AI Audit for UK Businesses | ISO 27001 | OpenKit

AI audit for UK businesses.

The business kind, not the SEO kind.

We look at where AI fits across your business, where it does not, and how to roll it out without breaking anything. The audit runs as the front end of our Transformation Block and produces a prioritised opportunities list, a data protection review, a risk register, and a rollout plan you can hand to anyone, including yourself.

Called an AI audit, an AI readiness assessment, AI assessment consulting, or AI roadmap development. Same engagement, four names buyers actually search for.

QBE Insurance UK report, May 2026: 75% of UK firms see AI risk in their suppliers’ AI use; 28% actually audit it.


What an AI audit actually is

An AI audit is a structured review of where AI fits across your business, where it should not, and the rollout plan that gets it into production safely. OpenKit is a UK AI consulting firm that runs these audits and AI readiness assessments for SMEs and mid-market organisations.

An audit is most useful when it is independent of whoever builds the system, so the recommendations point at your priorities rather than ours. We hold ISO 27001, ISO 9001, and Cyber Essentials certifications and work with UK clients from a base in Cambridge.

The audit is the front end of our Transformation Block.

Every OpenKit engagement begins with a Transformation Block. The audit is the discovery work inside it: five steps that take roughly the first half of the block. You can stop after the audit and hand the plan to an internal team, or continue into configuration and training in the second half.

See the full engagement model on How We Work →

01 · WEEK 1
Discovery

Workshops with leadership and the teams whose work is in scope.

02 · WEEK 1
Process & data review

A walkthrough of in-scope functions and the data they touch.

03 · WEEK 2
Data protection review

Review against ISO 27001 controls and any sector-specific obligations.

04 · WEEK 2
Prioritised opportunities

A scored list of where AI fits, with effort, risk, and dependency for each.

05 · WEEK 2
Rollout plan

A sequenced plan you can hand to anyone, including an internal team.

Scope: 5 to 12 in-scope functions
Inputs: workshops, documents, data samples
Outputs: report · review · register · plan

What the audit produces.

Four artefacts you can hold in your hand, hand to an internal team, or take to a board meeting, plus a free sample deliverable so you can see the format first. The audit is a finished deliverable on its own, not a sales conversation dressed as a discovery call.

Figure: the sample PDF (a UK boutique law firm, prepared by OpenKit, v1.0) showing the artefacts: 01 AI Audit Report with executive summary; 02 data protection review as an ISO 27001 control map; 03 risk register with example entries (vendor data egress HIGH, prompt injection MED, stale data refresh LOW, hallucination in client-facing HIGH); 04 sequenced rollout plan.
01

AI Audit Report

A written document covering the current state of AI usage in the business, prioritised opportunities, scored risks, and recommended sequencing.

PDF · 28 to 40 pages · plain English
02

Data protection review

A review of every in-scope data source against ISO 27001 controls and any sector-specific obligations (UK GDPR, SRA, FCA, NHS DSP Toolkit).

Control map · gap list · mitigations
03

Risk register

A scored register of the things that could go wrong as AI gets introduced, with the mitigations we recommend for each.

Likelihood × impact · owner · mitigation
04

Rollout plan

A sequenced plan from low-risk quick wins through to the more involved workflows, with the dependencies for each.

Quarter view · dependencies · owners
05

Sample deliverable, free

A reference example of the audit output so you can see exactly what to expect before commissioning. No form, no email gate.

Download sample audit (PDF)
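The risk register above is scored as likelihood × impact with an owner and a mitigation per entry, and the rollout plan orders work from low-risk quick wins through to the more involved workflows while respecting dependencies. As an added example (not OpenKit's own tooling, and not taken from the sample PDF beyond the four risk names it shows), the block below scores a register with those four entries, flags the entries a practitioner would refuse to sign off on (a HIGH or MED risk with no owner or no mitigation), and then sequences a set of constructed opportunities so that dependencies ship first and, among the items that are ready, the lowest inherited risk ships first. The likelihood and impact scales, the HIGH/MED/LOW thresholds, the effort scale, the owners and the opportunities are all assumptions for illustration.

```python
# Added example, not OpenKit's code. The four risk names come from the sample
# PDF on this page; every scale, threshold, owner, effort and dependency below
# is constructed for illustration.
from dataclasses import dataclass, field
from graphlib import TopologicalSorter
from typing import List, Optional

# Assumed 1..5 ordinal scales; a real register should state its own.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


def score_to_band(score: int) -> str:
    """Map a likelihood x impact score (1..25) to HIGH/MED/LOW. Thresholds are assumed."""
    if score >= 12:
        return "HIGH"
    if score >= 6:
        return "MED"
    return "LOW"


@dataclass
class Risk:
    name: str
    likelihood: str
    impact: str
    owner: Optional[str] = None
    mitigation: Optional[str] = None

    @property
    def score(self) -> int:
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    @property
    def band(self) -> str:
        return score_to_band(self.score)


def validate_register(risks: List[Risk]) -> List[str]:
    """Findings that would block sign-off: a HIGH or MED risk with no named owner
    or no mitigation. LOW risks may be accepted with neither."""
    findings = []
    for r in risks:
        if r.band == "LOW":
            continue
        if not r.owner:
            findings.append(f"{r.name}: {r.band} risk has no owner")
        if not r.mitigation:
            findings.append(f"{r.name}: {r.band} risk has no mitigation")
    return findings


@dataclass
class Opportunity:
    name: str
    effort: int                   # assumed 1 (days) .. 5 (months)
    risks: List[str]              # register entries this workflow inherits
    depends_on: List[str] = field(default_factory=list)


def sequence_rollout(opps: List[Opportunity], register: List[Risk]) -> List[str]:
    """Dependency-respecting order: among ready items, lowest worst-case risk
    score first, then lowest effort, then name. Raises graphlib.CycleError on
    circular dependencies and ValueError on a dependency that is not listed."""
    by_risk = {r.name: r for r in register}
    by_name = {o.name: o for o in opps}
    unknown = {d for o in opps for d in o.depends_on} - by_name.keys()
    if unknown:
        raise ValueError(f"unknown dependencies: {sorted(unknown)}")

    def priority(name: str):
        o = by_name[name]
        worst = max((by_risk[r].score for r in o.risks), default=0)
        return (worst, o.effort, name)

    ts = TopologicalSorter({o.name: set(o.depends_on) for o in opps})
    ts.prepare()                      # raises CycleError if the graph has a cycle
    order: List[str] = []
    ready = set(ts.get_ready())
    while ready:
        nxt = min(ready, key=priority)
        ready.remove(nxt)
        order.append(nxt)
        ts.done(nxt)                  # unlocks anything that depended on nxt
        ready.update(ts.get_ready())
    return order


# Constructed sample register; bands reproduce the sample PDF's HIGH/MED/LOW/HIGH.
SAMPLE_REGISTER = [
    Risk("Vendor data egress", "likely", "major", owner="IT lead",
         mitigation="UK-hosted vendor, DPA signed, training opt-out"),
    Risk("Prompt injection", "possible", "moderate", owner="Engineering"),   # no mitigation yet
    Risk("Stale data refresh", "unlikely", "minor", owner="Ops", mitigation="Nightly re-index"),
    Risk("Hallucination in client-facing", "likely", "severe",
         mitigation="Human review before anything is sent"),                 # no owner yet
]

# Constructed opportunities for a small law-firm-style scope.
SAMPLE_OPPORTUNITIES = [
    Opportunity("Meeting summaries", effort=1, risks=["Stale data refresh"]),
    Opportunity("Private retrieval over case files", effort=4, risks=["Vendor data egress"]),
    Opportunity("Internal knowledge Q&A", effort=2, risks=["Prompt injection"],
                depends_on=["Private retrieval over case files"]),
    Opportunity("Client-facing drafting", effort=2,
                risks=["Hallucination in client-facing", "Prompt injection"],
                depends_on=["Private retrieval over case files"]),
]

if __name__ == "__main__":
    for r in SAMPLE_REGISTER:
        print(f"{r.band:4} {r.score:2}  {r.name}  owner={r.owner}")
    for f in validate_register(SAMPLE_REGISTER):
        print("FINDING:", f)
    print("Rollout order:", " -> ".join(sequence_rollout(SAMPLE_OPPORTUNITIES, SAMPLE_REGISTER)))
```

Run it as a script to see the scored register, the two findings (a MED risk with no mitigation, a HIGH risk with no owner) and the order in which the constructed workflows would ship. The point of the priority rule is that a quick win that inherits only a LOW risk goes first, while anything that inherits a HIGH client-facing risk waits until both its dependency and a named owner are in place.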

What is in scope, and what is not.

Stating the constraint up front is more useful than implying we do everything. The audit has a deliberate edge. Knowing where it ends is part of why it works.

In scope

  • Where AI fits across the business and where it does not
  • A walkthrough of in-scope functions and the data they touch
  • A data protection review against ISO 27001 controls and any sector obligations
  • A scored prioritised opportunities list
  • A rollout plan you can take to an internal team or back to us
  • Hands-on training on the recommended tooling for your team, if you continue into the configuration and training half of the Transformation Block

Not in scope

  • A custom AI model trained on your data — that is a Bespoke Build, scoped after the audit
  • A full security penetration test — separate scope, and often a separate vendor
  • A regulator-grade compliance audit — we can flag gaps but not certify
  • A guarantee that every recommendation gets built — sequencing is your call
  • A six-month consulting engagement — the audit is a fixed deliverable

What it costs.

The audit is a fixed-fee engagement in the low five figures. Combined with the configuration and training half of the Transformation Block, the engagement sits in the high four to mid five figures, depending on scope. Pricing is fixed before kickoff so there are no surprises on the invoice.

A few engagements need a Bespoke Build on top — a custom retrieval system, a regulated-industry tool, a private LLM with audit logging. Those are scoped and quoted after the audit, since the scope depends on what the audit surfaces.

Audit only
Low five figures

Audit Report, data protection review, risk register, rollout plan.

2 weeks
Audit + Transformation Block
High four to mid five figures

Audit plus configured workflows and team training.

4 weeks
Embedded AI Lead
Low four figures per month

Optional retainer after the Transformation Block. See How We Work →

rolling

Audits we have run.

A sample of recent audit engagements. Some clients are named with their permission; others stay anonymised. Outcomes are described without specific dates or internal artefacts.

— 01

House of Hackney

Retail · Omnichannel · DTC · Named with permission
A cross-functional audit of where AI fits across an omnichannel retail business, plus a written code of responsibility for how the team uses generative AI in customer-facing work and internal operations.
Outcome: Audit shipped. Code of responsibility adopted. Team training delivered.
— 02

A UK boutique law firm

Legal services · LEAP · M365 · Anonymised
Audit of where AI fits across casework, fee earning, and admin in a boutique practice. Integration constraints with the existing case management system and the Microsoft 365 stack were the deciding factor on sequencing.
Outcome: Phased rollout. Quick-win workflows shipped first. Larger build deferred to a Bespoke Build after partner sign-off.
— 03

A UK charity in crisis support

Third sector · National · 24/7 · Anonymised
Audit across admin, comms, CRM, marketing, and compliance for a national crisis-support charity. The data protection review was load-bearing given the sensitivity of beneficiary records.
Outcome: Audit delivered. Priority workflows identified. Data protection review accepted by the charity board.

What happens after the audit.

The audit is a finished deliverable on its own. From there you can move into the configuration and training half of the Transformation Block, hand the plan to an internal team and stop, or commission a Bespoke Build for the systems the audit shows are worth building. There is no requirement to continue.

AUDIT DELIVERED · WEEK 2
Three options. No requirement to continue.
OPTION A · MOST COMMON

Continue the Transformation Block.

Configuration of the priority workflows and hands-on training for your team. Adds two more weeks to the engagement.

See phase 1 →
OPTION B · STOP

Hand it to an internal team.

The rollout plan is built to be implementable by an internal team. We’re available on a per-question basis if you need us, but you can take it from here.

No-commitment continuation →
OPTION C · BUILD

Commission a Bespoke Build.

If the audit surfaces a system worth building — a private LLM, a retrieval engine, a regulated tool — we scope and quote after the audit.

See phase 3 →

Questions buyers ask.

What is an AI audit?
An AI audit is a structured review of where AI fits across a business, where it does not, and the rollout plan that gets it into production safely. At OpenKit it produces an AI Audit Report, a data protection review, a risk register, and a sequenced rollout plan. It sits as the discovery half of our Transformation Block.
How long does an AI audit take?
A standalone audit runs two weeks. The combined Transformation Block, which adds configuration and training to the audit, runs four weeks. Bespoke Builds after the audit are scoped per project.
How much does an AI audit cost?
Our audit-only engagement is fixed-fee, in the low five figures. The combined Transformation Block, which includes configuration and training, runs from the high four to mid five figures depending on scope. Pricing is fixed before kickoff so there are no surprises.
What does the audit deliverable look like?
A written AI Audit Report covering the current state, a prioritised opportunities list, a data protection review against ISO 27001 controls and sector obligations, a risk register, and a sequenced rollout plan. A sample deliverable is downloadable on this page so you can see the format before commissioning.
Who runs the audit?
A senior OpenKit engineer leads the audit from discovery through to handover. There is no account manager layer between you and the people doing the work. The same engineer often continues as your Embedded AI Lead if you continue past the audit.
What is the difference between an AI audit and an AI readiness assessment?
In practice they are the same engagement under different names. Some buyers search for an AI audit, others for an AI readiness assessment, others for AI assessment consulting or an AI roadmap. At OpenKit it is one piece of work: a structured review of where AI fits across your business, where it should not, and a sequenced rollout plan. The free AI Readiness Checklist on our site is the short self-serve version; this page covers the commissioned engagement.
Do you also do AI assessment consulting and AI roadmap development?
Yes, same engagement, different names. AI assessment consulting and AI roadmap development describe the discovery and planning work that sits inside our Transformation Block. The audit is the deliverable that comes out of it: a written AI Audit Report plus a sequenced rollout plan you can take to a board or hand to an internal team.
Do you audit AI systems we have already built?
Yes. The audit covers existing AI usage as well as opportunities. If your team has rolled out tools without a structured review, the audit surfaces what is working, what is risky, and what to deprecate. The data protection review covers existing systems as standard.
Is the audit appropriate for a regulated industry?
Yes. We have run audits in legal services, healthcare diagnostics, oil and gas, and education. The data protection review sits on top of our ISO 27001 baseline and works to your sector obligations as standard. The Financial Reporting Council’s March 2026 guidance on AI in audit work places explicit accountability for AI-assisted work on the regulated firms using it; we surface gaps and recommend mitigations, but we do not certify compliance.
What happens after the audit?
Three options: continue into the configuration and training half of the Transformation Block, hand the rollout plan to an internal team and stop, or commission a Bespoke Build for the systems the audit shows are worth building. There is no requirement to continue with OpenKit.
Can we get an AI audit without committing to OpenKit for the rollout?
Yes. The audit is a finished deliverable on its own and clients regularly hand the rollout plan to an internal team after we are done. The audit fee covers the audit. Continuation is a separate decision and a separate engagement.

Want to see where AI fits, before you commit to building anything?

Two weeks. Fixed fee. Ends with a written AI Audit Report, a data protection review, a risk register, and a sequenced rollout plan you can take anywhere.
