What AI readiness means for an SME, in plain English

TL;DR

AI readiness is whether your business is practically set up to use AI tools safely and get real value from them. For an owner-managed firm with five to fifty staff, it comes down to five things: knowing which problems you want AI to solve, having data in decent shape, having basic security in place, having clear rules for your team, and meeting your legal duties under UK GDPR.

Key takeaways

- AI readiness asks whether your business is practically set up to use AI tools safely and get real value from them, not just whether you're interested in the technology.
- Your staff are likely already using AI tools without your knowledge; a 2023 Salesforce survey found 61% of workers use or plan to use generative AI, but only 28% say their employer has guidelines in place.
- UK GDPR requires you to demonstrate lawfulness, fairness, and transparency when AI processes personal data; the ICO has specific guidance and a free risk toolkit that covers organisations of all sizes.
- Cyber Essentials, the NCSC-backed baseline standard whose five controls cover firewalls, secure configuration, security updates, user access control (including multi-factor authentication on cloud services), and malware protection, should be in place before you add AI tools to your systems.
- A practical AI readiness plan for a small firm covers four areas: permitted uses, data basics, cyber security foundations, and team training on what AI tools can and cannot do.

A professional services firm with eighteen staff added Microsoft Copilot to their Microsoft 365 subscription last year, mostly because it came included in the price. Within a few weeks, one of the account managers was using it to summarise client call notes before drafting follow-up emails. Nobody had checked whether the tool’s data handling was covered by the firm’s privacy notice. Nobody had told the team what was safe to share, and what wasn’t. The question of readiness arrived after the tool did.

That’s a common situation. The technology moves faster than the governance, and owners find themselves having conversations about policy, risk, and legal exposure on the back foot. AI readiness is the idea that you answer those questions before the tools go live.

What is AI readiness?

AI readiness asks whether your business is practically set up to use AI tools safely and get real value from them. For an owner-managed firm with five to fifty staff, it comes down to five things: knowing which problems you want AI to solve, having data in decent shape, having basic security in place, having clear rules for your team, and meeting your legal duties under UK GDPR.

Large consultancies describe AI readiness using frameworks with six pillars: strategy and vision, data foundation, organisation and culture, technical infrastructure, governance and compliance, and model management. RSM’s AI readiness assessment uses exactly this structure. For a firm of twenty people, that’s more useful as a checklist than as a programme. You don’t need a board committee and a maturity model; you need honest answers to whether your current setup can handle the tools you’re about to use.

The critical distinction for a smaller firm is that you’ll adopt AI through vendors, not by building your own systems. Your job is to choose the right tools and use them safely, not to train machine learning models. Harvard Business School Online frames AI readiness as having the right strategy, data, technology, and culture to adopt AI responsibly. At the owner-managed level, that means ten people and a CRM, not a data science team with a GPU cluster.

Why does it matter for your business?

Your staff are probably already using AI tools, whether or not you’ve approved them. A 2023 Salesforce survey found 61% of workers globally use or plan to use generative AI, but only 28% say their employer has guidelines in place. In a ten-person firm, there’s a reasonable chance at least one person is pasting client information into ChatGPT or using an AI writing assistant without a policy to guide them.

The legal exposure is real. The Information Commissioner’s Office has published specific guidance on AI and data protection, and its risk toolkit is designed for organisations of all sizes, not just large enterprises. If your firm uses AI in ways that process personal data, you are expected to demonstrate that the processing is lawful, fair, and transparent. A data breach or regulatory complaint involving AI tools will quickly surface the question of whether you had a policy in the first place.

The professional risk is equally direct. In 2023, a US law firm was sanctioned after a lawyer submitted a brief containing fake case citations generated by ChatGPT. The court imposed a $5,000 fine. The reputational damage was harder to quantify but considerably larger. Smaller firms are not insulated from this kind of exposure simply by being smaller. If AI-generated work goes to a client without being checked, the professional and contractual consequences land on the business regardless of headcount.

