---
name: private-ai-readiness-assessor
description: Assess whether an SMB has the infrastructure, data governance, use cases, and skills to run private AI (self-hosted LLMs) — producing a readiness score, shortlist of viable first use cases, and gap-closure plan.
version: 1.0.0
author: VantagePoint Networks
author_url: https://www.vpnetworks.co.uk
audience: IT Managers, CTOs, Technical Founders, DPOs, MSP Consultants evaluating private-AI for a client
output_format: Formatted Markdown assessment with readiness score across 6 dimensions, shortlisted first use cases, infrastructure sizing, gap register, and phased delivery roadmap.
license: MIT
last-reviewed: 2026-04
---

# Private AI Readiness Assessor

A Claude Code skill for SMBs and their advisors evaluating whether private AI (self-hosted LLMs, local inference, on-premises data pipelines) is a realistic option — before buying GPUs, committing to a pilot, or writing a business case.

## How to use this skill

1. Download this `SKILL.md` file.
2. Place it in `~/.claude/commands/` (macOS/Linux) or `%USERPROFILE%\.claude\commands\` (Windows).
3. In Claude Code, run `/private-ai-readiness-assessor`. Describe the organisation. Answer the clarifying questions. Receive the assessment.

## When to use this

- A client or leadership team is asking "should we run AI locally instead of in the cloud?" and you need a rigorous answer.
- You're a law firm, accountancy, or finance SMB where putting client data into commercial AI services is contractually or ethically off the table.
- Copilot costs or compliance constraints are pushing you to evaluate a self-hosted alternative.
- A board is about to approve a GPU budget and you want a sanity check on whether the rest of the stack is ready.
- You want a baseline readiness score you can improve against quarterly.

## What you'll get

A single Markdown document containing:

- A **readiness score** across 6 dimensions: infrastructure, data, use cases, skills, security, governance
- **First use-case shortlist** (3-5 realistic candidates, ranked by value/risk/feasibility)
- **Infrastructure sizing** for the shortlisted use cases (GPU vs CPU, model class, RAM, storage, network)
- **Data readiness audit** (what needs to be ingested, how it's prepared, what's too messy)
- **Skills gap** (internal vs external delivery model)
- **Security & governance gaps** with remediation
- **Phased roadmap** (Discovery → PoC → Pilot → Production)
- **Alternative-path comparison** (private AI vs Copilot vs enterprise ChatGPT) with honest trade-offs
- A **board-ready summary**

## Clarifying questions I will ask you

1. **Organisation sector and size?**
2. **Primary driver for considering private AI?** (regulator, contract, cost, sovereignty, client demand, curiosity)
3. **What data types are involved?** (client files, contracts, case notes, financial records, code, emails, tickets)
4. **Approximate document / token corpus size?** (rough volume)
5. **On-prem, cloud, or hybrid today?**
6. **Existing compute position?** (no servers / a few VMs / a small data centre / cloud-first)
7. **Existing AI use?** (Copilot licensed, ChatGPT Enterprise, nothing, shadow)
8. **Budget range for exploration?** (€/£5k, £25k, £100k)
9. **Who would own this internally?** (CTO, IT Manager, DPO, nobody yet)
10. **Sensitive-data handling today?** (labels, DLP, encryption, classified folders)
11. **Target first use case in mind?** (document Q&A, summarisation, drafting, search, classification, coding)
12. **Tolerance for open-source tooling?** (high — we're technical / medium / low — we want turnkey)

