Why 250 people is the awkward middle
At 40 people, one ops lead can hold the whole company in their head and AI is mostly a personal-productivity story. At 1,000+, there's a transformation office, a data team, and a budget line for this. A 250-person business sits in the gap: enough volume that manual reporting, intake, ticket triage, and proposal drafting genuinely cost real hours every week, but no one whose actual job is to wire AI into those flows. So it shows up as eleven disconnected pilots that someone's nephew set up, none of which anyone measures.
That's the trap to avoid in month one. The first 30 days is not a vendor tour and not a "let's try Copilot" memo. It's an inventory of recurring work, written down by frequency and hours: monthly board reporting, customer intake, account research before renewals, support ticket triage, proposal and SOW drafting, collections follow-up, and "where is that document" knowledge retrieval. McKinsey's State of AI work is blunt on why this matters: the companies seeing real value redesigned the workflow, not just bolted a chatbot onto the old one. IBM's Institute for Business Value frames the same point as a capability question — value depends on the data behind the workflow, the operating model around it, whether people adopt it, and whether anyone measures the result. At 250 people, all four of those are usually shaky, which is exactly why you inventory before you install.
The permissions problem nobody flags until it's live
Here's the failure mode specific to your size. A 250-person company has accreted a knowledge estate over years — SharePoint sites, OneDrive folders, Teams channels, email, CRM exports, and finance workbooks — and the access controls on all of it were set casually, by whoever happened to share a folder. Nobody audited them because nobody had to. Then you turn on a company-wide assistant, and an AI that can search everything a user can technically reach surfaces the comp spreadsheet, the layoff planning doc, or the unredacted client contract to someone who was never supposed to see it. The AI didn't break a rule. It enforced the sloppy permissions you already had, at machine speed.
Microsoft's own documentation on Copilot's data protection architecture is explicit that the assistant inherits existing access rights — which means the oversharing audit is a prerequisite, not a follow-up task. So month two is the unglamorous part: review who can reach what, tighten the sensitive folders, and only then widen assistant access beyond the pilot group. Pair that with a lightweight risk pass using the NIST AI Risk Management Framework — for each candidate workflow, name the failure modes (what's the cost of a wrong answer in collections vs. a wrong answer in a board deck?), and assign a human owner who signs off. Bain's research on agentic AI reinforces why the order matters: the more autonomous the system, the more the foundation work — clean permissions, defined ownership, measurable scope — determines whether it's an asset or a liability. You cannot govern your way out of this after it's company-wide.
What day 90 should look like — and what to do Monday
The deliverable at the end of 90 days is deliberately small: a ranked backlog of the workflows you inventoried, two (maybe three) pilots actually running on the highest-value and lowest-risk candidates, a baseline number for each so you can tell if it worked, a named owner accountable for both the benefit and the risk of each one, and a written decision on what scales, what gets fixed, and what gets killed. Two real pilots that you can measure beats nine that you can't. If a leadership team can't manage the roadmap on one page, it's too big.
Monday, do the cheapest version of step one: open a doc and list the five recurring workflows that eat the most hours in your company, then put a rough number of weekly hours next to each. That list — not a product demo — is the start of the roadmap. If you want a structured way to turn it into a prioritized investment case, run the AI Opportunity Score and the AI ROI Calculator, or see how our AI transformation work sequences the inventory, the governance pass, and the first pilots.
