A framework for finding out what AI is actually doing in your business (and whether it's worth keeping) before the regulator asks the same question.
The problem
Most SMEs are doing the first without the second.
In a 2024 survey, over 78% of European SMEs reported that employees were using AI tools daily. Fewer than 23% had any governance in place to know which tools, on which processes, producing which outputs. The gap between "we use AI" and "we run AI intelligently" is where most of the money disappears, and where most of the regulatory risk sits.[1]
The 42% of organisations that abandoned most of their AI projects in 2025 (up from just 17% the year prior) didn't quit because AI doesn't work. They quit because they couldn't measure whether it was working, couldn't identify what to fix, and ran out of appetite to keep funding the uncertainty.[2] That's not an AI problem. That's an operations problem.
This guide walks you through the same five-step audit Vectimo runs with paying clients, stripped down for self-execution. You'll surface what AI your business is actually running, score which processes deserve more attention, check your data foundation, identify your EU AI Act obligations, and build a basic ROI picture. The whole thing should take an afternoon.
Orientation
A complete AI operations audit covers process, data, compliance, and cost. In that order.
Most "AI audits" you'll find online are written for machine learning engineers and compliance lawyers. They ask about model architecture, training data bias, and algorithmic explainability. That's important if you're building AI. If you're using AI to run a service business, it's mostly irrelevant. What you actually need to know is: which workflows does AI touch, what quality of data feeds those workflows, what are your legal obligations, and what is this costing versus saving?
Each of the five steps below addresses one of these areas. You don't need a consultant in the room. You need a spreadsheet, an honest conversation with your team, and about half a day.
Which workflows touch AI, which don't, and which should. The foundation of every other decision.
Whether the information feeding your AI systems is clean, accessible, and fit for purpose.
What the EU AI Act already requires of you, what's coming in August 2026, and what it means in practice.
What you're spending on AI tools versus what you're saving. Most companies are surprised by both numbers.
You can't audit what you haven't mapped. Start by listing everything.
The AI inventory is the unglamorous part of this exercise, and the most important. The goal is a single document listing every AI-powered tool, feature, or workflow in your business: who owns it, what it touches, what it costs, and what data runs through it. In our experience running this with clients, the inventory almost always reveals three things: tools nobody's actively using, significant cost duplication, and at least one system that would qualify as high-risk under the EU AI Act.
Start by asking everyone who touches operations to list every tool they use that makes a recommendation, automates a decision, generates content, or processes documents. Include the AI features embedded in tools you already use: the resume-screening widget inside your HR platform, the predictive lead scoring in your CRM, the smart scheduling feature in your field management tool. These embedded features are often the ones that create regulatory exposure, because nobody thought of them as "AI."
Copy this into a spreadsheet. Fill in one row per tool or AI feature. Include embedded AI (the AI features inside tools you already use), not just standalone AI apps.
| Tool / Feature | Business function | Owner | Monthly cost (€) | Data it processes | EU AI Act risk flag | Last reviewed |
|---|---|---|---|---|---|---|
| ChatGPT / Claude | Content drafting, research | Marketing | 23–250 | Internal docs, emails | Minimal | — |
| Microsoft Copilot | Email summarisation, drafts | Multiple | Bundled in M365 | All email + calendar | Minimal | — |
| AI CV screener (in HR tool) | Candidate filtering | HR | Bundled | Personal data, CVs | High-risk | — |
| Predictive lead scoring (CRM) | Sales prioritisation | Sales | Bundled | Customer data | Review needed | — |
| AI scheduling / routing | Field dispatch | Operations | Variable | Job data, locations | Minimal | — |
| Document processing / OCR | Invoice / form extraction | Finance | Variable | Financial documents | Minimal | — |
| AI chatbot (customer-facing) | First-line customer support | CX | Variable | Customer queries, PII | Review needed | — |
When the inventory is complete, tally your total monthly AI spend, including bundled tools where AI is the reason you upgraded. Then ask: for what percentage of these tools does someone in the business actively review outputs, measure accuracy, or own the result? The typical answer we see is under 20%.
Not every task deserves AI. The matrix tells you where to push and where to be careful.
The single most useful question in an AI operations audit is: which processes does AI belong in, and which processes does it not? The answer depends on two variables that apply to nearly every task in a service or trade business: how often it happens (volume), and how much expertise it requires to do correctly (judgment intensity).
