Category: The Bigger Picture

  • How UK Universities Are Commercialising AI Research — and Why Most Spin-Outs Still Fail to Scale

    How UK Universities Are Commercialising AI Research — and Why Most Spin-Outs Still Fail to Scale

    Britain produces some of the world’s most cited AI research. Oxford, Cambridge, UCL, Edinburgh, Imperial College London — the list of institutions generating genuinely novel machine learning, robotics and natural language processing work is long and legitimately impressive. Yet when you look at which of those discoveries actually becomes a product that generates revenue, the numbers get awkward fast. The gap between a published paper and a profitable business remains stubbornly, frustratingly wide. Understanding why that gap exists requires getting into the weeds of how UK university AI spin-outs commercialisation actually works — from the technology transfer offices that sit at the centre of it all, to the structural funding cycles that shape what gets built.

    Researchers entering a UK university AI lab building, representing UK university AI spin-outs commercialisation
    Researchers entering a UK university AI lab building, representing UK university AI spin-outs commercialisation

    What Technology Transfer Offices Actually Do

    Every Russell Group university has a technology transfer office (TTO). The job description sounds straightforward: identify research with commercial potential, protect intellectual property through patents or licences, find industry partners or investors, and help spin out a company if the opportunity warrants it. In practice, it is one of the harder jobs in UK business.

    TTOs work on a case-by-case basis. A researcher approaches the office — or more often, the TTO scouts internally — and an assessment begins. Does the research solve a real problem? Is there defensible IP? Is the researcher willing to be involved commercially, or do they just want to publish and move on? That last question matters more than people realise. Many of the best AI researchers in UK universities have zero interest in running a business. They want to keep researching. That is not a criticism; it is just a mismatch that kills more commercialisation pathways than any funding gap does.

    When a spin-out does get created, the university typically takes an equity stake — usually somewhere between 15% and 30% depending on how much IP and early-stage resource the institution contributed. Oxford University Innovation, Cambridge Enterprise, and Imperial Innovations (now part of IP Group) have built long track records of doing this at scale. But even these well-resourced TTOs will tell you privately that the majority of AI spin-outs in their portfolios either stall at proof-of-concept stage or get acqui-hired before they ever generate meaningful independent revenue.

    Where the Funding Actually Flows

    Innovate UK and UK Research and Innovation (UKRI) are the two bodies most people point to when discussing public funding for academic AI commercialisation. Innovate UK runs several relevant schemes: the Innovate UK Smart Grants programme, the Knowledge Transfer Partnerships (KTPs) that embed graduates into businesses to apply academic research, and sector-specific competitions that often target AI applications in health, manufacturing and net zero.

    UKRI, the parent body that also oversees the Engineering and Physical Sciences Research Council (EPSRC) and other research councils, funds the upstream research itself — the kind of foundational work happening in labs that might eventually feed into a product. The challenge is that UKRI funding is structured around academic outputs: papers, datasets, community engagement. It is not structured around founder readiness or commercial milestones. That is fine for science. It creates a strange limbo for AI researchers who want to bridge both worlds.

    The UKRI website documents its commercialisation challenges and impact funding in some detail, and it is worth reading if you want to understand where the money is actually pointed. The honest takeaway: the funding ecosystem is better than it was a decade ago, but it still has a gap roughly in the £500,000 to £3 million range that is notoriously hard to bridge. Seed investors find this stage too risky without enough commercial traction; grant funding is often spent by the time a spin-out needs to hire its first commercial lead or pay for cloud compute at scale.

    AI research diagrams on a university whiteboard illustrating the early stages of UK university AI spin-outs commercialisation
    AI research diagrams on a university whiteboard illustrating the early stages of UK university AI spin-outs commercialisation

    Which UK Institutions Are Actually Producing Viable Businesses

    The honest answer is: a small number of institutions dominate the success stories, and the concentration is striking. Oxford has produced Latent Space, PolyAI (voice AI for enterprise, now valued well above £100 million) and a cluster of biomedical AI companies operating quietly but profitably. Cambridge has DeepMind’s founding story in its DNA — three of DeepMind’s four founders studied there — and continues to spin out companies in robotics and computer vision. UCL’s connection to the Farrington Lab and various health AI spin-outs gives it a different profile: applied, NHS-adjacent, often slower to revenue but stickier once embedded.

    Outside the golden triangle, Edinburgh stands out. The university’s School of Informatics is consistently ranked amongst Europe’s best, and it has produced genuine commercial AI output in natural language processing and autonomous systems. Heriot-Watt, also in Edinburgh, has a robotics and AI commercialisation track record that often gets overlooked because it lacks the prestige brand. Manchester, Sheffield and Bristol all have active spin-out programmes but tend to struggle with the next stage — getting past the TTO process and into a funded, operational company with a management team that can sell.

    The structural reasons for this concentration are not mysterious. London and Cambridge have the densest networks of deep tech investors, the most ex-academic founders who can mentor the next cohort, and the cultural proximity to financial services, pharma and media companies that are the most willing early buyers of AI solutions. Geography is not destiny, but in UK university AI spin-outs commercialisation, it helps enormously.

    Why Promising Research Stays in the Lab

    There is a specific type of failure that almost everyone in this ecosystem has seen up close: the research is genuinely excellent, the IP is defensible, the TTO is engaged, the researcher is enthusiastic, and then… nothing happens. The spin-out never forms, or it forms and raises a seed round and then quietly dies eighteen months later.

    A few structural reasons come up again and again. First, the researcher-as-founder problem. UK research culture does not produce many people who want to do both. Building a company requires a tolerance for ambiguity, customer rejection and payroll stress that is alien to most academic career paths. Some universities now run entrepreneur-in-residence programmes to pair researchers with experienced founders, but uptake is patchy.

    Second, the compute cost reality. Training serious AI models at research scale costs money that early-stage spin-outs rarely have. Access to high-performance computing through the National AI Research Resource (NAIRR equivalent schemes being piloted in the UK) helps somewhat, but commercial cloud bills for a company iterating on a production model are a different category of expense entirely. Many spin-outs discover this six months into operation and run out of runway before they can demonstrate the product works at scale.

    Third, procurement inertia. The most natural customers for many AI spin-outs in the UK are large public sector organisations: the NHS, local councils, HMRC, central government departments. These are also some of the slowest and most risk-averse buyers in existence. A 24-month procurement cycle is not unusual. A spin-out with 18 months of runway cannot survive that timeline without a bridge round, and bridge rounds for companies with no revenue are hard to close.

    What Would Actually Change the Outcome

    The policy conversation in the UK tends to focus on increasing grant funding, which matters but is not the primary constraint. The more impactful changes would be structural. Faster public procurement pathways for early-stage tech companies — something the Crown Commercial Service has tried to address but not yet solved — would let NHS trusts and councils act as reference customers for AI spin-outs without the 18-month delay. That single change would make UK university AI spin-outs commercialisation significantly more viable as a category.

    Better incentives for senior industry professionals to join spin-out boards and leadership teams would also help. Right now, the risk-reward calculation for an experienced commercial leader to take a board seat at a pre-revenue spin-out is often unattractive. The equity is speculative; the salary is below market; the chance of success is modest. Some form of matching scheme between experienced commercial operators and academic spin-outs could close this gap at relatively low public cost.

    None of this is new thinking. Most of it has been recommended in one government review or another going back to the Harrington Review and before. The frustrating truth about UK university AI spin-outs commercialisation is that the problems are well understood. Execution, as always, is the hard part.

    The Bigger Picture

    Britain’s AI research base is a genuine national asset. The question is whether the country’s commercialisation infrastructure is good enough to convert that asset into economic output rather than letting the IP walk out the door to be developed elsewhere. Right now, the answer is: sometimes, in certain cities, with certain researchers, when the timing is right. That is better than nothing. It is not nearly good enough.

    Frequently Asked Questions

    How does a UK university AI spin-out actually get started?

    Typically, a researcher works with their university’s technology transfer office to assess the commercial potential of their work, protect any intellectual property through patents or licences, and then form a separate company with the university holding an equity stake. External investors, often supported by Innovate UK grants or venture capital, then provide the funding to develop the technology into a product.

    What funding is available for UK university AI spin-outs?

    Innovate UK Smart Grants, Knowledge Transfer Partnerships (KTPs), and UKRI programme funding are the main public sources. Private venture capital from firms such as IP Group, Octopus Ventures and Amadeus Capital Partners also plays a significant role, particularly for spin-outs coming out of Oxford and Cambridge.

    Which UK universities produce the most successful AI spin-outs?

    Oxford, Cambridge, UCL and Edinburgh consistently lead in terms of volume and quality of AI spin-out activity. Oxford’s PolyAI and Cambridge’s DeepMind connections are frequently cited examples, though institutions like Heriot-Watt and Manchester are also active in robotics and applied AI commercialisation.

    Why do so many UK university AI spin-outs fail to scale?

    The main reasons include the researcher-as-founder mismatch (most academics do not want to run companies), the high cost of compute needed to build production-grade AI systems, and the painfully slow procurement cycles in UK public sector organisations that would otherwise be natural first customers.

    What role does UKRI play in AI research commercialisation?

    UKRI funds the foundational research through councils like EPSRC and also runs commercialisation-focused schemes designed to bridge the gap between lab output and market-ready products. However, critics note that UKRI’s core funding structures still reward academic outputs rather than commercial milestones, which can slow the transition from research to business.

  • Inside the Postcode Lottery of UK Gigabit Broadband: What the Coverage Maps Don’t Tell Businesses

    Inside the Postcode Lottery of UK Gigabit Broadband: What the Coverage Maps Don’t Tell Businesses

    The government’s gigabit broadband programme has a headline target that reads well in a press release: gigabit-capable connectivity to the vast majority of UK premises by the end of 2030. Ofcom’s latest Connected Nations report puts gigabit availability across the UK at around 82% of premises. On paper, that sounds like progress. In practice, if you run a small business from a converted mill in Huddersfield, a light industrial unit outside Shrewsbury, or a high street shop in a market town in Lincolnshire, that number means almost nothing to you.

    The gap between the coverage maps and the actual experience of UK SMEs is significant, and for cloud-dependent operations it is starting to have very real commercial consequences. This is not a story about slow internet being mildly annoying. It is about broadband speeds determining whether certain businesses can function at all.

