Artificial Intelligence

Small Businesses Must Address Shadow AI Without Slowing Innovation

Employees have become more familiar with generative artificial intelligence tools, but small businesses are still working on how to control shadow AI use.

Jonathan Ortiz

Jonathan Ortiz is a Cybersecurity Solution Specialist for CDW’s Small Business Technology Solutions Group. For more than seven years at CDW, Jonathan has helped businesses with a variety of technology needs, including endpoint, email and identity management. In his current role, Jonathan helps customers understand their business and industry requirements and fulfill these with a combination of solutions and services.

Whether for work or personal use, getting access to a generative artificial intelligence tool is as easy as signing up for any digital service. Many even have app versions for smartphones. Whatever the case, employees are using these tools, but there may be little to no oversight in how they’re using them.

While small businesses are trying to encourage the use of these tools for productivity gains (among other benefits), there are serious risks related to confidential data, regulatory compliance and intellectual property exposure. An evolution of shadow IT, shadow AI refers to the unauthorized use of AI tools by employees, and it’s becoming a fast-growing concern for small businesses.

To gain visibility into unsanctioned tools, IT teams need to implement practical controls that let employees use AI safely without stifling innovation or efficiency. That’s why small businesses need to be intentional about AI use while still allowing room for employees to explore emerging capabilities.

Click the banner below to get small business insights delivered to your inbox weekly.

Shadow AI Risk Management for Small Businesses

Employees who use their personal logins for ChatGPT or Anthropic’s Claude to do work risk sharing their company’s sensitive data on a public platform. They should be using an enterprise account managed by the company with the proper guardrails in place.

Small business leaders must have control to lock down any unsanctioned applications, so any tools used by employees must be vetted by IT. Many common web security tools (available from Cisco, Palo Alto Networks and Zscaler, to name a few) can also regulate what AI tools are available for employees to use. Data loss prevention and cloud access security broker suites can also provide control for security teams. Visibility goes a long way when it comes to the intentional adoption of AI.

LEARN MORE: AI is forcing businesses to rethink their infrastructure strategies.

And just as AI is used to defend IT environments, malicious actors are also using it to develop attacks and exploit vulnerabilities at an astonishing speed. So, it’s imperative that small businesses control how AI interacts with their environment — that’s going to be table stakes.

The safe adoption of AI tools mirrors regular security awareness training for phishing. Perhaps updated employee training can include questions connected to AI: Should you be putting this data into your personal ChatGPT login? Does this AI agent need access to these particular files? Is this a sanctioned AI tool for company work? All employees should be trained on the risks associated with unfettered AI use.

AI Delivers — When You Have a Plan

AI is helping small businesses do more with tight budgets and limited team members. A local café owner, for example, can use generative AI for suggestions on how to pack goods more effectively, or a new makeup brand can discover cost-effective shipping services.

The U.S. Chamber of Commerce’s 2025 Empowering Small Business Report found that 58% of small businesses owners are using generative AI, and 20% are using some kind of generative AI coding tool (such as Replit or GitHub Copilot) to improve workflow efficiency.

Of course, small business leaders want their team members to use AI to support the work they’re doing so they can focus on more high-level, strategic goals rather than menial tasks. But new tools require a clear strategy, with security and compliance at the forefront.

This article is part of BizTech's AgilITy blog series.