AI & Software Consulting β Field Reference
A living reference for AICCB2B: a consultancy helping small & medium businesses decide where AI, LLMs, or plain software actually improve their operations β and where they don't. It spans both sides of the practice: the business/operations view and the technical view.
Suggested order: start with the implementation ladder as the map, then work through the AI rungs in depth (prompting β RAG β agentic β fine-tuning) and the non-AI options (RPA β iPaaS β the software stack). ROI modeling is the highest-value skill; data/security and change management are cross-cutting β absorb them alongside. The buy-vs-build tree and sample engagement make it all concrete.
β οΈ Browser find-in-page (Ctrl/β-F) only sees expanded text β hit Expand all first, or just use the search box above.
Two strategic decisions to settle early
Two choices shape both the learning path and the sales motion. Worth aligning on both early β ideally at the founding conversation.
1. Advise only, or also implement?
This is the single biggest fork in the operating model.
| Model | What's sold | What it demands | Economics |
|---|---|---|---|
| Advisory only | Assessment, roadmap, ROI model, vendor shortlist | Breadth. Know the whole menu; no delivery risk | Project fees; lower margin ceiling but low overhead, fast to start |
| Advise + implement | The above plus building/integrating the solution | Depth in a chosen stack + a repeatable delivery method | Higher contract value & stickiness; but delivery + maintenance risk is carried in-house |
2. Niche down, or stay horizontal?
Targeting SMBs across industries is a size-niche, not a domain-niche.
- The bet: most first-movers chase Fortune-500 contracts, leaving the SMB mid-market underserved. That gap is real and defensible.
- The cost of staying horizontal: generalist "AI for SMBs" is crowded and commoditizing. Every engagement means re-learning a new industry's processes, software, and regulations from scratch β slower delivery, harder sales.
- A hedge: stay horizontal to start, but notice which 2β3 verticals keep winning (professional services, light manufacturing, regional healthcare are common SMB sweet spots) and let a niche emerge from evidence. Vertical depth makes sales far easier β being able to say "we've solved exactly this for a firm like yours."
Positioning the practice
Working draft β subject to change.
Positioning = who it's for + what you do differently + why you. The raw ingredients are strong: SMB mid-market focus, an honest anti-hype stance, deep technical judgment paired with a seasoned business partner, and end-to-end delivery (strategy β build β operate). One constraint shapes it: staying horizontal (no vertical specialization) means you can't position on domain expertise β so position on approach.
Three angles
| Angle | The line | Note |
|---|---|---|
| The honest guide | "We tell SMBs where AI actually helps β and where it doesn't." | Trust-first; but honesty alone isn't a moat β everyone claims it. |
| Outcomes, not tech | "We find and deliver the highest-ROI improvements in your operations β AI or not." | Speaks the way SMB owners actually think (results, not technology). |
| Fractional AI & automation team β | "The outsourced AI/automation function for growing 50β400-person companies β we find what pays off, build it, and run it." | Names the underserved mid-market and justifies the delivery + revenue model. |
Pricing & recurring revenue
Working draft β subject to change.
Fixed-project fees + monthly recurring revenue (MRR) is the right shape. The key insight: recurring revenue is worth far more than project revenue β it's predictable, compounding, and it dramatically raises the value of the business itself. Capturing MRR from every client isn't just nice cash flow; it's the core of the model.
Protecting the fixed-project side
The recurring-revenue menu (ordered by margin & stickiness)
| Stream | What it is | Why it ranks here |
|---|---|---|
| Fractional advisory retainer β | A monthly fee to be the outsourced "head of AI/automation" for SMBs too small for a CTO/data team | Highest margin, lowest delivery risk, stickiest β and it keeps you in the room to spot the next build |
| Support / maintenance | The LLMOps/ops line: monitoring, index refresh, "wrong answer" handling, re-testing when a vendor changes the model | Tier by SLA; the maintenance-cost themes already in this reference pre-sell it |
| Audits / tune-ups | Periodic re-assessment and optimization; new-opportunity identification | Naturally a recurring quarterly review |
| Hosting their solution | Hosting/running what you built β RAG app, index, integrations, model access | Real, but the most ops-heavy and thinnest-margin if priced cost-plus β price it as a managed service and offer selectively (esp. data-egress cases) |
Delivery is what unlocks the recurring revenue
Advise β implement β operate. You can't sell ops, hosting, or maintenance MRR if you didn't build the thing β so advise + implement is what makes the recurring model possible. Name the "operate" stage explicitly; it's where the MRR lives. Offer the assessment/roadmap as a standalone product too β clients who self-implement still pay for it, and many come back to hand you the build.
The AI/LLM implementation ladder (buy β wire β build)
The common (and correct) instinct is that custom LLMs are rarely worth it. The valuable skill isn't building models β it's fluency in the full ladder of options below custom training, and pricing each rung honestly. Climb only as high as the problem requires.
| Rung | What it is | When it's the answer |
|---|---|---|
| Prompting & workflow design | Off-the-shelf model + a well-designed prompt/workflow | Surprisingly often. First thing to try. |
| RAG (retrieval-augmented) | Fetch relevant company data at query time, feed it to the model | The real answer when a client says "an AI trained on our data." See the RAG section. |
| Agentic / tool-calling | Model takes actions via tools/APIs, multi-step | Increasingly where real automation value lives β model does, not just answers. |
| Fine-tuning | Adjust model weights on curated examples | Narrow, high-volume, repetitive tasks with stable requirements & a consistent format/voice. Rarely first. |
| Custom training | Train a model from scratch / heavy pretraining | ~Never for an SMB. If it looks like the answer, question the answer. |
The consulting value is knowing the whole menu and quoting each rung's real cost β not reaching for the most sophisticated rung.
Prompt engineering & workflow design
The lowest, cheapest rung β and the one most often skipped in the rush to "build AI." A well-designed prompt plus a bit of workflow structure on an off-the-shelf model solves a surprising share of SMB problems at near-zero build cost. Fluency here is what lets you credibly say "we don't need to build anything" β the single most trust-building sentence in the business.
The mental model
Treat the model as a sharp but context-blind contractor: it only knows what's in front of it (the prompt) plus its training. Good prompt engineering = giving clear instructions, context, examples, and constraints. Good workflow design = decomposing a business task into a sequence of model calls and non-model steps, rather than expecting one giant magic prompt to do everything.
The levers that matter
- Roles & instruction clarity. System prompt sets role, tone, and rules; be explicit about the exact output format you want.
- Few-shot examples. Showing 2β5 inputβoutput examples dramatically improves consistency. This is the key insight: much of what clients think requires fine-tuning is actually solved by few-shot prompting β cheaper, faster, no training.
- Structured output. Force JSON/schema output (or use tool/function calling) so results plug straight into downstream systems. This is the bridge to automation.
- Decomposition / chaining. Break a complex task into steps (extract β classify β draft β check). Each step is far more reliable than one mega-prompt. This is "workflow design."
- Grounding & guardrails. "Answer only from the provided context; if it's not there, say so" measurably cuts hallucination. Add validation/self-check steps for anything consequential.
- Model routing. Match model to step β a cheap/fast model for classification, a stronger model for reasoning. Routing by complexity is a major cost lever at volume.
- Determinism. Lower temperature for extraction/consistency; higher for creative drafting.
When it fits β and when it plateaus
Fits: classification, extraction, summarization, drafting, routing, and text transformation β high-volume text tasks with clear right answers.
Plateaus β climb the ladder: needs private/company knowledge β RAG; needs to take actions β agentic/tool-calling; needs a guaranteed format at massive scale where prompting can't quite hold it β fine-tuning.
Cost shape
Per-token inference only (cheap for short tasks; scales with volume and prompt size). Near-zero build cost. The real "cost" is the engineering time to design and evaluate prompts, plus ongoing tweaks as models change underneath you.
RAG in depth (retrieval-augmented generation)
At its core, RAG makes an LLM answer using specific information it wasn't trained on β without retraining. Instead of baking knowledge into the weights (fine-tuning), relevant information is fetched at query time and placed in the prompt; the model answers from that context.
The mental model
Open-book vs. closed-book exam. Fine-tuning = making the model study until it memorizes the material. RAG = handing it the textbook and telling it which pages to read before answering. For most business cases (answer questions about our policies/products/documents), open-book wins β the "textbook" changes constantly and re-studying every time is wasteful.
The pipeline, end to end
Two phases: ingestion happens once (or continuously as data changes); retrieval+generation happens on every query.
Ingestion / indexing (offline)
- Load β pull in source documents (PDFs, Confluence, support tickets, DB records, Slack exports).
- Chunk β split documents into smaller pieces. Deceptively important (below).
- Embed β run each chunk through an embedding model β a vector (numbers representing meaning). Similar text β nearby vectors.
- Store β put vectors in a vector database, indexed for fast similarity search.
Retrieval / generation (per query)
- Embed the query β same embedding model turns the question into a vector.
- Retrieve β find the chunks whose vectors are most similar (top-k, e.g. the 5 closest).
- Augment β insert those chunks into the prompt as context.
- Generate β the LLM answers using that context, ideally citing which chunks it used.
Where RAG projects actually succeed or fail
Worth internalizing β it separates a demo that wows a client from a system that survives real users. The failures are almost never the LLM; they're in retrieval.
- Chunking strategy. Too big β dilutes relevance, wastes context budget. Too small β severs the context needed to make sense of a passage. Naive fixed-size chunking (every 500 tokens) breaks tables, splits sentences, separates a heading from its content. Better: respect document structure β split on sections, keep semantic units together, overlap chunks at boundaries. For messy PDFs full of tables, this alone can make or break the project.
- Retrieval quality. Only as good as its ability to surface the right chunks. Two big levers:
- Hybrid search β pure vector similarity misses exact-match terms (product codes, names, acronyms). Combine semantic search with keyword search (BM25). Most serious RAG systems are hybrid.
- Reranking β retrieve a broad set (top 25), then use a more expensive, more accurate reranker to reorder and keep the best 5. Meaningfully improves what reaches the LLM.
- Embedding model choice. Determines retrieval quality. Domain matters β general embeddings underperform on legal/medical/technical jargon. Evaluate options (OpenAI, Cohere, Voyage, open-source like the BGE family) on quality and on whether data may leave the client's environment.
- Metadata & filtering. Chunks should carry metadata (source, date, department, access level). Lets the system filter β "only HR docs," "only current-year policies" β before/during search. Critically, it's how access control is enforced: sales shouldn't retrieve confidential finance chunks. For SMB clients this is a real requirement, not an afterthought.