## Output template

```markdown
# Private AI Readiness Assessment — <organisation>

**Date:** <date> · **Prepared for:** <role> · **Prepared by:** <author>

## 1. Executive Summary
<Half-page. Readiness score overall. Top 3 candidate use cases. Estimated investment for first pilot. Honest verdict: "pursue now / pursue after closing gaps / consider alternatives".>

## 2. Readiness Score (0-5 per dimension)
| Dimension | Score | Notes |
|---|---|---|
| Infrastructure | <0-5> | <summary> |
| Data | <0-5> | |
| Use cases | <0-5> | |
| Skills & delivery | <0-5> | |
| Security | <0-5> | |
| Governance | <0-5> | |
| **Overall** | **<0-5>** | |

- **0-2** = not ready; close foundational gaps before exploring
- **3** = pilot-capable with external support
- **4** = pilot-capable in-house
- **5** = production-ready; select use case and scale

## 3. Shortlisted First Use Cases
| # | Use case | Value | Risk | Feasibility | Why it's first |
|---|---|---|---|---|---|
| UC1 | <e.g. Answer "what do our precedent contracts say about X"> | High | Low | High | Closed domain, authoritative sources, measurable time-saved |
| UC2 | <e.g. Summarise meeting notes against prior files> | Medium | Low | High | Low-regret use case |
| UC3 | <e.g. Draft-first-pass client emails grounded in file> | High | Medium | Medium | Requires careful prompt + review |

## 4. Infrastructure Sizing
Based on the shortlisted use cases:

| Component | Recommendation | Reasoning |
|---|---|---|
| Model class | <e.g. 7B-14B open-weight instruct, quantised> | Fits most SMB hardware, strong enough for the use cases |
| Runtime | <e.g. Ollama / vLLM / llama.cpp> | Match team skills |
| Inference hardware | <e.g. 1× A6000 48GB, or 2× L4 24GB> | Single-host, GPU-backed |
| RAM | <64-128 GB> | Context window, concurrency |
| Storage | <1-4 TB NVMe> | Vector DB, document store, model weights |
| Network | <10 GbE local> | Ingest + retrieval |
| Vector DB | <e.g. Qdrant / pgvector / Chroma> | Match team skills, on-prem |
| Orchestration | <e.g. LangChain / LlamaIndex / bespoke> | Maintainability |
| Monitoring | <Prometheus + Grafana, plus LLM-specific> | Observability + quality |
| Estimated capex | £<N> | One-off hardware / software |
| Estimated opex | £<N>/yr | Power, licences, maintenance |

## 5. Data Readiness Audit
| Source | Volume | Format | Quality | Needs before ingest |
|---|---|---|---|---|
| <SharePoint site> | <>GB | Docx/PDF | <good/poor> | Dedupe, OCR older PDFs, label sensitivity |
| <CRM> | <> records | Structured | Good | Export schema, redact where needed |
| <File server / NAS> | <> | Mixed | Mixed | Inventory, classify, cull |

**Data-governance prerequisites:**
- Sensitivity labels defined and applied on ingested data
- DLP policies aware of the vector store as a data-location
- Retention rules applied to embeddings
- Right-to-erasure process designed for vectorised content

## 6. Skills Gap
| Capability | Current | Needed | Gap | Close via |
|---|---|---|---|---|
| Linux/container ops | | | | |
| Python / Python packaging | | | | |
| ML ops / LLM ops | | | | |
| Prompt engineering | | | | |
| Vector-DB / retrieval | | | | |
| Security hardening for ML stack | | | | |

**Delivery model options:**
1. Fully internal (team upskill + recruitment)
2. Hybrid (consultancy-led PoC, internal operates)
3. Managed (external partner owns stack, internal owns use cases)

## 7. Security & Governance Gaps
| Gap | Severity | Remediation |
|---|---|---|
| No classification of source documents | High | Sensitivity labels, pre-ingest classification |
| No audit log of AI queries / outputs | High | Log every query + response + user + timestamp |
| No output review mechanism | Medium | Human-in-the-loop for client-facing outputs |
| Model-drift / hallucination monitoring | Medium | Periodic evaluation against curated benchmark |
| Access control weaker than source documents | High | Retrieval must inherit source-doc permissions |
| No prompt-injection defence strategy | Medium | Layered approach — input validation, system prompt hardening, output filtering |
| No data-subject-rights handling | High | Process for erasure from embeddings and caches |

## 8. Phased Roadmap
| Phase | Weeks | Focus | Gate to next phase |
|---|---|---|---|
| 0. Foundations | 1-4 | Close the highest-severity gaps | Governance basics in place |
| 1. Discovery | 5-8 | Validate UC1 feasibility on a small dataset | Prototype answers 80% of UC1 queries acceptably |
| 2. PoC | 9-14 | Build on target hardware, 10-user cohort | Pilot accepted by business sponsor |
| 3. Pilot | 15-22 | Wider cohort, formal metrics, adjacent UC2 | Measured time saved; no incidents |
| 4. Production | 23+ | Lifecycle operations, expand use cases | — |

## 9. Alternative Paths — Honest Comparison
| Option | Pros | Cons | Fit for this org |
|---|---|---|---|
| Private AI (this path) | Full data sovereignty, cost predictable, customisable | Requires skills, capex, lifecycle work | <Y/N + why> |
| Microsoft Copilot | Fast to deploy, integrated with M365, EU Data Boundary option | Per-seat cost, limited customisation, data governance still needed | <Y/N + why> |
| ChatGPT Enterprise | Strong models, fast | Data goes off-prem, contract review needed, no grounding on your data by default | <Y/N + why> |
| Claude for Work | Strong models, privacy-forward posture | Same off-prem consideration | <Y/N + why> |
| Wait-and-see | No risk | Competitor advantage, staff already shadow-using | <Y/N + why> |

## 10. Board-Ready Summary
> **Private AI at <firm> — <date>**
>
> **Readiness:** <N>/5. <One sentence on what that means.>
> **Recommended first use case:** <UC1> — estimated time saved <N>h/user/week.
> **Investment to reach pilot:** £<N> (capex + services).
> **Timeline to pilot go-live:** <N> weeks.
> **Top 3 gaps to close first:** (1) <>, (2) <>, (3) <>.
> **Recommendation:** Proceed to Phase 0 / Hold for 6 months / Pursue an alternative.
```

