You don't have an AI adoption gap. You have an AI sprawl problem.
Walk a 250-person IT services firm and ask each delivery pod how they use AI. The infrastructure team is drafting runbooks with one tool. The app-dev group pastes client tickets into another. An account manager has a personal subscription summarizing call notes that include a client's network diagram. Nobody lied on the survey — they all answered "yes, we're experimenting." That's the actual readiness picture at this size, and it's the opposite of the 100-person firm's problem. A smaller shop is trying to start. You've already started, seven times, in seven directions, and at least two of them are quietly feeding client data into systems your security lead has never approved.
The RSM middle-market AI survey, the San Francisco Fed analysis of AI and small businesses, and the OECD report on AI adoption by small and medium-sized enterprises all converge on the same unglamorous requirement: a workflow with a named owner, an approved data source, and a result you can measure. Notice none of those say "more tools." At 250 heads you have plenty of tools. What you're missing is one place where someone can answer "which AI workflow are we standing behind, on what data, and who owns it."
So the first move isn't a new pilot — it's an inventory. List every AI use already running across pods, what client data each one touches, and who would be accountable if a wrong answer reached a client. That list, not a vendor demo, is your real readiness assessment.
Pick the workflow that crosses teams the same way — and govern that one first
Once you've inventoried the sprawl, resist the urge to bless all of it. Choose one workflow that shows up identically across delivery pods. In IT services that's usually ticket triage and first-draft resolution: every team does it, the volume is enormous, and the failure mode (a confidently wrong answer sent to a client) is the same everywhere. That sameness is the point — fix it once, reuse the controls everywhere.
This is where the NIST AI Risk Management Framework stops being a PDF and becomes an org chart. Map where that triage workflow touches sales, delivery, security, and finance, then assign a control owner at each touchpoint — not a committee, a name. The hard call at 250 people is the one most firms dodge: when a ticket involves a client with a custom contract or a regulated environment, who decides whether the AI may answer at all, and who reviews it before it goes out? On the data side, the CISA AI Data Security Best Practices give you the concrete checklist: which sources are approved, role-based access so the infrastructure pod can't read the app-dev pod's client data, retained logs, and a defined escalation path for client-specific answers.
The readiness gap at this scale is almost never a missing capability. It's that handoff authority is ambiguous, client exceptions are handled differently in every pod, and there's no shared standard for what an AI workflow is even allowed to look at. Use the 90-day AI implementation plan to wire those controls into one pod before you copy the model. And run the structured screen in the SMB AI readiness assessment so source quality, ownership, and governance get scored, not assumed.
Prove it in one pod, then export the playbook — not the chaos
Deloitte's State of AI in the Enterprise 2026 is worth reading at this point precisely because it separates production value from experiment count — and a 250-person firm's dashboard is almost always inflated by the second. Pick one delivery group, govern the triage workflow there, and watch what actually breaks: a pod lead overriding the AI on a client it doesn't know, an escalation that should have fired and didn't, a "time saved" number that evaporates once you count the review step.
Track the metrics that survive scrutiny: backlog aging, QA rework rate, handoff delay between teams, delivery-manager adoption (are they using it or working around it?), and escalation quality. The honest test is whether standardized work actually improved — or whether the AI just created one more queue your managers now have to check. If it's the second, you haven't built leverage; you've added overhead with a chatbot.
The sequence that holds at 250 people is unglamorous on purpose: standardize the work first, automate the part that's now standard, then add a management cadence that lets you reuse the control model across pods. What you export to the next team is the governed playbook — the data rules, the owners, the escalation path — not a second round of unsupervised tinkering. Run the workflow through AI ROI measurement that rejects fake savings before you fund pod number two. If the first one can't survive that, the answer isn't to scale faster.