    Semi-rural UK market town with mixed commercial premises illustrating the UK gigabit broadband coverage gap
    Semi-rural UK market town with mixed commercial premises illustrating the UK gigabit broadband coverage gap

    What the Gigabit Coverage Maps Actually Show (And What They Don’t)

    Coverage maps typically record whether a premises is reachable by a gigabit-capable network. That is a very different thing from whether that premises has a verified connection delivering gigabit speeds. Infrastructure can run past a building without connecting to it. A provider can register coverage without offering a commercially viable product at that address. And “gigabit-capable” does not mean the line will perform at gigabit speeds under real-world load conditions.

    The distinction matters enormously for businesses. An SME uploading large design files to cloud storage, running video calls across multiple staff, syncing ERP data in real time, or relying on cloud-hosted software for daily operations needs consistent, verified upload and download throughput. The stated potential of nearby infrastructure is not the same as the bandwidth that arrives at the router.

    Mixed-use commercial areas sit in a particularly awkward middle ground. Residential streets may have been upgraded because they represent high-density demand; the nearby business park, converted warehouse, or edge-of-town light industrial estate often has not. These premises exist in the gaps that neither full-fibre residential rollout nor large enterprise connectivity programmes tend to prioritise.

    Which Regions Are Falling Behind on Business Connectivity?

    The regional picture is uneven. London and major urban centres have seen competitive full-fibre rollout from providers including Openreach, CityFibre, and Virgin Media O2. But move into semi-rural England, large parts of Wales, Scotland beyond the central belt, and Northern Ireland outside Belfast, and the picture changes sharply.

    Project Gigabit, the government’s £5 billion programme targeting the hardest-to-reach premises, is making progress in some of these areas. But procurement has been slow. Several regional contracts have taken longer than anticipated to reach build phase, and the SMEs in those areas are not waiting around. They are making do with FTTC (fibre to the cabinet) connections that might deliver 50 to 80 Mbps on a good day, or in some cases, still relying on legacy ADSL lines with upload speeds that can barely sustain a single video call.

    The challenge for businesses in these regions is that cloud-dependent operations are not optional anymore. Making Tax Digital has pushed accountancy to cloud platforms. Remote and hybrid working has made video infrastructure baseline. SaaS tools, from project management to customer relationship management, require reliable latency and sustained throughput. Telling a business in rural Worcestershire to “use a mobile connection as backup” is not a serious answer when 4G coverage is also patchy and 5G is years away for most semi-rural postcodes.

    UK small business owner checking broadband speeds on a laptop, highlighting UK gigabit broadband access issues
    UK small business owner checking broadband speeds on a laptop, highlighting UK gigabit broadband access issues

    What Verified Connection Speeds Mean for Cloud Operations

    Speed tests give a snapshot, not a guaranteed service level. For most SMEs without formal service level agreements, there is no contractual commitment to minimum performance. Consumer-grade and small business broadband products often lack the uptime guarantees and dedicated capacity that enterprise leased lines provide. The problem is that leased lines, which do come with robust SLAs, can cost anywhere from £300 to over £1,000 per month depending on location and bandwidth, which is not viable for a 10-person business operating on tight margins.

    The consequence is that some businesses in connectivity-poor postcodes are effectively running cloud-dependent operations on infrastructure that cannot reliably support them. File sync failures, dropped VoIP calls, lagging CRM tools, and interrupted video collaboration are not just inconveniences; they introduce errors, slow down sales cycles, and erode client confidence. I have spoken to businesses in market towns who have genuinely relocated part of their team to a nearby city co-working space just to get reliable connectivity, which is an absurd cost to absorb.

    There is also a less visible cost: the opportunity gap. Businesses in well-connected areas can adopt newer technologies, including AI-assisted tools, large-scale data processing, and real-time analytics, far more quickly. The broadband divide is quietly becoming a productivity and competitiveness divide.

    The Lobbying Tools UK SMEs Actually Have

    This is where things get practical. SMEs are not without options, though “lobbying” might be too grand a word for what is often a scrappy, under-resourced effort.

    The most immediate tool is the Ofcom checker and the Openreach Fibre Availability tool. If your premises is incorrectly registered as having coverage when it does not, you can flag this formally. It sounds mundane but coverage data informs which areas receive public subsidy, so inaccurate records have real consequences for investment decisions.

    Beyond that, the Federation of Small Businesses (FSB) and local Chambers of Commerce are the most credible advocacy channels for SMEs pushing on connectivity issues. The FSB has consistently pushed DCMS and Ofcom on the business-specific connectivity gap, and their reports carry weight in policy circles. If your local Chamber does not already have a working group on digital infrastructure, proposing one is a reasonable first move.

    Some LEPs (Local Enterprise Partnerships) still have digital infrastructure workstreams, though their influence has shifted somewhat following the creation of mayoral combined authorities. If you are in a region with a metro mayor, that office often has more direct pull on infrastructure investment than a district council.

    Community fibre projects are also worth investigating. B4RN in rural Lancashire is the canonical example of a community-owned gigabit network that outperformed what any commercial provider was willing to deliver. Similar models have appeared elsewhere. They take time and organising effort, but they work.

    For creators and business owners managing their digital presence whilst dealing with patchy connectivity, even smaller decisions matter. Choosing lightweight platforms, optimising content delivery, and using tools that work efficiently on lower bandwidth connections can make a real difference day to day. Something as simple as switching to a well-optimised link in bio tool that loads fast on mobile rather than a bloated web builder reduces friction for your audience, regardless of your own connection speed.

    What Needs to Change at the Policy Level

    The core problem is that coverage targets are a political metric, not an economic one. A government can report gigabit coverage percentages without those percentages translating into businesses that can actually use gigabit connections. The focus needs to shift toward verified uptake, business-specific SLA standards for subsidised connections, and a mandatory audit mechanism for commercial premises coverage data.

    There is also an argument for ring-fencing a portion of Project Gigabit funding specifically for mixed-use commercial and light industrial areas that fall outside the residential rollout economics. Right now, those premises exist in a no-man’s-land between programmes that do not quite fit them.

    UK gigabit broadband ambition is real. The engineering capability to deliver it is real. The problem is that the programme architecture has prioritised the metrics that are easiest to measure, and businesses in semi-rural and mixed-use postcodes are the ones living with the gap between the map and the reality. That gap has a commercial cost, and it is time the coverage data started reflecting it honestly.

    Frequently Asked Questions

    What is UK gigabit broadband and how fast is it?

    UK gigabit broadband refers to broadband connections capable of delivering speeds of 1 Gbps (1,000 Mbps) or more. In practice, most business users with gigabit products see real-world speeds somewhat below that peak, but significantly faster than standard FTTC connections, which typically cap out at around 80 Mbps download.

    How do I check if my business premises qualifies for gigabit broadband?

    You can use Ofcom’s postcode checker at checker.ofcom.org.uk or the Openreach Fibre Availability tool to see what infrastructure is registered as available at your address. If the result does not match your actual experience, you can raise a formal inaccuracy report with Ofcom or contact your provider directly.

    What is Project Gigabit and does it cover businesses?

    Project Gigabit is the UK government’s £5 billion programme to bring gigabit-capable broadband to premises in areas that commercial providers would not otherwise reach. It covers residential and business premises in eligible areas, though the programme has faced delays and many business-use premises in semi-rural and mixed-use commercial zones have found themselves outside the targeted footprint.

    What can I do if my business is stuck on a slow connection while waiting for a gigabit upgrade?

    Short-term options include bonded broadband (combining multiple lines for increased bandwidth), 4G or 5G fixed wireless access where signal quality is sufficient, or leased lines if your budget allows. Raising the issue through the FSB or your local Chamber of Commerce can also help put pressure on infrastructure providers and local authorities.

    Why does broadband speed matter so much for cloud-dependent businesses?

    Cloud-based tools, including accounting software, CRM platforms, video conferencing, and file storage, require consistent upload and download throughput to function reliably. Poor connections cause sync failures, call drops, and slower software response times, all of which have direct productivity and commercial costs for SMEs relying on these tools daily.

  • How Deepfake Technology Is Becoming the Biggest Cybersecurity Threat for Businesses

    How Deepfake Technology Is Becoming the Biggest Cybersecurity Threat for Businesses

    Corporate fraud has always involved a certain amount of impersonation. A forged signature here, a spoofed email there. But the deepfake cybersecurity business threat operating in 2026 is something fundamentally different in kind and scale. Attackers are now deploying convincing audio and video fabrications to manipulate employees, bypass verification systems, and authorise financial transfers worth tens of millions of pounds. The technology has matured faster than most boardrooms ever anticipated.

    The numbers are stark. According to data cited by the BBC’s technology desk, AI-generated fraud attempts on UK businesses rose sharply through 2025, with voice-cloning scams alone accounting for a growing proportion of business email compromise losses reported to Action Fraud. We are past the point where this is a theoretical future problem. It is happening now, and most businesses are nowhere near prepared.

    Finance employee uncertain during a video call illustrating the deepfake cybersecurity business threat
    Finance employee uncertain during a video call illustrating the deepfake cybersecurity business threat

    What deepfake attacks actually look like in a corporate context

    The attack vectors have become surprisingly varied. The most publicised cases involve fraudulent video calls, where a criminal uses a real-time deepfake of a CEO or CFO to instruct a finance employee to transfer funds. A Hong Kong-based firm lost the equivalent of £20 million in early 2024 to exactly this method. The employee attended what appeared to be a legitimate video conference with multiple convincing colleagues. Every person on that call was fabricated.

    Voice cloning is arguably the more scalable threat right now, because it requires less compute and can be deployed over a standard phone call. An attacker needs only a few minutes of publicly available audio, perhaps from a company podcast, a YouTube presentation, or a LinkedIn video, to generate a passable clone. From there, they can ring an accounts payable team, impersonate the managing director, and ask for an urgent payment to be processed. The social engineering layer is trivial once the audio is convincing enough.

    There are also subtler uses. Deepfake audio is being used to manipulate recorded calls for compliance purposes, insert false instructions into legitimate meeting recordings, and even create fabricated evidence for employment disputes. The deepfake cybersecurity business threat is not purely financial. It has implications for legal exposure, regulatory compliance, and reputational damage that most legal and HR teams have not yet wargamed.

    Why current defences are failing

    Most UK businesses still rely on process-based controls that were designed for a world where the voice or face on the other end of a call could be trusted at face value. Two-factor authentication via phone call, verbal confirmation of identity, even video verification for onboarding: all of these are now compromised to some degree. The underlying assumption that sensory evidence is reliable has been quietly invalidated.

