The headlines worry about AI agents acting autonomously and causing harm. For most small and mid-sized businesses, that is not where the danger lives. The danger is already on your team’s screens, in a browser tab, right now.
It’s called shadow AI — staff using personal accounts on unapproved AI tools to get their work done. It is not malice. It is people being resourceful. But roughly 80% of AI use at smaller firms is bring-your-own-AI, and a meaningful share of those interactions involve sensitive data leaving your control. That is the number-one AI risk for an SMB, and it is mundane, not cinematic.
Why banning tools makes it worse
The instinct is to lock everything down. That reliably backfires: when the approved/sanctioned path is slower than the personal ChatGPT tab, people quietly take the faster path, and now you have the same exposure with none of the visibility. Prohibition produces shadow AI; it doesn’t prevent it.
The cheapest control that actually works
A one-page AI policy — a short list of approved tools and a short list of data rules — is, per the Hekima IQ benchmark, the highest-impact-per-dollar control available to a small business. Not a 40-page governance manual. One page that answers two questions:
- Which tools are approved/sanctioned? Name them. Configure at least one for zero data retention.
- What data must never go into them? Name it plainly — customer PII, anything under contract or regulation, credentials.
Pair that with a single human checkpoint on anything customer-facing — the lesson of the Air Canada chatbot case, where an unreviewed AI answer became a binding promise — and you have closed the most common failure mode for a few hours of work.
That’s the pattern across everything in the benchmark: the controls that move the needle for SMBs are cheap, fast, and decided rather than bought.