If your answer to any of these is “not sure,” you are not alone — and there is a cheap way to find out.

Most SME leaders I talk to are somewhere between “we should probably do something with AI” and “we already are, quietly, through tools we did not procure.” Both of those are starting points, not destinations. The gap between them is usually not a gap of ambition or budget — it is a gap of visibility. Nobody has sat down and asked five honest questions about what is actually happening inside the business. So here are the five I ask at the start of every readiness conversation. Take a minute on each one. If you can answer all five clearly, you are further along than you think. If you cannot, that is useful information too.

1. Do you know what AI your team is already using?

Not the AI you have bought. The AI your team is already using. ChatGPT Plus on personal accounts, Copilot inside Office 365, the embedded AI features in Notion and Slack and Zoom, the browser extension somebody installed last Tuesday. Shadow AI is the term for this, and most organisations underestimate it by an order of magnitude. The point of the question is not to catch anyone out — it is to establish a factual baseline. Until you know what is in the building, every other governance conversation is hypothetical. Ask the question in a no-blame framing. The answers will surprise you.

2. Do you have a one-page policy that covers AI use?

One page. Not twenty. A short document that says: which tools are OK, what kinds of data must never go into any AI tool, who to ask if you are unsure, and what to do if something goes wrong. This is acceptable use, data classification, and vendor evaluation compressed into something a team can actually read on a Tuesday morning. If the answer is “no,” the answer is also “the first deliverable is obvious.” If the answer is “yes but nobody has read it,” that is the same answer with extra steps. The SAFE-AI Stage 3 - Secure activities are the operational home for this — the policy is not the destination, it is the on-ramp.

3. Do you know where your data goes when your team uses AI tools?

Every prompt is data leaving the organisation. That is the plain version. The longer version is that some AI vendors use inputs to train or fine-tune their models by default, some offer opt-out, some offer opt-in, and some change their terms quietly. Data residency matters — where is processing actually happening, and does that match what your customer contracts promise? And for any AI vendor that processes personal data on your behalf, UK data protection law expects a written data processing agreement under Article 28. If you cannot name the DPA for the three AI tools your team uses most, that is a gap worth closing before it matters.

4. Can you name one specific business outcome you want AI to produce in the next 90 days?

This one is the quiet killer. Most AI conversations start at the tool and never reach the outcome. “We want to use AI for sales” is not an outcome. “We want to cut the time it takes to draft a first proposal from four hours to forty minutes, starting with the three biggest proposal categories” is an outcome. If the answer is vague, the first deliverable is not a tool rollout — it is a 90-day plan that names one outcome, one team, and one success metric. That is a writable document, not a transformation programme. It is also the cheapest thing on this list and the one most often skipped.

5. Who inside your organisation owns “AI” as a responsibility?

Not a committee. A named person. The question is not whether they have the technical background — it is whether the answer to “who is accountable when something goes wrong” is a name rather than a shrug. UK policy thinking in this area is organised around five principles from DSIT, and one of them is accountability and governance: clear lines of oversight across the AI life cycle. See UK Regulatory Overlay for the detail. In practice, for an SME, this means one person who owns the policy, reviews the tool list quarterly, and is the first call if something breaks. If nobody owns it, everybody owns it, which is the same as nobody owning it.

What to do with this

If you have worked through the five questions and you have at least two “not sure” answers, you have two cheap options. The first is the free AI Readiness Scorecard — a 25-question self-assessment that produces a tiered result and a short summary of where your attention should go first. Takes about five minutes. AI Readiness Scorecard. The second, if you want to walk through it properly with someone who has done it before, is the AI Readiness Assessment — a two-to-three day structured engagement that produces a written readiness report, a prioritised action list, and a 90-day plan. It is designed specifically for SMEs in the 5-to-500 employee range and is priced accordingly.

Neither of those is a commitment to anything larger. They are both diagnostic tools. The point of a diagnostic is to tell you where you are, not to sell you the journey.