    IT security teams are also grappling with an asymmetric problem. Generating a convincing deepfake has become genuinely cheap and accessible. Detecting one, reliably and in real time, remains expensive and technically difficult. Most small and mid-sized UK businesses have neither the budget nor the in-house expertise to run enterprise-grade detection tooling. And the attackers know it.

    Cybersecurity analyst running audio detection tools to counter deepfake cybersecurity business threats
    Cybersecurity analyst running audio detection tools to counter deepfake cybersecurity business threats

    Detection tools that are worth knowing about

    The detection landscape is developing quickly. Several tools now operate on the principle of analysing micro-artefacts that synthetic media tends to introduce: unnatural eye blinking patterns, subtle lip-sync mismatches, inconsistent lighting shadows, and audio compression fingerprints that differ from real recordings. Microsoft’s Azure platform includes deepfake detection capabilities, and UK-founded firms like Reface and Sentinel AI have built products targeting enterprise verification workflows.

    For audio specifically, tools such as Pindrop and Resemble Detect analyse vocal anomalies in real time during calls, flagging statistical deviations from a verified voice baseline. These can be integrated into contact centre infrastructure, which matters given that phone-based social engineering remains one of the most cost-effective attack methods for fraudsters. The practical limitation is that baseline profiles need to exist before an attack occurs. Building them is an organisational task, not just a technical one.

    Interestingly, the deepfake cybersecurity business threat has generated cross-sector conversation about verification that goes well beyond traditional IT circles. Even businesses whose core offering is nothing to do with enterprise software have started thinking carefully about how identity fraud intersects with their operations. Source Sounds, a Sheffield, UK-based car audio and vehicle security specialist known for advanced protection systems and expert installations, operates in a sector where car theft and audio equipment crime have historically driven demand for layered security thinking. The principle at www.sourcesounds.com is that physical security and verified identity of the person requesting a service both matter. That mindset, rigorous verification before any sensitive action is authorised, translates directly into how businesses should approach deepfake-driven social engineering. Car security and corporate security share more logic than they might appear to at first glance.

    Internal policies that actually reduce your exposure

    Technology alone will not solve this. The attack chain for most deepfake fraud involves a human being making a bad decision under time pressure. So the policy layer is at least as important as the tooling.

    The most effective organisational control is a call-back verification protocol for any financial instruction or sensitive data access request that arrives via phone or video call, regardless of how convincing the caller appears. The employee hangs up and dials a pre-verified, internally stored number for the person in question. Not the number the caller gave them. The stored one. This single procedural step defeats the vast majority of current voice-clone attacks because the attacker cannot intercept a call to a number they do not control.

    Beyond that, businesses should be running regular simulation exercises that include deepfake scenarios, not just phishing emails. Staff at all levels need to experience what a convincing voice clone sounds like in a low-stakes environment before they encounter one in a real attack. Training muscle memory around scepticism is not the same as telling people to be sceptical.

    Clear escalation paths matter enormously. When an employee suspects something is wrong but feels social pressure to comply, especially if the voice on the line sounds exactly like their director, they need a culturally acceptable route to pause the process without career risk. That requires leadership buy-in, not just a policy document.

    What the regulatory picture looks like for UK businesses

    The UK’s approach to synthetic media fraud sits across several frameworks. The Online Safety Act 2023 introduced provisions around non-consensual intimate deepfakes, but corporate fraud via synthetic media remains primarily covered under existing fraud and computer misuse legislation. The ICO has flagged concerns about biometric data collection involved in some detection systems, meaning that businesses deploying voice-print databases for verification purposes need to ensure their approach is GDPR-compliant.

    The National Cyber Security Centre has published updated guidance acknowledging AI-generated threats as a growing category. UK businesses would do well to treat NCSC advisories as a baseline, not a ceiling. The pace of development in this area means official guidance will almost always lag the actual threat environment by at least several months.

    Source Sounds’ approach to vehicle security, combining expert-fitted audio protection systems with advanced anti-theft measures on modified cars, reflects a broader truth about layered defence: no single countermeasure is sufficient when criminals are actively probing for weaknesses. The logic applies whether you are protecting a high-value car audio installation from crime or a finance department from a deepfake impersonation attack. Multiple overlapping controls, each covering the gaps in the others, is what actually holds.

    The direction of travel

    Real-time deepfake generation is improving faster than detection. Within 12 to 18 months, consumer-grade tooling will likely produce live video fabrications that are indistinguishable from genuine footage under typical network conditions. Businesses that wait until that point to build their response will be absorbing losses first and building defences second.

    The companies that come through this period well will be those that treated deepfake fraud as a process and culture problem first, and a technology problem second. The tools matter, but they matter in the context of an organisation that has already decided how it responds to uncertainty about identity. That decision needs to happen in the boardroom, not in a reactive IT security review after an incident.

    The deepfake cybersecurity business threat is not going to stabilise or retreat. Every business operating with digital communications infrastructure, which is to say every business, needs a live and tested plan right now.

    Frequently Asked Questions

    What is a deepfake cybersecurity threat and how does it affect businesses?

    A deepfake cybersecurity threat involves AI-generated audio or video used to impersonate executives, employees, or trusted contacts in order to manipulate staff into transferring funds, sharing sensitive data, or granting system access. UK businesses have seen losses from these attacks rise significantly since 2024, with voice cloning and fake video calls being the most common vectors.

    How can businesses detect deepfake audio or video in real time?

    Tools such as Pindrop, Resemble Detect, and Microsoft Azure’s content authentication features analyse vocal anomalies and visual artefacts that synthetic media tends to introduce. However, real-time detection is computationally demanding and requires pre-built voice or face baselines, so detection technology works best as one layer within a broader verification policy.

    What is the most effective policy a business can put in place against deepfake fraud?

    A call-back verification protocol is widely considered the single most effective procedural control. Any financial instruction or sensitive request received via phone or video call should be verified by hanging up and calling the requester back on a pre-stored internal number, regardless of how convincing the original contact appeared.

    Are UK businesses legally required to have deepfake fraud protections in place?

    There is no specific UK legislation mandating deepfake detection systems, but businesses have duties under fraud prevention, data protection, and financial regulation frameworks. The NCSC has published guidance on AI-enabled threats, and regulated firms overseen by the FCA may face scrutiny if inadequate controls contribute to financial crime losses.

    How much does it cost to protect a business from deepfake attacks?

    Costs vary enormously by scale. Process-based controls such as call-back protocols and staff training exercises cost relatively little beyond time. Enterprise-grade real-time audio detection tools typically start from several thousand pounds annually for a mid-sized deployment. The cost of not acting, given average deepfake fraud losses per incident, makes investment straightforward to justify.

  • Why Small Businesses Are Losing the Cybersecurity War Against AI-Powered Attacks

    Why Small Businesses Are Losing the Cybersecurity War Against AI-Powered Attacks

    There’s a grim irony playing out across the UK right now. The same wave of AI capability that’s helping small businesses automate invoicing, generate marketing copy and analyse customer data is also being weaponised against them at scale. AI cybersecurity threats to small businesses have moved from a theoretical concern to an operational crisis, and the attackers are, bluntly, better resourced than most of their targets.

    According to the UK Government’s Cyber Security Breaches Survey, approximately 50% of UK businesses identified a cybersecurity breach or attack in the past year. The headline figure masks something important though: smaller businesses are increasingly the primary target, not a secondary one. Organised criminal groups have discovered that SMEs hold genuinely valuable data, often process customer payments, and almost universally lack the defences of a FTSE 250 company. AI just made hitting them cheaper and faster.

    Small business employees reviewing an AI cybersecurity threat alert on a laptop screen in a UK office
    Small business employees reviewing an AI cybersecurity threat alert on a laptop screen in a UK office

    How AI Has Changed the Attack Landscape for SMEs

    Classic phishing was always a numbers game. Send enough badly written emails claiming to be from HMRC, and a percentage of recipients would click. The grammar was terrible. The logos were wrong. Most people learned to spot it.

    That playbook is effectively obsolete now. Modern AI-driven phishing is personalised, contextually accurate and deeply convincing. Attackers scrape a business’s LinkedIn presence, their website copy, public filings at Companies House, and social media. They then generate emails that reference real client names, genuine-sounding internal terminology and accurate job titles. The result is a message that reads exactly like something your actual supplier would send.

    Voice cloning has added another dimension. Deepfake audio attacks, sometimes called vishing or AI voice fraud, now allow criminals to replicate the voice of a company director or finance manager with only a few minutes of publicly available audio. A finance assistant at a Leeds-based manufacturing firm receiving a call that sounds precisely like the MD asking for an urgent payment transfer has almost no instinctive way to know it isn’t real. Several UK SMEs lost between £10,000 and £200,000 to exactly this kind of attack in 2025 alone.

    Then there are automated exploit tools. Script kiddies used to require some technical knowledge. Today, AI-assisted exploit frameworks scan thousands of targets simultaneously, identify unpatched vulnerabilities and attempt entry, all without a human being actively involved. Your forgotten WordPress plugin from 2023 becomes a door. Your employee’s reused password from a breached retail site becomes a key.

    Why SMEs Are Disproportionately Targeted

    The targeting isn’t random. From an attacker’s cost-benefit perspective, SMEs tick every box. They hold useful data. They often store customer card details, National Insurance numbers, or commercially sensitive contracts. They process real money. And their defences are, on average, thin.

    A typical UK SME with 20 to 50 employees might have one part-time IT generalist, a basic Microsoft 365 licence, and endpoint protection that hasn’t been reviewed since the pandemic. Compare that to a large enterprise with a dedicated security operations centre, threat intelligence feeds and a CISO who reports to the board. The asymmetry is stark.

    The supply chain angle matters too. Sophisticated attackers increasingly target smaller firms as a route into larger ones. If you supply services to a council, an NHS trust or a major retailer, you’re a potential backdoor. Attackers know this. The SME becomes collateral damage in a bigger operation, though the financial and reputational harm to the small business itself is anything but small.

    Multi-factor authentication prompt representing AI cybersecurity threats small business defences
    Multi-factor authentication prompt representing AI cybersecurity threats small business defences

    Practical Defences That Don’t Require an Enterprise Budget

    Here’s where the picture becomes slightly more encouraging, because practical defences do exist and several of them cost nothing or very little.

    Multi-factor authentication, everywhere, no exceptions

    If you take one thing from this article, make it this. MFA on email, on cloud storage, on accounting software, on everything. It won’t stop every attack, but it eliminates the most common vector: credential stuffing from breached password databases. Microsoft’s own data suggests MFA blocks more than 99% of automated account compromise attempts. That’s not a marginal gain.