High-volume, low-judgment work is where AI pays back fastest. A field service company processing 400 invoices a month, all with the same data structure, is leaving significant money on the table by processing them manually. A boutique consultancy writing one bespoke proposal per week, where the proposal quality is the competitive differentiator, should not be automating that proposal. The matrix makes this visible.
Score every significant repeating task in your business on two axes: volume (how many times per week?) and judgment intensity (does doing it well require expertise, relationships, or context that's hard to capture in writing?).
Rare, complex tasks where mistakes are expensive. AI adds risk, not efficiency. Examples: contract negotiation, client escalations, pricing strategy.
AI can draft, summarise, or retrieve, but a human decides. Examples: quotation, customer email triage, performance reviews, sales follow-up.
The time savings are real but small. Worth automating once higher-priority items are done. Examples: meeting notes, internal status updates.
This is where AI pays off fastest. Repetitive, structured, high-frequency tasks with clear right answers. Examples: invoice extraction, job scheduling, document classification, data entry, standard customer queries.
Once you've placed your processes on this matrix, score each "Automate first" candidate against three additional criteria to prioritise your implementation roadmap:
| Criterion | Score 1 (low) | Score 3 (medium) | Score 5 (high) |
|---|---|---|---|
| Time cost: how many staff-hours per week? | <2 hrs/week | 2–10 hrs/week | >10 hrs/week |
| Data availability: is the input data structured and accessible? | Scattered, unstructured | Partially organised | Structured, accessible |
| Error cost: what happens when it goes wrong? | Easily caught and fixed | Noticeable but recoverable | Costly or client-visible |
Process automation ranked as the top reported benefit among SMEs already using AI, cited by 53% of respondents in the OECD's 2025 SME AI adoption study.[4] The sector-specific numbers are concrete: in logistics and transportation, automated invoice auditing recovers 1–3% of total freight spend; AI-assisted load optimisation typically cuts operational costs 10–20% within six months.[6] These aren't projections. They're the midpoint of what companies report after implementation.
AI is only as good as the data it runs on. Five questions that tell you where you actually stand.
The majority of AI project failures at SME level have nothing to do with the AI itself. They fail because the data feeding the system is inconsistent, inaccessible, or doesn't actually capture what the business thinks it captures. The Cisco AI Readiness Index 2025 found that 66% of EU organisations struggle to centralise data. Without centralised, structured data, most AI automation either produces poor outputs or requires so much manual cleaning that the time savings disappear.[3]
These five questions are the minimum data readiness check before you commit budget to any AI implementation. They don't require a data engineer to answer. They require honest conversations with the people who own the processes.
Answer each question for the specific process you're planning to automate. "Yes" = ready. "Partial" = fixable. "No" = stop and fix before spending on AI.
Two obligations already apply to you. A third is three months away. Here's what matters for an SME.
The EU AI Act became law in August 2024. For most SMEs, the practical question isn't "does this apply to me?" It does, if you're using AI to make or support decisions. The question is which obligations apply, when, and what the concrete steps are. The following is not legal advice. It's an operator's reading of what the Act requires of a service or trade business using off-the-shelf AI tools.
Article 4: AI Literacy. Every organisation deploying AI systems must take measures to ensure adequate AI literacy of their staff. This doesn't mean a formal certification programme. It does mean that if a member of staff uses an AI tool to support a decision, they need sufficient understanding of what the tool does and where it can fail. You should be documenting what training you've provided.
National enforcement framework goes live. Member states must have their national market surveillance authorities operational. From this date, providers and deployers of AI systems may face civil liability if AI systems are operated by staff who haven't received adequate training and harm results.[7]
High-risk AI obligations become enforceable. If you deploy any system that qualifies as high-risk under Annex III, you must have conformity assessments, technical documentation, risk management systems, and human oversight mechanisms in place. Fines: up to €15 million or 3% of global annual turnover, whichever is higher.[8]
The Act's Annex III lists eight categories of high-risk AI. For a typical service or trade SME, three categories are most likely to be relevant:
If anything in your AI inventory could qualify as high-risk, these are the steps:
The ROI calculation is simpler than you think. The inputs are harder to get honest about.