Where will you actually meet it?

Three situations bring AI readiness into focus for a typical owner-managed firm. The first is when a team member starts using ChatGPT or Microsoft Copilot with real client data. The second is when a software provider switches on AI features inside a tool you already pay for, often without much fanfare. The third is when a regulator, an enterprise client, or a prospective acquirer asks how you manage AI risk.

Of those three, the second is the one firms are least prepared for. Google Workspace AI, Microsoft 365 Copilot, and the AI assistants embedded in CRM platforms and accounting software are already active inside many businesses. Each raises data handling questions that your current data processing agreements and privacy notices may not cover: where prompts and outputs are processed, how long they are retained, who at the vendor can see them, and whether your data is used to train the vendor's models. When a vendor adds AI to its platform, it changes what it does with your data. You are responsible for understanding that change, and for telling your clients if it affects how their information is handled.

For firms in regulated sectors, the third situation carries particular weight. The FCA named AI as a key priority in its 2024/25 Business Plan, with explicit focus on how firms manage AI-driven operational and conduct risk. If you use AI to screen clients, draft advice, or automate any decision with significant effects on individuals, you need to be able to show regulators you have governance around it. “We didn’t know it was doing that” is not a position that holds.

When to ask about readiness, and when to put it aside

Ask about AI readiness when you handle personal data, use cloud-based tools for client work, or operate in a regulated sector. Put it aside if you genuinely don’t process personal data beyond basic contact details and use AI only on non-sensitive content like internal brainstorming. That lower-risk profile exists, but it covers fewer businesses than founders tend to assume.

The NCSC advises organisations to get Cyber Essentials basics in place before adding AI to their systems. That means the five Cyber Essentials controls: firewalls, secure device configuration, keeping software patched, user access control (strong passwords, least-privilege accounts, and multi-factor authentication on cloud services), and malware protection. Backups are not assessed under Cyber Essentials, but the NCSC recommends them and they belong on the same list. If those aren't in place, AI creates a larger attack surface on top of an already weak foundation: an AI assistant with access to your mailbox and files can only see what the account it runs under can see, so weak access control becomes an AI problem as well. The NCSC's guidance on AI security covers this plainly and is free to access.

A practical readiness plan for an owner-managed firm typically covers four areas. First, decide where AI is and isn’t allowed, with a one-page policy that names the approved tools and requires human review of all outputs before they reach clients. Second, confirm your key data is stored in a small number of secure, access-controlled systems rather than scattered across personal laptops. Third, check your Cyber Essentials foundations. Fourth, run a short team session on what AI tools can get wrong, particularly the tendency to produce convincing but inaccurate output.

Three terms come up regularly alongside AI readiness, and it helps to know what each means. A Data Protection Impact Assessment is a mandatory review under UK GDPR when AI use is likely to result in high risk to individuals, such as automated hiring decisions or large-scale customer profiling. Cyber Essentials is the NCSC’s baseline security standard. The EU AI Act adds compliance obligations for UK firms whose AI-enabled services reach EU clients.

DPIAs are practical documents. The ICO publishes templates and guidance to help organisations of all sizes work through them. If you use AI to shortlist job applicants, profile customers, or make automated decisions with significant effects on individuals, a DPIA is the record that shows you thought it through before you switched the process on.

On Cyber Essentials: meeting this standard doesn’t require a specialist or a large budget. The NCSC provides guidance on five technical controls. Many owner-managers find they’re already close to the baseline; a half-day review typically reveals what’s in place and what still needs attention.

The EU AI Act is primarily aimed at providers and deployers of high-risk AI systems. If you use AI tools built by vendors operating in the EU, or if your AI-enabled services reach EU individuals, ask your vendors whether they can demonstrate compliance. For owner-managed service firms, the Act is typically a vendor question rather than a direct obligation, unless you’re building or selling AI systems yourself.

