Most companies are already using AI, whether or not anyone signed off on it. It drafts emails, answers customers, sorts data, screens résumés. It’s useful. It’s also the same technology writing the phishing emails landing in your inbox and cloning voices to authorize wire transfers.

That’s the part the hype skips over. AI isn’t good or bad for a business. It amplifies whatever you do with it, and the same goes for the people trying to break in — they get the upgrade too. What shifts most as you grow from a small shop to a large enterprise is the security math, so that’s where most of this is going to land.

What AI is actually good for

The upside is real, and it isn’t reserved for companies with big budgets.

The obvious win is grunt work. AI handles the repetitive, high-volume tasks that wear people down — summarizing meetings, sorting tickets, drafting first versions of documents, reconciling data. That doesn’t just save time. It frees up your good people for the work that actually needs judgment.

It’s also good at finding things in data you already have. Most businesses collect far more than they ever look at, and AI surfaces patterns in sales, inventory, and customer behavior that would take an analyst weeks to dig out. Demand forecasting, churn prediction, pricing — none of that is enterprise-only anymore.

Then there’s customer service. Conversational AI fields routine questions at any hour, in any language, without getting tired or short-tempered. Handled well, it cuts wait times and lets your human staff take the calls that need a human.

The bigger shift is that the floor has come up. A two-person agency can now ship work that used to need a full team. Capabilities that were once the preserve of large companies are within reach of small ones. AI tends to reward whoever already has clean data and decent processes, and it quietly exposes whoever doesn’t.

Where it bites back

The risks are easy to wave off when productivity is up. They shouldn’t be.

It lies confidently. Generative AI produces fluent, authoritative output that is sometimes just wrong — an invented statistic, a misread contract clause, a citation that doesn’t exist. Treat it as a fast assistant, not a source of truth. The damage lands when its output goes out under your name and nobody checked.

It inherits bias. Models learn from history, and history is biased. Run hiring, lending, or screening decisions through one and you can automate discrimination — faster, at scale, and harder to catch than when a person was making the call.

It makes people lazy. Lean on it for everything and institutional knowledge thins out. You end up with staff who can prompt a tool but can’t tell whether the answer is any good.

And it costs more than the sticker price. Compute, licensing, integration, and the human oversight needed to use it safely all add up, as does depending on one vendor’s model and one vendor’s pricing.

The security part, which is the real story

Here’s where it stops being a productivity conversation. AI changes security in both directions at once, and right now most organizations are far better at adopting the offensive uses than defending against them.

Start with the attacker’s side. Everything that helps your business helps them too. Phishing used to give itself away with bad grammar and clumsy spelling. That tell is gone. AI now writes clean, personalized, context-aware lures by the thousand, and they work — machine-written phishing pulls click-through rates several times higher than the human-written kind. Voice and video deepfakes have made executive impersonation genuinely convincing, and “the CFO called and approved the transfer” is now a credible way to lose serious money. There are documented cases in the tens of millions. Attackers also lean on AI to scan for weaknesses and spin up malware variants. Running a real attack barely takes skill anymore.

Then there’s the quieter problem you create yourself: staff pasting confidential data — source code, customer records, deal terms — into public AI tools, where it can be retained or exposed. Plenty of AI incidents aren’t break-ins at all. They’re well-meaning employees handing sensitive information to a third party without realizing what they’ve done.

The good news is that AI cuts the other way for defenders. It’s genuinely good at spotting anomalies in network traffic and user behavior that older signature-based tools miss, at triaging the flood of alerts so your team isn’t drowning, and at speeding up response when something does go wrong. On detection at scale, it’s becoming hard to do without.

How exposed you are, though, depends a lot on how big you are.

Small businesses

If you run a small business, drop the assumption that you’re too small to bother with. It’s the opposite. Attackers like small businesses because they’re soft targets — little or no security staff, tight budgets, few tools. The numbers are blunt: a large share of all attacks hit small businesses, and they get breached at several times the rate of big companies.

AI has made this worse by industrializing attacks that used to take skill, so a five-person shop now faces the same quality of phishing and fraud as a corporation, with none of the defenses. The data-leakage problem is sharp here too, because small teams adopt free AI tools fast and informally, usually with no rules about what’s allowed in them.

You don’t need a security operations center. You need the basics done properly: multi-factor authentication on everything, a short written policy on which AI tools are approved and what data can go into them, training that specifically covers AI phishing and deepfakes, and a hard rule that any payment or sensitive request gets verified through a separate channel — and ideally a pre-agreed code word — before anyone acts. A managed security provider lets you rent the expertise you can’t afford to hire.

Medium-sized businesses

Mid-sized companies get the worst of both worlds. You’re big enough to be worth targeting on purpose and to hold data worth stealing, but you usually don’t have the mature security program a large enterprise does. You’re also the most likely to have AI adoption sprinting ahead of any governance, with different departments standing up their own tools and nobody keeping track.

That fragmentation is the core risk. One team’s using an AI coding assistant, another’s feeding customer data into a marketing tool, a third’s trialing some AI support vendor, and no one has a single view of where company data is actually going. This is where shadow AI lives.

The fix is visibility before expansion. Know which AI tools are in use. Put a real approval process around new ones. Classify your data so people know what counts as sensitive. Do actual due diligence on how AI vendors store and retain what you hand them. Mid-sized companies also get the most mileage out of putting AI on defense — automated detection and alert triage stretch a small security team much further than headcount alone ever will.

Large enterprises

Large organizations usually have the budget, the staff, and the formal program. Their problem isn’t resources. It’s scale and sprawl. The attack surface is enormous: thousands of employees, a tangle of vendors, legacy systems nobody wants to touch, and now hundreds of AI integrations scattered across the business.

They’re also the favorite target of the most capable attackers — nation-states and organized crime running patient, well-funded campaigns. And because big companies build and train their own models, they take on risks smaller firms never see: model poisoning, adversarial inputs designed to manipulate how a model behaves, prompt injection, and outright theft of proprietary models and training data.

At this size the work is governance at scale and defense in depth — a formal AI governance framework, continuous monitoring, red-teaming your own AI systems, serious supply-chain risk management, and security built into the AI development process rather than bolted on at the end. Regulation becomes its own full-time concern: data-protection law, sector rules, and the AI-specific regulation now arriving.

The thread running through all of it

Whatever the size, the pattern holds. The businesses that get burned are the ones adopting AI’s capabilities faster than the controls to manage them. The gap between “we use AI everywhere” and “we know exactly what data it touches and who it talks to” is where the damage happens.

None of the fix is exotic. Know what AI tools you’re actually running. Control what data goes into them. Train your people to recognize AI-driven deception. Verify anything that moves money or data through a channel the attacker doesn’t control. And use AI on defense at least as hard as the people targeting you are using it on offense.

The companies that get hurt by AI usually aren’t the ones holding back on it. They’re the ones who let it run ahead of anyone keeping track.

Categories: AI, Just a thought