The 200-person trap: too big to wing it, too small to absorb a bad scope
Picture a 200-person business. Eight or nine departments. A CRM somebody half-migrated two years ago, a finance shared drive only three people fully understand, and a SharePoint that has accreted every dead project since the company was 60 people. Now a vendor walks in with a proposal that says "AI implementation" on one line and a number next to it. That number is fiction — not because it's too high, but because nobody has priced the swamp the AI has to drink from.
This is the specific problem at 200 people. You're past the size where a 40-person shop can drop in one tool and call it a day, but you're nowhere near the enterprise that has a data governance team on payroll. McKinsey's State of AI 2025 keeps landing on the same finding: value shows up when companies redesign the actual workflow, not when they bolt a model onto an unchanged process. So the first question to a consultant isn't "what's your rate?" It's "which workflow, whose data, and how will I see the number move?"
IBM's Institute for Business Value frames the same thing as a capability stack — data, operating model, adoption, measurement. Translated to a line-item estimate, that means a credible proposal breaks the spend into distinct lanes: diagnostic, data cleanup, workflow integration, security review, training, and benefits tracking. If all six are hiding under one "implementation" label, you're not looking at a budget. You're looking at a blank check with a logo on it.
The line item that ambushes a company your size: access
Here's where 200-person engagements actually overrun. An AI assistant inherits whatever permissions your environment already grants. Microsoft's own Copilot data-protection architecture spells it out: the assistant can surface anything a user could already reach. At 60 people, "anything a user could reach" is contained. At 200, after years of "just give them access so the project isn't blocked," it's a minefield — the finance folder a sales rep can technically open, the HR exports sitting in a Teams channel, the old CRM dump nobody locked back down.
So when a consultant quotes the build but skips the access audit, they haven't given you a lower price. They've handed you the risk and kept the discount. The honest version of the estimate prices the controls before the build. NIST's AI Risk Management Framework gives the sequence in plain terms: map the context, measure the failure modes, manage the controls, and name an owner for each. That's not an end-of-project compliance review you can defer — it's load-bearing scope that determines whether the thing is safe to turn on.
And it can't live only in a policy PDF. PwC's 2025 Responsible AI survey makes the point that the controls have to reach the people actually building and rolling out the workflow. Practically, for a company your size: name four owners up front — one for the business outcome, one for data and access, one for risk, one for adoption. If a proposal can't tell you who holds each of those four, the spend isn't scoped. It's just optimistic.
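As an added illustration (not from the original article or any vendor's tooling), here is one way to express the check an access audit runs: given a permissions inventory, it resolves nested groups and lists the sensitive resources readable by people outside the owning department, which is exactly what an assistant acting for those users could surface. Every group, user and resource name is constructed sample data, and the inventory format is an assumption; a real audit would export it from your directory and file platform.

```python
# Constructed sample inventory: all names below are hypothetical.
GROUPS = {  # group -> members (users or nested groups)
    "sales": {"rep_ana"},
    "finance": {"fin_bo", "fin_cy"},
    "hr": {"hr_di"},
    "project-2021": {"sales", "fin_bo"},  # stale project group, never cleaned up
    "all-staff": {"sales", "finance", "hr"},
}
DEPARTMENT = {"rep_ana": "sales", "fin_bo": "finance",
              "fin_cy": "finance", "hr_di": "hr"}
RESOURCES = [  # (name, owning department, sensitive?, principals granted read)
    ("Finance shared drive", "finance", True, {"finance", "project-2021"}),
    ("HR exports (Teams channel)", "hr", True, {"all-staff"}),
    ("Old CRM dump", "sales", True, {"sales", "fin_cy"}),
    ("Company handbook", "hr", False, {"all-staff"}),
]

def expand(principal, groups):
    """Resolve a user or (possibly nested, possibly cyclic) group to its users."""
    users, stack, seen = set(), [principal], set()
    while stack:
        p = stack.pop()
        if p in seen:
            continue  # already visited: protects against cyclic group nesting
        seen.add(p)
        if p in groups:
            stack.extend(groups[p])
        else:
            users.add(p)
    return users

def overexposed(resources, groups, department):
    """Map each sensitive resource to the readers outside its owning department."""
    findings = {}
    for name, owner_dept, sensitive, grants in resources:
        if not sensitive:
            continue
        readers = set().union(*(expand(g, groups) for g in grants))
        outsiders = sorted(u for u in readers if department.get(u) != owner_dept)
        if outsiders:
            findings[name] = outsiders
    return findings

if __name__ == "__main__":
    for resource, users in overexposed(RESOURCES, GROUPS, DEPARTMENT).items():
        print(f"{resource}: reachable by {', '.join(users)}")
```

The finance drive finding comes from a group nested inside a stale project group, which is why the audit has to expand memberships rather than read the grant list at face value.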
What the first check should actually buy: one workflow, proven
Resist the instinct to fund a "transformation." At 200 people the right first engagement is small and ruthless: a ranked backlog of use cases, exactly one workflow built and governed end-to-end, a baseline metric captured before you start, and a stop-or-scale decision at roughly 90 days. Bain's research on agentic AI transformation is blunt about why: the ambitious agentic stuff only works once the foundation — clean data access, defined process, named owners — is real. Skip the foundation and you're paying consulting rates to learn that lesson the slow way.
Think of it as buying proof, not buying tools. Three gates before you spend on implementation: is the workflow worth automating, is the data accessible and clean enough, and does someone own adoption after the consultant leaves? Then 90 days to prove a single governed workflow before anyone signs off on broader funding. That's a number finance, operations, and IT can all stand behind — because each of them can inspect their own piece of it.
If you want to pressure-test a vendor estimate against that standard, start with the AI Opportunity Score to rank where the value actually sits, run the candidate workflow through the AI ROI Calculator to set a baseline you can defend, and bring both to Human Renaissance AI transformation services so the spend turns into an operating case instead of a leap of faith.