Practical AI and SaaS for Business

Is Your Business Ready for AI? A Readiness Self-Assessment

Use this practical AI readiness assessment to identify whether your business is prepared for a pilot, a limited rollout, or wider adoption, with checks covering goals, data, staff, governance, security and incident response.

Last verified: 14 July 2026. References checked against current legislation.

Editorial Perspective

You own a 12-person bookkeeping firm and are deciding whether to introduce AI tools across the whole team. The pressure is not just choosing software, it is avoiding client-data mistakes, inconsistent work and a rollout nobody owns. This assessment shows which foundations are already in place, which gaps need attention and whether a pilot is safer than a full launch. No technical background is needed. Work through it in plain English.

This article summarises publicly available guidance from regulators and official sources. It is general educational information only and does not constitute legal or professional advice. Requirements vary by jurisdiction. Consult your regional authority or a qualified professional for advice specific to your situation.

If AI sounds useful but you are unsure whether your business is organised enough to use it safely, that is a normal place to start. Readiness is not about having technical specialists or buying an expensive platform. This guide helps you assess the business foundations that should come first, identify the gaps that matter most and choose a sensible next step.

In short: your business is ready to explore AI when it has a clear use case, an accountable owner, suitable data-handling rules, staff guidance, human review and a way to respond when something goes wrong. A low score does not mean you should avoid AI. It usually means you should begin with a controlled pilot rather than a firm-wide rollout.

What AI readiness actually means

AI readiness is the ability to use an AI system for a defined business purpose without creating unmanaged operational, privacy, security or customer risks. It combines ordinary management disciplines such as clear ownership, approved processes, staff training and incident planning. The software matters, but it is only one part of the decision.

A business can be digitally capable and still be unready for AI. For example, it may use cloud accounting, online document storage and automated workflows, yet have no rule covering what staff may paste into a public chatbot. It may also lack a person responsible for checking output quality or handling a client complaint caused by an inaccurate AI-generated response.

A practical example: why a pilot can be the right answer

Alex owns a 12-person bookkeeping firm and initially assumes the main decision is which AI tool to buy. The proposed use case is simple: help staff turn internal meeting notes into draft task lists and first-draft client follow-up emails. Alex plans to switch the feature on for everyone after a short product demonstration.

Working through the assessment changes that plan. The firm has a useful task, capable staff and secure business accounts, but nobody owns AI governance and there is no process for reporting an accidental disclosure or a seriously wrong output. Alex delays the full rollout by one month, appoints an owner, writes basic usage rules and runs a pilot with two staff using non-sensitive information. The result is progress without pretending the missing controls do not matter.

How to score this assessment

Score each statement from 0 to 2. Use 0 when the statement is not true, 1 when it is partly true or informal, and 2 when it is documented, understood and used in practice. There are 24 statements across eight readiness dimensions, giving a maximum score of 48.

Do not inflate the score because a policy is planned or because one knowledgeable employee understands the issue. Readiness depends on what the business can repeat consistently. Record evidence beside each answer, such as a policy link, assigned owner, training record, approved tool list or incident procedure.

💡

Scoring guide: 0 means absent, 1 means partial or informal, and 2 means established. Any zero in data handling, security, human review or incident response should be treated as a rollout blocker for sensitive or customer-facing work, regardless of the total score.

1. Business purpose and expected value

Readiness begins with a specific business problem, not a general instruction to find uses for AI. Score the following statements:

  1. We can name one task or workflow where AI may save time, improve consistency or reduce a known bottleneck.
  2. We know who performs the task now, how often it occurs and what a satisfactory result looks like.
  3. We have defined a pilot measure, such as minutes saved, rework reduced, response time improved or draft quality accepted by a reviewer.

A vague goal such as making the business more efficient is not enough to judge success. A better goal is reducing the time spent turning weekly meeting notes into assigned actions from 30 minutes to 10 minutes, while keeping a manager responsible for approval.

2. Process stability and human review

AI is easier to introduce when the underlying process is already understood and somebody remains accountable for the outcome. Score these statements:

  1. The current process is documented well enough that staff agree on the normal steps and expected output.
  2. A named person can review AI-assisted work before it affects a customer, employee, payment, contract or regulated decision.
  3. We know which decisions will remain human decisions and will not be delegated to an AI system.

Automating a confused process usually produces confused results faster. Human review also needs to be real, not a rubber stamp. The reviewer should know what to check, have enough time to check it and have authority to reject the output.