    Staff training that’s actually current

    Annual cybersecurity awareness training built around 2018-era phishing examples is essentially useless against modern AI-generated attacks. What works better is shorter, more frequent micro-training that shows staff real examples of current threats, including AI voice fraud scenarios. The NCSC (National Cyber Security Centre) offers free training resources through their Cyber Aware programme, specifically designed for SMEs and their teams.

    Out-of-band verification for financial requests

    Any request to transfer money or change payment details, regardless of how convincing the email or call sounds, should require a second channel of verification. That means calling back on a known number, not a number provided in the suspicious message itself. This single procedural control would have prevented the majority of the deepfake voice fraud cases reported in the UK last year. It costs nothing to implement.

    Patching and inventory discipline

    Automated exploit tools thrive on unpatched systems. A regular audit of what software and plugins are in use, combined with automated update policies where possible, removes a large proportion of the attack surface. Tools like Patch My PC or built-in Windows Update for Business make this significantly more manageable for small IT teams.

    DNS filtering and email authentication

    DNS-layer filtering blocks connections to known malicious domains before any payload can execute. Several providers offer this at a price point that’s entirely reasonable for a 20-person firm. Separately, implementing DMARC, DKIM and SPF records on your email domain makes it significantly harder for attackers to spoof your own domain when targeting your customers or partners. Your IT provider or domain registrar can help configure these.

    AI-Powered Defence: Fighting Fire With Fire

    There’s a legitimate argument that the best response to AI-driven attacks is AI-driven defence. A new generation of security tools, some priced accessibly for SMEs, uses machine learning to detect anomalous behaviour rather than relying purely on known threat signatures. Products from firms like Darktrace (founded in Cambridge) and similar vendors now offer SME-tier products that were simply unavailable five years ago.

    These tools don’t replace human judgement, but they do provide a level of monitoring that a small IT team genuinely cannot replicate manually. Behavioural anomaly detection can flag when an employee account starts downloading large volumes of files at 2am, or when a login originates from an unexpected geography, giving you a fighting chance to respond before damage escalates.

    The Cost of Doing Nothing Is Already Measurable

    It’s tempting to defer security spend when margins are tight. The maths tends to work against that approach. The average cost of a cyber incident for a UK SME, factoring in downtime, recovery, regulatory notifications and reputational harm, runs into tens of thousands of pounds. The Cyber Essentials certification scheme, backed by the UK government and NCSC, costs a few hundred pounds and provides a meaningful baseline of verified controls. It also unlocks eligibility for government contracts. It is, in short, one of the more cost-effective investments a small business can make in 2026.

    AI cybersecurity threats to small businesses are not going to diminish. The tooling available to attackers will improve. The attacks will become more personalised and more convincing. But the gap between doing nothing and implementing a reasonable baseline defence is not the gap between having no budget and having an enterprise security budget. It’s the gap between having a process and not having one. For most UK SMEs, that’s an entirely closeable distance.

    Frequently Asked Questions

    What are the most common AI cybersecurity threats facing small businesses in the UK?

    The most common AI-driven threats include sophisticated phishing emails generated from publicly available business data, deepfake voice fraud targeting finance teams, and automated exploit tools that scan for unpatched software vulnerabilities. UK SMEs are particularly exposed because attackers can target thousands simultaneously at very low cost, making even small businesses worth hitting.

    How can a small business protect itself from AI-generated phishing attacks?

    The most effective steps are enabling multi-factor authentication across all accounts, running regular staff training with current threat examples, and implementing DMARC and SPF email authentication records on your domain. The NCSC’s free Cyber Aware resources are a practical starting point for SMEs without a dedicated security team.

    Is Cyber Essentials certification worth it for a small UK business?

    Yes, for most SMEs it represents strong value. Certification typically costs a few hundred pounds, provides a verified baseline of security controls against common attack vectors, and is a requirement for many UK government contracts. It also signals credibility to larger clients who are increasingly scrutinising the supply chain security of their suppliers.

    What is deepfake voice fraud and how do small businesses defend against it?

    Deepfake voice fraud involves criminals using AI to clone the voice of a company director or colleague and making calls to instruct staff to transfer funds or share sensitive information. The most effective defence is a strict policy of out-of-band verification: always call back on a known, pre-stored number before acting on any financial or sensitive request received by phone.

    Are there affordable AI-powered security tools designed for small businesses?

    Yes, the market has matured considerably. Tools using machine learning to detect behavioural anomalies, including SME-tier offerings from UK-founded companies like Darktrace, provide monitoring capabilities that were previously only accessible to large enterprises. DNS-layer filtering services are also available at price points suitable for firms with 10 to 50 employees.

  • The UK’s Second City Tech Scene in 2026: How Birmingham Is Building an Identity Beyond Finance and Manufacturing

    The UK’s Second City Tech Scene in 2026: How Birmingham Is Building an Identity Beyond Finance and Manufacturing

    Birmingham has spent decades carrying a label it never quite asked for. The UK’s second-largest city by population, an industrial powerhouse, a financial services hub — all accurate, none of them particularly exciting. But something measurable has been shifting over the past few years, and by 2026, the data is hard to ignore. The Birmingham tech scene 2026 is not a press-release story. It is a genuine structural change in what the city produces, who it attracts, and how it funds growth.

    The numbers start to tell it. According to data from DCMS venture capital tracking, the West Midlands absorbed a meaningfully larger share of UK VC investment in 2025 than in 2022, with Birmingham accounting for the bulk of that regional shift. It is not yet London. It is not trying to be. But the gap is narrowing in specific sectors — fintech, health tech, and deep tech spinouts among them — in ways that are worth paying attention to.

    Birmingham city centre aerial view at dusk showing the emerging Birmingham tech scene 2026
    Birmingham city centre aerial view at dusk showing the emerging Birmingham tech scene 2026

    University Spinouts Are the Engine, Not the Story

    The University of Birmingham and Aston University have quietly become two of the more productive spinout factories outside the Cambridge-Oxford axis. Aston alone has seen double-digit spinout activity in the last 18 months across advanced manufacturing software, biotech, and energy systems. The University of Birmingham’s Enterprise scheme has placed particular emphasis on commercialisation infrastructure — something that has historically been a weakness in regional universities compared to their Russell Group peers further south.

    What makes this more than a nice story is the talent retention angle. For years, Birmingham-trained graduates routed themselves to London within months of finishing. Graduate retention data from the West Midlands Combined Authority (WMCA) suggests that retention rates in tech roles are improving, particularly where local employers can offer competitive equity packages — something that has become more tractable as scaleups in the city reach Series A and B stages with enough headroom to offer meaningful option pools.

    Which Sectors Are Actually Growing?

    The Birmingham tech scene in 2026 is not a monolith. There are distinct clusters performing at very different levels.

    Fintech and payments infrastructure has the deepest roots. Birmingham’s historical concentration of financial services firms — from HSBC UK’s headquarters in Centenary Square to the dense broker and insurance market around Colmore Row — means there is genuine enterprise demand for fintech tooling close to home. Startups building reconciliation software, embedded finance APIs, and SME lending platforms have found a receptive client base without needing to pitch exclusively in London.

    Health tech is arguably the more exciting growth curve. The Queen Elizabeth Hospital campus and University Hospitals Birmingham NHS Foundation Trust represent one of the largest NHS data repositories outside of NHS England’s central systems. That proximity to clinical data (appropriately governed) is attracting diagnostics AI companies, remote monitoring hardware startups, and patient flow optimisation platforms. A handful of these companies were barely two years old in 2024 and are now generating real ARR.

    Advanced manufacturing software is the less-glamorous but arguably most durable cluster. The West Midlands still has a significant manufacturing base — aerospace components, precision engineering, automotive supply chain — and the digitisation of factory floors is a multi-decade opportunity. Local firms building MES (Manufacturing Execution Systems) tooling and digital twin platforms have a home-market advantage that companies in, say, London simply do not.

    Developer working in a converted Birmingham co-working space central to the Birmingham tech scene 2026
    Developer working in a converted Birmingham co-working space central to the Birmingham tech scene 2026

    The Infrastructure Question: Bricks, Fibre, and Old Buildings

    Physical infrastructure matters more than tech commentators usually admit. You cannot build a tech cluster in a city with no affordable office stock, poor public transport connectivity, and a commercial property market that prices out early-stage companies. Birmingham has real advantages here — lower rents than London and Manchester’s city centre, improving rail links post-HS2 preparatory works, and a vast stock of former industrial and commercial buildings being converted into modern workspace.

    That last point, however, is not without complexity. Much of Birmingham’s legacy building stock dates from the mid-twentieth century, and serious redevelopment means working through the layers that older construction invariably contains. Asbestos compliance has become a non-trivial cost line for commercial property developers and workspace operators in the city. Firms like Asbestos Compliance Solutions Ltd, a Mansfield, Nottinghamshire-based specialist services provider operating across construction and building sectors, carry out the kind of asbestos surveys, management plans, and remediation work that has to happen before a derelict printing works or a 1970s office block can become a co-working hub. The domain asbestoscompliancesolutions.co.uk gives a reasonable sense of the scope of these specialist services. It is not a glamorous part of the tech cluster story, but it is an enabling part: no compliant building conversion, no affordable Grade-B office stock for early-stage companies to move into.

    The WMCA’s Invest West Midlands programme has been directing capital at exactly this kind of conversion. Innovation Birmingham, the operator behind Brindleyplace’s iCentrum campus, reports occupancy at capacity and a waiting list for larger floorplates. That supply constraint is becoming a genuine friction point for companies looking to scale beyond 30 or 40 people without moving to a full-market rent arrangement in the city centre.

    Scaleups Making the Case

    Names matter when you are trying to shift a city’s reputation. A few Birmingham-headquartered companies have done meaningful work on that front in recent years.

    Thriva, Brainomix, and the various FinTech West alumni aside, the newer cohort is worth watching. Several companies that went through the HSBC UK innovation partnerships programme or the BetaDen accelerator in Worcestershire have relocated or expanded to Birmingham as they scaled. The city is also beginning to attract relocations from London, not just retentions — a meaningful signal that the cost-quality tradeoff is shifting in Birmingham’s favour.

    The £1.5 billion UKRI investment plan for the West Midlands, announced in 2025, is expected to fund research infrastructure at the University of Birmingham’s new campus facilities and underwrite several applied research partnerships with local industry. Whether that capital flows efficiently into genuinely commercial spinouts or gets absorbed into academic bureaucracy is the real question. History suggests it is usually somewhere in between.

