A business owner told us recently that his company doesn’t use AI.
He runs a successful professional services firm in Greater Boston, keeps a close eye on what’s happening in his industry, and figured the hype surrounding AI was something he could revisit down the road. His team uses Microsoft 365. His sales pipeline goes through Salesforce. His accounting lives in QuickBooks Online.
What he doesn’t realize is that all three have AI built directly into them.
We have this conversation regularly. It almost always goes the same way once we start walking through the tools a business is already paying for.
The AI you didn’t sign up for
Microsoft 365 Copilot is now embedded across Word, Outlook, Excel, PowerPoint, and Teams. It can summarize email threads, draft responses, and generate reports from the data already in your inbox and files. Google Workspace has Gemini doing similar work. Salesforce has Einstein. HubSpot, Zoom, QuickBooks – all the major platforms most businesses run on have spent the past two years integrating AI directly into their interfaces, often through routine updates, often without any announcement.
These features don’t always arrive with a policy document or a training plan. Some are on by default. Some show up in menus that employees click through because the button looks useful and they’re trying to get something done. This is worth separating from the decision to “adopt AI.” It’s just software updating, adding capabilities, and shipping features whether you asked for them or not.
If you’re an SMB in the Greater Boston area running standard business software, there’s a reasonable chance AI is already active in your environment. But does anyone in your organization know how to use it well and what to avoid doing with it?
The AI tools no one approved
Beyond the AI embedded in licensed software, there’s also Shadow AI: employees finding and using their own tools.
ChatGPT, Claude, Perplexity, and similar platforms are free or cheap, accessible from any browser, and genuinely capable of speeding up common tasks, such as drafting emails, summarizing documents, or cleaning up data. A 2025 WalkMe survey of 1,000 U.S. employees who use AI at work found that 78% admitted to using AI tools their employer hadn’t approved. Research from the National Cybersecurity Alliance put the share of employees who had shared sensitive company information with an AI tool without their employer’s knowledge at 43%.
Neither figure is hard to explain once you consider how these tools get used. It’s as easy as pasting in a client contract to get it summarized faster, uploading a financial spreadsheet to clean it up, or dropping in an email chain to draft a response. These are small, practical decisions made by people trying to do their jobs well. The issue here is that most employees don’t know where that data goes once it leaves their screen. Consumer AI tools aren’t built with your compliance obligations in mind, nor negotiated with your IT team or reviewed by your legal counsel. And because this all happens at the individual level, there’s often no log, no audit trail, and no way to know it occurred. Each action sends real business data to a third-party platform that nobody in your organization signed off on.
Why visibility matters more than a ban
When businesses discover Shadow AI use, the first instinct is usually to block it. Samsung, Verizon, and J.P. Morgan Chase have all restricted or banned ChatGPT internally. For most small and mid-sized businesses, though, a blanket ban tends to drive the behavior out of sight instead.
Ask yourself a few things: do you know which AI features are currently enabled in your Microsoft 365 subscription? Has your team been told what’s acceptable to put into these tools? Do you have a sense of which outside tools staff might be using?
If you’re not sure of the answers, those gaps are worth addressing. Operating without that picture creates real exposure. IBM’s 2024 Cost of a Data Breach Report, as analyzed by ISACA, found AI-associated breach incidents cost organizations more than $650,000 per event. For most businesses, a hit of that scale is a serious problem.
There’s also an upside to getting clear on this. If your team is already using AI tools and getting results, that’s valuable information. You might have employees who’ve figured out genuine productivity gains using tools you’ve never heard of. Without visibility into what’s happening, you can’t build on that, and the opportunity gets lost alongside the risk.
Start with what you already have
The businesses that handle this well understand what they’re running before making any decisions about what to add or change. For most SMBs, that’s a more manageable exercise than it sounds. All it requires is starting with your existing software subscriptions, a direct conversation with your staff about what they’re using day to day, and an honest look at whether your current setup gives you any visibility into that at all. That’s a realistic starting point for almost any business, and it’s usually enough to surface the issues worth acting on.
The way SecureWon approaches this mirrors how we handle every new client engagement. We understand what’s in your environment first and make recommendations second. If you want to see how that process works in practice, it’s straightforward – assess, plan, resolve, manage.
On the morning of June 12, we’re hosting a small group of Greater Boston business owners for a conversation about AI and your business. We’ll cover what’s likely already running in your software, how Shadow AI impacts your data, and where automation tends to be the easiest place to start. Breakfast is on us. Places are limited.
Ready to unlock the potential of AI for your business? Join us on June 12th for an exclusive event to learn practical AI tips and security considerations. Don’t miss out