3. Data quality, permission and privacy

Your business should know what information an AI tool will receive, whether that information is suitable for the task and whether you are permitted to use it that way. Score these statements:

  1. We can identify the data the use case needs and separate it from information that is unnecessary or overly sensitive.
  2. We understand whether the selected service stores prompts, files and outputs, where processing occurs and whether submitted content may be used to improve models.
  3. Our privacy notices, customer commitments, contracts and professional duties have been considered before client, employee or confidential data is used.

For a first pilot, use synthetic, public or properly de-identified material wherever possible. Vendor settings can reduce exposure, but settings do not replace a decision about whether the information should be entered at all. Where the answer depends on local law, a contract or professional duty, confirm the position with the relevant authority or adviser.

4. Security and vendor controls

An approved business account with controlled access is safer than staff creating their own accounts with unknown settings. Score these statements:

  1. AI access uses business-managed accounts, strong authentication and permissions that can be removed when a person leaves or changes role.
  2. Someone has reviewed the vendor's security, privacy, retention, deletion and subcontractor information at a level proportionate to the planned use.
  3. We have an approved-tool list and a rule preventing confidential work from being moved into unapproved personal accounts.

The US Federal Trade Commission's business security guidance recommends knowing what personal information the business holds, keeping only what is needed, protecting it and planning ahead for incidents. Those principles are directly useful when reviewing an AI workflow. See the FTC guide for business.

5. Ownership and governance

Every AI use case needs a business owner who can approve it, pause it and answer for its operation. Score these statements:

  1. A named person owns the pilot and is responsible for the use case, vendor, staff instructions and review schedule.
  2. We maintain a simple register of approved AI uses, tools, data types, owners and known risks.
  3. There is a clear approval path for new AI uses, material changes and higher-risk applications.

Governance does not require a large committee. In a small business it may be one accountable manager, a second reviewer and a short monthly review. What matters is that decisions are recorded and do not disappear between IT, operations, legal advisers and individual staff.

6. Staff capability and acceptable use

Staff need practical guidance on permitted uses, prohibited information and the limits of AI output. Score these statements:

  1. Staff receive role-relevant training before access, including examples of acceptable and unacceptable use.
  2. Our written guidance explains that AI output may be inaccurate, incomplete, biased or unsuitable and must be checked.
  3. Staff know how to disclose AI assistance where customer, contractual, professional or internal rules call for transparency.

The European Commission's AI literacy guidance explains that the level of knowledge should reflect people's experience, the context in which an AI system is used and the people affected by it. This is a useful planning principle even for businesses outside the European Union. Review the European Commission AI literacy guidance and confirm any regional requirements that apply to your organisation.

7. Testing, monitoring and evidence

A useful pilot tests the system against realistic examples and records both gains and failures. Score these statements:

  1. We have a test set that includes normal cases, difficult cases and examples the system should refuse or escalate.
  2. We will record errors, corrections, staff feedback, time saved and any negative effect on quality or customers.
  3. We have defined a review date and clear criteria for expanding, changing, pausing or stopping the use case.

The US National Institute of Standards and Technology organises its voluntary AI Risk Management Framework around four functions: Govern, Map, Measure and Manage. The framework is not a pass-fail checklist, but it provides a useful structure for identifying context, assessing risk and responding over time. See the NIST AI Risk Management Framework.

8. Incident response and exit planning

Readiness includes knowing what happens when the tool produces a harmful result, exposes information or becomes unavailable. Score these statements:

  1. Staff know how to report an AI-related error, suspected data disclosure, inappropriate output or customer complaint.
  2. A named person can suspend access, preserve relevant records, contact the vendor and coordinate the business response.
  3. We know how to export or delete business data, revoke access and continue the underlying process without the tool.

An incident plan can be brief, but it should be usable. It should state who receives the report, what information to capture, when the tool should be paused and who decides whether customers, insurers, advisers or authorities need to be contacted.

What your score means

AI readiness score and recommended next step

ScoreInterpretationRecommended action
0 to 16 Foundations missingA rollout would depend on individual judgement and unmanaged workarounds.Do not launch sensitive or customer-facing uses. Choose one low-risk use case and build basic ownership, data and incident controls first.
17 to 31 Pilot readinessSeveral foundations exist, but they are incomplete or informal.Run a small, time-limited pilot with approved users, low-risk data, human review and documented success and stop criteria.
32 to 41 Controlled rollout readinessThe business has workable controls, although some areas still need strengthening.Expand gradually by use case. Review evidence, training and incidents before adding more people, data or customer impact.
42 to 48 Strong readinessGovernance and operational controls are established across the assessed areas.Proceed with a governed rollout, while continuing monitoring, periodic vendor review and regional legal checks.