Sources

- ICO (2024). Guidance on AI and Data Protection. Explains lawfulness, fairness, transparency, and accountability requirements for organisations using AI that processes personal data. https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/artificial-intelligence/ai-and-data-protection/
- ICO (2024). AI and Data Protection Risk Toolkit. Practical self-assessment tool for organisations of all sizes on managing AI-related data protection risks. https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/artificial-intelligence/ai-and-data-protection-risk-toolkit/
- ICO (2024). Rights Related to Automated Decision-Making Including Profiling. Covers Article 22 UK GDPR safeguards and mandatory DPIA requirements for high-risk AI uses. https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/guide-to-data-protection/key-dp-themes/rights-related-to-automated-decision-making-including-profiling/
- NCSC (2024). The Security of AI Systems. NCSC guidance on AI security considerations including prompt injection, data leakage, and recommended baseline controls for organisations. https://www.ncsc.gov.uk/collection/security-of-ai
- NCSC (2024). Cyber Essentials: Technical Controls. Baseline standard covering firewalls, secure configuration, security update management, user access control, and malware protection for UK organisations. https://www.ncsc.gov.uk/cyberessentials/overview
- FCA (2024). Our Business Plan 2024/25. Names AI as a key regulatory priority, with explicit focus on operational, conduct, and consumer risks for firms using AI in financial services. https://www.fca.org.uk/publications/corporate-documents/our-business-plan-2024-25
- European Union (2024). EU Artificial Intelligence Act. Risk-based regulatory framework for AI systems, with transparency and compliance obligations relevant to UK firms serving EU clients. https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32024R1689
- Harvard Business School Online (2024). How to Know If Your Company Is AI-Ready. Frames AI readiness as having the right strategy, data, technology, and culture to adopt AI responsibly. https://online.hbs.edu/blog/post/ai-readiness
- Salesforce (2023). Generative AI in the Workplace Report. Found 61% of workers globally use or plan to use generative AI, but only 28% have employer guidelines on safe and ethical use. https://www.salesforce.com/news/stories/salesforce-survey-reveals-workers-using-generative-ai/
- US District Court, Southern District of New York (2023). Mata v. Avianca, Inc., sanctions order. Documents professional and financial consequences for a law firm that submitted AI-generated fake case citations without verification. https://storage.courtlistener.com/recap/gov.uscourts.nysd.596261/gov.uscourts.nysd.596261.54.0_1.pdf

Frequently asked questions

Do I need a formal AI readiness programme if I only have ten staff?

Probably not a formal programme, but you do need honest answers to a few key questions: what AI tools your team are using, what data those tools can see, and whether your privacy notices and data processing agreements cover it. A one-page AI use policy and a quick check of your software vendor settings will cover most of what a ten-person services firm needs.

What does the ICO actually expect from a small firm using AI?

The ICO expects you to be able to show that any AI processing of personal data is lawful, fair, and transparent, that you've minimised the data involved, and that you've secured it properly. For high-risk AI uses, such as automated decision-making that significantly affects individuals, a Data Protection Impact Assessment is mandatory. The ICO's AI and data protection risk toolkit gives practical, free guidance for organisations of all sizes.

Does the EU AI Act affect a UK firm that doesn't sell into Europe?

If you genuinely don't serve EU clients or process data on EU residents, the EU AI Act's direct obligations probably don't apply to your firm. However, if any of your AI-enabled services reach EU individuals, or if you use tools from vendors operating under the Act, compliance questions arise. The Act uses a risk-based approach, and high-risk uses such as hiring decisions and credit assessments carry the heaviest obligations.

This post is general information and education only, not legal, regulatory, financial, or other professional advice. Regulations evolve, fee benchmarks shift, and every situation is different, so please take qualified professional advice before acting on anything you read here. See the Terms of Use for the full position.

Ready to talk it through?

Book a free 30 minute conversation. No pitch, no pressure, just a useful chat about where AI fits in your business.
