MICKAI™
Article · 7 May 2026

Confidence IT named four IT challenges facing UK SMEs in 2025. Underneath all four sits an engineering substrate that does not depend on which Managed Service Provider you choose.

The Confidence IT briefing on UK SME IT challenges (cyber security, compliance, AI adoption, hybrid work) is a clean read of the operational picture. The structural finding is that each of the four challenges has an engineering layer underneath it where the answer is the same: a vendor-neutral, post-quantum signed audit primitive that an SME can adopt independently of its MSP, its cloud, or its AI vendor. The Open Inter-Vendor Audit Record (OAR) is that primitive. It is filed at the UK IPO, uses FIPS 204 ML-DSA-65 from inception, and is browser-verifiable offline.

Author: Micky Irons
Published: 7 May 2026
Tags: uk-sme, msp, cyber-security, uk-gdpr, ai-adoption

The Confidence IT brief, in one paragraph

Confidence IT in Milton Keynes have published a tidy and broadly correct read of where UK SMEs sit on IT in 2025. They name four challenges. Cyber security, with the Cyber Security Breaches Survey 2024 figure that 58% of UK small businesses experienced a cyber-attack in the past twelve months. Compliance, principally the post-Brexit UK GDPR regime and the sector layers around it. AI adoption, where the gap between large-firm uptake (around 68%) and SME uptake (around 15%) is now structural, and where over a third of SMEs that did adopt AI in 2023 reported their AI projects failed inside twelve months. Hybrid work, where the technical question is unified endpoint management and the social question is retention. Their recommended answer is the Managed Service Provider model, scaled to the SME. That answer is correct as a service-delivery answer. The question this article puts alongside it is the engineering one underneath: what is the substrate that makes any of those answers verifiable, portable, and durable, regardless of which MSP an SME ends up with?

Why the substrate question matters for SMEs specifically

An SME does not have the budget, or the technical depth, to evaluate every vendor's audit log on its own merits. A 12-person company cannot afford to read three different vendor JSON formats and decide which one is trustworthy. The implicit deal in the MSP relationship is therefore: the MSP absorbs that complexity on the SME's behalf. That is a reasonable trade. But the MSP relationship itself becomes a single point of failure for audit. If the MSP changes, the audit chain changes. If the MSP is acquired, the audit chain changes. If a regulator turns up two years later asking what an AI agent did to a customer record on 3 February 2025, the SME is now negotiating with whichever MSP succeeded the original one, in whichever audit format the new MSP supports. None of that is a Confidence IT problem in particular. It is a structural feature of the audit market today.

The fix is structural too. An SME wants the same record format under whatever MSP, in whatever cloud, against whatever AI vendor. The same verifier in any browser tab. The same cryptographic discipline so the chain still verifies in 2035 against quantum attacks that did not exist when the record was signed. That is what the Open Inter-Vendor Audit Record (OAR) is for. The format and its companion offline verifier are filed at the UK Intellectual Property Office and intended for joint open-source release. The patent claims protect the inventive composition; the licensing posture for the schema, the conformance vectors, and the reference verifier is open.

Cyber security: the audit layer that survives the breach

The Cyber Security Breaches Survey 2024 figure of 58% of UK small businesses breached in twelve months is not in dispute. The question is what posture the SME holds the day after a breach. If the audit log was vendor-issued, signed under a key the vendor controls, hosted on a vendor endpoint, the SME has a contractual position with the vendor and almost no cryptographic position. If the audit chain was signed at commit under a key the SME holds in TPM 2.0 or a small HSM, in the OAR canonical format, the SME has the chain on its own hardware regardless of what happened to the vendor. This is not a Confidence IT vs Mickai story. An SME that adopts OAR-compliant tooling and an SME that runs Confidence IT's MSP playbook are doing complementary things. The MSP delivers the operational discipline, including key rotation, attestation hygiene, and incident response. The substrate guarantees that the resulting evidence is verifiable by an independent third party without the MSP or the vendor in the loop.

Concrete example. An SME accountancy firm runs a Microsoft 365 tenant under MSP-managed Cyber Essentials. An attacker compromises the AI assistant that summarises client emails. With the standard configuration, the audit trail of what the assistant did is held inside Microsoft's audit log. With OAR enabled, every action the assistant took is signed at commit under the SME's key, in a deterministic CBOR format, with a hash-linked chain. A forensics team can walk that chain on a sandboxed laptop, offline, in any browser, weeks after the breach, and emit a deterministic verdict (VERIFIED, INVALID, STALE, REVOKED) per record.

Compliance: UK GDPR Articles 25 and 30, in primitives

Confidence IT are right that UK GDPR is the central compliance question for SMEs. The framing they offer (compliance as competitive differentiator) is sound. The engineering implication is more specific. Article 30 of the UK GDPR requires records of processing activities. Article 25 requires data protection by design and by default. Both are easier to satisfy with a signed, append-only, hash-linked record of every AI-touched decision than with a vendor JSON log. OAR satisfies the structural requirement of Article 30 at the primitive level: the chain itself IS the record of processing, and it cannot be edited after the fact without breaking the hash linkage. For Article 25, the trust-domain externalisation pattern (the SME holds the keys, not the vendor) is the strongest expression of by-design accountability that current cryptography supports.
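To make the chain mechanics from the accountancy-firm example and the Article 30 point above concrete, here is an added example that is not the OAR schema or Mickai's verifier: records are signed at commit under the operator's key, each one carries the hash of its predecessor, and an offline walk emits one deterministic verdict per record. Canonical JSON stands in for the deterministic CBOR the article names and HMAC-SHA256 stands in for the ML-DSA-65 signature, since neither is in Python's standard library; both are assumptions of this example, as are the placeholder key and the constructed actions.

```python
import hashlib
import hmac
import json

# Constructed placeholder; a real deployment would hold the signing key in TPM 2.0 or an HSM.
OPERATOR_KEY = b"sme-operator-key-placeholder"
GENESIS = "0" * 64  # the first record links to an all-zero predecessor hash


def canonical(payload: dict) -> bytes:
    """Deterministic encoding: the same fields in any order give the same bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def append_record(chain: list, actor: str, action: str, key: bytes = OPERATOR_KEY) -> dict:
    """Sign a decision record at commit time and link it to the previous record."""
    prev = chain[-1]["record_hash"] if chain else GENESIS
    body = {"seq": len(chain), "actor": actor, "action": action, "prev": prev}
    record_hash = hashlib.sha256(canonical(body)).hexdigest()
    sig = hmac.new(key, record_hash.encode(), "sha256").hexdigest()  # stand-in for ML-DSA-65
    rec = {**body, "record_hash": record_hash, "sig": sig}
    chain.append(rec)
    return rec


def verify_chain(chain: list, key: bytes = OPERATOR_KEY) -> list:
    """Walk the chain offline and give every record a verdict.
    Once one link fails, every later record is INVALID as well, because its
    'prev' pointer rests on bytes that no longer verify."""
    verdicts, expected_prev, broken = [], GENESIS, False
    for i, rec in enumerate(chain):
        body = {k: rec[k] for k in ("seq", "actor", "action", "prev")}
        expected_sig = hmac.new(key, rec["record_hash"].encode(), "sha256").hexdigest()
        ok = (not broken
              and rec["seq"] == i
              and rec["prev"] == expected_prev
              and hashlib.sha256(canonical(body)).hexdigest() == rec["record_hash"]
              and hmac.compare_digest(rec["sig"], expected_sig))
        broken = broken or not ok
        verdicts.append("VERIFIED" if ok else "INVALID")
        expected_prev = rec["record_hash"]
    return verdicts


def demo() -> tuple:
    """Build a three-record chain, then edit one record after the fact."""
    chain = []
    append_record(chain, "mail-assistant", "summarise client thread 1042")
    append_record(chain, "mail-assistant", "draft reply for client 1042")
    append_record(chain, "mail-assistant", "file summary to matter 7")
    clean = verify_chain(chain)
    chain[1]["action"] = "mark thread 1042 as reviewed"  # after-the-fact edit of record 1
    return clean, verify_chain(chain)
```

A clean verdict shows the records have not been altered since they were signed; it cannot show that the emitting hook captured every action, which is the part the MSP's operational discipline has to cover. STALE and REVOKED verdicts need key-lifecycle data (rotation and revocation state) that this example does not model.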

An SME's MSP can adopt OAR for the SME without rewriting any of the SME's tooling. The integration is a wrapper around the AI vendor's existing decision-emit hook plus a one-time operator key ceremony. The SME does not need to understand ML-DSA-65. The MSP does.

AI adoption: the failure mode that does not depend on the AI

The Confidence IT brief cites the figure that over a third of UK SMEs that adopted AI in 2023 reported their AI projects failed inside twelve months. The named failure modes (solution-first thinking, data silos, skills shortages, hidden customisation costs) are all real. Sitting underneath those failure modes is a quieter one: when the AI does not work, the SME has no way to inspect the actor and the action chain. The AI vendor says the model behaved correctly. The SME has no audit position to dispute that. The project gets quietly abandoned.

An SME that adopts OAR-conformant AI tooling has a different posture twelve months in. Every action the AI took is signed, exportable, and replayable. When something is wrong, the failure surface is visible, and the SME can either remediate the configuration or migrate to a different AI vendor without losing the historical record. The historical record is in OAR format, so any other OAR-conformant vendor can read it. The lock-in disappears. SMEs become more willing to adopt AI in the first place because the cost of getting AI adoption wrong is bounded.

Hybrid work: zero-trust at the audit layer

Confidence IT recommend unified endpoint management and zero-trust security frameworks for hybrid environments. Both are correct. The substrate angle is that zero-trust, as a topology, becomes coherent only if the audit chain is itself zero-trust: the verifier must not depend on any one vendor or hosting provider. OAR is that audit-layer zero-trust. The browser-resident WebAssembly verifier runs on the operator's laptop with a no-network invariant. A regulator inspecting an SME's hybrid AI workload from a remote location does not have to phone home to any vendor to validate the chain.

What an SME and its MSP can do today

Three steps that fit inside an SME's existing budget and an MSP's existing engagement model.

  • Inventory the AI-touched decisions in the business. The list is usually short (chat summarisation, document classification, accounts coding, customer support triage). Identify the ones that produce decisions a regulator could later audit.
  • Demand from each AI vendor a signed action chain in an open format, exportable on request, verifiable without the vendor's tooling. If the vendor cannot supply it, treat that as vendor-locking the audit and price it accordingly in the next renewal.
  • Pilot OAR against one workload. The reference verifier is open and runs in a browser tab. The SDK ships with conformance test vectors so any third party can replay the verdict offline.

An MSP working with the SME can deliver all three steps as part of the normal cyber-security, compliance, and AI-adoption engagements Confidence IT and others already run. None of this requires the SME to switch its MSP, its cloud provider, or its AI vendor.

An invitation to UK MSPs

OAR is an open primitive. The engineering case for it does not depend on which MSP delivers it to which SME. UK MSPs that want to integrate OAR into their cyber-security, compliance, and AI-adoption packages can request a fifteen-minute briefing at any time via press@mickai.co.uk. The schema, the conformance vectors, and the reference verifier are scheduled for joint open-source release at github.com/Micky-CMO upon UK IPO acknowledgement of the OAR family. Confidence IT in particular have framed this conversation cleanly enough that their brief belongs alongside any UK SME's IT-strategy reading list this year.

Sources and references

  • Confidence IT, 'Top IT Challenges Facing UK SMEs in 2025', confidenceit.co.uk.
  • UK Department for Science, Innovation and Technology, Cyber Security Breaches Survey 2024.
  • UK GDPR, Articles 25 (data protection by design and by default) and 30 (records of processing activities).
  • FIPS 204 (ML-DSA), NIST post-quantum digital signature standard.
  • Open Inter-Vendor Audit Record (OAR), filed at the UK IPO and intended for joint MIT-style open-source release.
  • Browser-resident offline post-quantum verifier, filed at the UK IPO.
  • Trust-domain externalisation architectural pattern, filed at the UK IPO.
Originally published at https://mickai.co.uk/articles/the-substrate-underneath-uk-sme-it.