The total score is a guide, not a compliance certificate. A high score cannot make an unsuitable use case safe, and a low score does not prevent all experimentation. The decision should also consider the sensitivity of the data, the people affected, the reversibility of an error and whether the system influences employment, credit, health, education, legal services or other consequential outcomes.

What regulators and standards bodies say

Current governance frameworks share a common theme: organisations should understand the use, assign responsibility, assess risk, support competent users and monitor results. They do not create one universal readiness score for every business, but they provide useful reference points for building a proportionate process.

The European Union's AI Act uses a risk-based approach, with different rules depending on the system and use. Its requirements and implementation dates vary, so businesses operating in or affecting the EU should review the European Commission's AI Act overview and obtain advice for specific applications rather than assuming a general business checklist resolves the question.

In the United States, the FTC has repeatedly focused on deceptive claims, privacy promises and data-security practices involving AI. Its guidance is particularly relevant when a business markets AI capabilities, handles consumer information or relies on vendor statements. The FTC artificial intelligence resource page brings together current actions and guidance.

ISO/IEC 42001 provides requirements for an artificial intelligence management system, including leadership, policy, objectives, risk management and continual improvement. Certification may be unnecessary for many small businesses, but the structure can help a growing organisation formalise governance. See the official ISO/IEC 42001 overview.

A sensible 30-day readiness plan

Most small businesses can improve readiness without building a large programme. Use the following sequence:

  1. Week 1: select one narrow use case, name its owner and document the current process and expected result.
  2. Week 2: identify the data involved, review the vendor's business terms and settings, and define prohibited information.
  3. Week 3: write a one-page usage rule, train the pilot users and prepare realistic tests, including failure cases.
  4. Week 4: run the pilot, record quality and time outcomes, test incident reporting and decide whether to expand, revise or stop.

Keep the first pilot reversible. Avoid high-impact decisions, confidential data and direct customer publication until the business has evidence that its controls work. A successful pilot is not merely one that saves time, it is one that produces a result the business can review, explain and repeat.

Planning note: this assessment helps organise a business decision. It does not determine whether a particular AI use complies with every law, contract, professional obligation or sector rule. Confirm specific requirements with the relevant regulator, professional body or qualified adviser.

Frequently asked questions

Methodology (Real-World, Verified)

We test AI tools against real SMB workflows: the tasks a 20-person business actually uses AI for, not enterprise demos. Pricing is verified at the vendor's published rates, with local-currency conversions noted where relevant. Compliance notes reference the legislation and regulatory guidance relevant to each article's region. Every tool is judged on one question: could a business with no dedicated IT department actually pick this up and use it on Monday morning.

Related reading: our AI governance by region.

Try our free AI Tool Selector to get a personalised AI tool recommendation for your business.

Does a small business need an AI strategy before using AI?

No. A small business can begin with one defined use case, one accountable owner and a short set of rules. A broader strategy becomes useful when several teams, tools or higher-impact uses need to be coordinated.

What is the biggest sign that a business is not ready for AI?

The clearest warning is that nobody owns the outcome. If staff can introduce tools, enter business data and publish output without approval, review or incident reporting, the business should establish those controls before expanding use.

Can we start with free AI tools?

Yes, for low-risk experiments using public, synthetic or properly de-identified information. Free consumer accounts may provide fewer administrative, privacy, retention and access controls, so they are usually a poor starting point for confidential or customer-related work.

How long should an AI pilot run?

Run it long enough to cover a representative number of real tasks, often two to six weeks for a frequent office workflow. Set the review date before starting and define the evidence needed to expand, revise or stop.

Is a written AI policy enough to make a business ready?

No. A policy is useful only when it is supported by approved tools, training, human review, ownership and a working incident process. The assessment should score what happens in practice, not merely whether a document exists.

Find official guidance for your region

Requirements vary by jurisdiction. This article provides general information only. Consult your regional authority or a qualified professional for advice specific to your situation.

The information in this article is general in nature. It reflects a summary of publicly available guidance and does not constitute legal, privacy, or professional advice. Your obligations will depend on your specific situation, jurisdiction, and business circumstances. Do not rely on this article as a substitute for qualified legal or professional advice.

AI use often starts before a formal rollout. Learn how shadow AI develops and what it can reveal about your business's readiness gaps.

Read the Shadow AI Guide