Do you need an AI readiness assessment? What the $15,000 question actually tells you.

By May 2026, 68 percent of small businesses were using AI regularly. Seventy-seven percent had no formal policy. Somewhere between those two numbers sits the question: should we assess our readiness before we go further?

AI readiness assessments have become a small industry unto themselves. Consultants charge $8,000 to $25,000 for the service. SaaS vendors offer free tools that funnel into their own products. IT providers bundle them with managed services. And small business owners are left wondering whether they need one, what it actually measures, and whether the answer is worth the invoice.

What an assessment actually measures

An AI readiness assessment is not a technical audit. It is a structured review of whether your business has the conditions in place for AI tools to work without creating new problems.

Most assessments measure five areas:

• Data organization. Where your files live, who can access them, whether sensitive information is labeled or just sitting in shared folders alongside everything else.
• Access controls. Whether permissions reflect current roles, whether multi-factor authentication is enforced, whether dormant accounts from former employees still have admin access.
• Infrastructure. Can your current systems support AI tools without rearchitecting everything? Do you have APIs exposed? Can data move between platforms?
• Skills and ownership. Does anyone on your team understand what AI tools can and cannot do? Is one person accountable for adoption decisions?
• Governance. Do you have a written policy covering what data employees can share with AI tools? Do you have a process for approving new tools?

Data readiness is the single most important factor. If your files are spread across SharePoint, OneDrive, shared mailboxes, and legacy file shares with permissions inherited rather than intentional, AI will treat everything equally. An employee asking an AI assistant to summarize recent documents may receive confidential client contracts that were never meant to be broadly accessible.

When you need one (and when you don't)

You do not need a formal assessment if you have fewer than ten employees, use three or fewer SaaS tools, and are experimenting with ChatGPT for drafting emails. The overhead exceeds the risk.

You do need one if:

• You are about to roll out AI tools (like Microsoft Copilot or Salesforce Einstein) across your organization.
• You handle regulated data (healthcare records, financial information, legal files) and AI tools will touch that data.
• You have already deployed AI in one department and are seeing inconsistent results or unexpected outputs.
• Your team is using AI tools on their own, and you have no visibility into what is being shared.

The assessment is not about permission to use AI. It is about identifying where AI will expose problems you already have but have not been forced to confront. Bad permissions structures. Unlabeled sensitive files. No written policy on what constitutes confidential information.

Most companies discover they are not starting from zero. They are starting from messy.

The DIY option

If paying $15,000 for a consultant to tell you your file permissions are a disaster does not appeal, you can run a lightweight version yourself.

Start with three questions:

1. Can you list every place your business data lives? Not just the platforms, but the specific folders, shared drives, mailboxes, and external storage accounts. If the answer is no, that is your first gap.
2. If you picked a random employee and pulled up their access permissions, would you be surprised? Log into your admin console and check. Look at what a mid-level employee can see. If the answer includes things they should not have access to, you have a permissions problem.
3. Do you have a written document that says what employees can and cannot share with AI tools? It does not need to be 40 pages. A simple tier system works: never share (customer data, financials, passwords), share only with approved tools (anonymized data, public content), free to use (brainstorming, formatting, general questions).

If you can answer all three confidently, you are probably ready to expand AI use without a formal assessment. If any of them surfaced uncertainty, you have found where to focus next.

What happens after the assessment

The output of a readiness assessment is not a score. It is a list of gaps and a priority order for fixing them.

Common findings include:

• Overpermissioned accounts (former employees or contractors still have admin access).
• Sensitive files sitting in broadly accessible folders with no sensitivity labels.
• Inconsistent multi-factor authentication (enforced for some roles, skipped for others).
• No AI usage policy, so employees are using personal accounts for work tasks.

The work that follows is called enablement. You address the gaps the assessment surfaced. You clean up permissions. You classify data. You write the five-page policy. You configure tenant settings to support AI tools safely. Then you roll out AI to a small group first, measure what happens, and expand from there.

Enablement is where the actual cost lives. The assessment is just the map.

The question worth asking

The real question is not whether you need a readiness assessment. It is whether you are prepared to act on what it tells you.

If the answer is that you will keep using AI tools regardless of what the assessment says, skip it. You will spend money to generate a document no one follows.

If the answer is that you are ready to fix permissions, classify data, and write policy before rolling out AI more broadly, the assessment becomes useful. It gives you a structured starting point and prevents you from solving the wrong problems first.

Most small businesses in 2026 are past the point of choosing whether to use AI. They are at the point of choosing whether to use it well.

Related: AI for small business: a realistic 90-day plan • AI vendor lock-in is real. Here's what it costs to switch.