Is your business actually ready for AI?

Most blog posts that answer the question "is my business ready for AI?" do so with a list of seven things you might consider doing — three of which require buying their consulting service. This is not one of those posts. The Arx Certa scorecard at the bottom of this page does the actual diagnostic in four minutes; everything above it is just the framework.

The five things that decide AI readiness

Across the assessments Arx Certa has run with UK businesses through 2025 and 2026, five factors decide whether AI adoption lands or stalls. They are not technology factors. They are organisational factors with technology consequences.

Governance. Has the business decided who is accountable for AI usage, what tools are approved, what data may flow into them, and how that gets reviewed? Or is AI adoption happening in the gaps of policies written before AI existed?

Data. Does the business actually know where the data that AI tooling would use lives, how clean it is, how it is permissioned, and how it would be exposed to AI tooling? Or is the data layer mostly hope?

Infrastructure. Does the business have the foundational cloud, identity, security, and integration capability for AI tooling to plug into safely? Or does AI deployment require six months of pre-work the business hasn't planned for?

Security. Has the security baseline been updated for the AI threat surface — MFA on every account, logging that covers AI tool usage, vendor security evidence, exception processes for sensitive content? Or is the AI security posture still implicit?

Use case. Has the business chosen the two or three AI use cases it will pursue this year, with named owners and measurable outcomes? Or is the conversation still oscillating between "we should be doing more with AI" and "we need to be careful"?

A business that can answer all five with a confident "yes" is ready. A business that can answer some but not others is partially ready, with a specific set of foundations to build. A business that cannot answer most of them is not ready, but is also not unusual; this is where most businesses still are in 2026.

The most common pattern: enthusiasm without foundations

The pattern Arx Certa sees most often: leadership has decided AI matters. Budget is loosely available. A handful of staff are already using AI tools — some properly, some not. Nobody is accountable. No policy exists. No DPIA has been done. No vendor due diligence has happened. The data layer has not been audited. The infrastructure question has not been asked.

The business is "doing AI" in the same sense that a teenager with a learner permit is "driving" — actions are taken, motion happens, but the operating model that makes those actions safe is missing.

This is the population the scorecard exists for. It is also the population where six weeks of sequenced foundations work creates more value than six months of vendor evaluation.

What "ready" looks like, vs. what "not ready" looks like

A ready business operates AI inside the same governance perimeter as every other consequential business activity. It has a policy. It has a tool inventory. It has training records. It has audit logs. It has a named accountable owner. It has a use-case shortlist. It runs reviews on a cadence. When a regulator, a board member, or a major client asks, "tell us about your AI usage", the business answers in five minutes from existing documents.

A not-ready business hopes nobody asks. It has individual staff members using AI capably, but no view of the whole. It has Copilot or ChatGPT enterprise licenses, but no operating discipline around them. It has a DPIA somewhere on the legal team's drive. It would not survive a structured audit, and increasingly, it would not survive a sophisticated client doing AI vendor due diligence.

The gap between these states is rarely about money. It is about explicit operating decisions and the consistent execution to back them.

Three common readiness profiles

Most UK businesses fall into one of three profiles:

The Enthusiast. Adopting AI ahead of governance. Top decile on use case. Bottom quartile on governance and security. Risk: a major incident lands before the foundations catch up.

The Sceptic. Slow to adopt, strong on governance because everything is treated as a future audit. Top quartile on governance. Bottom decile on use case. Risk: competitors capture AI productivity gains over the next 18 months while this business is still deliberating.

The Operator. Sequenced adoption — foundations first, then targeted use cases. Mid-range on every dimension, balanced. The boring profile. Also the highest-performing profile over a 12-month horizon, because everything compounds.

The four-minute scorecard tells you which profile your business currently fits and where the next investment should land.