Free vs paid AI assessment: when each makes sense
The short answer. A free AI assessment (scorecard, checklist) is the right starting point for most UK businesses. It surfaces the readiness picture, gives you a 30-day action plan, and costs nothing. A paid AI assessment is the right next step when the free instrument shows the readiness gap is too wide to close internally, when independent assurance is required (regulator, customer, board), or when the AI footprint is already substantial. Most businesses do free first, then decide; some go straight to paid because the trigger is external.
What you actually get from a free AI assessment
A free AI assessment — the Arx Certa scorecard is one example — produces: a quantified readiness score (typically 0–100 or band-based), an analysis of the dimensions where gaps are largest, a personalised report tailored to your sector and current state, and a 30-day action plan. It does not produce: independently-validated evidence, regulator-grade documentation, or hands-on remediation. For most UK businesses below mid-market, this is enough to start.
What you get from a paid AI assessment
A paid AI assessment engagement adds: independent review (the assessor is accountable), evidence collection (not just self-report), regulator-grade documentation, remediation planning that goes deeper than a 30-day plan, often hands-on remediation help, and an artefact you can hand to a board, a regulator, or an enterprise customer. Typical pricing ranges from £3,000–£15,000 for SME-scale work to £30,000+ for regulated-firm assessments with full evidence packs.
When the free version is the right answer
Five situations: 1. AI is not yet at scale in the business. 2. Internal leadership disagrees about readiness — the scorecard structures the conversation. 3. You're scoping whether to commission paid work and need a position first. 4. You want to compare scores across leadership team members (the scorecard takes 4 minutes; comparing 3–5 scores is the actual exercise). 5. You're at a small-business scale where paid engagement isn't proportionate.
When paid is the right answer
Five situations: 1. Independent assurance is required — a regulator, an enterprise customer, or your board needs a third-party-signed-off position. 2. AI is already in production-grade use across the business without structured governance. 3. The free-assessment 30-day plan surfaces gaps too wide to close internally (typically: full data classification work, full vendor remediation, multi-system integration). 4. Sector-specific obligations are involved (FCA SS1/23, NHS supplier DSPT renewal). 5. An AI incident has occurred and a structured response is needed.
The economic argument
Free assessments work best when their job is to define scope and produce action. Paid assessments work best when their job is to produce assurance. Almost no UK business in 2026 should be paying for an AI assessment whose only output is a maturity score — that is what free instruments produce. The premium on a paid engagement should be paying for the things the free version explicitly cannot do: independent challenge, evidence collection, regulator-grade artefacts, hands-on closure of gaps.
Two practical paths
Path A — most businesses: take the free scorecard, run it across leadership, execute the 30-day plan internally, reassess at 90 days. Path B — regulated firms or businesses with external triggers: take the free scorecard to define internal position, then commission a paid engagement scoped against the gaps it surfaced. The scorecard is free precisely because it's most useful as a first step, not a destination.
Free AI Readiness Scorecard
Twelve plain-English questions across governance, data, infrastructure, security and use case. Get your 0–100 score, your readiness band, and a personalised 30-day action plan.
Take the scorecard →Frequently asked
Is a free AI assessment really useful or just a lead magnet?
Both can be true. A useful free assessment produces a genuine maturity picture and a genuine action plan; if it doesn't, it's lead-collection in disguise. The Arx Certa scorecard is designed to be genuinely useful first — the 30-day action plan is sector-specific and actionable whether you ever engage Arx Certa for paid work or not. The honest test is: would the recipient be willing to forward the report to their MD or board.
How much does a paid AI assessment cost?
Wide range. Light-touch SME engagements: £3,000–£8,000 for 1–2 weeks of structured work. Mid-market or sector-specific: £8,000–£25,000. Regulated-firm assessments with full evidence packs: £25,000–£60,000+. The single biggest cost variable is scope; the second is whether evidence collection is included.
Will doing a free assessment lock me into a paid engagement?
No — and any assessment provider that suggests otherwise is the wrong provider. The Arx Certa scorecard report is yours to take and act on independently; we follow up if you ask us to, not because you completed the scorecard.
How is the Arx Certa free scorecard different from other free assessments?
Three differences: UK-specific framing (UK regulators, UK GDPR, UK sector context) rather than generic; a working 30-day action plan tailored to your sector and band, not just a score; and an explicit position on when you should NOT engage paid work (the scorecard is designed to tell you when you can solve gaps internally).
If we already have a CISO or compliance lead, do we still need any AI assessment?
Yes — and existing CISOs and compliance leads are typically the first to recognise this. A CISO has the right baseline for security and compliance review, but AI-specific risks (prompt injection, model behaviour drift, vendor sub-processing patterns, AI-specific contractual gaps) are an additive layer. A free assessment surfaces whether the additive layer is in place; a paid engagement builds it where it isn't.
Related Arx Certa services
If the readiness gaps the scorecard surfaces for your business need outside help to close, these are the engagement types we run for UK firms:
- AI services — implementation reviews, AI policy work, vendor due diligence, and pilot scoping for UK businesses adopting AI safely.
- Cybersecurity — the security overlay AI use requires, including UK GDPR, NCSC alignment, vendor risk assessment, and audit-readiness.
- Database — the data foundations work AI projects depend on. Most AI pilots fail because of the data underneath, not the model.
- Infrastructure — cloud, identity, network and integration foundations that need to be in place before production AI deployment.