- Evaluation. Hardest to sell, most important to deliver. Knowing whether answers are good requires a test set of representative questions with known-good answers; measure retrieval (were the right chunks fetched?) and generation (correct & grounded?). Tools like Ragas exist for this. Without eval it's flying blind β and impossible to defend the system when a client says "it got this wrong."
When RAG is the right call β and when it isn't
Good fit: Q&A over a corpus, internal knowledge bases, support over documentation, policy/compliance lookup β where knowledge is large, changes over time, and needs citing.
Poor fit or needs additions:
- The task is a behavior/format, not a lookup ("always respond in our brand voice and structure") β fine-tuning or good prompting, not RAG.
- The answer requires reasoning across the whole corpus ("summarize every complaint last quarter") β naive top-k fails; needs aggregation, structured queries, or GraphRAG.
- Highly structured data in a database β sometimes the right answer is text-to-SQL, not vectors.
- Real-time / transactional data (live inventory, account balances) β a static index won't reflect it; wire in tool-calling to live systems.
The build landscape (for pricing & recommendation)
- Buy β many SaaS tools have RAG baked in (Copilot over SharePoint/M365, Glean, Notion AI, vendor "chat with your docs"). Often the right call is use the tool already paid for. The first question every time.
- Frameworks β LangChain, LlamaIndex for orchestration when building. LlamaIndex is particularly RAG-focused.
- Vector databases β Pinecone (managed, easy), Weaviate, Qdrant, Chroma (lightweight), or pgvector (a Postgres extension β often the pragmatic choice for an SMB already running Postgres that doesn't want another vendor).
- Managed end-to-end β Azure AI Search, AWS Bedrock Knowledge Bases, Vertex AI Search handle much of the pipeline. Often the SMB sweet spot: less to maintain, defensible security story, predictable cost.
Cost shape
Model these components: embedding (one-time-ish, cheap, scales with corpus size + re-indexing frequency), vector DB (hosting/subscription), per-query LLM inference (the recurring cost, scales with usage + context size), and the big hidden one β maintenance (keeping the index fresh, monitoring quality, handling wrong-answer tickets). That maintenance line is what clients forget and what should be surfaced early.
Agentic workflows & tool-calling
Where automation is heading β the model doesn't just answer, it does: calls tools, queries systems, takes multi-step actions. Increasingly where real, differentiated value lives. It's also where reliability, cost, and security risk all spike at once, so knowing the failure modes matters as much as knowing the capability.
The mental model
Tool-calling = giving the model a set of functions (APIs) it can invoke, and letting it decide when to call them and with what arguments; your code executes the call and feeds the result back. An agent = a loop where the model reasons, picks a tool, observes the result, and repeats until the task is done (the "ReAct" pattern). If prompting/RAG is the model as an advisor that talks, agentic is the model as a junior employee that operates the tools β sends the email, updates the CRM, queries the database.
The components to know
- Tools/functions. Well-defined functions with schemas (name, params, description). The quality of tool descriptions strongly affects reliability β it's prompt engineering for tools.
- The agent loop. Reason β act β observe β repeat, with a stopping condition.
- The autonomy spectrum. From constrained workflows (fixed steps, model fills the gaps β predictable) to open agents (model chooses the whole path β flexible but far less predictable). For SMB production, lean hard toward constrained workflows.
- Guardrails. Least-privilege tools, human approval for irreversible/consequential actions, spend and step limits, sandboxing.
- Error handling. Tools fail and models loop or hallucinate β timeouts, max-steps, retries, output validation are mandatory.
- Grounding in live systems. Tool-calls to real-time data (inventory, balances, CRM) β this is how you handle the transactional data RAG's static index can't.
- Observability. Log every step, tool call, and decision β essential for debugging and for client trust.
Security β a genuinely new risk surface
When it fits β and when it doesn't
Fits: multi-step tasks that genuinely combine reasoning with actions across systems (triage a ticket β look up the account β draft a reply β update the CRM), where the tool set can be constrained and approvals added.
Doesn't (yet): a deterministic RPA/iPaaS flow already does it (prefer that β cheaper, more reliable); high-stakes irreversible actions without oversight; open-ended long-horizon autonomy where reliability collapses.
The build landscape & cost shape
Frameworks (LangGraph, LlamaIndex, CrewAI, native tool-use in Claude/GPT) and low-code agent builders (Copilot Studio, etc.); vertical SaaS is increasingly embedding agents too. Cost is per-step inference (multiplies with loop length β the big variable), plus tool/API costs, orchestration hosting, and heavy monitoring. Agents are the least predictable and most support-intensive rung β plus the risk cost of a wrong action.
Fine-tuning economics β when it actually pays
The rung clients most often request by the wrong name: "train it on our data." The valuable skill here is knowing the narrow cases where the economics genuinely work β and confidently redirecting the other ~90% to prompting or RAG, with the math to back it up.
The mental model β and the crucial distinction
Fine-tuning adjusts the model's weights by training on many inputβoutput examples, teaching a consistent behavior, format, or style. It is not a way to add knowledge β that's RAG. Prompting = giving instructions; RAG = handing over the textbook; fine-tuning = sending the employee on a training course until one specific task becomes second nature.
| What fine-tuning buys | What it does not buy |
|---|---|
|
|
When the economics pay off (all should be true)
- Narrow, well-defined task β not general Q&A.
- High volume β enough calls that the per-call savings (smaller model, shorter prompts) outweigh the one-time training + data-prep cost.
- Stable requirements β the task/format doesn't change often, or you'll re-train repeatedly (the hidden recurring cost).
- Quality labeled examples exist β hundreds to thousands of clean inputβoutput pairs. Data prep is usually the dominant cost, not the training compute.
- Prompting/RAG already tried and plateaued β fine-tuning is an optimization, never the starting point.
Cost shape & the break-even
One-time: data collection + cleaning + labeling (the big line), training compute (relatively cheap now), evaluation. Recurring: re-training as data/requirements drift, hosting the fine-tuned model (sometimes pricier than a shared API), drift monitoring. The break-even in one line:
(per-call saving Γ volume) β (training + maintenance) > 0 AND the quality bar can't be hit more cheaply by prompting or RAG. There's also a data-egress implication: the training data goes to the provider β a privacy/compliance question.When it's the wrong call
Low volume (never recoups the cost), unstable requirements (constant re-training), a knowledge-freshness need (use RAG), or no quality training data (garbage in). Reach first for few-shot prompting (handles many "consistency" needs) or RAG (handles knowledge) β or a combination (RAG for knowledge + light fine-tuning for format).
Classic ML & predictive analytics (non-LLM AI)
"AI" is not a synonym for "LLM." A large share of real SMB value comes from classic machine learning on structured/tabular data β forecasting, churn, anomaly detection, recommendations. It's often cheaper, more accurate, more explainable, and more defensible than an LLM for these tasks. Recognizing when the honest answer is a boring predictive model β or even a spreadsheet regression β is a major differentiator in a market where everyone reaches for a chatbot.
The mental model
LLMs are for language and unstructured content. Classic ML is for finding patterns in structured, historical data to predict a number or a category. If the question is "what will happen / which category / how much," and there's historical structured data to learn from, that's classic ML (or plain statistics) β not an LLM.
The SMB use-case menu
| Use case | Predicts | Where it lives |
|---|---|---|
| Demand / sales forecasting | Future volume | Inventory, staffing, ERP planning |
| Churn / attrition | Who will leave | Customers or employees |
| Lead scoring / propensity | Who will convert | CRM (sales/marketing) |
| Anomaly / fraud detection | What's unusual | Transactions, quality defects |
| Recommendation | What to offer next | Cross-sell / upsell |
| Predictive maintenance | When it will fail | Manufacturing, equipment |
What separates good advice
- Data is the gate. Classic ML needs clean, historical, labeled structured data β often a higher bar than an LLM demo. Ties straight to data readiness.
- Simplest model that works. For tabular SMB data, logistic/linear regression or gradient boosting (XGBoost/LightGBM) β sometimes just rules β usually beats deep learning. Don't over-engineer.
- Feature engineering > model choice for tabular problems.
- Evaluate against a naive baseline ("predict last month") and use the right metric β precision/recall and the business cost of false positives vs. negatives, not raw accuracy.
- Explainability is a selling point. Trees/linear models explain why β often required by SMBs and regulators, and something LLMs/deep nets struggle to do.
- Drift & maintenance. Models degrade as the world changes β monitoring + retraining cadence. The recurring cost.
LLM, classic ML, or neither?
- Classic ML: predict a number/category from structured history.
- LLM: generate or understand language/unstructured content.
- Hybrid: LLM to structure messy text β classic ML to predict; or classic ML to predict β LLM to explain it in plain language.
- Neither: sometimes it's a BI dashboard, a SQL query, or a simple threshold. Don't ML a rule.
Build vs. buy & cost shape
Many tools already include predictive features β CRM lead scoring, BI/analytics forecasting, ERP demand planning. Enable what they own first. Cloud AutoML (Vertex, Azure ML, SageMaker Canvas, DataRobot) lowers the build bar; bespoke builds are a last resort. Cost: data prep (dominant one-time), model dev (moderate), inference (cheap β far below LLM tokens), and retraining/monitoring (recurring). Generally cheaper to run than an LLM.
Computer vision
The missing modality in the AI menu. You cover language (LLMs), tabular (classic ML), and documents (IDP); computer vision handles images and video β a real capability for manufacturing, retail, logistics, and physical-operations SMBs. Know when it's the answer, when it's overkill, and that it's now largely a "buy/assemble" via cloud APIs and multimodal models.
The mental model
Computer vision = software that interprets images/video β detect, classify, count, locate, measure, or read. Historically deep learning (CNNs); increasingly multimodal vision-language models generalize with far less training data. Like IDP for documents, modern CV needs much less custom training than it used to.
The use-case menu
- Quality inspection / defect detection β manufacturing QA (scratches, misalignment). A high-ROI SMB manufacturing use case.
- Object detection & counting β locate/count items, parts, people, vehicles; shelf/inventory monitoring (retail).
- Image classification β what is this? (product category, defect/no-defect).
- Safety / PPE compliance β is the gear on? (privacy-sensitive).
- Video analytics β retail foot-traffic/behavior, safety monitoring, process observation.
- OCR β reading text from images (overlaps IDP).
What to know
- Data & labeling β needs labeled images; annotation is the effort/cost, and harder to collect than text.
- Off-the-shelf first β cloud vision APIs (Google Vision, Azure AI Vision, AWS Rekognition) do common tasks with zero training; multimodal LLMs (GPT-4V-class) now do many visual tasks zero-shot. Custom-trained models only for specific defects/objects.