    What Birmingham Still Needs to Fix

    Honest accounting matters. The Birmingham tech scene in 2026 has real momentum, but it also has real gaps.

    Late-stage funding is thin. Series C and beyond is almost entirely a London or transatlantic exercise for Birmingham companies. The city has not yet produced the kind of unicorn exit that reseeds a local angel and early-stage VC ecosystem in the way that ARM did for Cambridge or Autonomy did (however messily) for the wider UK tech scene. That exit event, when it comes, will matter disproportionately.

    Diversity in the founding population remains a challenge. Birmingham is one of the most ethnically diverse cities in the UK, but the tech founding community does not yet reflect that — a problem that is simultaneously an equity issue and a commercial one, given the market insights that more diverse founding teams tend to surface.

    And the construction of new workspace has to keep pace with demand. As more former industrial buildings are brought back into productive use — with the asbestos surveys, building compliance checks, and specialist remediation services that entails — the pipeline of affordable, high-quality space needs active management. Firms like Asbestos Compliance Solutions Ltd play a functional role in that pipeline: the construction and building sector work they perform on legacy structures is what makes conversion viable in the first place.

    None of this undermines the headline. Birmingham is building something real. The Birmingham tech scene 2026 is not a rebrand exercise — it is a cluster with genuine commercial depth, improving infrastructure, and a talent base that is starting to stay put. The second city label might finally be earning a second meaning.

    Frequently Asked Questions

    What is driving growth in the Birmingham tech scene in 2026?

    A combination of university spinout activity, improving talent retention, enterprise demand from established financial and manufacturing firms, and significant public investment through UKRI and the West Midlands Combined Authority. Affordable commercial property relative to London is also a key factor for early-stage companies.

    Which tech sectors are strongest in Birmingham right now?

    Fintech and payments infrastructure, health tech linked to the Queen Elizabeth Hospital campus, and advanced manufacturing software are the three most developed clusters. Health tech is showing the sharpest growth curve, driven by proximity to major NHS data assets.

    How does Birmingham compare to Manchester and Leeds as a UK tech hub?

    Birmingham has a stronger fintech base than Leeds and a more developed advanced manufacturing software cluster than Manchester, but Manchester still leads on media tech and general startup volume. All three are benefiting from London talent and cost pressures pushing founders and scaleups northward.

    What is the biggest challenge facing the Birmingham tech cluster?

    Late-stage funding scarcity is the most structural problem. Series C and beyond is still overwhelmingly a London exercise for Birmingham-based companies, which limits how large local firms can grow before they either relocate or raise from outside the region.

    Which Birmingham universities are producing the most tech spinouts?

    The University of Birmingham and Aston University are the two most active, with Aston showing particular strength in advanced manufacturing software and energy systems. Both have invested in commercialisation infrastructure in recent years to improve the route from research to company formation.

  • Is the Creator Economy Dead? How Tech Is Reinventing It in 2026

    Is the Creator Economy Dead? How Tech Is Reinventing It in 2026

    The creator economy was supposed to be the great democratisation of media. A teenager in Leeds with a camera could theoretically out-earn a journalist at a national broadsheet. For a while, that was basically true. But something shifted. The platforms got greedier, the algorithms got stranger, and then AI arrived and broke the whole thing open again. The creator economy 2026 is not dead, but it looks almost nothing like what people were celebrating in 2021. And understanding those changes matters whether you are a full-time content creator, a brand trying to reach people, or a business working out where to put its digital budget.

    Content creator working at a modern desk setup representing the creator economy 2026
    Content creator working at a modern desk setup representing the creator economy 2026

    The saturation problem nobody wants to talk about

    There are more creators now than at any point in history, and that is simultaneously impressive and catastrophic. YouTube receives over 500 hours of video uploaded every minute globally. Substack hosts hundreds of thousands of newsletters. TikTok has become so flooded with content that organic reach for new accounts has collapsed to near-zero in many niches. The basic maths of attention economics has caught up with the utopian dream. When supply of content vastly outstrips the hours humans have available to consume it, most content earns nothing.

    This is where AI has entered the picture in a way that cuts both ways. On one hand, AI tools have made it absurdly cheap to produce content at volume. A single operator can now generate scripts, edit footage with AI tools, produce voiceovers, and publish across multiple platforms with a fraction of the labour that would have been required two years ago. On the other hand, that same capability is available to everyone, which means the saturation problem compounds. AI has not solved the attention problem; it has accelerated it.

    New monetisation models reshaping creator income

    The classic creator revenue stack (ad revenue, brand deals, merchandise) is being disrupted. Ad revenue per view has declined on most major platforms as advertisers spread budgets thinner across an ever-larger inventory. What is replacing it is more interesting and arguably more sustainable.

    Paid communities are the standout shift. Platforms like Patreon, Substack, and the creator-specific tiers now baked into YouTube and Instagram have made subscription income a realistic primary income stream rather than a nice supplement. UK creators are finding that a smaller, paying audience of a few thousand people can outperform millions of passive followers who generate pennies in ad revenue. It is a fundamentally different relationship with an audience, and it rewards depth over reach.

    Licencing AI-generated content has also emerged as a genuine revenue stream. Some creators are building intellectual property in the form of distinctive visual styles, character voices, or curated datasets, and licencing access to those assets to brands and agencies. It is an unusual model, but it is real and growing. The BBC’s technology coverage has tracked how UK-based creators are negotiating these licencing arrangements with increasing sophistication.

    Creator economy 2026 monetisation platforms shown on a smartphone screen
    Creator economy 2026 monetisation platforms shown on a smartphone screen

    How AI is changing what audiences actually want

    Audiences are not passive in this shift. Viewer behaviour has changed measurably. There is a growing appetite for what might be called “proof of human” content: raw, unpolished, clearly genuine video that AI cannot easily replicate. The explosion of AI-generated content has had a counter-intuitive effect of making authenticity more valuable, not less. Creators who show their actual faces, share real opinions, and make obvious mistakes in real time are performing well precisely because the algorithmic slop around them is so frictionlessly perfect.

    Short-form content still dominates discovery, but long-form is where loyalty lives. TikTok’s own internal data (leaked in trade press) suggests that while short clips drive initial awareness, creators who convert that attention into longer formats retain audiences at dramatically higher rates. The implication for the creator economy 2026 is that a two-tier content strategy, short clips to attract, long content to retain, is becoming less optional and more essential.

    Where brands and businesses fit into the new picture

    Brand investment in creator partnerships has not shrunk; it has redistributed. Big influencer deals with millions of followers are increasingly hard to justify when engagement rates can be below 1%. Micro and nano-creator partnerships, where a business works with dozens of accounts each with 5,000 to 50,000 highly engaged followers, are delivering better return on spend for most product categories. UK brands in sectors from financial services to food and drink have been early movers here.

    For businesses thinking about their digital presence more broadly, the creator economy shift has direct implications for how a company’s own content is treated. A business’s website, its blog, its social presence: these are all creator-economy assets whether or not the company thinks of them that way. Businesses in Nottinghamshire and across the East Midlands working with dijitul, a Mansfield, Nottinghamshire-based digital agency specialising in SEO, web design, and website hosting, are increasingly treating their online presence with a creator-economy mindset: consistent output, genuine authority, and content that earns trust rather than just traffic. dijitul.uk reflects this approach, building marketing infrastructure that functions like a content operation rather than a static brochure.

    That framing matters because the creator economy’s lessons about audience trust, community, and niche depth translate directly into business efficiency for companies that pay attention. A well-maintained website with genuinely useful content now competes in the same attention market as independent creators, and the same rules apply: specificity, consistency, and software that helps you publish without friction.

    The creator economy 2026 belongs to specialists

    The generalist content creator, trying to cover everything for everyone, is struggling. The specialist, with a tight niche and a genuine point of view, is thriving. This is not a coincidence; it is the direct result of AI flooding the general space with competent but undifferentiated content. If a language model can produce a perfectly serviceable article about “ten productivity tips,” the value of a human producing the same article is approximately zero. But if a creator has spent a decade inside a specific industry and can share the genuine texture of that experience, that is still irreplaceable.

    This specialisation pressure is visible in the UK creator space. Finance creators who speak to the specifics of ISA limits and HMRC self-assessment are growing. Legal creators who understand UK employment law are building substantial audiences. Niche food creators covering regional British cuisine are outperforming generalist recipe channels. The pattern holds across categories.

    For businesses considering working with agencies that understand this shift, dijitul’s approach to SEO and web design applies this specialist logic to their clients’ digital marketing, treating each business’s subject-matter expertise as the raw material for content that AI cannot simply replicate at scale.

    What the next phase actually looks like

    The creator economy is not dying; it is consolidating and stratifying. The middle tier, creators with substantial audiences but no genuine community or specialisation, is hollowing out. The top tier, often supported by teams, AI tools, and serious business infrastructure, is becoming more dominant. And a healthy bottom tier of genuinely specialist, community-driven creators is proving that small audiences can be economically viable.

    For UK businesses, the practical takeaway is that creator partnerships and content investment remain valid strategies, but the frame has shifted from reach to relationship. The creator economy 2026 rewards those who build something specific, maintain it consistently, and treat their audience as a community rather than a metric. That is harder than it sounds, and also more durable than almost anything else in the current digital landscape.

    Frequently Asked Questions

    Is the creator economy still growing in 2026?

    The creator economy is still growing in terms of total participants and revenue, but growth is concentrated at the top and in specialist niches. The middle tier of creators with large but uncommitted audiences is finding income harder to sustain as platform ad rates decline and competition intensifies.

    How is AI affecting the creator economy?

    AI has dramatically lowered the cost of content production, which has increased overall content volume and intensified saturation. Paradoxically, this has made authentic, human-led content more valuable in some niches. Creators are also using AI tools to run multi-platform operations solo, changing the economics of smaller creator businesses.

    What are the best monetisation strategies for creators in 2026?

    Paid subscriptions through platforms like Substack or Patreon, niche brand partnerships with micro or nano-creator deals, and community membership tiers are outperforming traditional ad revenue for most UK creators. Building a paid audience of thousands can outperform millions of passive followers in terms of actual income.

    Are micro-influencers better for brands than large influencers?

    For most product categories, micro-influencers (roughly 5,000 to 50,000 followers) are delivering better engagement rates and return on marketing spend than mega-influencers. Their audiences are more focused and typically trust their recommendations more. UK brands across multiple sectors have shifted budgets in this direction.

