The non-technical guide to AI risk

When staff paste information into AI tools, that information lands somewhere — a server in another country, a vendor's training pipeline, a logging system someone has access to. None of this is sinister, but it's also not invisible. The fix is approval and discipline: tell the team which tools are approved, what data is off-limits, and make 'when in doubt, ask' a real cultural norm.

The 30-minute fix: write a one-page policy. The 30-day fix: hold a team meeting to walk through it. The forever fix: review quarterly.

AI tools are confident in a way that misleads. They will sometimes invent facts, miscount, or recommend the wrong product. If a customer-facing output rides on AI without human review, you will eventually hand a customer something embarrassing.

The fix is a single rule: anything that goes to a customer gets read by a human first. That rule is older than AI — it's how good companies have always operated. AI just makes it more important.

If your support team rebuilds their workflow around an AI summarizer, and that vendor changes their pricing, terms, or shuts down, you have an outage. Not a security incident — an operational one. The fix is humility about how much your business should rely on any single AI tool.

The rule of thumb: if the tool disappeared tomorrow, would the team be back to the old way in a day or in a quarter? If it's a quarter, you have a dependence problem to mitigate.

Two things people worry about that almost never matter for small businesses today: AI 'taking over' your business in some sci-fi sense, and AI being 'biased' in a way that makes the news. Both are real concerns at scale; neither is what's going to bite you in the next 12 months. Focus on the boring three risks above and you will be ahead of 90% of similar-sized companies.