- Edge vs. cloud β real-time on-site (a factory line camera) often needs edge inference for latency/bandwidth; batch can be cloud. Hardware (cameras, edge devices) matters β ties to IoT.
- Environment is everything β lighting, angle, occlusion, and variation wreck accuracy; controlled setups (fixed camera on a line) work best. Confidence thresholds + human review for edge cases (like IDP).
- Privacy/ethics β facial recognition and person tracking are legally/ethically sensitive (ties to governance/security).
When it fits / doesn't Β· cost shape
Fits: repetitive visual tasks, high volume, controlled environment, clear visual signal. Doesn't: highly variable/uncontrolled scenes, low volume (labeling not worth it), or where a simpler sensor would do (don't CV what a barcode or scale solves). Cost: data collection + labeling (dominant one-time), model dev, inference (edge hardware or cloud per-image), plus camera/hardware + retraining. Hardware + integration make CV heavier than a pure-software LLM project.
Intelligent document processing (IDP & OCR)
One of the most common, concrete, high-ROI SMB use cases: turning documents β invoices, purchase orders, forms, contracts, receipts, claims β into structured data automatically. Every SMB drowns in manual document data-entry, so this is tangible, measurable, and fast-payback. A great foot-in-the-door engagement.
The mental model & pipeline
IDP is a pipeline: ingest documents β read them (OCR for scans/images) β understand and extract the fields you care about β validate β push structured data into the system of record. Modern IDP combines OCR, layout understanding, and LLMs/vision models.
- Capture / ingest β scan, email, upload, or API.
- OCR β convert image/scan to text (printed, increasingly handwriting).
- Classification β what type of document is this?
- Extraction β pull the fields (invoice #, line items, totals, dates). Where LLMs/layout models now shine β handling variable layouts that rule-based extraction couldn't.
- Validation β business rules & confidence thresholds (do line items sum to the total? valid date format? match a known vendor?).
- Human-in-the-loop review β low-confidence items routed to a person.
- Integration β structured output into ERP/accounting/CRM.
What separates good advice
- Document type drives difficulty. Structured (fixed forms) β easy; semi-structured (invoices β same fields, different layouts per vendor) β the sweet spot and the real challenge; unstructured (contracts) β hardest.
- Why LLMs changed the game. Old IDP needed a template per vendor; LLM/vision models generalize across layouts, slashing setup β a big deal for SMBs with many vendors.
- Confidence & straight-through processing. Extraction is never 100%. Design confidence thresholds and route exceptions to humans. The straight-through-processing rate (% needing no human touch) is the key ROI metric β and it climbs over time.
- Validation is where reliability lives β sum checks, format checks, lookups against master data.
- Hard cases: handwriting, poor scans, complex tables.
- Compliance: documents often carry PII/PHI β see data/security.
Build vs. buy & cost shape
Strong buy/assemble category. Mature products (Rossum, ABBYY, Docsumo, Nanonets), cloud document-AI (Azure Document Intelligence, AWS Textract, Google Document AI), and AP-automation SaaS with it baked in (Bill.com, Ramp). Cloud document-AI + a little LLM extraction is the pragmatic assemble; build custom only for unusual documents. Cost: implementation (integration + validation rules + tuning), per-page/per-document processing (recurring), and human-review labor for exceptions (recurring, shrinks as accuracy rises). Payback is often fast β it directly replaces data-entry hours.
Conversational AI & voice
The most visible face of "AI," and where much SMB demand originates β customer-facing chatbots, internal assistants, and increasingly voice (call answering, call-center agents, transcription). High visibility means high reputational risk: a bad bot is worse than no bot. The value you add is knowing the design that makes it work β and when not to build one.
The mental model
A conversational system is mostly a composition of the earlier rungs wrapped in a chat/voice UX: interface + understanding + a backend (RAG for knowledge, tool-calling for actions) + graceful escalation to humans. Voice adds speech-to-text (STT) in front and text-to-speech (TTS) at the end of an otherwise text pipeline. It's packaging more than a new capability β which is why it's usually a "buy," rarely a bespoke build.
Channels & use cases
- Customer support chatbot β deflect tier-1 questions, RAG over docs.
- Internal employee assistant β HR/IT self-service.
- Voice β automated phone answering / IVR replacement, and agent assist (real-time suggestions to human agents).
- Transcription & meeting AI β summaries and action items. An easy, low-risk starter win.
- Website lead-qualification bots.
What separates good advice
- Deflect + escalate, don't "handle everything." The goal is to handle the easy stuff well and hand off gracefully. Escalation design β when/how to pass to a human, with full context β is make-or-break.
- Grounding is mandatory. Customer-facing bots must answer from approved content (RAG) with guardrails and an honest "I don't know β let me connect you." A hallucinated answer at scale is a brand and legal risk.
- Scope control. Narrow, well-defined bots succeed; open-ended "ask me anything" bots disappoint.
- Voice is materially harder than chat β STT accuracy (accents, noise), low latency for natural turn-taking, TTS quality, and interruption handling. Respect the difficulty.
- Measure: containment/deflection rate, escalation rate, resolution accuracy, CSAT.
Build vs. buy & cost shape
Heavy buy territory: CX platforms (Intercom Fin, Zendesk AI, Salesforce/Einstein, Ada), voice platforms, and meeting AI (Otter, Fireflies, or built into Zoom/Teams/Meet). Many CRMs/helpdesks bundle it. Assemble/build only for differentiated needs. Cost: platform pricing per-resolution or per-minute for voice (recurring, scales with volume), implementation (content prep, integration, conversation design), and ongoing tuning + monitoring. Voice costs more than chat.
Choosing models & providers
A cross-cutting decision under every LLM recommendation: which model, from whom, hosted how. Clients ask "OpenAI, or something else?" β and the value is a vendor-neutral, constraint-driven answer, plus the humility that this landscape shifts monthly.
The mental model
Don't pick a model β pick for a set of constraints, and design so the model is swappable (abstract it behind an interface), because the leader will change. The "best" model is task- and constraint-dependent.
The decision axes
- Capability / quality β reasoning-heavy work needs frontier models; simple classification/extraction runs fine on small, cheap ones (ties to model routing).
- Cost β per-token pricing varies enormously across tiers; at volume it dominates the bill.
- Latency β user-facing and voice need speed; batch jobs can tolerate slow.
- Context window β how much you can feed in (long docs, large RAG context).
- Data egress / privacy β can data go to a third party, with enterprise/zero-retention terms? Or must it stay in-VPC/on-prem β self-hosted open model. Often the deciding constraint (ties to security).
- Ecosystem fit β client on Azure β Azure OpenAI; on AWS β Bedrock; on Google β Vertex. Buying through the cloud they already use simplifies security, procurement, and billing.
- Modality β text vs. vision vs. audio needs.
The landscape (early 2026 β verify; it moves fast)
| Provider | Known for |
|---|---|
| Anthropic (Claude) | Strong reasoning, coding, long context, tool use; enterprise-friendly |
| OpenAI (GPT) | Broad capability, large ecosystem |
| Google (Gemini) | Strong multimodal, long context, Workspace/Vertex integration |
| Open-weight (Llama, Mistral, Qwenβ¦) | Self-hostable for data-sovereignty / cost-at-scale; more ops burden |
Access routes: direct API vs. via the client's cloud (Azure OpenAI, AWS Bedrock β multi-model, Google Vertex). Cloud routes give the security/procurement story SMBs want.
Hosted vs. self-hosted
- Hosted API (managed) β the SMB default: no infra, always current, pay-per-use.
- Self-hosted open model β only when data can't leave, extreme scale makes per-token uneconomical, or full control is required. Real ops cost β usually not worth it for an SMB.
Practical guidance
- Start with a capable hosted model via the client's existing cloud; optimize later.
- Abstract the model behind your code so it's swappable β avoid lock-in.
- Don't over-optimize model choice early; prompt/RAG quality matters more than which frontier model.
- Re-evaluate periodically β prices fall and models improve; a cheaper/smaller model may now suffice.
- Benchmark on the client's actual task and data, not public leaderboards.
Evaluating & measuring AI systems
The discipline that separates a demo from a defensible system β currently scattered across RAG (Ragas), prompting (eval sets), and classic ML. It's worth understanding on its own, because "how do you know it works?" is the question every serious client, and your own ROI model, depends on. Without evaluation you're flying blind and can't defend the system when someone says "it got this wrong."
The mental model
You can't improve or trust what you can't measure. Evaluation = define "good," build a representative test set, measure against it, and monitor in production. It's both a technical practice and a trust/sales instrument.
The layers
- Offline eval (pre-launch) β a curated test set of representative inputs with known-good outputs; measure before deploying. The foundation.
- Online eval (in production) β real usage: A/B tests, user feedback (thumbs up/down), quality tracked over time (ties to LLMOps).
- Human vs. automated β humans judge quality (gold standard, expensive); automated metrics and "LLM-as-judge" scale it (cheaper, imperfect). Blend them.
What to measure, by system type
| System | Key metrics |
|---|---|
| Classic ML | Accuracy, precision/recall, F1, AUC β plus the business cost of each error type; baseline vs. naive |
| RAG | Retrieval quality (right chunks?) and generation quality (correct, grounded, faithful) β Ragas |
| LLM tasks | Correctness, format adherence, tone, safety β task-specific rubrics |
| Agentic | Task-completion rate, steps, tool-call correctness, cost per task |
| Business | Does it move the KPI? Deflection rate, hours saved, error reduction, conversion β ties to ROI |
What to know
- Build a golden test set from real, representative cases (with edge cases) β the single most valuable eval asset. Collect the client's example inputs + known-good answers early (ties to discovery).
- Regression testing β re-run evals when you change a prompt/model/index, or when the vendor updates the model, to catch silent degradation.
- Guardrail/safety eval β test for harmful, biased, or injection-triggered outputs (ties to governance/security).
- Tools β Ragas (RAG), LangSmith / Langfuse / Braintrust (LLM eval & observability), standard ML metrics, or just a spreadsheet for small SMB cases. Don't over-tool.
AI in production: LLMOps & MLOps
The "day 2" reality that makes or breaks AI value β and the source of the maintenance cost line cited throughout this reference. Building a demo is easy; running an AI system reliably in production for years is the hard, unglamorous part. If you implement (not just advise), you must understand this; even as pure advisory, you must scope and price it honestly.