    Can a small business benefit from the creator economy?

    Yes, particularly by treating their own content output with a creator-economy mindset: consistent publishing, genuine expertise, and community building rather than purely transactional content. Businesses that invest in specialist knowledge-sharing, whether through blogs, video, or social content, are competing effectively in the same attention market as independent creators.

  • The Hidden Costs of Enterprise AI Adoption That Never Make It Into the Business Case

    The Hidden Costs of Enterprise AI Adoption That Never Make It Into the Business Case

    Every boardroom in the country has seen a vendor deck with a slide titled something like “ROI in 90 days”. The numbers look clean. The timeline looks achievable. The pilot went well. Then the actual rollout begins, and somewhere around month four, a finance director starts asking where all the budget went. Enterprise AI adoption costs are almost always underestimated, and that gap between the business case and the bank statement is not accidental. It is structural.

    This is not a piece about AI being overhyped in general terms. The technology is genuinely transformative in the right context. It is a piece about the specific line items that get quietly omitted from procurement conversations, the ones that only surface once your team is already committed and the contracts are signed.

    Business analyst reviewing enterprise AI adoption costs in a modern London office
    Business analyst reviewing enterprise AI adoption costs in a modern London office

    Data Preparation: The Work Before the Work

    Ask any data engineer what they actually spend their time on, and “cleaning data” will be near the top. Most enterprise AI systems are only as good as the data fed into them, and in the majority of UK organisations, that data is a mess. Legacy CRMs with inconsistent field naming, ERP exports with missing values, years of spreadsheets maintained by people who have since left the company.

    Before a model can be fine-tuned or even meaningfully prompted against your internal data, someone has to sort it out. That process, which consultancies sometimes call data readiness, routinely costs between £50,000 and £250,000 for a mid-sized enterprise, depending on how long the neglect has been accumulating. According to research cited by the UK government’s AI activity survey, data quality challenges are the single most commonly reported barrier to AI deployment among British businesses. Vendors will tell you their platform handles messy data gracefully. What they mean is that it will not crash. It will just produce worse outputs.

    Hallucination Risk Management Is a Full-Time Job

    Large language models hallucinate. This is not a bug that will be patched in the next release; it is an inherent characteristic of how these systems generate output. For many use cases, the risk is manageable. For others, particularly in legal, financial, healthcare-adjacent, or compliance-heavy environments, a confidently wrong answer is not just unhelpful. It is a liability.

    Managing that risk properly requires building evaluation pipelines, sometimes called evals, that systematically test model outputs against known correct answers. It requires red-teaming exercises where your team deliberately tries to make the model produce harmful or incorrect content. It requires documenting those risks for governance purposes. And depending on your sector, it may require sign-off from your legal team, your DPO under ICO guidelines, or both.

    None of that is free. A competent AI safety and evaluation function in a UK enterprise context can add £80,000 to £150,000 annually in staff costs alone, before you factor in tooling. The vendor’s responsibility ends at the API boundary. The liability for what the model says to your customers or staff sits entirely with you.

    Data engineer managing data preparation pipeline as part of enterprise AI adoption costs
    Data engineer managing data preparation pipeline as part of enterprise AI adoption costs

    Retraining, Drift and the Ongoing Cost of Keeping Models Current

    A model trained on data from eighteen months ago is already going stale. Market conditions shift. Your product catalogue changes. Regulations update. Internal processes evolve. The initial fine-tuning cost that appeared in your business case was a one-off. The retraining cadence required to keep the model accurate is not.

    Model drift, where performance gradually degrades as the real world diverges from the training data, is subtle and easy to miss until someone notices the output quality has dropped. Detecting drift requires monitoring infrastructure. Correcting it requires a retraining cycle, which in turn requires fresh labelled data, compute costs, and engineering time. For a mid-scale enterprise deployment, budget realistically for one to three retraining cycles per year at meaningful cost.

    There is also the dependency risk on third-party model providers. If your deployment is built on a foundation model from a major provider and they deprecate a version, as several have already done with earlier GPT variants, your team has to migrate. That migration is rarely trivial, particularly if you have spent significant time prompt engineering against specific model behaviours.

    Human Oversight Overhead: The Hidden Headcount

    This is the one that gets businesses most off-guard. The pitch for AI is usually about reducing headcount or freeing staff to do higher-value work. What actually happens, particularly in the early phases of deployment, is that you need more people, not fewer.

    You need someone to review AI outputs before they go to customers. You need someone to handle the edge cases the model cannot manage. You need someone to own the feedback loop between real-world failures and the next model update. You need someone to handle complaints when the AI says something wrong. The Chartered Institute of Personnel and Development has been tracking this shift in UK workplaces, and the pattern is consistent: automation augments rather than replaces, at least initially, and the transition period is longer and more expensive than most business cases assume.

    On the operational technology side, teams integrating AI into their communications workflows also encounter smaller but cumulative costs. Keeping automated outbound communications from being flagged as spam requires proper infrastructure monitoring. Tools like a mail tester become part of the routine QA stack when AI-generated email content is going out at scale, something most pre-deployment checklists simply do not account for.

    What a Realistic Business Case Actually Looks Like

    The honest answer is that enterprise AI adoption costs should include a multiplier applied to the vendor licence cost, typically somewhere between 2x and 4x when you account for everything above. A £100,000 annual platform subscription frequently lands at £300,000 to £400,000 in total cost of ownership once data work, safety overhead, retraining and human review are costed properly.

    That does not mean the investment is wrong. For many UK organisations, the productivity gains and competitive advantages are real and significant. But they need to be measured against the true cost, not the sanitised version that makes it past procurement.

    The businesses getting this right are the ones treating AI deployment as an operational discipline rather than a technology project. They are budgeting for the ongoing maintenance, building internal capability rather than outsourcing everything, and setting governance structures before the first line of production code is written. That approach is less glamorous than a ninety-day ROI slide. But it is the one that actually delivers.

    Questions to Ask Before You Sign Anything

    If you are in procurement or leading an AI initiative right now, these are worth raising explicitly with any vendor: What does data readiness for your platform actually require from us? Who owns liability when the model produces incorrect output? What is the deprecation policy for the model version we are deploying against? What monitoring do we need to build to detect drift? None of these are gotcha questions. Any vendor worth working with will have clear answers. If they do not, that is useful information too.

    Frequently Asked Questions

    What are the typical hidden costs of enterprise AI adoption in the UK?

    Beyond the platform licence, the main overlooked costs include data preparation and cleansing, hallucination risk management, model retraining cycles, human oversight staffing, and compliance and governance overhead. For a mid-sized UK enterprise, these can easily double or treble the headline vendor cost.

    How much does data preparation for an AI deployment typically cost?

    Data readiness work for an enterprise AI project typically costs between £50,000 and £250,000 depending on the volume and condition of existing data. Organisations with legacy ERP systems, inconsistent CRM data, or years of unstructured records tend to sit at the higher end of that range.

    What is model drift and why does it matter for businesses?

    Model drift is when an AI system’s accuracy gradually degrades because the real world has changed since the training data was collected. It matters because the drop in quality can be subtle and go unnoticed until customer-facing errors occur. Businesses need monitoring infrastructure and a planned retraining cadence to manage it.

    Do UK businesses need to worry about legal liability for AI hallucinations?

    Yes. Under UK law, liability for incorrect or harmful AI outputs sits with the organisation deploying the system, not the model provider. In regulated sectors, this means firms may need documented evaluation frameworks, legal sign-off, and ICO-compliant data processing agreements before deployment.

    Should AI reduce headcount or increase it during initial deployment?

    In practice, AI augments rather than immediately replaces roles during the transition period, which often runs longer than business cases assume. Organisations typically need additional staff for output review, edge case handling, feedback loops, and governance, before efficiency gains materialise at scale.

  • Deepfake Fraud Is a Business Problem: How Companies Are Fighting Back

    Deepfake Fraud Is a Business Problem: How Companies Are Fighting Back

    Synthetic media has crossed a threshold. What began as an oddity on the fringes of the internet has become a serious instrument of corporate crime, and UK businesses are feeling it. Voice cloning, AI-generated video, and real-time face-swapping are no longer science fiction party tricks. They are tools being actively deployed to impersonate executives, manipulate finance teams, and drain company accounts. Deepfake fraud prevention is rapidly becoming as central to business security as firewalls and phishing training once were.

    The numbers are not ambiguous. A 2024 report from KPMG UK found that fraud losses to UK businesses topped £2.3 billion in a single year, with a growing proportion attributed to digitally manipulated communications. The sophistication of the attacks is accelerating faster than most internal controls were built to handle.

    Corporate finance team reviewing security protocols related to deepfake fraud prevention business strategy
    Corporate finance team reviewing security protocols related to deepfake fraud prevention business strategy

    How Voice Cloning and Synthetic Video Are Being Used Against Businesses

    The mechanics of a modern deepfake fraud attack are straightforward, which is part of what makes them so dangerous. A bad actor scrapes publicly available audio of a CEO from earnings calls, investor presentations, or conference keynotes. That audio is fed into a voice cloning model. Within hours, they have a convincing facsimile of the executive’s voice, ready to make phone calls. Finance teams, conditioned to act on urgency and authority, transfer funds before anyone thinks to verify.

    This is not theoretical. In 2023, the engineering firm Arup confirmed a case in which an employee was deceived during a deepfake video call involving a fabricated version of their CFO, resulting in a £20 million transfer. The case sent a jolt through UK corporate security circles and prompted many boards to treat synthetic media as a tier-one threat rather than an IT curiosity.

    The attack vectors have since expanded. Fraudsters are now using real-time voice conversion during live phone calls, not just pre-recorded audio. They are generating synthetic versions of legal counsel, procurement leads, and HMRC officials to create pressure across multiple points of an organisation simultaneously. The goal is always the same: manufacture urgency, bypass normal authorisation channels, extract money or data.

    Why Corporate Verification Processes Are Struggling to Keep Up

    Most businesses built their fraud prevention around text-based phishing. The training slides show a dodgy email address and a misspelt sender name. That model is genuinely useless against a phone call where the voice sounds exactly like your chief executive, complete with regional accent, familiar vocabulary, and the correct cadence of speech.

    The psychological dimension matters enormously here. When someone believes they are hearing a real person in authority, they apply very different cognitive filters than when reading a suspicious email. Social engineering has always exploited human trust, but deepfakes industrialise that exploitation at a level that demands structural rather than behavioural fixes.

