habits and no shared controls, creating compliance gaps that a regulator or a client incident will eventually find. The sequence matters more than the speed.

Key takeaways

- Scaling AI means replicating governance, not just copying tools. Test one use case fully before adding departments, and document the controls before you hand them on.
- The UK Government's AI Playbook recommends a scan, pilot, scale approach: validate value and controls in one team first, then replicate with shared standards rather than letting each team start from scratch.
- The ICO requires firms to maintain a lawful basis and consider data protection impact assessments before deploying AI that processes personal data, including internal use cases like onboarding or HR.
- The NCSC advises building access controls, logging, and supplier assurance before rollout. Each new department added to an AI deployment widens the attack surface through more users, prompts, connectors and vendors.
- The readiness test before extending to a new department: stable results over at least six weeks, written controls another team can follow, supplier terms reviewed for the new data type, and sign-off from operations or compliance.

The account manager on your marketing team found an AI tool that halved her proposal drafting time. The operations director saw the result and asked whether the same approach would work for client onboarding. The finance lead mentioned invoice processing. Within six weeks you’re fielding three separate requests from different departments, each with a slightly different use case, each involving different data.

This is the scaling moment. The question is how to do it without creating three separate problems.

What does scaling AI across departments actually mean?

Scaling AI across departments means moving from a single contained pilot in one team to a repeatable model other parts of the business can follow safely. The UK Government’s AI Playbook frames this as scan, pilot, scale: test a use case, validate its value and controls, then replicate with governance rather than copying the tool without the safeguards. The gap between those two approaches is where firms lose ground.

For a small services firm, scaling usually involves three shifts. The first is from individual use to workflow integration, where AI becomes part of a team’s standard process rather than a personal shortcut one person happens to use. The second is from informal understanding to written standards, with a shared view of which data is allowed in which tool and who reviews the outputs. The third is from one team’s experience to shared learning, where what the pilot team found out about prompts, errors, and edge cases gets passed on rather than rediscovered.

The UK Government Playbook also notes that capability needs change across the project lifecycle and that teams often need to collaborate across internal functions and external stakeholders. For an owner-managed firm, that means involving someone from operations, IT, or compliance before the rollout starts, not after the first problem appears.

Why does the sequence matter more than the speed?

Fragmented adoption is how scaling most commonly goes wrong: each department adopts AI independently, with different data habits, different tool choices, and no shared controls. The ICO’s AI and data protection guidance requires firms to maintain a documented lawful basis, carry out data protection impact assessments where required, and ensure transparency about how personal data is used in AI systems. Skipping this in one department doesn’t remove the obligation.

The UK Government Playbook’s 10-principle framework addresses this directly. It calls for multidisciplinary teams that include people who can identify risks such as bias and discrimination, and stresses that capability needs change as the project grows. An early decision to standardise access, review, and escalation across departments costs far less than unpicking inconsistent implementations after the fact.

A firm that moves fast but separately ends up with one team that met its compliance obligations and three that didn’t know those obligations existed. The review steps, data permissions, and escalation routes that made the pilot work don’t transfer automatically. They transfer when someone writes them down, hands them to the next team lead, and confirms the team understands them before the tool goes live.

Going department by department without shared standards multiplies exposure rather than value.

Where does fragmented adoption break down?

The cracks appear first at the data layer. A firm might have a sensible prompt policy for its marketing team, preventing client names from going into a public-facing AI tool. When operations picks up the same tool independently, they bring client onboarding data with them, because nobody told them the policy existed. The NCSC’s AI security guidance notes that scaling AI to more teams widens the attack surface through more users, prompts, connectors and vendors.

The second failure point is review and escalation. In the pilot team, someone has been checking AI outputs before they leave the business. When the next department adopts, that review step often doesn’t transfer, because it wasn’t written down and wasn’t part of the handover. The FCA has flagged that generative AI in professional services creates risks around consumer harm, explainability and governance. The same logic applies in any context where AI-assisted output reaches a client.

The third failure point is supplier sprawl. When each department selects its own tool, the firm ends up with multiple AI vendors, multiple data terms, and multiple retention policies, with no single person who knows all of them. The ICO’s guidance on AI makes clear that firms are responsible for how personal data is handled across every tool in the stack, not just the tools IT formally approved.

Each failure point compounds the others, and the longer the firm waits to address them, the harder they become to unpick.

When should you extend to the next department, and when should you wait?

Extend when the pilot team can answer yes to four questions: has the use case produced a stable, measurable result over at least six weeks? Have the data permissions, review steps, and escalation routes been written down in a form another team can follow? Has the firm checked that the tool is appropriate for the data the next department would bring? And has someone in operations or compliance reviewed the plan before rollout?

Wait if the pilot team is still resolving edge cases, if there is no clear data owner for the next department’s work, or if basic cyber hygiene is not in place. The NCSC advises that security controls should be built in before rollout, not retrofitted afterwards. If the firm lacks access controls, logging, or supplier assurance processes, those gaps compound with each department added.

The EU AI Act, which took effect in 2024 and is being phased in through 2025 and 2026, creates documentation, transparency, and human oversight obligations for certain AI system types. These apply to UK firms serving EU clients or using EU-based deployment infrastructure. A firm that has been careful with one department may need to review its position when the next department handles EU client data or uses an EU-based supplier.

If management cannot enforce tool choice and data rules across the business, holding at one team until that governance authority is established is the more pragmatic option.