The mental model
An AI system isn't a project you finish β it's a service you operate. Like any software it needs deployment, monitoring, updates, and incident handling, plus AI-specific concerns: models drift, prompts regress, vendors change models under you, and quality is probabilistic, not binary. "Ops" is where the recurring cost and the reliability live.
MLOps (classic ML)
- Lifecycle as a loop: train β validate β deploy β monitor β retrain.
- Data/model drift monitoring β performance decays as the world changes; detect and retrain. The core recurring task.
- Versioning (data, model, code) and reproducibility; batch vs. real-time serving; automated retraining pipelines.
LLMOps β what's different
- Prompt/version management β prompts are assets; changes regress silently β version + eval.
- The vendor changes the model under you β a provider updates or deprecates a model and behavior shifts; you must monitor and re-test. A real operational risk unique to hosted LLMs.
- Evaluation in production β quality is subjective/probabilistic; ongoing eval, not one-time (see the evaluation section).
- Guardrail & output monitoring β catch hallucinations, unsafe outputs, injection attempts.
- Cost & latency monitoring β token cost and latency at production volume (ties to the ROI token-blowup warning); caching and routing to control it.
- RAG ops β keep the index fresh (re-ingestion) and monitor retrieval quality.
Cross-cutting production concerns
- Observability β log inputs, outputs, decisions, tool calls (ties to agentic) for debugging and audit.
- Incident response β rollback, kill-switch, and human escalation when the AI produces something wrong or harmful at scale.
- Feedback loops β review queues and thumbs-up/down that feed continuous improvement.
- Reliability β fallbacks for when the model API is slow or down.
Responsible AI & governance
As clients adopt AI, they β and their customers and regulators β increasingly need to use it responsibly: managing bias, transparency, accountability, and legal risk. For SMBs the goal is pragmatic governance, not a Fortune-500 ethics bureaucracy. You're the advisor who helps them adopt AI confidently by managing the risks β governance isn't a blocker, it's what lets a cautious client say yes.
The mental model
Governance = the lightweight policies, processes, and controls that keep AI use safe, fair, compliant, and accountable. Right-size it to risk: a marketing-copy assistant needs almost none; an AI that influences hiring, lending, or medical decisions needs real oversight.
The dimensions to know
- Bias & fairness. Models can encode and amplify bias. In regulated decisions (hiring, lending, insurance) this is legal exposure β disparate impact under EEOC / fair-lending rules. Test for it, keep a human on consequential decisions, and be cautious wherever AI touches protected classes.
- Transparency & explainability. Can you explain why the AI produced an output? It matters for trust, disputes, and regulation (ties to classic-ML explainability). Disclose AI use to customers where appropriate or required ("you're chatting with a bot").
- Accountability & human oversight. Who owns an AI decision or error? Design human-in-the-loop for anything consequential and assign clear ownership β "the AI did it" is not a defense.
- Accuracy & hallucination management. Grounding, guardrails, and review (ties to RAG/prompting) β a wrong answer at scale is a real liability.
- Privacy & security. The data-handling and egress questions from data/security are part of governance.
The AI acceptable-use policy (AUP) β the concrete SMB deliverable
The single most practical governance artifact for an SMB: a short internal policy covering what employees may and may not do with AI tools.
- Which tools are approved; which are banned.
- What data may never be pasted in (client PII/PHI, secrets, source code) β especially into consumer-tier tools.
- When human review is required before an AI output is used or sent.
- Disclosure rules, ownership, and escalation.
Regulatory & framework landscape (moving fast β verify)
- EU AI Act β risk-tiered obligations (unacceptable / high / limited / minimal); affects anyone serving the EU.
- Emerging US state laws and sector rules (e.g. on automated hiring/lending decisions).
- Frameworks to structure a program: NIST AI Risk Management Framework, ISO 42001.
Right-sizing for SMBs
Not a bureaucracy β a lightweight AUP, human oversight on consequential uses, vendor-terms diligence (ties to model choice & data/security), basic monitoring, and awareness of the regs that touch the client's industry. Match governance weight to actual risk.
RPA & workflow automation (non-AI)
The unglamorous workhorse. A huge share of "we need AI" is really "we do the same clicks and copy-paste 500 times a week." Automation delivers fast, cheap, reliable wins β and those wins build the trust that earns the bigger engagements. Being the advisor who says "you don't need AI here, you need this repeated task automated" separates a practice from hype-sellers.
The mental model
Automation = encoding a rule-based, repetitive process so software does it. Two distinct flavors that get conflated:
- Integration / trigger-based β "when X happens in app A, do Y in app B," through APIs. Zapier, Make. Clean and durable.
- RPA (robotic process automation) β software "robots" that mimic human UI actions (clicks, typing, screen-scraping) for systems that lack APIs. UiPath, Power Automate desktop. Powerful but brittle.
Which tool, when
| Tool | Sweet spot | Watch-outs |
|---|---|---|
| Zapier | Simplest, most connectors; SaaS-to-SaaS glue, lowβmedium volume | Cost climbs with task volume; limited complex logic |
| Make | Visual, strong branching/logic, cheaper at volume | Steeper learning curve than Zapier |
| Power Automate | M365 shops; both cloud (API) flows and desktop RPA; good price/value | Best value only inside the Microsoft ecosystem |
| UiPath (& peers) | Heavy, high-volume, legacy/no-API enterprise RPA | Cost & complexity β usually overkill for small SMBs |
What separates good automation advice
- Process selection. Automate work that is high-volume, rule-based, stable, and has structured input. Avoid low-volume tasks (won't repay the build) and volatile ones (constant rework).
- Don't automate a broken process. Fix or simplify it first β otherwise you just make the mess run faster.
- Attended vs. unattended. Attended runs at a person's desk on demand; unattended runs on a schedule/server. Affects licensing and design.
- Error handling & monitoring. What happens when a step fails? Notifications, logging, retries, fallback. This is the operational reality clients forget.
- Sprawl / shadow IT. No-code automations proliferate and then break silently with no owner. Recommend an inventory, clear ownership, and documentation.
When it fits β and when it doesn't
Fits: data entry, notifications, file moving, report generation, cross-app sync, form processing β repetitive rule-based work.
Doesn't: judgment-heavy tasks (need AI or a human), unstable processes, low-volume one-offs, brittle UI-scraping at scale.
Cost shape
Implementation is usually low (daysβweeks). Licensing is per-task / per-flow / per-bot and can add up at volume. Maintenance (flows break when the connected apps change) is the recurring line. Payback is often very fast β weeks to a few months β because you're directly replacing labor hours. This is where the easiest, most defensible ROI wins live.
iPaaS & integration
The deepest, most durable SMB pain β data trapped in disconnected systems β and the least glamorous to fix. Most "our reporting is a nightmare" and even "we need AI" problems trace back to systems that don't talk. Integration is frequently the prerequisite that makes any later AI project feasible at all: the data has to be reachable and clean first.
The mental model
iPaaS (integration platform as a service) is a cloud platform that connects applications and moves, transforms, and syncs data between them β centrally managed, monitored, and governed. Contrast with point-to-point connections (a pile of one-off Zaps): fine for a few, but at fifteen it becomes undocumented spaghetti that breaks silently. iPaaS is the durable layer for many integrations at scale.
What to actually know
- Integration patterns. Real-time/event-driven (webhooks) vs. batch (scheduled sync); one-way vs. bidirectional sync. Bidirectional sync with conflict resolution ("both systems changed the same record β which wins?") is the classic hard problem; call it out early.
- Data mapping & transformation. Fields rarely match 1:1 across systems. Mapping, transforming, and normalizing data is the real work β most of the effort and the estimate.
- Master data / source of truth. Define the authoritative system per data domain (customer, product, invoice) so you don't end up with conflicting records everywhere.
- APIs & their limits. Rate limits, OAuth, versioning; legacy systems with poor or no APIs (may force middleware or RPA).
- Reliability. Error handling, retries, idempotency (running the same sync twice mustn't create duplicates), and monitoring. This is the operational reality.
- Data quality at the boundary. Integration surfaces dirty data β dedup and validation belong in the pipeline.
- Security. Data in transit, credential storage, PII crossing system boundaries (ties to the data-security section).
The vendor tiers (for pricing & fit)
| Tier | Tools | SMB fit |
|---|---|---|
| Light task automation | Zapier, Make | Small #s of simple integrations |
| Mid-market iPaaS | Workato, Boomi, Celigo | The usual SMB sweet spot for governed, multi-system integration |
| Enterprise | MuleSoft | Heavy & expensive β usually overkill for a 60β400-person shop |
| Native connectors | Salesforce/HubSpot/ERP built-ins | Often the cheapest path β check first |
When it fits β and what's hard
Fits: killing manual re-entry, unified reporting, keeping CRM/ERP/finance in sync, and enabling analytics or AI on top.
Hard: bidirectional sync with conflicting edits, legacy no-API systems, poor underlying data quality, and under-scoping the mapping + maintenance effort.
Cost shape
Platform subscription (scales with connectors/tasks/volume), implementation (the mapping + testing is the big one-time line), and maintenance (APIs change, syncs break, data drifts β a real recurring cost). Often the highest-ROI foundational work you can recommend.
The core business software stack
You can't recommend improvements to a business you can't map. Fluency in the core software categories β what each does, where data lives, where the seams (integration gaps) are, and what AI they already include β is the literacy underneath every engagement. It's also how you spot the single most valuable observation: "you already own a tool that does this."
The mental model
Every business runs on a stack of systems of record, each owning a slice of the company's data and processes. The job in discovery is to map the client's stack, trace the data flows and gaps between systems, and know each system's native capabilities β including AI features they're already paying for.
The categories to know cold
| Category | What it owns | Leaders (SMB-relevant) |
|---|---|---|
| ERP | Finance/accounting, inventory, supply chain, procurement β the money & operations backbone | NetSuite, Dynamics 365, SAP Business One, Sage, Acumatica |
| CRM | Sales, marketing, customer data, pipeline, support | Salesforce (Einstein), HubSpot, Dynamics, Zoho |
| Vertical / industry | Industry-specific core ops (practice mgmt, MES/PLM, POS, loan originationβ¦) | Depends on industry β where deep vertical value & messy data live |
| Accounting | Books for smaller SMBs (below full ERP) | QuickBooks, Xero |
| HRIS / payroll | People, payroll, benefits | Workday, BambooHR, Gusto |
| Productivity (+ embedded AI) | Docs, email, collaboration β and bundled AI | M365 (Copilot), Google Workspace (Gemini) |
| Ticketing / BI / commerce | Support, analytics, online sales | Zendesk, ServiceNow Β· Power BI, Tableau Β· Shopify |
What to assess per system
- Data model for the entities you'll touch (customer, order, product) β determines integration and AI-readiness.
