HomeBlog / AI Risks Your IT Provider Should Be Managing
Blog

AI Risks Your IT Provider Should Be Managing

Share this post on:

Your Employees Are Using AI. Your IT Provider Should Have a Plan for It.

Three out of four small and mid-sized businesses are now using artificial intelligence tools in their daily operations. That number would have been unthinkable five years ago. But here is what should concern you: 70 percent of those businesses acknowledge that AI introduces new cybersecurity risks, and 40 percent have no policy governing how employees use AI at work.[1]

If your IT provider has not raised this topic with you, that silence is itself a red flag.

The managed services industry has spent decades telling business owners to worry about firewalls, patching, and backup. All of that still matters. But in 2026, a new category of risk has moved from theoretical to routine, and most small businesses are navigating it without guidance.

What Shadow AI Looks Like in a Small Business

Shadow AI is the use of artificial intelligence tools without the knowledge or approval of your IT team. It is the 2026 version of shadow IT, and it is already widespread:

  • 75 percent of employees use AI tools that have not been sanctioned by their employer, according to Microsoft’s 2025 WorkLab AI at Work Report.[2]
  • 78 percent of those employees brought their own personal AI tools to work, meaning consumer-grade accounts are processing company data.[2]
  • Even among senior leadership, 41 percent have personally used an unsanctioned AI tool for a work task in the past 90 days, according to Deloitte’s 2025 AI Governance Global Survey.[2]

The risk is not hypothetical. IBM’s 2025 Cost of a Data Breach Report found that shadow AI adds an average of $670,000 to the cost of a breach, pushing the average breach cost to $4.63 million compared to $3.96 million in environments without shadow AI exposure.[3] One in five organizations has already experienced a breach linked to unsanctioned AI use.[4]

For a small business, a six-figure breach increase is not a statistic. It is an existential event.

How AI Tools Become Attack Vectors

Most business owners think of AI as a productivity tool. Attackers think of AI as an entry point. ESET, after scanning more than 800,000 AI skills (pre-built instruction sets for AI agents), found approximately 25,000 suspicious skills and more than 3,000 clearly malicious ones.[1]

These malicious skills include trojans disguised as legitimate tools, downloaders that silently install malware, backdoors that enable remote system control, keyloggers that steal credentials, and cryptominers that hijack system resources.[1]

In one documented case, a weather-forecasting AI skill acted as an infostealer, exfiltrating session tokens and API keys to attacker-controlled servers.[1]

Against this backdrop, the 40 percent of SMBs without AI usage policies are not just unprepared. They are operating with a blind spot that attackers actively exploit.

What a Competent IT Provider Should Be Doing

Your IT provider cannot control which tools individual employees download. But a competent managed service provider should be doing five specific things to reduce your AI risk:

  1. Inventory your AI exposure. You cannot manage what you cannot see. Your provider should identify which AI tools are in use across your environment, including personal accounts on work devices.
  2. Establish an acceptable use policy. A written policy defines which tools are approved, what data categories may not be entered into AI systems, and what the consequences are for violations. Sixty-three percent of organizations lack a formal AI governance policy.[3] Your provider should help you create one.
  3. Classify your sensitive data. Customer records, financial data, trade secrets, and employee information should never be entered into public or consumer-grade AI tools. Your provider should help you define these categories and enforce them through endpoint controls.
  4. Extend least-privilege access to AI agents. AI tools should operate with the minimum permissions necessary. Many AI agents run 24/7 and can circumvent multi-factor authentication, making access controls critical.[1]
  5. Monitor for anomalous AI-driven behavior. New tools in your environment should trigger review. Unusual data flows, privilege escalations, or access from unfamiliar AI agents should be flagged and investigated.

If your IT provider is doing none of these things, you are paying for monitoring that does not cover the most significant new risk category of the decade.

The Gap Between Confidence and Preparedness

ESET’s 2026 SMB Cyber Readiness Index found that 68 percent of SMBs are confident in their cybersecurity measures, and 75 percent trust their ability to respond to incidents.[5] At the same time, 45 percent experienced at least one cybersecurity incident in the past year, with 14 percent experiencing more than one.[5]

Thirty-four percent of SMBs admit they struggle to keep up with evolving threats.[1] AI is the fastest-evolving threat category. The gap between confidence and capability will only widen without deliberate action.

