2. How Much Training Have Nontechnical Users Received?
Programming is still a technical skill. Just because nontechnical users can generate applications using AI tools doesn’t mean these apps are ready for wider use. If an employee builds a discrete app with AI to help a particular workflow, that’s great — but that’s not something that can be shared and rolled out without a technical programmer taking a look first. This concern is not that different from the security and resource issues that shadow IT has created in the past.
DISCOVER: Multi-agent systems can support small businesses.
3. How Does AI Affect Your Organization’s Attack Surface?
Increasing the attack surface is inevitable with AI. Such coding solutions build their code on pre-existing open-source libraries and tools. Your software bill of materials will lengthen considerably, creating technical debt and dependencies on new-to-you packages. This is almost unavoidable and is a factor that must be documented for compliance and risk management purposes as AI-written software is moved into production.
4. How Ready Is Your Overall Environment for AI?
AI assumes a modern development environment. The coding tools are built on large language models that are trained on modern code and existing standards, which can create friction when interacting with legacy systems. To make the best use of AI tools, SMBs small businesses must adopt modern DevSecOps practices. Going full continuous integration/continuous deployment is not necessary, but you do want to make it easy to rapidly deploy fixes for both functional and security flaws you find downstream.
READ MORE: Ask these five questions about security debt for small businesses.
5. How Can AI Support Security Improvements?
AI doesn’t solve security problems, but it does make it easier to write secure systems. These coding tools are aware of security best practices, such as keeping credentials out of configuration and using encryption for network traffic, and they’ll encourage users to go down these paths. But they won’t enforce good practices or know about company-specific issues. That requires a security-aware developer to tell the AI tools things such as, “Iintegrate with our existing single sign-on system for authentication.” Writing, and then applying, a consistent set of security instructions for every vibe coding session is a necessary risk-reduction measure.