    Cybersecurity analyst using audio forensics tools as part of deepfake fraud prevention for business
    Cybersecurity analyst using audio forensics tools as part of deepfake fraud prevention for business

    Deepfake Fraud Prevention: What Detection Tools Actually Look Like

    Several detection approaches are now being deployed commercially, each targeting different points in the synthetic media chain.

    Audio forensics tools analyse voice recordings for artefacts that cloned audio tends to produce: unnatural micro-pauses, compression patterns inconsistent with the alleged device, spectral anomalies in vowel transitions. Companies like Pindrop and Resemble AI offer real-time detection APIs that can be embedded into telephony infrastructure, flagging calls that show statistical signatures of synthesis before a conversation even concludes.

    Video authentication is harder and still maturing. Current detection models look for subtle failures in facial geometry, inconsistent eye blinking rates, and lighting discrepancies between a superimposed face and the original background. Microsoft’s Azure AI and a number of UK-based startups are offering this as a service, though accuracy degrades quickly when source video quality is high.

    Watermarking and provenance tracking represent a longer-term structural answer. The idea is that authentic media gets cryptographically signed at the point of creation, and any downstream receiver can verify its origin. The Coalition for Content Provenance and Authenticity (C2PA) has published open standards for this, with Adobe, BBC, and others already implementing it for news media. Enterprise adoption is growing but remains patchy.

    For a grounded overview of the regulatory backdrop UK businesses are operating within, the NCSC’s guidance on business continuity and cyber threats is worth bookmarking. They have updated their advisory materials substantially to reflect AI-enabled fraud vectors.

    Internal Protocols Businesses Are Putting in Place

    Technology alone will not solve this. The most effective deepfake fraud prevention strategies pair detection tooling with hard procedural changes at the human layer.

    A growing number of UK enterprises are introducing verbal codewords for high-value financial authorisation. The concept is simple: a pre-agreed word or phrase that any legitimate executive or finance contact will know, and that must be exchanged before any transfer above a threshold is actioned. It sounds almost quaint, but it is genuinely resistant to AI impersonation because the code is never publicly available.

    Dual-channel verification is becoming standard in treasury and finance functions. Any request received via phone or video must be confirmed through a separate, pre-established channel, typically a known internal email thread or a direct callback to a verified number from the company directory, not from a number supplied in the original communication.

    Executive digital footprint auditing is also gaining traction. Security teams are reviewing how much publicly available audio and video exists of their most impersonatable people. Some organisations have begun restricting executive participation in certain public-facing formats, or at minimum ensuring that public recordings are watermarked at source.

    Training programmes are being retooled too. Rather than teaching staff to spot a bad email, progressive organisations are running live simulated deepfake calls against their finance and HR teams. The experience of nearly being deceived is a far more effective training mechanism than a slide deck.

    The Regulatory Picture Is Still Catching Up

    The UK’s Online Safety Act contains provisions relating to harmful synthetic content, though its primary focus is consumer-facing platforms rather than business fraud. The question of liability when a company transfers funds following a deepfake impersonation remains genuinely unresolved in UK case law. HMRC and the FCA have both acknowledged the threat to regulated entities but have yet to publish specific compliance frameworks covering synthetic media fraud.

    That gap means businesses cannot wait for regulation to set the bar. The companies taking deepfake fraud prevention seriously in 2026 are the ones treating it as a board-level risk, not an IT department memo. Threat modelling sessions that include synthetic media attack scenarios, incident response playbooks that account for impersonation calls, and quarterly reviews of detection tooling are the hallmarks of organisations that are genuinely ahead of this curve.

    The technology being weaponised against businesses is the same technology that businesses themselves are starting to use for marketing, customer service, and internal comms. That duality is uncomfortable but important to acknowledge. Understanding synthetic media well enough to deploy it is also the fastest route to understanding how it can be turned against you. In this space, technical literacy is not optional. It is the first line of defence.

    Frequently Asked Questions

    What is deepfake fraud in a business context?

    Deepfake fraud in business involves criminals using AI-generated audio, video, or real-time voice cloning to impersonate executives, colleagues, or officials, typically to authorise fraudulent financial transfers or extract sensitive data. The Arup case in 2023, involving a fabricated CFO video call and a £20 million loss, is one of the most cited UK examples. It is distinct from phishing in that it exploits voice and video rather than text.

    How can a business detect a deepfake voice call?

    Audio forensics tools can analyse calls in real-time for artefacts produced by voice synthesis models, including spectral anomalies and unnatural pause patterns. Platforms like Pindrop offer API-level integration with telephony systems. Procedurally, dual-channel verification, calling back on a known number independently of the original call, remains the most reliable human-layer defence.

    What protocols should businesses put in place to prevent CEO impersonation fraud?

    Effective protocols include verbal codewords for high-value authorisation, mandatory dual-channel verification for all financial transfers above a set threshold, and regular training exercises using simulated deepfake calls. Businesses should also audit the publicly available audio and video of senior executives to understand their impersonation exposure.

    Is deepfake fraud covered under UK financial regulations?

    There is currently no specific FCA or HMRC framework addressing synthetic media fraud in business contexts, though the Online Safety Act touches on harmful AI-generated content for consumer platforms. Liability for losses from deepfake-enabled fraud remains an unsettled area of UK law, which is why proactive internal controls are essential rather than regulatory compliance alone.

    How much does deepfake fraud detection software cost for a UK business?

    Costs vary considerably depending on deployment scale and integration requirements. Entry-level audio forensics APIs can be licensed for a few hundred pounds per month for smaller call volumes, while enterprise-grade real-time detection platforms embedded into existing telephony infrastructure can run to tens of thousands of pounds annually. Many vendors offer phased pilots, which is a sensible starting point before full commitment.

  • Is the SaaS Bubble Finally Bursting? Analysing the Shift to Consolidation

    Is the SaaS Bubble Finally Bursting? Analysing the Shift to Consolidation

    There was a point, not that long ago, when stacking up SaaS subscriptions felt like progress. A tool for project management, another for time tracking, a third for internal comms, a fourth for customer feedback, a fifth because someone at a conference said it was “game-changing”. UK businesses of every size bought into the promise: specialised software for every job, pay monthly, cancel any time. Simple. Except it never quite worked out that way. And in 2026, the bill is coming due. SaaS consolidation 2026 is the phrase that keeps coming up in boardrooms, budget reviews, and finance team Slack channels (the irony is not lost on anyone).

    UK finance team reviewing SaaS consolidation 2026 software subscription costs on a monitor
    UK finance team reviewing SaaS consolidation 2026 software subscription costs on a monitor

    How Did We End Up With So Many Subscriptions?

    The SaaS explosion was largely a product of low interest rates, venture-fuelled growth-at-all-costs mentality, and genuinely clever software solving genuinely specific problems. Between 2015 and 2022, the number of SaaS applications used by mid-size businesses doubled, then doubled again. Research from Productiv suggested that by 2023 the average enterprise was running over 300 SaaS applications, with a significant chunk of those unused or massively underutilised.

    For UK businesses, the pain is slightly different to what you might read in Silicon Valley post-mortems. Here, we contend with VAT on digital services, tighter margins across most sectors since the 2022 energy crisis, and a more cautious lending environment. The result: finance directors have become considerably less tolerant of a sprawling portfolio of £15-per-seat tools that nobody can convincingly justify at a quarterly review.

    What Does SaaS Consolidation Actually Look Like in Practice?

    It is worth being precise here, because “consolidation” gets used loosely. There are really three distinct things happening simultaneously.

    First, businesses are cutting outright. Tools that cannot demonstrate ROI within a defined period are being cancelled. This sounds obvious, but it represents a genuine cultural shift for teams that treated software sign-ups as low-stakes decisions. A £25 per month tool that nobody logs into still costs £300 a year, and multiply that across 40 redundant subscriptions and you are looking at meaningful money.

    Second, businesses are consolidating onto platform players. Microsoft 365, Salesforce, HubSpot, and Atlassian have all leaned hard into becoming everything-in-one ecosystems. The pitch is compelling: one contract, one support relationship, deep integrations between tools, and a single dashboard for IT governance. Compliance-conscious UK companies, particularly those working within financial services regulated by the FCA, find the reduced vendor surface area genuinely attractive from a data governance perspective.

    Third, and perhaps most interesting, some businesses are moving back toward bespoke internal tooling. This is the rarest of the three, but it is happening. Teams with engineering resource are building lightweight internal applications rather than paying perpetual licence fees for off-the-shelf products that are 80% what they need.

    Close-up of a SaaS consolidation dashboard showing software tools being reviewed and toggled off
    Close-up of a SaaS consolidation dashboard showing software tools being reviewed and toggled off

    The Numbers Behind the Mood Shift

    It is not anecdotal. According to data published by the BBC’s business desk covering enterprise spending trends, UK tech procurement budgets in 2025 saw SaaS review cycles shrink from annual to quarterly at a significant proportion of mid-market firms. The appetite for multi-year SaaS commitments, which vendors have been pushing hard to lock in revenue, has weakened noticeably.

    Meanwhile, the ONS data on business investment shows continued caution in discretionary technology spend outside of core productivity infrastructure. That framing, “core productivity infrastructure”, is doing a lot of work. It is precisely how CFOs are now categorising SaaS spend: what is infrastructure, and what is a nice-to-have?

    The vendors are feeling it. Several mid-tier SaaS companies have reported slower net revenue retention figures in their most recent reporting periods. When existing customers are not expanding seat counts or upgrading tiers, that is a telling signal. The era of “land and expand” working automatically appears to be closing.

    Is This the End of Specialised SaaS?

    Not quite. Specialist tools with genuinely deep functionality in a narrow domain are holding up better than horizontal ones. A compliance tool built specifically for UK financial services regulation, or a niche inventory management platform built for wholesale distribution, has defensible value that a generic project tracker does not.

    The tools under real pressure are the horizontal ones that sit in the middle: good enough at several things, outstanding at none, and increasingly squeezed between the platform giants expanding downward and the emerging wave of AI-native tools that do in one prompt what previously required a four-step workflow.

    That last point deserves emphasis. The rise of AI-native tooling is a significant accelerant of SaaS consolidation 2026. Why maintain a dedicated transcription tool, a separate meeting summary tool, a standalone grammar checker, and an independent translation service when a single LLM-powered assistant covers all four? Businesses are already asking this, and the honest answer is: you probably do not need to.

