UK AI Management Essentials (AIME): Self-Assessment Guide
A practical guide to the BSI AI Management Essentials (AIME) self-assessment for UK businesses. Covers the assessment domains, how to complete it, and how it bridges the gap to ISO 42001.
AI Management Essentials (AIME) is a self-assessment framework developed by the BSI (British Standards Institution) as a stepping stone towards ISO 42001 certification (BSI, 2024). It gives UK businesses a structured way to evaluate their current AI governance maturity without the cost of a formal certification audit. The assessment covers five domains: leadership and governance, risk management, data management, AI system development and deployment, and monitoring and review. AIME is designed for organisations that recognise they need AI governance but are not ready for full ISO 42001 — particularly SMEs with limited compliance resources. Completing the assessment produces a gap analysis that becomes your roadmap to more formal frameworks.
What is AIME?
AIME was developed by BSI in partnership with the UK government to address a practical problem: most UK businesses know they should be governing AI, but ISO 42001 certification is too expensive and complex as a first step (BSI, 2024). AIME bridges this gap by providing a lighter-weight, self-directed assessment that uses the same conceptual foundations as ISO 42001 but without the certification overhead.
Think of AIME as a structured health check. It asks: "Do you have the basics in place?" If the answer is yes, it points you towards ISO 42001. If the answer is no, it tells you specifically what is missing and where to focus first.
AIME is not a substitute for ISO 42001 — it does not provide certification or independently verified assurance. It is a preparation tool that builds the governance muscle you need before formal certification becomes worthwhile.
The five AIME assessment domains
1. Leadership and governance
Does your organisation have clear leadership commitment to responsible AI use? This domain assesses: whether top management has approved an AI policy, whether roles and responsibilities for AI governance are defined, and whether AI governance is integrated into existing management structures. For most SMEs, this means having a named AI governance owner and a documented acceptable use policy.
2. Risk management
Does your organisation identify, assess, and manage the risks of its AI systems? This domain covers: whether you have a process for assessing AI risks, whether risks are documented and prioritised, and whether mitigations are in place for the highest-priority risks. The NIST AI RMF provides a detailed methodology you can use here.
3. Data management
Does your organisation manage the data used by and generated by AI systems appropriately? This covers: data quality, data protection (UK GDPR compliance), data classification, and controls over what data flows to which AI tools. If your employees use AI tools with company data, this domain asks whether you know what data is being shared and whether it is lawful and appropriate.
4. AI system development and deployment
Does your organisation have processes for the responsible development, procurement, and deployment of AI systems? For businesses that use rather than develop AI, this primarily covers: how you assess and approve new AI tools, how you monitor AI tool performance and behaviour, and how you manage third-party AI providers. An AI tools audit addresses the procurement and visibility aspects of this domain.
5. Monitoring and review
Does your organisation monitor the effectiveness of its AI governance and continuously improve? This covers: regular review of AI policies and processes, incident logging and response, performance measurement, and feedback loops. For most SMEs, a quarterly review of AI tools, policy compliance, and any incidents is sufficient to satisfy this domain.
How to complete the AIME self-assessment
- Gather your current state. Collect your existing AI-related policies, tool inventories, risk assessments, and any governance documentation you have. If you have none, that is a valid starting point — the assessment will identify this as a gap.
- Assess each domain. For each of the five domains, evaluate whether you have the practices in place. Be honest — the value is in the accuracy of the gap analysis, not in a flattering self-assessment.
- Identify gaps. Where your practices fall short, document what is missing and what would need to change.
- Prioritise actions. Not everything needs fixing at once. Prioritise by risk: gaps in risk management and data management are typically more urgent than gaps in monitoring and review.
- Create an improvement plan. Set specific, time-bound actions for closing each gap. Review progress quarterly.
AIME vs ISO 42001: what is the difference?
| Dimension | AIME | ISO 42001 |
|---|---|---|
| Type | Self-assessment | Certifiable standard |
| Audit required | No | Yes — third-party |
| Cost | Low (internal resources) | £10,000–£25,000+ (SME) |
| Time to complete | 1–4 weeks | 6–12 months |
| Output | Gap analysis + improvement plan | Certified management system |
| Best for | Starting AI governance journey | Proving governance to clients/regulators |
For a detailed guide to ISO 42001, see our ISO 42001 guide for UK businesses.
From AIME to ISO 42001: the progression path
AIME is designed as a stepping stone, not a destination. The typical progression:
- Complete AIME self-assessment — understand your current maturity and gaps.
- Close critical gaps — implement the high-priority improvements identified.
- Re-assess after 6 months — verify improvement and identify remaining gaps.
- Decide on ISO 42001 — if client requirements, regulatory pressure, or competitive advantage justify certification, begin the formal ISO 42001 implementation process. Your AIME work becomes the foundation.
Many businesses will find that AIME provides sufficient governance for their needs. Not every organisation needs ISO 42001 certification. The decision should be driven by external requirements (client contracts, procurement criteria, regulatory expectations), not by a desire for certification for its own sake.
How Governably supports your AIME assessment
Governably automates the discovery work that underpins domains 2 (risk management), 3 (data management), and 4 (AI system deployment) of the AIME assessment. By scanning your email security, credential exposure, AI tool access, file sharing, and external footprint, Governably gives you the data you need to assess these domains accurately rather than guessing. Run a free scan to get a baseline before starting your AIME assessment.
Frequently Asked Questions
Is AIME a certification or a self-assessment?
AIME is a self-assessment, not a certification. It does not involve a third-party audit. You evaluate your own organisation's AI governance maturity against the AIME criteria and receive a gap analysis. This makes it significantly cheaper and faster than ISO 42001 certification, while still providing a structured, recognised framework for improvement.
How long does the AIME self-assessment take?
For a small business with fewer than 50 employees and a limited number of AI tools, the self-assessment can typically be completed in one to two weeks. This includes gathering information about your current AI governance practices, completing the assessment against each domain, and reviewing the results. Larger organisations with more complex AI use may need three to four weeks.
Does AIME satisfy UK regulatory requirements?
AIME is not a regulatory compliance mechanism — no UK regulation specifically requires it. However, completing the AIME self-assessment demonstrates that your organisation is actively assessing and improving its AI governance, which is the kind of evidence UK regulators look for when evaluating whether a business is managing AI responsibly.
What is the difference between AIME and ISO 42001?
AIME is a self-assessment tool that helps you evaluate your AI governance maturity and identify gaps. ISO 42001 is a certifiable management system standard that requires third-party audit. AIME is designed as a stepping stone — it builds the understanding and practices you need before pursuing formal ISO 42001 certification.
Can a micro-business (under 10 employees) use AIME?
Yes. AIME is designed to be proportionate. A micro-business will not need the same depth of documentation or processes as a larger organisation. The value of AIME for very small businesses is the structured thinking it introduces — it helps you identify which AI governance basics you are missing, even if the formal assessment process is lighter.
Sources
- BSI. AI Management Essentials (AIME). bsigroup.com
- BSI. ISO 42001 — AI Management System Standard. bsigroup.com
- ISO. ISO/IEC 42001:2023 — Artificial intelligence management system. iso.org
- DSIT. AI regulation: a pro-innovation approach. gov.uk