- Native capabilities & AI features already paid for (Einstein, Copilot, HubSpot AI) β recommending what they own beats a build. This is the buy-vs-build reflex in practice.
- Integration points & the manual-re-entry gaps β where your automation/integration recommendations live.
- Customization vs. configuration ceiling β Salesforce is highly customizable; some vertical tools are rigid. Sets what's feasible.
- Licensing & TCO (seats, modules, hidden costs) β feeds the ROI model.
- Lock-in / failure traps β over-customized Salesforce orgs, botched ERP rollouts, vertical tools with no API. Learn to recognize them.
Cybersecurity & IT foundations (SMB)
The biggest real technology risk for an SMB isn't a lack of AI β it's weak security and fragile IT. Ransomware, phishing, and untested backups sink small companies outright. You'll constantly encounter (and should flag) these gaps, and often the highest-value recommendation is "fix these foundations before anything else." Every AI/automation you add also expands the attack surface, so you must speak this. Know enough to assess and prioritize; partner with specialists/MSSPs for deep work β stay in the advisory lane.
The mental model
Security is risk management, not a product you buy β reduce the likelihood and impact of incidents across people, process, and technology. For SMBs, a handful of fundamentals ("cyber hygiene") close ~80% of the risk, because most breaches exploit basic gaps (no MFA, unpatched systems, phishing, weak passwords), not exotic attacks.
The SMB fundamentals β the checklist that closes most risk
- MFA everywhere β the single highest-ROI control; prefer phishing-resistant MFA.
- Identity & access β SSO, least privilege, disciplined offboarding (revoke access), no shared accounts, control privileged accounts.
- Patch & update β unpatched software is a top entry vector.
- Endpoint protection (EDR) and device management (MDM) on all devices.
- Email security & phishing defense β filtering plus user awareness; phishing is the #1 way in.
- Backups (3-2-1), offline/immutable, and tested restores β the ransomware insurance. An untested backup is not a backup.
- Network basics β firewall, segmentation, secure Wi-Fi, VPN / zero-trust for remote.
- Encryption at rest and in transit (including laptops) and security-awareness training β humans are the weakest link.
Frameworks & standards (to structure an assessment & sound credible)
- NIST Cybersecurity Framework β Identify Β· Protect Β· Detect Β· Respond Β· Recover. The go-to structure.
- CIS Controls β prioritized and SMB-friendly (start with Implementation Group 1).
- ISO 27001 / SOC 2 β for clients who must prove security to their own customers.
- Cyber-insurance requirements β increasingly dictate a baseline (MFA, tested backups, EDR); a useful forcing function.
Beyond hygiene
- IAM depth: SSO (Entra ID / Okta / Google), conditional access, privileged-access management (PAM).
- Backup vs. DR vs. business continuity: backup = data; disaster recovery = restoring systems (RTO/RPO targets); business continuity = keeping the whole business running. Have a plan and tabletop-test it.
- Incident response plan β who does what when breached; most SMBs have none.
- Third-party / supply-chain risk β your SaaS vendors' security is your risk.
- Zero-trust β "never trust, always verify," increasingly the model.
Cost shape
Many fundamentals are cheap or already owned (MFA/SSO in M365/Google, EDR bundles) β very high ROI. DR/BC and advanced controls cost more. Frame the value as risk reduction / avoided loss, not productivity. Cyber insurance is a recurring cost that also forces good baseline controls.
Business intelligence & the data stack
Most SMBs are data-rich but insight-poor: numbers trapped in systems, decisions made on gut or fragile spreadsheets. Frequently the highest-value no-AI recommendation is "let's give you a dashboard that shows what's actually happening." BI and the data stack beneath it are also the foundation that makes analytics and AI possible β you usually build this before ML/AI, and it delivers value on its own.
The mental model β a layered stack
Raw data lives in source systems (CRM/ERP/etc.). To analyze across them you (1) move it into a central store, (2) clean and model it into consistent shape, (3) visualize it for decisions. BI is the top visualization layer; the "data stack" is the plumbing beneath.
| Layer | What it does | Typical tools |
|---|---|---|
| Sources | The business systems holding data | CRM, ERP, apps (see the stack section) |
| Ingestion (ETL/ELT) | Move data into the warehouse | Fivetran, Airbyte, or your iPaaS |
| Data warehouse | Central analytical store | Snowflake, BigQuery, Redshift; even Postgres for SMB |
| Transformation / modeling | Clean, join, define metrics once | dbt |
| BI / visualization | Dashboards & reports | Power BI, Tableau, Looker, Metabase |
What to know
- Descriptive first. "What happened" (dashboards, KPIs, reports) is the SMB bread-and-butter β distinct from predictive (classic ML) and prescriptive analytics.
- Semantic layer / single source of truth. The classic problem: "why do sales say $2.0M and finance say $1.8M?" Define each metric once so reports agree.
- Data governance & quality. A dashboard on bad data misleads confidently (ties to data readiness) β garbage in, pretty garbage out.
- Self-service vs. curated. Balance letting users build their own reports against a governed source of truth.
- KPI design. Pick metrics that drive decisions, not vanity numbers (overlaps the business side).
- Spreadsheets β BI. Many SMBs run critical operations on fragile, error-prone Excel; migrating the important ones to a real system is a common, high-value fix.
Right-size it β don't over-engineer
- Small SMB: a BI tool (Power BI / Metabase) pointed straight at one or two sources β or even Sheets + Looker Studio. No warehouse needed.
- Growing / multi-system: the full stack (warehouse + ELT + dbt + BI).
- Check first: many business apps already have built-in dashboards β use them before building anything.
When it fits / what's hard Β· cost shape
Fits: cross-system reporting, KPI visibility, replacing manual Excel reports, operational dashboards. Hard: poor source-data quality, no integration yet (need the plumbing first), and metric-definition disagreements (political, not technical). Cost: BI licensing (per-seat), warehouse (usage-based compute/storage β can surprise), ELT tooling, and the big lines β implementation (modeling + metric definition) and maintenance (pipelines break, metrics evolve).
Custom software, build-vs-buy & low-code
A recurring decision whenever a business need isn't met by existing tools: configure what they have, buy more SaaS, wire tools together, build with low-code, or commission custom software? Getting this right β and steering clients away from expensive bespoke builds β is core judgment. It's the software analog of the AI buy-vs-build ladder.
The mental model β a spectrum of custom
From least to most custom: configure an existing tool β buy point SaaS β integrate/wire (iPaaS) β low-code/no-code build β custom development. Climb only as far as the need requires. Custom software is the most powerful and the most expensive β not to build, but to maintain forever.
The build-vs-buy call
- Buy when the need is common and non-differentiating (accounting, CRM, HR) β a vendor sells a better, maintained product than you'd build.
- Build when the need is core-differentiating (the client's competitive edge), no adequate product exists, or the workflow is genuinely unique. Rare for SMBs, but real.
- The hidden cost of build isn't the initial project β it's perpetual maintenance, security, updates, and key-person risk. Buying externalizes all of that.
- The hidden cost of buy is per-seat cost at scale, lock-in, and gaps that force workarounds.
Low-code / no-code β the SMB game-changer
- What it is: build apps/workflows visually with little or no code. Internal-tools builders (Retool, Budibase), app builders (Power Apps, Bubble, Glide), database-apps (Airtable, Notion), workflow (Power Automate/Zapier β overlaps automation).
- Sweet spot: internal tools, forms, simple CRUD and workflow apps, dashboards β built in days, not months, without a dev team.
- Watch-outs: governance/sprawl (shadow IT again), complexity ceilings, platform lock-in, scaling limits, and "who maintains it?" Great for the 80%; the last 20% may force real code.
- The angle: low-code is often the right middle path between "buy something ill-fitting" and "commission an expensive custom build."
Adjacent skills
- SaaS selection / procurement: structured vendor evaluation β requirements β shortlist β demos β TCO β references β contract & exit terms. Don't buy by hype.
- Legacy modernization / migration: when to replace aging systems; data migration is the hard, risky part.
- Requirements first: never pick a solution before defining the actual need (see discovery).
- Technical debt: corners cut now cost more later β flag it.
Cost shape
Buy = subscription (recurring, scales with seats). Low-code = platform subscription + low build effort + medium maintenance. Custom = high upfront + high perpetual maintenance + team/contractor + key-person risk. Model TCO over ~3 years (ties to ROI).
Cloud & infrastructure
The foundation everything runs on. SMBs face decisions about where systems live (on-prem vs. cloud), which cloud, and how to control spiraling costs. You don't need to be a cloud architect, but you must understand the models, trade-offs, and cost levers to advise credibly and to right-size any AI/data infrastructure you recommend.
The mental model
"The cloud" = renting computing (servers, storage, databases, services) on demand instead of owning hardware. Three service models by how much the provider manages:
- IaaS (infrastructure) β rent raw VMs/storage, manage the rest. Most control, most work.
- PaaS (platform) β provider runs the infra; you deploy apps/data.
- SaaS (software) β a fully managed application (most SMB software). Least work.
For SMBs, prefer managed (SaaS/PaaS) β less to run, matching the "low maintenance, few vendors" preference.
What to know
- The big three: AWS, Azure, Google Cloud. Choose by ecosystem fit (Microsoft shop β Azure), specific services, and existing footprint β the same "meet them where they are" logic as model choice.
- On-prem vs. cloud vs. hybrid: cloud wins on flexibility/scaling/no-capex for most SMBs; on-prem/hybrid for data-sovereignty, latency, or legacy constraints (ties to data egress).
- Migration: "lift-and-shift" vs. re-architecting; migrations are risky and often costlier than expected β data migration is the hard part.
- Shared-responsibility model: the provider secures the cloud; you secure what's in it β misconfiguration is the top cause of cloud breaches.
- Databases & storage: relational (Postgres/MySQL/SQL Server) vs. NoSQL; when a business needs a real database instead of spreadsheets; managed DB services.
- Serverless / containers β awareness level: managed compute, less infra to run.
Cost shape
Cloud is opex (pay-per-use), not capex β a benefit, but also the runaway-cost risk. Managed services cost more per unit but far less to operate (usually the right SMB trade). Migration is a big one-time project cost; AI/data workloads add compute + warehouse hosting.
Unified communications, VoIP & contact center
The communications backbone β phones, messaging, meetings, and customer contact. Many SMBs still run legacy on-prem phone systems ripe for cloud modernization, and contact-center upgrades are a common, tangible engagement. It's also the substrate that voice AI plugs into: you can't recommend a voice agent without understanding the phone system behind it.