## Example invocation

**User:** "35-person London law firm. Partner insists we cannot use cloud AI with client files — it's a hard line. We want document Q&A across 15 years of matter files. Currently M365, no internal infra to speak of, no Linux engineers. Budget £40k for first year."

**What the skill will do:**
1. Ask 12 questions, pressing on: what matter-management system holds the files (it's the real data source), volume of files (determines model size + vector DB), who would operate it day-to-day.
2. Produce the assessment scoring ~2/5 infrastructure (no on-prem), ~4/5 use cases (document Q&A over matter files is ideal private-AI territory), ~1/5 skills, ~3/5 data (files exist but aren't classified), ~2/5 security (needs label rollout).
3. Recommend a managed / hybrid delivery model given the £40k budget and skills gap — consultancy-led PoC, external partner operates the stack, firm owns use cases.
4. Size infrastructure at a single-GPU host (A6000 48GB) with Qdrant + a 13B quantised model as the pilot platform.
5. Flag honestly that £40k/year covers the pilot but not a production managed service; the Phase 4 production opex will be closer to £50-80k/year. Better to know that now than at month 10.
6. Compare to Copilot and note that "the partner's hard line" may be relaxable with EU Data Boundary + restricted-SharePoint-search — worth presenting as Option B.

## Notes for the requester

- **The answer is often "not yet".** That's a success outcome, not a failure. Spending £40k on a PoC that uncovers "we need to classify data first" is better than spending £40k on one that fails because data wasn't classified.
- **Start with a closed-domain use case** — query against a known, curated set of documents. Open-ended chatbots are where private AI pilots die.
- **Skills gap is the #1 predictor** of whether a private-AI pilot survives year one. If there's no internal owner, plan for managed-service opex from day one.
- **Don't let "private" become an excuse to skip governance.** Private AI still needs data-classification, access control, audit logs, and right-to-erasure processes. Often MORE than cloud AI, because you own the lifecycle.
- **Good looks like:** 12 months from start, you have one production use case delivering measurable time savings, no security or data incidents, and a clear decision on whether use-case #2 is worth adding.

---
*VantagePoint Networks · <https://www.vpnetworks.co.uk> · Authored by Hak · Free under the MIT licence*