For a business leader, the question is not whether AI is changing your risk profile. It already has. The question is whether your IT provider is keeping pace.

Questions to Ask Your IT Provider

You do not need to become an AI expert. You need to know whether your provider has thought about it. Start with these five questions:

  • Have you assessed our current AI tool usage, including unsanctioned tools?
  • Do we have a written policy on acceptable AI use, and when was it last updated?
  • What controls do we have to prevent confidential data from being entered into unauthorized AI tools?
  • How do you monitor for new AI agents or tools appearing in our environment?
  • What is our response plan if an AI-related breach occurs?

If your provider cannot answer these questions, the conversation itself tells you something important about the relationship.

AI is not going away. The businesses that manage it well will use it as a competitive advantage. The businesses that ignore it will learn what risk looks like the hard way.

Frequently Asked Questions

What is shadow AI?
Shadow AI is the use of artificial intelligence tools by employees without approval from their IT or security team. It includes personal ChatGPT accounts, unapproved browser plugins, and AI-powered productivity apps that process company data outside your security controls.

Why is shadow AI more dangerous than regular shadow IT?
AI tools can access, process, and exfiltrate data autonomously. Unlike a rogue spreadsheet, an AI agent can run 24/7, chain actions together, and bypass traditional access controls. IBM research shows shadow AI adds $670,000 to average breach costs.[3]

Can my IT provider block all AI tools?
Not practically, and not without disrupting productivity. The goal is not to block AI but to govern it: define what tools are approved, what data can be used, and how access is controlled. A competent provider helps you build that framework.

Is AI risk covered by our cybersecurity insurance?

Review your policy with your insurance provider. Many cyber insurance policies are still catching up to AI-specific risks. Some are beginning to require documented AI governance practices as a condition of coverage.

How do I start an AI usage policy?
Start with three things: define approved tools, define prohibited data (customer records, financials, trade secrets), and communicate expectations to all employees. Your IT provider should help you draft, implement, and enforce the policy through endpoint controls.

About the Author

Brent Lacy has spent over 20 years in the managed services industry, including as Manager at Core Managed since 1997. He is the author of Rewired MSP: Mastery, Scalability & Performance, vCIO Rewired: Virtually Conquering IT Obstacles, and Near Miss: Preventable IT Failures Threatening Your Business. His work focuses on helping MSPs and the businesses they serve build trust-based, operationally sound technology partnerships. Learn more at rewiredmsp.com.

Sources

  1. ESET. “Useful but Risky: A Complicated Relationship Between SMBs and AI Tools.” Roman Cuprik, June 8, 2026. 73% of SMBs integrating AI; 70% acknowledge new risks; 40% lack policies; 97% of AI-breached organizations lacked proper access controls.
  2. Aona.ai. “Shadow AI Statistics 2026.” 75% of employees use unsanctioned AI tools (Microsoft WorkLab 2025); 78% use personal AI tools (Microsoft WorkLab 2025); 41% of executives used unsanctioned AI (Deloitte 2025).
  3. Reco.ai. “How to Quantify Shadow AI Risk in Dollar Terms for Your CFO.” IBM Cost of a Data Breach Report 2025: shadow AI adds $670K to breach costs; median unauthorized AI tool active for 403 days before detection; 63% of organizations lack formal AI governance policies.
  4. Vectra.ai. “Shadow AI Explained: Risks, Costs, and Enterprise Governance.” Over 80% of employees use unapproved AI tools; IBM reports 1 in 5 organizations experienced a breach linked to unsanctioned AI.
  5. MSP Channel / Digitalisation World. “SMB Cyber Readiness in Focus: ESET’s 2026 Index Insight.” 68% of SMBs confident in defenses; 45% experienced a cybersecurity incident in the past 12 months; 14% experienced more than one.

All links verified June 12, 2026.

Share this post on:

Author: Brent Lacy

View all posts by Brent Lacy >

Related Posts

Image Placeholder
Blog
Developing vCIOs Within Your MSP: From Technician to Strategic Advisor
Image Placeholder
Blog
On-Call Excellence Without Burnout: The MSP Owner’s Framework
Image Placeholder
Blog
The Fiduciary Standard: Why vCIOs Should Never Earn Commissions

Leave a Reply