The mental model
Communications has moved from hardware (desk phones, on-prem PBX) to cloud software, pay-per-seat, integrated with the rest of the stack. Two layers: internal collaboration (calls/chat/video/meetings) and customer contact (inbound/outbound, routing, queues).
The "as-a-service" landscape
| Category | What it is | Players |
|---|---|---|
| VoIP / cloud telephony | Voice over internet, replacing legacy PBX/landlines | RingCentral, 8x8, Dialpad, Zoom Phone, Teams Phone |
| UCaaS | Unified calls + video + chat + presence | Teams, Zoom, RingCentral (often already owned) |
| CCaaS | Contact center: routing (IVR/ACD), queues, omnichannel, agent tools, analytics | Genesys, Five9, Talkdesk, Amazon Connect, Zendesk |
| CPaaS | APIs to embed SMS/voice into apps (notifications, verification) | Twilio, Vonage |
What to know
- Leverage what they own β many SMBs already have UCaaS (Teams/Zoom); build on it rather than adding a vendor.
- CRM integration β screen-pops, call logging, click-to-dial: comms β CRM is a real productivity win (ties to stack/iPaaS).
- Reliability & quality β internet dependency, QoS, redundancy, number porting.
- Compliance β call-recording consent and outbound rules (e.g. TCPA) β get this right.
- Where AI plugs in β voice agents / IVR replacement, agent assist, real-time transcription, call analytics & QA, sentiment (ties to conversational AI) β after the underlying platform is solid.
When it fits Β· build vs. buy Β· cost
Fits: legacy PBX modernization, remote/hybrid enablement, contact-center efficiency, high call volume, or as the foundation before voice AI. Entirely buy/configure β mature SaaS, chosen by size, features (simple phone vs. contact center), ecosystem (Teams shop β Teams Phone), and integration needs. Cost: per-seat subscription (recurring, usually cheaper than legacy), one-time setup/porting, plus usage (minutes/SMS); contact center adds per-agent + usage.
Customer-facing tech: web, e-commerce & martech
Almost everything else here is internal efficiency and cost. But the mission also includes "reach more customers" β the top line. For many SMBs the biggest opportunity isn't cutting internal cost, it's a weak digital presence and disconnected marketing leaving revenue on the table. Be conversant here even if you partner out execution (web/marketing agencies) β a consultant who sees both cost and growth is far more valuable.
The mental model β the funnel
Map the customer journey: awareness β acquisition β conversion β retention. Technology supports each stage; find the weakest, highest-leverage stage and fix that. Efficiency plays save cost; growth plays can dwarf them.
The stack to know
- Website / digital presence β the foundation. CMS platforms: WordPress (SMB default), Webflow, Squarespace/Wix (simple). Many SMBs have neglected, slow, non-mobile sites β a fast, high-impact fix. Performance, mobile, and accessibility are table stakes.
- E-commerce β Shopify (SMB default), WooCommerce, BigCommerce; payments, catalog, and fulfillment integration (ties to ERP/inventory); conversion-rate optimization (CRO).
- SEO / discoverability β technical SEO, content, and local SEO (Google Business Profile β huge for local SMBs). Note the emerging "AI search / answer-engine" visibility as LLMs start citing sources.
- Paid advertising β Google Ads, Meta, retargeting (awareness level; often outsourced, but you advise on stack & measurement).
- Marketing automation / martech β email (Mailchimp, Klaviyo for e-comm), marketing automation (HubSpot β ties to the CRM you know), lead capture, nurture campaigns, landing pages.
- Analytics & attribution β GA4, conversion tracking, channel attribution (which channels drive revenue). SMBs often fly blind on marketing ROI (ties to BI).
Where AI plugs in (but fundamentals first)
Content generation (LLM), personalization/recommendations (classic ML), lead-qualification chatbots (conversational), creative image generation. But the biggest wins are usually fixing the fundamentals and connecting the systems β not adding AI.
Build vs. buy & cost shape
Overwhelmingly buy/configure β Shopify, HubSpot, WordPress dominate; rarely custom. Often partner with a web/marketing agency for execution while you own strategy, stack selection, integration, and measurement. Cost: platform subscriptions (recurring), design/implementation (one-time), ad spend (separate recurring). ROI is top-line (leads, conversion, revenue) β model revenue impact, but caveat that attribution is fuzzy.
Process mapping, BPM & process mining
The foundational discipline: you can't improve or automate a process you haven't mapped. Every good recommendation β AI or not β starts from understanding how work actually flows today, where the waste is, and what "good" looks like. This is where your world and the business partner's meet: they bring process expertise, you bring the technical mapping and the tools that make it rigorous.
The mental model β process before technology
Map the current state (as-is) β find the pain (delays, rework, manual handoffs, bottlenecks) β design the future state (to-be) β then pick the technology. Solution-first thinking ("let's add AI here") without process understanding is how projects fail.
The discipline
- Process mapping: flowcharts, swimlanes, and BPMN (the standard notation) β capture steps, actors, systems, handoffs, decision points, and timing.
- Opportunity spotting β the lens that connects to the whole knowledge base:
- Redundant data entry β integration / iPaaS
- Rule-based manual steps β RPA / automation
- Judgment or language steps β AI (LLM/ML)
- A missing app β low-code / build
- Bottlenecks/wait time β sometimes just process change, no tech
- Lean / Six Sigma (borrow lightly): eliminate the wastes, value-stream mapping, reduce variation. No black belt needed β the vocabulary and mindset help (and overlap the business side).
- BPM (business process management): the broader practice of continuously modeling, automating, and monitoring processes; BPM suites support it.
- Process mining π β a modern, technical, high-value technique: software (e.g. Celonis) reconstructs the actual process from event logs in the client's systems, showing how work really runs (not how people think it does) and quantifying bottlenecks, deviations, and automation ROI with data. A differentiating discovery tool for larger, high-volume processes.
- Don't automate a broken process β map, then fix or simplify, before applying tech.
When it fits Β· cost/effort
Essentially every engagement should start here at some level; go deeper (process mining) for complex, high-volume, multi-system processes worth the effort. Cost is mostly your time (discovery, interviews, mapping); process-mining tools add licensing but deliver data-driven insight. Low tech cost, high judgment value.
Discovery, opportunity assessment & delivery
The repeatable methodology for running an engagement end to end β from "walk in the door" to "solution delivered and adopted." The sample RAG engagement is one instance; this is the general playbook that works whether the answer turns out to be AI, automation, integration, or just better process. It's what makes you a consultant, not just a technologist.
The engagement lifecycle
- Discovery & assessment β understand the business, map processes, assess data/systems/security readiness, surface pain points and goals. Deliverable: a current-state assessment.
- Opportunity identification & prioritization β score candidate improvements on value (ROI), effort/cost, risk, and feasibility; produce a prioritized roadmap (quick wins vs. strategic bets). The core value: a defensible menu of what to do, in what order.
- Solution design β for each prioritized opportunity, pick the right lever (the whole knowledge base) and design the solution.
- Business case β ROI model, alternatives, recommendation (see ROI).
- Implementation / delivery β build or oversee the build; manage vendors; phased rollout.
- Adoption & change management β the make-or-break (see change).
- Measure & iterate β did it deliver the projected value? Adjust, then find the next opportunity.
The skills inside it
- Requirements gathering: elicit the real need, not the stated solution β interviews, workshops, "5 whys," separating must-have from nice-to-have. The classic trap: a client asks for "an AI chatbot" when the need is "cut support response time."
- Prioritization: a value-vs-effort matrix (quick wins / big bets / fill-ins / money pits), weighted by strategic fit and risk. Lead with quick wins to build trust.
- Solution design & vendor selection: choose and combine levers; evaluate and manage the tools/partners you recommend (ties to build-vs-buy).
- Implementation & project management: scope, phase, pilot-first, manage delivery risk.
- Stakeholder management throughout (ties to change management).
Opening scoping questions (any engagement)
- Where does work bog down β the biggest pain points?
- What are the business goals: grow, cut cost, scale, improve quality?
- What does a typical day/week look like for the teams involved?
- What systems and data exist, and how do they connect?
- What's been tried before β what failed, and why?
- What's the appetite for change, the budget, and the timeline?
ROI modeling & cost estimation β highest-value skill
For a technically strong practice, this is often the largest genuine gap β and it's what clients are actually paying for. The business side frames the case; the numbers behind "this saves $X over 18 months" must come from the technical side and survive scrutiny. A simple, honest, defensible model beats a sophisticated fragile one.
The one formula to anchor on
SMB decision-makers think in payback, not NPV. A payback under ~12 months is an easy "yes"; 12β24 months needs a strong strategic story; beyond that, reconsider.
Cost side β the two buckets clients always conflate
| One-time (implementation) | Recurring (ongoing) |
|---|---|
|
|
Benefit side β quantify, then discount for honesty
Benefit categories: labor hours saved (hours Γ fully-loaded cost), error/rework reduction, faster cycle time, revenue captured (more leads/tickets handled), and hires avoided. Then apply three honesty adjustments most rosy models skip:
- Adoption ramp β benefits don't hit 100% on day one; model a 2β4 month ramp.
- Accuracy/rework discount β an AI that's right 90% of the time still needs human review; net savings < gross.
- Risk buffer β pad implementation cost/timeline; discount benefits. Under-promise.
Worked example β support assistant (RAG) for a 180-person company
12 support agents, fully-loaded cost ~$70k each ($840k/yr team). A managed RAG assistant drafts replies from the company's docs + past tickets.
| Line | Amount | Basis / assumption |
|---|---|---|
| Gross productivity gain | 25% | Faster drafting & lookup on tier-1 tickets |
| Net gain after ramp & QA | 15% | Honesty discount β review, adoption ramp |
| Annual gross benefit | $126,000 | 15% Γ $840k (β1.8 FTE freed / hires avoided) |
| Implementation (one-time) | $45,000 | Managed platform + integration + data prep + training |
| Ongoing β LLM API | $18,000/yr | ~$1.5k/mo at projected query volume |
| Ongoing β hosting (search/vector) | $4,800/yr | ~$400/mo managed |
| Ongoing β maintenance | $30,000/yr | ~0.2 FTE / retainer for index freshness + monitoring |
| Total ongoing | $52,800/yr | |
| Net annual benefit (yr 2+) | $73,200 | $126k β $52.8k |
| Payback | β 7β8 mo | $45k Γ· ($73.2k/12) |
Always model against the alternatives β never against zero
The right comparison is never "this project vs. nothing." It's "this project vs. the realistic options":
- Do-nothing baseline. What does the current manual process actually cost per year? That's the number the project has to beat, and it's the honest denominator.
