Test readiness where service work already has evidence
A 100-person IT services firm does not prove AI readiness by giving every employee a chat license. The better test is whether one service workflow has enough source discipline, ownership, and review rhythm to be safely improved. Good candidates include ticket summarization, escalation packet preparation, project-status cleanup, knowledge retrieval, and implementation QA.
For firms in the SMB and lower mid-market, the operating constraint is usually not enthusiasm. It is whether service desk notes, project records, runbooks, client obligations, and delivery ownership can be assembled without relying on the memory of the most experienced manager. Readiness begins when those inputs can be named and reviewed.
Use the AI use-case scoring model as a readiness screen. A workflow should score well on repeatability, data availability, human review, and business value before it receives production attention.
Score controls that a 100-person firm can actually operate
The NIST AI Risk Management Framework gives an executive team a practical sequence: understand the context, evaluate the risk, and manage controls. In an IT services firm, that means deciding which client data may be retrieved, which tickets are restricted, which outputs require a service manager, and which exceptions go to security or account leadership.
CISA AI Data Security Best Practices should influence the data boundary from day one. Client environments, credentials, incident details, and architecture notes need role-based access, retention rules, and logging before AI search or summary workflows are expanded.
The readiness assessment should produce a 90-day operating plan, not a generic maturity score. Name the first workflow, baseline metric, source owner, reviewer, blocked data types, and escalation route. That is the difference between AI readiness and tool availability.
Measure readiness by service throughput, not tool access
Useful readiness measures include ticket handoff completeness, escalation-prep time, project-status accuracy, missing-source rate, manager review burden, and client-impact exceptions caught before they become account issues. Those are the indicators a 100-person firm can manage every week.
If the first workflow exposes inconsistent ticket categories, undocumented runbooks, or unclear client permissions, treat that as useful diagnostic evidence. The next move may be service-process repair before further automation.
AI ROI measurement without fake savings keeps leadership from counting every summarized ticket as value. The business case should show faster service decisions, cleaner delivery handoffs, and less senior-manager interruption.
