Vai al contenuto principale
All resources
AI Adoption · · 10 min read

The first 90 days of AI adoption at an SME: a roadmap

'Which tool do I buy?' is the third question, not the first. First comes a journey, and the journey has a precise shape: the first 30 days for the foundations, the first 90 for momentum. A roadmap calibrated for the SME that brings together the three steps almost everyone gets wrong — weeks 1-2 knowing where you are (the readiness snapshot by domain, not an opaque number), weeks 3-6 a single use case with an owner who has a name, and the minimum controls from day 1 and not from day 90 (risk tier, DPIA, human in the loop, traceability). With the three checkpoints at 30/60/90 days and the reason why 29% of projects die in exactly this window.

An SME that has decided to adopt AI almost always faces the same ill-posed question: "which tool do I buy?". It's the wrong question, or rather: it's the third, not the first. Before a tool you need a journey — and the journey, when it works, has a recognisable shape and a precise duration. The most solid adoption playbooks around — GitHub's public one is the most readable — all mark it out the same way: the first 30 days for the foundations, the first 90 days for momentum, then the ongoing regime for scale. This article takes that structure and calibrates it for a small Italian business: what to do, in what order, and with what controls, in the first three months.

It's worth starting from an uncomfortable figure, because it explains why the roadmap matters more than the tool. Industry analyses agree on two numbers: the vast majority of AI agents never reach production, and about 29% of projects are abandoned within 90 days. Not for technical limits — the tools work — but because they started without knowing where they were going, without an owner and without controls. The 90 days aren't an arbitrary countdown: they are exactly the window in which a poorly set-up adoption dies. Setting it up well is the whole game.

Weeks 1–2: knowing where you are, before buying anything

The first mistake is buying a tool before having measured the starting point. The first thing a serious journey produces isn't software, but an honest snapshot of where the company stands. The maturity models the market uses to take it — from Gartner to Deloitte — return a one-line answer: "you're at stage X of 5". But the version useful for an SME doesn't give a single number: it separates the score into two domains — the Foundations (data, technology, skills) and the Strategy (governance, risk, objectives, culture) — so as to explain why you're stuck, not just how much. It's a distinction that changes the moves: good foundations but no strategy is the opposite problem to someone with clear ideas but data in disarray.

Here's a point that holds particularly for Italy. The best-known readiness indices (Cisco, say) weight infrastructure and data heavily — a reflection of a world of large enterprises. For most Italian SMEs the bottleneck isn't the infrastructure: it's the strategy and the process. They know they have to do something with AI, they don't know what or where from. An assessment calibrated for the SME, then, shifts the weight onto strategy, governance and culture, and from there points to which department is genuinely ready to start first. It's the work we've made self-serve and free: our AI-readiness assessment gives that snapshot in two minutes — what stage you're at by domain and which department is best to open first. It's the roadmap's kilometre zero; without it, every subsequent step is a gamble.

Weeks 3–6: a single use case, with an owner

With the snapshot in hand, the temptation is to set off on three fronts at once. It's the mistake that produces that 29% of abandonments. The rule of the first 90 days is the opposite: a single use case, in the department the assessment flagged as most ready, taken all the way to production. Not a trial parked in a corner — a flow that someone genuinely uses every day, with a measurable before and after. Winning once, small and for real, is worth more than five abandoned pilots.

The second ingredient is the one that makes the difference between a project that lasts and one that evaporates as soon as the enthusiasm ends: an owner. Enterprise playbooks call it a Center of Excellence and assign it five distinct functions — who decides the priorities, who has the final word, who trains the people, who keeps the standards and reusable templates, who watches the value signals. An SME doesn't have five teams for these things, and doesn't need them: it needs one or two people who cover all five of those functions. Not the hierarchical rank, but the ownership: someone whose name is next to the use case. Without an owner with a name, the flow belongs to no one, and what belongs to no one is the first to be abandoned.

This first use case isn't an isolated episode: it's the first entry of a playbook that grows. Every entry carries a phase — pilot, then scale, then regime — so that halfway through you can filter by "what comes next" instead of rereading pilots already closed. How a playbook entry is made inside — the structure, the owner, the wired-in controls — we've broken down in the anatomy of an AI Workflow Design.

