Most blog posts that answer the question "is my business ready for AI?" do so with a list of seven things you might consider doing — three of which require buying their consulting service. This is not one of those posts. The Arx Certa scorecard at the bottom of this page does the actual diagnostic in four minutes; everything above it is just the framework.
The five things that decide AI readiness
Across the assessments Arx Certa has run with UK businesses through 2025 and 2026, five factors decide whether AI adoption lands or stalls. They are not technology factors. They are organisational factors with technology consequences.
Governance. Has the business decided who is accountable for AI usage, what tools are approved, what data may flow into them, and how that gets reviewed? Or is AI adoption happening in the gaps of policies written before AI existed?
Data. Does the business actually know where the data that AI tooling would use lives, how clean it is, how it is permissioned, and how it would be exposed to AI tooling? Or is the data layer mostly hope?
Infrastructure. Does the business have the foundational cloud, identity, security, and integration capability for AI tooling to plug into safely? Or does AI deployment require six months of pre-work the business hasn't planned for?
Security. Has the security baseline been updated for the AI threat surface — MFA on every account, logging that covers AI tool usage, vendor security evidence, exception processes for sensitive content? Or is the AI security posture still implicit?
Use case. Has the business chosen the two or three AI use cases it will pursue this year, with named owners and measurable outcomes? Or is the conversation still oscillating between "we should be doing more with AI" and "we need to be careful"?
A business that can answer all five with a confident "yes" is ready. A business that can answer some but not others is partially ready, with a specific set of foundations to build. A business that cannot answer most of them is not ready, but is also not unusual; this is where most businesses still are in 2026.
The most common pattern: enthusiasm without foundations
The pattern Arx Certa sees most often: leadership has decided AI matters. Budget is loosely available. A handful of staff are already using AI tools — some properly, some not. Nobody is accountable. No policy exists. No DPIA has been done. No vendor due diligence has happened. The data layer has not been audited. The infrastructure question has not been asked.
The business is "doing AI" in the same sense that a teenager with a learner permit is "driving" — actions are taken, motion happens, but the operating model that makes those actions safe is missing.
This is the population the scorecard exists for. It is also the population where six weeks of sequenced foundations work creates more value than six months of vendor evaluation.
What "ready" looks like, vs. what "not ready" looks like
A ready business operates AI inside the same governance perimeter as every other consequential business activity. It has a policy. It has a tool inventory. It has training records. It has audit logs. It has a named accountable owner. It has a use-case shortlist. It runs reviews on a cadence. When a regulator, a board member, or a major client asks, "tell us about your AI usage", the business answers in five minutes from existing documents.
A not-ready business hopes nobody asks. It has individual staff members using AI capably, but no view of the whole. It has Copilot or ChatGPT enterprise licenses, but no operating discipline around them. It has a DPIA somewhere on the legal team's drive. It would not survive a structured audit, and increasingly, it would not survive a sophisticated client doing AI vendor due diligence.
The gap between these states is rarely about money. It is about explicit operating decisions and the consistent execution to back them.
Three common readiness profiles
Most UK businesses fall into one of three profiles:
The Enthusiast. Adopting AI ahead of governance. Top decile on use case. Bottom quartile on governance and security. Risk: a major incident lands before the foundations catch up.
The Sceptic. Slow to adopt, strong on governance because everything is treated as a future audit. Top quartile on governance. Bottom decile on use case. Risk: competitors capture AI productivity gains over the next 18 months while this business is still deliberating.
The Operator. Sequenced adoption — foundations first, then targeted use cases. Mid-range on every dimension, balanced. The boring profile. Also the highest-performing profile over a 12-month horizon, because everything compounds.
The four-minute scorecard tells you which profile your business currently fits and where the next investment should land.
Frequently asked
What does it mean for a business to be 'ready for AI'?
Five things, in this order: governance (a named owner, a policy, an approval process), data (knowing where it lives, how clean it is, how it's permissioned), infrastructure (foundational cloud and integration capability), security (the baseline updated for the AI threat surface), and use case (the 2–3 things AI will be deployed against this year, with named owners and measurable outcomes). A business that can confidently say yes to all five is ready.
What are the five factors that decide AI readiness?
Governance, data, infrastructure, security, and use case. Each is weighted differently for different sectors (governance heavier in legal and financial services, data heavier in logistics, security heavier in healthcare suppliers) — but all five matter for every business. The scorecard checks each dimension with two to three diagnostic questions.
How long does the readiness assessment take?
Four minutes for an individual. We recommend taking it as a leadership group (CEO, CTO/IT lead, COO, head of compliance where applicable). The conversation it surfaces is the actual value — the score is a way of structuring that conversation.
What if our score is low — what's the action plan?
The personalised report includes a 30-day action plan tailored to the dimensions that scored lowest. For most businesses in the "Early" or "Emerging" bands, the right next 30 days are foundations work (policy, data audit, governance setup) rather than tool selection. The plan is written to be actionable inside an existing leadership cadence.
Can leadership teams take this together?
Yes — and we recommend it. The most useful version of the scorecard is when three to five members of a leadership team each take it independently and then compare scores. Where the scores agree, you have consensus on the readiness picture. Where they disagree, you have surfaced an internal conversation that needed to happen anyway.
Related Arx Certa services
If the readiness gaps the scorecard surfaces for your business need outside help to close, these are the engagement types we run for UK firms:
- AI services — implementation reviews, AI policy work, vendor due diligence, and pilot scoping for UK businesses adopting AI safely.
- Cybersecurity — the security overlay AI use requires, including UK GDPR, NCSC alignment, vendor risk assessment, and audit-readiness.
- Database — the data foundations work AI projects depend on. Most AI pilots fail because of the data underneath, not the model.
- Infrastructure — cloud, identity, network and integration foundations that need to be in place before production AI deployment.
Take the 4-minute Arx Certa AI Readiness Scorecard
Twelve plain-English questions, five dimensions, one quantified score. Personalised 30-day action plan tailored to whichever readiness profile your answers describe.
Get your AI readiness score →