BIZTECH: According to CrowdStrike’s 2025 Threat Hunting Report, free and open-source tools used to build AI agents, while powerful and widely used, have been exploited by hackers. What should small businesses take away from this?
RODRIGUEZ: Open source isn’t the enemy; blind trust is. These frameworks are powerful and widely used, but when businesses adopt them without guardrails, attackers have a field day. It’s no different than downloading a free app on your phone: Some are fine, but if you install them without checking permissions, you’re asking for trouble. SMBs shouldn’t avoid open source, but they do need to ask hard questions: Who maintains this project? How often is it patched? What data does it touch? The security risk comes from not knowing, not from the tool itself.
BIZTECH: Shadow AI is becoming a real challenge for SMBs. What risks should they consider, and what’s the right balance between empowering innovation and tightening controls?
RODRIGUEZ: The risk with shadow AI isn’t the technology itself, it’s the blind spots it creates. If you don’t know what tools employees are using or what data they’re putting into them, you’ve already lost control. For an SMB, that could mean customer records, financial details or sensitive business plans showing up in a system you don’t own. The answer isn’t a blanket ban; people will use AI anyway because it makes them faster. The smarter move is to set boundaries and make them clear: Whitelist safe tools, block risky ones and train your people on what’s off-limits. You don’t fight shadow AI with restrictions; you fight it with visibility and practical guardrails.
BIZTECH: AI adoption expands the attack surface in new ways. How should SMBs evaluate AI tools from a security perspective and manage risks with partners that might be leveraging AI on their behalf?
RODRIGUEZ: Every AI tool is another doorway into your business, and the real risk isn’t what it creates, it’s what it collects. Before you bring in a tool, ask the hard questions: Does it encrypt your data? Does it use it for training? Where is it stored? For SMBs, this due diligence is the difference between protecting sensitive information and handing it over to attackers. And it’s not just your own tools; if partners are using AI to process your data, their weakest link becomes your problem. Contracts and vendor reviews should spell out exactly how your data is handled, because once it’s out of your hands, you can’t take it back.
BIZTECH: AI policy and governance feel like moving targets. What practical steps should SMBs take to set effective policies, mature their AI use and ensure IT is contributing meaningfully to AI governance?
RODRIGUEZ: AI governance doesn’t need to be a 50-page policy manual. For SMBs, it should start simple and stay practical: what AI tools are allowed, what data is off-limits and who to call if something goes wrong. That’s it. IT’s role is to put those rules into practice — building the guardrails, monitoring usage and updating as the landscape changes. The point isn’t to slow people down, it’s to keep them safe while they use AI to move faster. Governance isn’t about a binder on a shelf, it’s about the rules people actually follow today, with the flexibility to evolve tomorrow.