From day 1, not from day 90: the minimum controls

The most expensive mistake of the first 90 days is deferring governance to the end — "first let's make the thing work, then we'll put the controls in". It's exactly the reverse: the minimum controls must be put in on the day the use case launches, because adding them later means redesigning the flow, not tweaking it. You don't need a heavy apparatus — you need four moves, all verifiable before going to production:

  • Classify the risk. Which tier of the AI Act does the use case fall into? Most SME uses — an internal copilot, content generation, a first-tier bot — live in the minimal or limited tier, where the burden is light. The heavy machinery kicks in only for high-risk uses (staff recruitment, credit, biometric data): if your first use case is one of these, you already know more caution is needed.
  • Check whether a DPIA is needed. If the flow makes automated decisions with effects on people, or processes special data at large scale, the GDPR impact assessment is due — and a "standard" DPIA isn't enough, because it misses AI's own risks (model opacity, drift, memorisation, the right to be forgotten). It's a question to ask on day 1, not to discover at an inspection.
  • Put a human in the loop. No output that touches a customer, a candidate or money should go out without a human step. It's the control worth more than all the written policy, and it must be designed into the flow, not hung on the side.
  • Keep a trail. Who did what, when, with what input. For high-risk cases the AI Act requires logs to be kept for at least six months; for all the others, traceability is anyway what lets you answer an auditor, reconstruct a mistake and defend a decision.

They're the same four moves that our compliance overlay wires to every workflow we design — not as a downstream formality, but as part of the design. The full reasoning, with the risk taxonomy and the why of each control, is in the article on the controls that make a use case defensible.

The 90-day finish line: from pilot to method

If the first six weeks went well, at day 90 you don't have "one more tool": you have a use case in production, an owner with a name, the controls wired in and — the thing that matters most — a method that can be repeated on the second department without starting from scratch. It's worth fixing three checkpoints along the way:

  • Day 30 — foundations. The readiness snapshot is done, the starting department is chosen, the owner is named, the minimum controls are defined. No tool necessarily bought yet: first the why and the who, then the what.
  • Day 60 — momentum. The first use case is live and someone uses it every day. The first honest numbers and the first internal "success story" are gathered — the one that convinces the second department to try.
  • Day 90 — scale. The use case stands on its own, the second is queued with the same structure, and the playbook now has two entries instead of one. From here adoption is no longer a project: it's a way of working.
The first-90-days roadmap
  1. Giorno 30

    Foundations

    Readiness measured, department chosen, owner named, minimum controls defined. No tool necessarily bought.

  2. Giorno 60

    Momentum

    The first use case is live and used every day. First honest numbers and the first internal success story.

  3. Giorno 90

    Scale

    The use case stands on its own, the second is queued, the playbook has two entries. Adoption is a way of working.

Three checkpoints, not a countdown: the 90-day window is the one in which a poorly set-up adoption dies — or becomes a method.

One last thing on the numbers, because it's the point where adoptions delude themselves. Measuring success by "how many use it" is the first rung, not the last: after breadth of use comes depth (who really uses it, and for what) and only at the end the business impact — the time saved, the errors avoided, the revenue touched. A pilot everyone has "tried" but no one uses in depth isn't a success: it's an abandonment that hasn't yet declared itself. The 90 days serve to bring at least one use case up to the third rung.

The difference between the one who at 90 days has a method and the one who has another unused tool doesn't lie in the technology — it lies in having done things in the right order: first knowing where you are, then a single use case with an owner, the controls from day 1, and scale only afterwards. It's exactly the order in which we graft AI into a company.

The first step, though, is always the same and you can do it now: knowing where you are. The free assessment gives you, in two minutes, the starting snapshot and the department from which it's best to open your 90 days. If you then want to understand how to move from understanding to doing, let's talk — no obligation.

This article is for orientation. The abandonment percentages and timelines cited come from market analyses and from industry sources, not independently verified, and should be read as indications of direction, not as guarantees. The risk tiers, the DPIA obligations and the log-retention periods depend on the use case and on the regulation in force — the EU AI Act is evolving — and must always be verified against the context of the individual company before acting.

From theory to your business. We graft AI in.

Want to know which department to start from in your company? The free assessment gives you a first answer in two minutes — then, if it makes sense, we talk.

We use cookies

We use cookies and similar technologies to improve your experience, analyse traffic and personalise content. You can accept all cookies or customise your preferences.

Cookie preferences

Necessary cookies Always on

Essential for the site to work. They cannot be disabled.

Analytics cookies

They help us understand how you use the site so we can improve your experience.

Marketing cookies

Used to show you relevant ads and measure campaigns.

Personalisation cookies

They let us personalise content and features.