I was reviewing a company’s systems last year when I found it almost by accident. An employee, trying to be helpful and fast, had been pasting customer contracts into a free AI chatbot to summarize them. Hundreds of them, over several months. Nobody told her not to. Nobody told her anything, because the company had no idea it was happening. She was not malicious. She was efficient. She had also, without knowing it, handed a pile of confidential client data to a third party nobody had vetted.
If you run a business with more than a handful of people, I will say this with some confidence: your employees are already using AI tools. The question is not whether to allow it. That ship has sailed. The question is whether you know how they are using it, and whether you have given them any guidance at all.
Why a ban does not work
The instinct is to forbid it. Send a stern email, block a few websites, call it handled. I understand the appeal and I will tell you why it backfires. People use these tools because they make the work faster, and you are not going to win a fight against “faster” with a memo. A ban just pushes the activity onto personal phones and personal accounts, where you have zero visibility and zero protection. You have not stopped the risk. You have blindfolded yourself to it.
The real risk is not that AI is evil. It is mundane. It is that company data typed into a consumer tool may be stored, may be used to train someone else’s model, and is now sitting somewhere outside your control. For most businesses that is a confidentiality problem and sometimes a compliance problem, depending on what kind of data walked out the door.
A policy a normal person will follow
You do not need a forty-page AI governance framework. You need one page that a busy employee will actually read and remember. The version I give clients comes down to three plain rules:
- Do not paste confidential or customer data into public AI tools. Contracts, financials, personal information, anything covered by a client agreement. If you would not post it publicly, do not paste it.
- Use the approved tool for work. Pick one paid business-tier tool where the vendor agrees not to train on your data, and point people to it. Now the helpful, fast employee has a safe place to be helpful and fast.
- You own what comes out. AI is confidently wrong on a regular basis. Anything it produces gets checked by a human before it goes to a customer or into a decision.
Give people the safe path
The whole trick here is the same one that works for almost every security problem involving people. Do not try to stop the behavior. Give it a safe channel. The employee pasting contracts did not need a lecture. She needed a business-tier tool that does not retain the data, a one-page rule that told her where the line was, and someone to say “here, use this instead.” The day we set that up, the risk did not get banned. It got managed.
AI is going to keep showing up in your business, invited or not. You can pretend it is not happening, or you can spend one afternoon writing the one page that turns a quiet liability into a tool your team can use without putting your clients at risk. I know which one I would rather explain to a customer later.
Further reading
- From Resolute Security: Your Weakest Link Is a Vendor You Forgot About
- From Resolute Security: Compliance Is Not Security
- NIST AI Risk Management Framework
- FTC cybersecurity for small business
- Not sure where you stand? Take the free 10-minute cyber readiness assessment.