- Buy off-the-shelf. Often the cheapest path β compare it explicitly (ties to the buy-vs-build tree).
- Build-vs-buy TCO over time. Buy = low upfront, higher per-seat recurring; build = high upfront, lower marginal cost. Plot both over 2β3 years and find the crossover at the client's scale. A 40-seat SMB and a 400-seat one land on opposite sides of that line.
Hard vs. soft benefits β present them separately
- Hard (defensible in dollars): labor hours saved Γ fully-loaded cost, license/tool savings, hires avoided. Lead with these.
- Soft / strategic: faster cycle time, higher quality/fewer errors, added capacity, risk reduction, revenue captured. Real, but softer β present them separately and conservatively, never blended into the hard number to inflate it. Clients trust a model that says "here's the solid $X, plus these strategic upsides we haven't priced."
Rigor that makes the model defensible
- Scenario analysis β show base / best / worst cases; name the swing variable and prove it with a measured pilot before quoting hard savings.
- Ranges, not point numbers β with assumptions written down next to them.
- Risk-adjust β weight benefits by realistic probability of success and adoption, not the demo-day best case.
- Price your own services in β your fees are part of the client's cost side; leaving them out isn't honest modeling.
Common estimation traps
Data readiness & security
Most AI projects don't die at the model β they die at the data. And a compliance or data-egress constraint can dictate the entire architecture, so surface it before design, not after. Assessing both is a billable service in itself.
Data-readiness assessment framework
Run every candidate project through these dimensions β it doubles as a repeatable discovery deliverable:
- Availability & accessibility β does the data exist, and can you actually reach it (API, export, permissions)?
- Quality β the six dimensions: accuracy, completeness, consistency, timeliness, uniqueness, validity. Garbage in, confident garbage out.
- Structure β structured (DB) vs. semi-structured vs. unstructured (PDFs of scanned tables, tribal knowledge in people's heads).
- Volume & freshness β how much, and how often it changes (drives re-indexing and maintenance cost).
- Ownership & governance β who owns it, who approves its use, what policies apply.
Privacy & compliance β know when each applies
| Regime | Applies to | Key hook |
|---|---|---|
| GDPR / UK GDPR | EU/UK personal data | Data-subject rights, DPA, data residency |
| CCPA / CPRA | California consumers | Disclosure & opt-out rights |
| HIPAA | US healthcare (PHI) | Requires a signed BAA with every vendor touching PHI |
| SOC 2 (Type I/II) | B2B SaaS & their vendors | Clients' own customers may demand it of you |
| PCI-DSS | Card payment data | Keep cardholder data out of models entirely |
| Sector rules | FINRA (finance), FERPA (education), β¦ | Vertical-specific handling |
Data egress & deployment β the architecture-deciding question
- Read the model vendor's terms cold: is data used for training? What's the retention? Sub-processors? Is there a zero-retention / enterprise tier and regional processing? Consumer and enterprise tiers differ sharply here.
- Deployment by sensitivity β public API β VPC / private endpoint β on-prem / self-hosted open model. The egress answer drives this choice, and the choice drives cost.
- Minimize before sending β redact, anonymize, or pseudonymize PII/PHI before it ever reaches a model; send the least data that does the job.
- Data residency / sovereignty β some clients must keep data in-region, which can rule out vendors outright.
The two data constraints clients raise β and how to answer each
Clients conflate these, but they have very different answers at very different cost. Separating them is a key consulting move:
| Client says⦠| What it really means | How you solve it |
|---|---|---|
| "Our data can't be used by third parties β for training or otherwise" | A contractual / usage constraint: data may go to a vendor, but must not be trained on or retained | Usually solved without on-prem β use an enterprise / commercial API tier (Anthropic, OpenAI, Google) that contractually guarantees no-training + zero/limited retention, backed by a signed DPA (and BAA for health data). Far cheaper than self-hosting. |
| "Our data can't leave our servers / environment at all" | A deployment / residency constraint: data physically must not exit their boundary | Requires architecture β run models in the client's own cloud tenant/VPC (Azure OpenAI, AWS Bedrock, Google Vertex β data stays in their account & region) or self-host an open-weight model (Llama/Mistral/Qwen) on-prem or in their VPC. |
Access control, AI-specific risk & contracts
- Access control: RBAC and least privilege; the RAG retrieval-permission problem (retrieval must respect who's allowed to see what); audit logging.
- New AI risks: prompt injection and data exfiltration via agents (see the agentic section); models leaking training data or emitting hallucinated PII.
- Secrets management for every integration you recommend β how credentials are stored and rotated.
- Contracts: DPAs and BAAs where required, and β increasingly β who is liable when the AI is wrong. Do a basic vendor-risk assessment.
The human & change-management layer
The technical solution is maybe 30% of success; adoption is the other 70%. Engagements succeed or fail here, and it's where referrals are born. Even where the business side leads this work, the technical recommendation must be designed for adoption β fit the real workflow, minimize disruption, build in trust.
Why adoption fails (recognize these early)
Fear of job loss Β· distrust of AI output Β· workflow disruption Β· no training Β· "not invented here" Β· no executive sponsor Β· the tool doesn't fit how people actually work. Most failures are one of these β not a technical defect.
Frameworks worth borrowing (use lightly)
- ADKAR β Awareness, Desire, Knowledge, Ability, Reinforcement. A checklist for what each person needs in order to actually change behavior.
- Kotter's 8 steps β urgency β guiding coalition β early wins β anchor it in the culture.
The practical playbook
- Stakeholder mapping. Identify sponsors, champions, end-users, and skeptics. Secure an executive sponsor and empower on-the-ground champions β adoption spreads through peers, not mandates.
- Co-design with users early. Involving the affected team in scoping cuts resistance and produces a tool that fits the real workflow.
- Honest workforce framing. "Augment vs. replace," matched to reality; address fear directly; handle offshoring / redeployment / reskilling candidly. "Redeploy freed capacity to higher-value work" and "cut headcount" are very different conversations β match the framing to the client's actual intent.
- Role-based training & ongoing enablement. Not a one-time session β docs, a support channel, and reinforcement over time.
- Trust calibration. Teach users when to verify vs. trust AI output; both over-trust and under-trust cause failure. Design human-in-the-loop for anything consequential.
- Phased rollout. Pilot β champions β wider rollout, on realistic timelines β the same adoption ramp that belongs in the ROI model.
- Adoption metrics & feedback loops. Measure real usage, gather feedback, iterate. Define success as adopted and delivering value, not "technically works."
- Governance. An acceptable-use policy, clear ownership of the tool after launch, and reinforcement to prevent quiet regression to the old way.
Emerging tech: when it's not the answer
Clients will ask about buzzwords β blockchain, IoT, AR/VR, quantum, the metaverse. The valuable, trust-building skill is the same as "custom LLMs are rarely worth it": knowing enough to say honestly "here's what this actually does, and it's not what you need" β or, occasionally, "actually, this fits." Being the informed hype filter is a differentiator.
The mental model
For each emerging tech, know (1) what it genuinely does well, (2) the narrow cases where it fits an SMB, and (3) the far more common case where it's a solution in search of a problem. Default to skepticism β but informed skepticism.
The buzzwords, honestly
- Blockchain / crypto / Web3 β genuinely useful for trustless, multi-party, tamper-evident records where no trusted intermediary exists. For ~95% of SMBs a normal database does everything they need, cheaper and simpler. Real niche fits exist (some supply-chain provenance); mostly, not the answer β say so.
- IoT / sensors / edge β the real one of this list for many SMBs. Sensors feeding monitoring, predictive maintenance (ties to classic ML), asset tracking, smart facilities, Industry 4.0, logistics. Fits physical-operations businesses. Gotchas: connectivity, security (IoT devices are a breach vector), data volume, integration, and hardware/maintenance cost. Often pairs with CV and predictive ML.
- AR/VR / spatial β niche but real: training/simulation, field-service "see what I see" support, product visualization (furniture/real estate), some retail. Hardware and content costs keep it niche for SMBs. Occasionally the answer, usually not yet.
- Digital twins β a virtual replica of a physical system/process; genuine, growing use in manufacturing/facilities (ties to IoT + process). Take seriously where physical operations are complex.
- Quantum computing β not relevant to SMB operations for the foreseeable future; if asked, the honest answer is "not applicable to your business." (One real future note: post-quantum cryptography is a coming security consideration β ties to security/IT β but not an SMB action item now.)
The consulting stance
- Diagnose the need, not the buzzword. A client asking for "blockchain" usually has an underlying need (trust, traceability, security) solvable more simply β dig for it (ties to requirements/discovery).
- Be credible, not dismissive β explain why it fits or doesn't.
- Watch for the real ones β IoT and digital twins are the emerging techs most likely to genuinely fit an SMB.
The buy-vs-build-vs-wire decision tree
A repeatable path to walk through with a client for any proposed capability. Stop at the first "yes" β don't climb higher than the problem needs.
- Does a tool the client already owns do this? M365/Copilot, Google Workspace/Gemini, HubSpot AI, Salesforce Einstein. β Use it. Zero build, zero new vendor. Almost always check first.
- Is there a point/vertical SaaS that does exactly this? A purpose-built tool for the industry or function. β Buy it. Cheaper & better-maintained than a build for a standard need.
- Is it mostly moving/transforming data between systems? β Wire it with iPaaS/RPA/Zapier β no AI needed. The most common real answer.
- Custom data/logic, but a standard capability (like Q&A over docs)? β Assemble on a managed platform (Bedrock KB, Azure AI Search, Vertex, or pgvector). The SMB sweet spot.
- Differentiated capability, unacceptable data egress, or scale where per-seat SaaS costs more than build+run? β Build bespoke. Rare for SMBs; justify it explicitly.
- Only after RAG/prompting proved insufficient on a narrow, high-volume, stable task β consider fine-tuning. Custom-from-scratch training is essentially never the SMB answer.
| Signal in the room | Likely answer |
|---|---|
| "We want AI trained on our data" | RAG on a managed platform (step 4) β or an existing tool (step 1) |
| "Our systems don't talk to each other" | Wire it (step 3) β integration, not AI |
| "We do this exact task 10,000Γ a month, same format" | Possibly fine-tuning (step 6) β after proving RAG/prompting first |
| "We need answers from live inventory/balances" | Tool-calling to live systems, not RAG over a static index |
| "It has to match our brand voice exactly" | Prompting first; fine-tuning if truly needed β not RAG |
Sample first RAG engagement (end to end)
A concrete picture of what a first client RAG project looks like β the phases, the scoping questions, a reference architecture, and rough pricing. Numbers are illustrative ranges to shape a proposal, not quotes.