What else do you need to understand before you start?

Scaling AI across departments sits at the intersection of three other areas of the business: data governance, supplier management, and change management. Understanding how they connect before you start the second department rollout saves time and reduces the chance of a compliance gap appearing six months later. Each one demands a different kind of attention, and none of them belongs to IT alone.

Data governance starts with the ICO’s AI and data protection guidance, which sets out the requirements for lawful processing, data minimisation, security, and, where required, a data protection impact assessment before deploying AI in higher-risk contexts. For firms that have never written a formal data policy, the DPIA process is often the moment they first map what data flows where across the business. That mapping is valuable regardless of AI.

Supplier management means reviewing contracts, data retention terms, and subprocessor arrangements for each new tool before the next department goes live. The NCSC’s AI security collection covers supplier assurance as part of secure AI deployment and is a practical starting point for small firms without a dedicated procurement function.

Change management is where rollouts most commonly stall. Teams who weren’t involved in the pilot don’t trust the tool. Reviewers who weren’t trained skip the check. Managers who weren’t briefed don’t hold the standard. The UK Government’s AI Playbook repeatedly emphasises the need for domain expertise alongside technical skill, and for collaboration across internal functions. In a small firm, that means the person coordinating the rollout needs more time with people than with software.

The firms that scale AI well don’t do it quickly. They do it once, properly, then use what they learned to move faster with the next department. If you’d like to work through what a staged rollout could look like for your firm, book a conversation.

Sources

- Government Digital Service (2025). Launching the Artificial Intelligence Playbook for the UK Government. Blog post announcing the playbook, covering multidisciplinary teams, scan-pilot-scale approach and sandboxed experimentation for safe AI adoption. https://gds.blog.gov.uk/2025/02/10/launching-the-artificial-intelligence-playbook-for-the-uk-government/
- UK Government (2025). Artificial Intelligence Playbook for the UK Government. Full playbook setting out 10 principles for safe, responsible AI use, team composition, governance requirements, and capability needs across the AI project lifecycle. https://www.gov.uk/government/publications/ai-playbook-for-the-uk-government/artificial-intelligence-playbook-for-the-uk-government-html
- Information Commissioner's Office (2024). AI guidance for organisations. Core ICO resource on lawful basis, fairness, accuracy, bias testing, and governance obligations for AI systems that process personal data. https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/artificial-intelligence/
- Information Commissioner's Office (2024). AI and data protection detailed guidance. Specific ICO guidance on data protection obligations when deploying AI, including data minimisation, transparency, and when a DPIA is required. https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/ai-and-data-protection/
- National Cyber Security Centre. AI security guidance. NCSC guidance on treating AI as part of the cyber risk picture, covering access control, secure configuration, supplier assurance, monitoring and incident response for AI deployments. https://www.ncsc.gov.uk/guidance/ai
- National Cyber Security Centre. AI security collection. NCSC collection of resources on securing AI systems, relevant to the widened attack surface when AI scales across departments and additional vendors. https://www.ncsc.gov.uk/collection/ai-security
- Financial Conduct Authority (2024). Research note: generative AI in financial services. FCA research on the governance, consumer harm, explainability and conduct risks that arise when generative AI is used in regulated and professional services contexts. https://www.fca.org.uk/publications/research/research-note-generative-ai-financial-services
- Financial Conduct Authority (2024). Artificial intelligence: future regulation. FCA forward guidance on AI governance, accountability, and third-party reliance obligations relevant to any firm where AI outputs reach clients. https://www.fca.org.uk/publications/future-regulation/artificial-intelligence-ai
- European Parliament and Council (2024). Regulation (EU) 2024/1689 on Artificial Intelligence (EU AI Act). Risk-based regulatory framework with phased obligations on documentation, transparency, human oversight and supplier management, relevant to UK firms with EU clients or EU-based deployment infrastructure. https://eur-lex.europa.eu/eli/reg/2024/1689/oj

Frequently asked questions

How do I know when my AI pilot is ready to scale to other departments?

The pilot is ready when it has produced consistent, measurable results for at least six weeks, the data permissions and review steps are documented in a form another team can follow, and a compliance or operations lead has reviewed the plan. If the team is still resolving edge cases or the governance exists only in one person's head, the pilot is not finished. Write it down first, then expand.

Does UK data protection law apply to AI tools my team uses for internal work?

Yes. The ICO's AI and data protection guidance is clear that UK GDPR applies whenever AI systems process personal data, including internal use cases such as HR communications, client onboarding records, or staff scheduling. Firms need a lawful basis, appropriate security measures, and, for higher-risk processing, a data protection impact assessment before scaling. If personal data goes into the tool, the full set of UK GDPR requirements applies regardless of whether the use is internal or client-facing.

What is the biggest mistake firms make when scaling AI beyond the first team?

Letting each department choose its own AI tool without central oversight. When teams select independently, the firm ends up with multiple vendors, multiple data terms, and no shared controls, which creates compliance gaps and inconsistent outputs. The second most common mistake is assuming a successful pilot validates the tool for every context. What works in marketing may not be appropriate for operations or finance, where different data types, client relationships, and regulatory obligations apply.

This post is general information and education only, not legal, regulatory, financial, or other professional advice. Regulations evolve, fee benchmarks shift, and every situation is different, so please take qualified professional advice before acting on anything you read here. See the Terms of Use for the full position.