The standard failure mode in AI ROI analysis is counting the theoretical time savings and ignoring the actual costs. The implementation time, the training time, the ongoing supervision time, the tool subscriptions, the prompt engineering, the edge cases that still require a human. These add up. The accurate picture, on both the cost and savings side, is what makes the difference between a project that delivers and one that gets cancelled after six months.
The formula below is intentionally simple. It's designed to fit in a conversation with your CFO or operations lead, not to replace a financial model. Use it to pressure-test your AI inventory against real numbers before you spend further on implementation.
Run this calculation for every tool in your inventory. You'll typically find: two or three tools that show strong positive returns and should get more investment; several tools that are roughly break-even and need either improvement or consolidation; and at least one that's losing money on its current usage pattern.
| Sector / function | Benchmark outcome | Source |
|---|---|---|
| B2B: cross-sector, France | Median ROI +159.8% over 24 months; 8-month payback | [5] |
| Logistics: invoice auditing | Recovers 1–3% of total freight spend | [6] |
| Logistics: load optimisation | 10–20% cost reduction in 3–6 months | [6] |
| Field service: scheduling AI | 2–3x shipment volume with same team size | [6] |
| HR: onboarding automation | 2–3 hours saved per new hire for HR and management | [10] |
| Professional services: document processing | 60–90% reduction in manual extraction time | [6] |
Interpretation
Five worksheets complete. Here's what healthy looks like, and what should concern you.
When you've run all five steps, you should have: a complete AI inventory with cost and risk flags, a process scoring matrix with a prioritised automation roadmap, a data readiness assessment per process, a clear picture of your EU AI Act obligations, and at least a rough ROI calculation for your current tools. The table below maps common outcomes to recommended actions.
| What you found | Status | What to do |
|---|---|---|
| Clear inventory, positive ROI on 2+ tools, no high-risk flags | Good shape | Run this audit quarterly. Your next step is prioritising the next tier of automation from your process matrix. |
| Clear inventory, 1–2 high-risk AI tools identified | Action needed | Contact vendors immediately for documentation. Assign oversight owners. Do this before August 2025. |
| Significant cost duplication or break-even tools | Consolidate | Cancel or consolidate overlapping subscriptions. Re-evaluate in 90 days with clearer usage data. |
| Data readiness below 3/5 on "Automate first" candidates | Fix data first | Don't spend on AI implementation until the data foundation is in place. The ROI projections won't hold. |
| No ownership, no AI literacy training documented, EU exposure unclear | Urgent | Stop adding AI tools. Fix governance before August 2025. If you're uncertain about your regulatory exposure, get a proper assessment. |
| Negative or uncalculable ROI on majority of tools | Reset needed | Something is structurally wrong: process selection, data quality, or implementation. A DIY audit has taken you as far as it can. |
This guide gives you the framework. What it can't give you is the interpretation of edge cases, the experience of knowing which vendor documentation is credible versus boilerplate, or the ROI modelling that accounts for your specific cost structure and growth trajectory. If you've run the five steps and find yourself in any of the following situations, the next investment is a professional audit, not more self-assessment:
You have an AI system that touches employment, credit, or safety decisions, and you're not certain of your compliance status. The fines for non-compliance are real. Get a documented assessment.
Your tools show negative ROI but teams are resistant to stopping them, or you can't determine why a tool isn't delivering. An external view cuts through internal politics.
You have too many automation candidates and limited implementation capacity. Prioritisation at this level requires ROI modelling against your specific cost structure, not benchmarks.
Your data readiness check revealed problems that aren't one team's responsibility to fix. That requires an architectural view and change management support.
The paid audit is two weeks, one deliverable: a prioritised AI Opportunity Roadmap with ROI modelling, vendor assessments, and an EU AI Act compliance status report specific to your business. Flat fee, no retainer required.
Book a call, €2,500 See what's includedWhat you get
How it works
Who runs it
Felix Steinhauser, ex-Director of AI Strategy & Delivery at SIXT SE. No vendor affiliations. No upsell on tools. Just the honest answer.
Sources
New practical guides for European SMEs adopting AI, delivered when they drop. No spam, unsubscribe anytime.
Want this done for you, not just explained? Vectimo runs the AI adoption end to end.
Work with Vectimo →