Phase 0 β Qualify (is this even RAG?)
Before proposing anything, ask these β they double as a discovery script:
- What question(s) are users actually asking, and who are they? (frontline staff? customers?)
- Where does the knowledge live today, and what format? (PDFs, wiki, tickets, DB)
- How often does it change? (drives re-indexing/maintenance cost)
- Who is allowed to see what? (access-control requirements)
- What's the cost of a wrong answer? (sets the accuracy bar & how much human-in-the-loop)
- What query volume is expected? (drives inference cost)
- Can this data leave the environment / go to a third-party model? (drives vendor & architecture)
- What does "good enough" look like β and are there example questions with known-good answers? (the eval set)
Phase 1 β Discovery & data audit (~1β2 weeks)
Assess data readiness & security constraints, confirm the use case, collect the eval question set, choose managed vs. self-host based on data-egress answers. Deliverable: a scoping doc + go/no-go.
Phase 2 β Proof of value / pilot (~2β4 weeks)
Ingest a representative slice, stand up a managed pipeline, wire it into where users already work (Teams/Slack/web), and β critically β measure against the eval set so the productivity assumption in the ROI model is evidence, not a guess. Deliverable: a working pilot + measured accuracy.
Phase 3 β Production hardening
Access control via metadata filtering, monitoring & quality dashboards, citation/feedback capture, re-indexing schedule, incident/wrong-answer process. Deliverable: production system + runbook.
Phase 4 β Handoff / maintenance
Train the client's team, or take an ongoing retainer for index freshness + quality monitoring (this is the recurring maintenance line from the ROI model β price it in from day one).
Reference architecture (managed, SMB-friendly)
Sources (PDFs, wiki, tickets, DB) β Ingestion + chunking β Managed index (Azure AI Search / Bedrock KB / pgvector): embed + hybrid search + rerank β Orchestration β LLM (Claude / GPT) with citations β App surface (Teams / Slack / web) β with metadata access control, feedback capture, and an eval harness (Ragas) wired across it.Rough price / effort (illustrative)
| Phase | Range | Note |
|---|---|---|
| Discovery & data audit | $8kβ15k | Sellable on its own; de-risks everything after |
| Pilot / proof of value | $20kβ40k | Where the accuracy number gets proven |
| Production hardening | $30kβ60k | Access control, monitoring, eval |
| Maintenance retainer | $2kβ6k/mo | Index freshness + quality; recurring revenue |
Glossary
| Term | Plain meaning |
|---|---|
| RAG | Retrieval-augmented generation β fetch relevant data at query time and feed it to the LLM instead of retraining. |
| Embedding | A vector (list of numbers) representing the meaning of text; similar meaning β nearby vectors. |
| Vector database | A store indexed for fast similarity search over embeddings (Pinecone, Qdrant, pgvector, β¦). |
| pgvector | A Postgres extension that adds vector search β lets an SMB avoid a separate vector-DB vendor. |
| Chunking | Splitting documents into smaller pieces before embedding; strategy strongly affects retrieval quality. |
| Top-k retrieval | Returning the k most similar chunks (e.g. top 5) for a query. |
| Hybrid search | Combining semantic (vector) search with keyword search (BM25) to catch exact terms too. |
| BM25 | A classic keyword-relevance ranking algorithm; the "keyword" half of hybrid search. |
| Reranking | Re-scoring a broad candidate set with a more accurate model to keep only the best few. |
| Fine-tuning | Adjusting a model's weights on curated examples β changes behavior/format, not a live knowledge source. |
| Agentic / tool-calling | The model takes actions through tools/APIs in multiple steps, rather than only answering. |
| GraphRAG | RAG variant using a knowledge graph to answer questions needing cross-corpus reasoning. |
| Text-to-SQL | Translating a natural-language question into a database query β often better than RAG for structured data. |
| Eval set / Ragas | Test questions with known-good answers, and tooling to measure retrieval + generation quality. |
| RPA | Robotic process automation β software "robots" that repeat rule-based steps (UiPath, Power Automate). |
| iPaaS | Integration platform as a service β keeps disconnected systems in sync (Workato, Boomi). |
| Data egress | Data leaving the client's environment (e.g. to a third-party model) β often the deciding constraint. |
| Fully-loaded cost | An employee's total cost (salary + benefits + overhead), used to value hours saved. |
| Payback period | Time for cumulative net benefit to repay the one-time cost β the SMB's favorite metric. |
| Few-shot prompting | Giving the model 2β5 inputβoutput examples in the prompt to improve consistency β often replaces fine-tuning. |
| Structured output | Forcing JSON/schema output (or function calling) so results plug directly into downstream systems. |
| ReAct / agent loop | The reason β act β observe β repeat cycle an agent runs until a task is done. |
| Prompt injection | An attack where untrusted input hijacks an agent/model into taking unintended actions or leaking data. |
| Master data / source of truth | The authoritative system for a data domain (customer, product), so records don't conflict across systems. |
| Idempotency | Property where running the same operation twice has no extra effect β prevents duplicate records in syncs. |
| RBAC | Role-based access control β permissions granted by role; the backbone of least-privilege access. |
| PII / PHI | Personally identifiable information / protected health information β the sensitive data compliance rules govern. |
| DPA | Data Processing Agreement β contract governing how a vendor may process personal data (GDPR requirement). |
| BAA | Business Associate Agreement β required under HIPAA before a vendor may touch protected health information. |
| TCO | Total cost of ownership β all one-time + recurring costs over time; the honest basis for build-vs-buy. |
| ADKAR | Change-management model: Awareness, Desire, Knowledge, Ability, Reinforcement. |
| Classic / supervised ML | Learning patterns from labeled historical data to predict a number or category (not generative). |
| Gradient boosting (XGBoost/LightGBM) | The workhorse model for tabular business data β usually beats deep learning there. |
| Feature engineering | Crafting the input variables for an ML model β often matters more than model choice for tabular data. |
| Overfitting | A model that memorizes training data and fails on new data; guarded against with a train/test split. |
| Model drift | Prediction quality decaying as the world changes β drives retraining and monitoring. |
| AutoML | Cloud services that automate much of model building (Vertex, Azure ML, SageMaker Canvas, DataRobot). |
| OCR | Optical character recognition β converting images/scans of text into machine-readable text. |
| IDP | Intelligent document processing β OCR + layout/LLM extraction + validation to structure documents. |
| Straight-through processing | Share of documents/transactions handled end-to-end with no human touch β the key IDP ROI metric. |
| STT / TTS | Speech-to-text / text-to-speech β the front and back ends of a voice AI pipeline. |
| Deflection / containment rate | Share of conversations a bot resolves without escalating to a human. |
| Open-weight model | A model whose weights you can download and self-host (Llama, Mistral, Qwen) β for data-sovereignty or scale. |
| Context window | How much text a model can consider at once β caps document size and RAG context. |
| MFA | Multi-factor authentication β the single highest-ROI security control. |
| EDR | Endpoint detection & response β modern endpoint security beyond basic antivirus. |
| IAM / SSO | Identity & access management / single sign-on β controlling who can access what, centrally. |
| Zero-trust | Security model of "never trust, always verify" β no implicit trust by network location. |
| RTO / RPO | Recovery time / recovery point objective β how fast you must restore, and how much data loss is acceptable. |
| NIST CSF / CIS Controls | Standard frameworks for structuring and prioritizing a security program. |
| ETL / ELT | Extract-transform-load β moving data into a warehouse; ELT (load then transform) is the modern default. |
| Data warehouse | A central store optimized for analytics across systems (Snowflake, BigQuery, Redshift). |
| dbt | The standard tool for transforming/modeling data in the warehouse and defining metrics once. |
| Semantic layer | Central metric definitions so every report agrees on "what a number means." |
| BI | Business intelligence β dashboards/reporting that turn data into decisions (Power BI, Tableau). |
| Low-code / no-code | Visually building apps/workflows with little or no code (Retool, Power Apps, Airtable). |
| IaaS / PaaS / SaaS | Cloud service models by how much the provider manages β infrastructure, platform, or full software. |
| FinOps | Cloud financial operations β governing and optimizing cloud spend. |
| BPMN | Business process model & notation β the standard way to diagram a process. |
| Process mining | Reconstructing the real process from system event logs to find bottlenecks and automation ROI (e.g. Celonis). |
| Acceptable-use policy (AUP) | Internal policy defining what employees may/may not do with AI tools β the key SMB governance deliverable. |
| Shadow AI | Employees using AI tools ungoverned (e.g. pasting sensitive data into consumer chatbots) β a common real exposure. |
| Human-in-the-loop | Requiring human review/approval on consequential AI outputs or actions. |
| Disparate impact | When a neutral-seeming AI decision disproportionately harms a protected group β a legal-risk concept. |
| EU AI Act | EU regulation imposing risk-tiered obligations on AI systems; affects anyone serving the EU. |
| NIST AI RMF / ISO 42001 | Frameworks for structuring an AI risk-management / governance program. |
| Martech | Marketing technology stack β email, automation, landing pages, analytics β usually integrated with CRM. |
| CRO | Conversion-rate optimization β improving the % of visitors who take a desired action. |
| SEO | Search engine optimization β being found in search; local SEO (Google Business Profile) matters most for local SMBs. |
| VoIP | Voice over IP β phone calls over the internet, replacing legacy PBX/landlines. |
| UCaaS / CCaaS / CPaaS | Cloud unified-communications / contact-center / communications-API platforms. |
| IVR / ACD | Interactive voice response / automatic call distribution β contact-center call routing. |
| MLOps / LLMOps | The practice of deploying, monitoring, and maintaining ML / LLM systems in production ("day 2"). |
| Golden test set | Curated representative inputs with known-good outputs β the core asset for evaluating an AI system. |
| LLM-as-judge | Using an LLM to automatically score another model's outputs at scale β cheaper than humans, imperfect. |
| Computer vision | AI that interprets images/video β detect, classify, count, inspect, or read. |
| Edge computing | Running inference on-site/on-device (vs. cloud) for latency, bandwidth, or privacy. |
| IoT | Internet of things β networked sensors/devices feeding data for monitoring & predictive maintenance. |
| Digital twin | A virtual replica of a physical system/process used to monitor and simulate it. |