Which AI setup fits a 20-person firm and its real constraints

TL;DR

For a 20-person owner-managed business, choosing an AI setup is an operating and compliance decision as much as a product choice. SaaS AI with enterprise admin controls is the practical starting point when client data can be managed by policy; a more controlled or private stack is worth the overhead only when client contracts or regulated sector obligations specifically require it. Either way, the ICO expects UK GDPR compliance from day one.

Key takeaways

- For a 20-person owner-managed business, the AI setup decision is an operating and governance question before it is a product question.
- SaaS AI with admin controls fits when core use cases are drafting, summarising, and internal knowledge work, and client data can be kept out by policy or redaction.
- A private or on-premises stack is justified only when client contracts require data residency or non-training commitments, or regulated sector obligations demand it.
- The ICO, NCSC, and FCA all expect firms using AI with client or employee data to meet UK data protection, cyber security, and governance obligations, regardless of which tool they choose.
- The lower-risk path is a 60 to 90-day pilot with one or two use cases before committing to a full rollout or a more complex infrastructure build.

A founder running a 20-person professional services firm asked a direct question: which AI setup should we actually use? What followed was a longer conversation about what the firm does, who handles its data, what clients expect, and whether anyone would own the ongoing governance. The answer depended almost entirely on those follow-up questions, not on the AI product features.

The choice facing a firm at this scale is less about which AI model performs best and more about which operating setup the firm can actually sustain, govern, and defend to a client or regulator if needed. Two realistic options exist. Here is how to think through which one fits your firm.

What is the decision you are actually facing?

For a 20-person owner-managed business, the AI setup question reduces to two operating models: SaaS AI with enterprise-grade admin controls, or a more controlled arrangement involving private tenants, restricted data classes, or local infrastructure. The right call depends on three things: what data the tool will process, what your clients expect by way of data handling, and whether someone in the firm can own ongoing policy and access governance.

Both options can be made to work. The mistake many firms make is choosing on capability alone, then discovering six months later that the tool handles data in ways that create compliance exposure, or that it does not connect to the systems the team actually uses. UK-facing buying guidance consistently points to use-case definition first, tool selection second. Before looking at a vendor, it is worth being specific about which one or two workflows you are trying to improve.

When SaaS AI with admin controls is the right call

SaaS AI is the right starting point when the firm’s core use cases are drafting, summarising, searching, and internal knowledge work, and when client data can be kept out of the tool either by policy or by redaction before anything is submitted. For an owner-managed business without a dedicated IT function, the lower deployment overhead and predictable per-seat pricing make this the practical entry point.

Enterprise tiers of the main AI platforms typically cost in the range of £30 to £50 per user per month, which for a 20-person firm works out to roughly £7,200 to £12,000 a year before any implementation or training costs. That pricing normally includes a data processing agreement, admin controls, user management and, in most cases, an opt-out from training use. Those protections are not available on consumer tiers as contractual commitments, and for ICO purposes the difference between a signed processing agreement and a settings toggle matters.

The conditions under which SaaS works well include firms that need quick adoption without building infrastructure, teams where the primary AI use cases are knowledge work and document processing rather than handling of highly sensitive client data, and situations where admin controls, data loss prevention settings, and retention policies can be enforced from a central console. If your firm fits that description, a controlled SaaS deployment with a clear acceptable-use policy is the sensible place to start.
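One way to make "redaction before anything is submitted" concrete is a small gate that sits between staff and the SaaS tool: it strips the identifier classes the firm has decided must never reach the vendor, and refuses outright when the text carries a marking that means it should stay in the firm's own systems. The block below is an added example written for this article, not code from any vendor or from the guidance cited here. The regex patterns, the client deny-list, the restricted-marker rule and the sample prompt are all constructed assumptions; the test values (a QQ-prefixed NI number, an 07700 900xxx phone number) are reserved ranges that belong to nobody.

```python
"""Pre-submission redaction gate for prompts bound for a SaaS AI tool.

Added example for this article (not vendor code). Patterns, deny-list and
the sample prompt below are constructed; the restricted-marker rule is an
assumed firm policy, not a regulatory requirement.
"""
import re
from dataclasses import dataclass, field

# Identifier classes the firm has decided must not reach the tool.
# Deliberately simple regexes: they catch the obvious cases and back up
# an acceptable-use policy rather than replace it.
PATTERNS = {
    "EMAIL": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    # UK National Insurance number, e.g. QQ 12 34 56 C (QQ is a test prefix)
    "UK_NINO": re.compile(r"\b[A-Z]{2}\s?\d{2}\s?\d{2}\s?\d{2}\s?[A-D]\b"),
    # UK mobile in national (07...) or international (+44 7...) form
    "UK_PHONE": re.compile(r"(?:\+44\s?7\d{3}|\b07\d{3})\s?\d{3}\s?\d{3}\b"),
    # UK IBAN: GB, two check digits, four-letter bank code, 14 digits
    "IBAN_GB": re.compile(r"\bGB\d{2}[A-Z]{4}\d{14}\b"),
}

# Markings that mean "do not submit at all", whatever else is in the text
# (assumed firm policy).
RESTRICTED_MARKERS = ("PRIVILEGED", "STRICTLY CONFIDENTIAL")

# Constructed client deny-list; in practice this would be fed from the CRM.
CLIENT_NAMES = ["Acme Holdings Ltd", "Beta Partners LLP"]


@dataclass
class GateResult:
    allowed: bool
    text: str                                       # redacted text, "" if blocked
    redactions: dict = field(default_factory=dict)  # label -> count
    reason: str = ""                                # why a submission was blocked


def redact(text: str, client_names) -> tuple[str, dict]:
    """Replace identifiers and known client names with placeholders.

    Returns the redacted text and a count per label. The counts are what
    an admin would log: which class of data was stopped, never the value.
    """
    counts: dict = {}
    for label, pattern in PATTERNS.items():
        text, n = pattern.subn(f"[{label}]", text)
        if n:
            counts[label] = n
    # Longest names first so a full name wins over a shorter alias.
    for name in sorted(client_names, key=len, reverse=True):
        text, n = re.subn(r"\b" + re.escape(name) + r"\b", "[CLIENT]",
                          text, flags=re.IGNORECASE)
        if n:
            counts["CLIENT"] = counts.get("CLIENT", 0) + n
    return text, counts


def gate(text: str, client_names=CLIENT_NAMES) -> GateResult:
    """Apply the policy: block restricted material, redact everything else."""
    upper = text.upper()
    for marker in RESTRICTED_MARKERS:
        if marker in upper:
            return GateResult(False, "", {},
                              f"marked {marker}: keep in the firm's own systems")
    clean, counts = redact(text, client_names)
    return GateResult(True, clean, counts)


if __name__ == "__main__":
    # Constructed prompt using reserved test values.
    sample = ("Summarise the call with Acme Holdings Ltd. Contact Jane at "
              "jane.doe@example.com or 07700 900123. Her NI number is "
              "QQ 12 34 56 C. Pay to GB29NWBK60161331926819.")
    result = gate(sample)
    print(result.allowed, result.redactions)
    print(result.text)
```

Note what survives: "Jane" is left in place because a first name matches no pattern and is on no list. That gap is the point of the example rather than a defect in it. A gate like this reduces accidental leakage and gives the admin something to log and review, but it is the acceptable-use policy, the data processing agreement and the training opt-out that carry the compliance weight.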

When a controlled stack is worth the overhead

A private or on-premises AI stack earns its complexity when client contracts require data residency or explicit commitments that data will not be used for model training, or when the firm operates in a regulated sector where the ICO or FCA will want documented evidence of data governance. The trade-off is real: local models capable of handling mid-size workloads typically need 32GB to 64GB of GPU memory (VRAM), a hardware cost that no SaaS subscription carries.

Beyond the hardware, a private stack needs someone who can operate it, keep it patched, and manage account security. At 20 people, that overhead typically means a part-time technical resource or a managed service provider who understands AI deployment. If neither exists in the firm today, the setup does not become safer just because the infrastructure is on your premises.

There are legitimate cases for this path. Some professional services firms, particularly in legal, financial, or healthcare contexts, have client contracts or sector guidance that effectively mandates data isolation. In those circumstances, the controlled stack is not complexity for its own sake; it is a direct response to a real contractual or regulatory constraint. The NCSC’s AI security guidance notes that any AI system can expand an organisation’s attack surface through insecure integrations and third-party dependence, so the question is always whether the controls on a given deployment match the actual sensitivity of the data flowing through it.

What it costs to get the call wrong

Getting the setup wrong rarely arrives as a single visible failure. It shows up as tool adoption that flatlines in month two, staff time spent double-checking outputs the tool was supposed to replace, and integration rework when the AI does not connect to the systems the firm uses. If client data ends up in the wrong service and is used for model training, the regulatory exposure goes well beyond wasted licence fees.

The ICO has been explicit that feeding data into an AI model is itself a processing decision with privacy consequences. Firms using generative AI tools need to know what data is being submitted, where it goes, whether it is retained, and whether it can be deleted on request. These are not technical questions that belong only with an IT team; they are operational questions that the firm’s leadership needs to be able to answer. The ICO’s generative AI guidance sets out the obligations under UK GDPR and the Data Protection Act 2018, and they apply regardless of which vendor’s tool is in use.

Beyond the regulatory side, a wrong setup also creates commercial drag. Duplicate licence costs accumulate when teams work around a tool they do not find useful. Consultant fees follow when integration work was not scoped before signing. The DraftWise implementation guidance for professional services firms recommends piloting with a small user group across 60 to 90 days and measuring actual output improvement before committing to a wider rollout. That window exists precisely because the cost of course-correcting early is far lower than the cost of unwinding a poorly scoped deployment.

What to ask before you decide

Before signing anything, a firm of this size needs clear answers to a short set of questions, and the most important ones are not about features. They concern what the vendor does with data after submission, whether the firm can enforce its own retention and deletion policy, and whether the vendor can demonstrate UK GDPR compliance as a contractual commitment rather than a privacy policy claim.

A practical shortlist for the evaluation stage:

- What exact workflow are we trying to improve, and what does success look like after 60 days?
- What data will the tool access, process, or store?
- Can the vendor provide a data processing agreement, and does it include a training opt-out?
- Does the tool connect to our email, CRM, and document systems, or will it sit outside the flow people actually work in?
- Does the enterprise tier support single sign-on, and does it give administrators an audit log of who submitted what?
- Who in the firm owns acceptable-use policy and monitors for compliance?
- What happens to our data if we cancel the contract?

Two questions are worth adding if the firm is in a regulated sector or has large enterprise clients: Can we demonstrate lawful basis and data residency to an auditor, insurer, or regulator? And does the tool's data handling comply with any EU obligations, given that the EU AI Act applies to providers and deployers established outside the EU where the system's output is used in the EU, which can catch a UK firm serving EU clients or working with EU counterparties?

The firms that get this right are not necessarily the ones with the most sophisticated AI. They are the ones that started with one or two clearly scoped use cases, ran a short pilot, measured the result honestly, and made a governance call before scaling. At 20 people, that is well within reach. If you want to think through which setup fits your situation, book a conversation.

Sources

- Information Commissioner's Office (2023). Generative AI: how it works, the key risks, and how data protection law applies. The primary UK regulatory guidance on lawful basis, data minimisation, retention, and security when using generative AI tools. https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/artificial-intelligence/generative-ai/
- National Cyber Security Centre (2024). Secure AI system design. NCSC guidance on cyber risks specific to AI adoption, including prompt injection, data leakage, model manipulation, and third-party dependence. https://www.ncsc.gov.uk/guidance/secure-ai-system-design
- National Cyber Security Centre (2024). AI security collection. Practical guidance for organisations managing AI security risks across deployment and operational phases. https://www.ncsc.gov.uk/collection/ai-security
- Financial Conduct Authority (2025). Artificial intelligence in financial services. FCA expectations on governance, accountability, and third-party oversight where regulated firms use AI. https://www.fca.org.uk/firms/artificial-intelligence
- European Parliament (2024). Regulation (EU) 2024/1689 (EU AI Act). Risk-tiered obligations and extraterritorial effects relevant to UK firms serving EU markets or using EU-regulated AI providers. https://eur-lex.europa.eu/eli/reg/2024/1689/oj
- HM Government (2023). AI regulation: a pro-innovation approach. Sets out the UK's sector-regulator approach to AI governance, distinct from the EU single-statute model. https://www.gov.uk/government/publications/ai-regulation-a-pro-innovation-approach/white-paper
- McKinsey & Company (2025). Superagency in the workplace: empowering people to unlock AI's full potential at work. Research on AI adoption outcomes, noting that material gains require workflow redesign and governance alongside tool deployment. https://www.mckinsey.com/capabilities/people-and-organizational-performance/our-insights/superagency-in-the-workplace-empowering-people-to-unlock-ais-full-potential-at-work
- DraftWise (2024). Navigating the legal AI landscape: a comprehensive guide for mid-sized firms. Practical buying and implementation guidance including pilot scoping, 60 to 90 day measurement windows, and vendor evaluation criteria. https://www.draftwise.com/blog/navigating-the-legal-ai-landscape-a-comprehensive-guide-for-mid-sized-firms
- iFeelTech (2026). Local AI server guide for small business. Hardware requirements and economics of local AI deployment, including VRAM benchmarks and total cost of ownership considerations. https://ifeeltech.com/blog/local-ai-server-small-business-guide
- Keystone Corp (2024). How to choose the right AI tool for your business. Practical vendor selection guidance on integration fit, use-case scoping, and security requirements before deployment. https://keystonecorp.com/blog/how-to-choose-the-right-ai-tool-for-your-business/

Frequently asked questions

Can I use a consumer AI tool like ChatGPT for client work in a 20-person firm?

You can, but you need to understand the data handling implications first. Consumer tiers of AI tools typically retain inputs and may use them for model improvement, with no contractual commitment to your firm about either. For client work, the ICO expects you to have a lawful basis for processing and to know where that data goes. Enterprise tiers with data processing agreements and training opt-outs are a materially different proposition.

What does UK GDPR require when a firm uses AI tools with client data?

The ICO's generative AI guidance is clear: you need a lawful basis for processing, transparency obligations, data minimisation, accuracy controls, defined retention periods, and appropriate security. You also need to know whether the vendor is acting as a data processor on your behalf, whether a data processing agreement is in place, and whether the vendor can demonstrate compliance with deletion and non-training commitments.

Is a local AI server worth considering for a 20-person firm?

Rarely, unless client contracts specifically require it or the firm handles highly sensitive regulated data. Local models capable of running mid-size workloads need 32GB to 64GB of VRAM, significant hardware costs, and ongoing maintenance. For an owner-managed business at this scale, a SaaS AI with strong admin controls, DLP settings, and a solid data processing agreement covers the compliance need at a fraction of the operational overhead.

This post is general information and education only, not legal, regulatory, financial, or other professional advice. Regulations evolve, fee benchmarks shift, and every situation is different, so please take qualified professional advice before acting on anything you read here. See the Terms of Use for the full position.

Ready to talk it through?

Book a free 30 minute conversation. No pitch, no pressure, just a useful chat about where AI fits in your business.

Book a conversation