    What UK Businesses Should Actually Do Right Now

    A SaaS audit is table stakes at this point. If you have not done one recently, the process is straightforward: pull all active subscriptions from your finance and IT teams, cross-reference against actual usage data (most platforms expose this via admin consoles), and categorise everything into essential, review, and cancel. Most teams that do this are genuinely surprised by what they find.

    Beyond the audit, the more strategic question is about platform bets. Consolidating onto a platform player offers real efficiencies, but it also creates lock-in. Before you commit more of your stack to a single vendor, think clearly about data portability, contractual exit terms, and what happens to your workflows if that vendor changes pricing or deprecates a feature. These are not paranoid questions; they are reasonable commercial ones.

    For smaller UK businesses watching this trend, there is also a practical opportunity. SaaS vendors under pressure to retain customers are more willing to negotiate than they have been in years. If you are renewing a significant contract, push on price, on bundling, on service-level commitments. The leverage has shifted.

    The Bigger Picture: What SaaS Consolidation Means for the Market

    The SaaS market is not dying; it is maturing. That is actually a healthy thing, even if it is uncomfortable for the hundreds of point-solution vendors who built businesses on frictionless credit-card sign-ups and assumed churn would stay low forever. Markets maturing means buyers get smarter, pricing gets more competitive, and the tools that survive tend to be the ones genuinely earning their place.

    For UK businesses navigating this shift, SaaS consolidation 2026 is less a crisis and more a reset. The question is not whether to cut tools; it is whether you are cutting the right ones, consolidating thoughtfully, and building a software stack that can actually be justified line by line. That sounds like basic commercial discipline. Funny how it took a decade of cheap money to forget it.

    Frequently Asked Questions

    What is SaaS consolidation and why is it happening now?

    SaaS consolidation refers to businesses reducing the number of software subscriptions they maintain, either by cancelling unused tools or migrating onto fewer, broader platforms. It is accelerating in 2026 because of tighter budgets, increased CFO scrutiny on discretionary spend, and the rise of AI-native tools that replace multiple point solutions.

    How do I audit my company's SaaS stack?

    Start by pulling all active subscriptions from your finance team and IT admin accounts, then cross-reference against actual login and usage data available in each platform’s admin console. Categorise every tool as essential, worth reviewing, or safe to cancel, and set a regular quarterly review cycle going forward.

    Which types of SaaS tools are most at risk of being cut?

    Horizontal tools that offer moderate capability across several functions, without being the best at any of them, are under the most pressure. Niche specialist platforms with deep, domain-specific functionality tend to be stickier, particularly in regulated industries like financial services or legal.

    Is it better to consolidate onto one platform like Microsoft 365 or HubSpot?

    Consolidating onto a platform player reduces vendor complexity, simplifies IT governance, and can lower total cost. The trade-off is meaningful vendor lock-in, so before committing you should review data portability terms, contractual exit clauses, and how dependent your workflows would become on a single provider.

    Can small UK businesses negotiate better SaaS pricing right now?

    Yes. With many SaaS vendors experiencing slower growth and higher churn, buyers have more leverage than in previous years. If you are renewing or expanding a contract, it is worth pushing on annual pricing, bundled features, or improved service-level terms, particularly with mid-tier vendors who are competing harder for retention.

  • The Death of the SaaS Subscription Model: What Comes Next for Business Software

    The Death of the SaaS Subscription Model: What Comes Next for Business Software

    The SaaS subscription model built the modern software industry. It gave vendors predictable revenue and gave businesses seemingly manageable costs. For a while, it worked brilliantly for both sides. But in 2026, the cracks are impossible to ignore. CFOs across the UK are staring at software bills that have ballooned far beyond original projections, and many are asking a blunt question: what exactly are we paying for?

    The backlash has been building for several years. Gartner research has consistently flagged SaaS sprawl as a top concern for IT leaders, with the average mid-sized enterprise now running well over 100 software subscriptions simultaneously. Renewal cycles arrive with price increases baked in, usage data shows swathes of licences sitting idle, and vendor lock-in makes switching painful enough that many businesses simply absorb the cost. That dynamic is finally shifting.

    CFO and IT director reviewing SaaS subscription model costs on a corporate dashboard in a UK office
    CFO and IT director reviewing SaaS subscription model costs on a corporate dashboard in a UK office

    Why the Traditional SaaS Subscription Model Is Losing Its Grip

    The core problem is misalignment. Subscription pricing charges you for capacity rather than outcomes. A team of 50 might pay for 50 seats of a project management tool and use 30 of them actively. The vendor wins; the customer loses. When budgets were loose and growth was the only metric that mattered, this was tolerable. In a tighter macroeconomic environment, it is not.

    There is also the AI variable. As vendors rush to embed AI features into every tier of their platforms, they have used it as justification for another round of price hikes. Microsoft 365 Copilot, Salesforce Einstein, and similar offerings are bundled at a premium, regardless of whether individual users will ever touch them. Paying for AI capability you neither want nor use has become a genuine frustration at the procurement level.

    Consumption-Based Pricing: Paying for What You Actually Use

    The most credible challenger to the flat-subscription model is consumption-based pricing, sometimes called usage-based pricing. Instead of a fixed monthly fee, you pay based on API calls, data processed, transactions completed, or active users in a given period. Snowflake pioneered this approach in data infrastructure and demonstrated that enterprise customers would embrace it if the transparency was genuine.

    For IT decision-makers, consumption-based models offer something subscriptions rarely do: cost that scales directly with value received. When business slows, software spend contracts automatically. When it grows, expansion happens without a renegotiation. The downside is financial unpredictability, which is why many vendors now offer hybrid structures: a committed base tier with consumption overage above a threshold. It is a reasonable middle ground, and procurement teams are increasingly insisting on it during contract negotiations.

    Business professional annotating a SaaS subscription model contract during a software pricing review
    Business professional annotating a SaaS subscription model contract during a software pricing review

    Outcome-Based Models: The Boldest Shift in B2B Software

    More radical still is outcome-based pricing, where the vendor charges only when measurable business results are delivered. An accounts receivable automation platform might charge a percentage of cash collected faster than baseline. A fraud detection tool might take a cut of losses prevented. This model puts vendor and customer incentives in genuine alignment, which is why it generates significant interest despite being harder to implement at scale.

    Several UK-based fintech and RegTech firms have moved in this direction, particularly in areas like compliance automation and revenue recovery. For a CFO, outcome-based pricing is conceptually appealing because the ROI calculation is embedded in the contract itself. The practical complexity lies in agreeing on measurement methodologies and baseline metrics before go-live, which requires a more rigorous procurement process than signing a standard SaaS order form.

    Embedded AI Pricing: The New Variable CFOs Need to Understand

    A third disruption is reshaping the stack from a different angle. Rather than replacing subscription logic entirely, embedded AI models are changing what software does per pound spent. Platforms that once required multiple human operators can now run leaner teams, which shifts the ROI calculus even when the subscription cost stays flat or rises modestly.

    The smarter vendors are pricing AI capability as a separate consumption layer, charged per interaction or per task completed. This is actually fairer than bundling, because businesses that derive real value from AI features pay proportionately, while those that do not are not cross-subsidising heavy users. IT leaders evaluating new contracts in 2026 should be asking vendors precisely how AI usage is metered and billed, before signing anything.

    Interestingly, the pressure to rethink software spend has also nudged some businesses towards more local, modular tooling. Just as consumers have started to find local products as an alternative to large platform ecosystems, some SMEs are building leaner software stacks from specialist tools rather than relying on one bloated suite that does everything adequately but nothing brilliantly.

    What This Means for CFOs and IT Decision-Makers Right Now

    The immediate practical implication is that passive renewal is no longer acceptable strategy. Every SaaS contract coming up for renewal deserves a genuine usage audit. Which licences are active? Which features are actually used? What would a consumption-based alternative cost at current usage levels? These are questions that finance and IT teams should be answering together, not separately.

    Negotiating leverage exists that many businesses fail to use. Vendors facing churn pressure are often willing to restructure contracts, introduce usage-based tiers, or offer outcome-linked pilots if the alternative is losing the account entirely. UK businesses in particular have found that citing competitive alternatives, even in early evaluation, shifts the dynamic meaningfully.

    The SaaS subscription model is not disappearing overnight. The installed base is enormous, the switching costs are real, and plenty of tools still justify a flat fee when adoption is genuinely high. But the era of uncritical renewal, of paying for shelfware because renegotiating felt like too much work, is over. The businesses that treat software spend with the same rigour they apply to any other operational cost will be the ones that extract genuine competitive advantage from the next generation of pricing models. The vendors that fail to adapt will find that patience among CFOs has worn very thin indeed.

    Frequently Asked Questions

    What is consumption-based SaaS pricing and how does it differ from subscriptions?

    Consumption-based pricing charges businesses based on actual usage, such as API calls, data volume, or active users in a period, rather than a fixed monthly or annual fee. Unlike the traditional SaaS subscription model, costs scale up or down with real demand, which gives finance teams greater control and makes the relationship between spend and value much clearer.

    Are SaaS vendors actually moving away from flat-rate subscriptions?

    Many are, particularly in infrastructure, data, and AI tooling. Vendors like Snowflake and AWS have demonstrated that enterprise customers will accept usage-based models, and a growing number of application-layer SaaS companies are introducing hybrid structures that blend a committed base fee with consumption overage. The shift is gradual but accelerating as customer pressure increases.

    How should a CFO approach a SaaS contract renewal in 2026?

    Start with a usage audit: establish which licences are active, which features are genuinely used, and what idle capacity is costing the business. Use that data as negotiating leverage, and actively ask vendors whether consumption-based or outcome-linked pricing options exist. Many vendors will offer restructured terms rather than risk losing the account, especially in a competitive market.

    What is outcome-based SaaS pricing and which industries use it?

    Outcome-based pricing ties software costs to measurable business results, such as revenue recovered, fraud prevented, or processing time saved, rather than to usage or seats. It is most common in fintech, RegTech, accounts receivable automation, and revenue intelligence platforms. The model requires clear baseline metrics and agreed measurement methods before implementation, making procurement more complex but ROI more transparent.

    Is SaaS sprawl still a major problem for UK businesses?

    Yes. Most mid-sized UK enterprises are running well over 100 software subscriptions, many of which overlap in functionality or sit largely unused. SaaS sprawl inflates IT budgets, creates security surface area, and makes it difficult to enforce data governance. Regular software audits, centralised procurement oversight, and stricter renewal criteria are the most effective tools for managing it.