We help SMEs make sound, evidence-led decisions about AI. The work is built on a single methodology, the four-outcome audit, that gives every plausible use case one of four routings: Quick Win, Bigger Build, Fix First, or Not Yet. The recommendation, including the recommendation to do nothing for now, comes with the reasoning written down.
Routed against the work the business actually does, function by function, with the people who do that work. The output is a specific recommendation, not a generic roadmap.
Governance, data protection, the AI register, security posture, alignment to the standards that matter. The output is a written position the leadership team can stand behind.
Most AI advisory work answers the first question. Both questions need answering.
Every candidate function in the audit ends up routed to one of four outcomes. The routes are decisions, not coordinates on a maturity scale. There is no aggregate score, no readiness rating, no benchmark against other organisations. Two consultants reading the same evidence should reach the same routing decision.
A narrow tool for a specific job. Simple workflow, few users, low overhead.
A proper automation project for an existing multi-step process. Staged rollout, with checks and reversibility.
Existing processes need work before AI helps. The audit shows what to sequence, and the AI candidates that open up after.
The conditions for AI aren't in place. The audit details what would need to change, and suggests when to revisit.
The patterns below describe how the four routes typically resolve inside an SME. Each describes the shape of a typical engagement after the workshop and interviews are complete.
A bounded piece of work where the inputs are structured, the format is consistent, and the people doing the work understand it well. A narrowly-scoped tool sits inside the existing workflow without changing the process around it. One function, a small number of users, no downstream dependencies on other parts of the business.
A workflow automation project, owned end-to-end, that takes work currently done by hand or in part by hand and loops it reliably across the systems already in use. Typically the work moves between two or three named systems and depends on daily or weekly updates by one or more people in named roles. A pilot champion is identified before any build begins. Checkpoints are named at the outset: the moments at which the work is reviewed and the decision is made to continue, adjust scope, or stop.
A function where the underlying workflow or manual process isn't yet stable enough for an AI layer to add value. Process work happens first: the handoffs, the source of truth, the decision rights. AI is sequenced after. The recommendation comes with what the fix needs to look like, who owns it, and when the audit would revisit the routing.
A function where the obstacle to useful AI sits outside what an audit or a build can address. Sometimes the underlying systems don't allow programmatic access (no API, no usable export). Sometimes the data needed to make a sensible recommendation doesn't exist yet, or sits with a third party that won't release it. Sometimes the work itself isn't well enough understood to specify. The recommendation comes with a written description of what would need to change for the routing to move, and a suggested revisit point.
The audit is carried out with the leadership team and the owners of the priority business functions. Everything is captured in a single workbook so the consultant and the client are looking at the same document throughout. Nothing happens off-stage.
A 60 to 90-minute conversation with the MD, owner, or senior management team as appropriate. Captures business shape, current AI use, the position the business holds on AI governance, and the identification of a pilot champion. The audit captures the current accountability for AI inside the business honestly. Where the picture is informal or undocumented, that is reflected in the first set of recommendations the report makes.
A working session with the leadership team. Walks every function active in the business and decides per function: is this active, who owns it, who should be interviewed about how it really runs. The session takes as long as it takes, usually under two hours, sometimes longer if the leadership team wants to argue out who genuinely owns what.
Up to eight one-to-one interviews, typically 60 to 90 minutes each, with the people closest to the work. Common areas of conversation include role context, task inventory, process detail, tools and data movement, friction, decision-making, current AI usage, and where the respondent themselves sees opportunity. The structure is consistent across interviews; the conversation is allowed to breathe.
The consultant takes the populated workbook away and assesses what's there. Routing each function involves more than applying a decision tree: it means looking at the data the function depends on, the systems it sits across, whether those systems can be reached programmatically, and whether the working knowledge exists in a form the audit can build on. The report is then written bespoke per engagement, with each routed function getting a structured deep-dive page: what it is, why we route it where we do, the build approach we recommend if relevant, the risks, the fallback. A transparency appendix at the back of every report shows the underlying interview answers behind each routing decision, so the function owner can disagree with a specific finding rather than the recommendation as a whole.
Most SMEs already have AI in use, informally, on individual accounts. The governance question is rarely whether to start. It is whether the use that is already happening sits inside a documented position held on record by the business.
The audit captures the current state honestly: which tools are in use, by whom, on what data, under which accounts, with what oversight. Where the answer reveals a gap, the report outlines the options for closing it. Often the answer is a short written position covering which categories of data must not be entered into which tools, who decides if there is doubt, and when the position will be reviewed. Where appropriate, we will also draft a starter AI register and a starter acceptable-use policy as a byproduct of the audit, without an additional fee.
The work draws on the literacy of ISO 42001 (AI management), the ISO 27000 series (information security), and the ICO's published guidance on automated decision-making under the UK Data Use and Access Act. The audit is not a compliance audit. It is the foundation on which a business can build a defensible AI governance position.
A common SME experience with consultancy is a strong recommendation followed by silence. Panthera doesn't operate that way. Where the audit produces a Quick Win or a Bigger Build routing, the same engagement can extend to delivery, under a single contract with us. Where additional technical capacity is needed, we bring it in directly. We are the single point of contact throughout; the responsibility is ours. We do not pass implementation to a third-party vendor, and we do not take referral fees for recommending one.
Where tools are named in our reports, they are examples of the relevant category, not endorsements. The category is the recommendation; the choice within it is yours.
A numerical readiness rating is often used as a gimmick to push the conversation toward implementation regardless of evidence. Most are oversimplified and generic. The point of a diligent audit is a qualitative assessment that helps the leadership team understand the business's actual position, not an abstract number that doesn't survive contact with how the business really runs.
Every business is unique, at any size and in any sector. A benchmark is data pulled out of the air; the percentages it cites come from generic surveys, not from inside your business. It doesn't tell you anything about the specific gaps you would need to close, or the resources you would need to commit, to use AI well in your own work.
Where the report describes what is structurally at stake, it does so in terms of what the work takes off the plate of the people under pressure and what constraint on the business it removes. Numerical projections about the future require a crystal ball. We do not put pretend numbers against work we haven't done.
A conversation costs nothing and commits you to nothing. Thirty to sixty minutes, on the phone or by video, to discuss whether the audit is the right thing for your business and what scope and cost might look like.
