The new normal
In 2023, the question for most SMB leaders was whether they should be looking at AI at all. In 2026,
the question is whether they have any visibility into the AI their staff is already using. The
shift happened faster than most IT teams could write policy for. Free-tier ChatGPT spread first
through marketing and customer support teams. Then Claude got a foothold in legal and operations.
Then Microsoft and Google bundled AI into the productivity suites everyone was already paying for.
Then automation tools like n8n, Zapier, and Make got LLM connectors and a "let's try this" project
in one department became a workflow another department depends on.
The result is that virtually every business with a knowledge-worker headcount is now an AI-using
business — whether they think of themselves that way or not. Some of that usage is being done
thoughtfully. A great deal of it is not. We have walked into engagements where the company's
client data is being pasted into a free chatbot by three different people for three different
reasons, none of whom realized the inputs were being used to train the model. We have seen
regulated firms with active HIPAA exposure because someone used a public AI tool to summarize
a patient-related document. We have seen automation workflows running in production that nobody
in IT knew existed until they broke.
None of that means AI is bad. It means AI adoption is a real organizational change — like email
was in the nineties, like cloud was in the twenty-tens — and like every prior wave, the
companies that succeed are the ones that get in front of it instead of letting it happen to them.
Three risks no one talks about
Most AI risk conversations focus on hallucinations and "AI will replace jobs." Those are real but
well-discussed. Three risks that are less discussed and more practically dangerous to a business
adopting AI today:
1. Data leakage to model providers
When your staff pastes a confidential document into a public AI tool, the question of whether
that text becomes part of the model's training set depends on which tier of the tool, whose
account, and what was checked in the settings. The defaults are not your friend. Consumer
ChatGPT trains on inputs by default. Several other vendors' free tiers do the same. Enterprise
tiers typically do not — but you have to be on the right tier and the right account, with the
right contract, for that to be true. Most companies have no visibility into this and no policy
distinguishing safe from unsafe usage.
2. Compliance debt
SOC 2, HIPAA, PCI-DSS, CMMC, and most regulatory frameworks require that you know where
sensitive data is going and who is accessing it. AI tools introduce a new processor — the model
provider — into your data flow, and unless that processor is documented in your vendor inventory
and your data-processing agreements, you are accumulating compliance exposure with every use.
This catches companies in their next audit cycle, where the auditor asks for an AI usage policy
and the answer is "we'll have one soon." That conversation is much easier when the policy exists.
3. Vendor lock-in to whoever moved first
When one department independently standardizes on a specific AI tool — because someone there
liked it — that tool can become organizationally entrenched within months. Migration becomes
painful. New vendor evaluation gets dismissed because "we already have one." The result is
you end up locked into the AI vendor your most enthusiastic department picked, not the AI
vendor that's actually best for your overall posture. Centralizing the vendor decision early
is much easier than decentralizing it later.
The companies that get hurt are not the ones using AI. They're the ones who didn't know they were.
A 5-step framework
Here is the framework we use to take a company from "AI is happening to us" to "AI is happening
for us." It is not novel — it is the same five things every reasonable engagement does — but
it is in the right order and it is opinionated about what comes first.
1Establish policy first
Before you onboard your first AI tool, before you pick your first pilot, write the policy. The
policy does not need to be long. It needs to answer four questions in plain language: which AI
tools are approved for which kinds of work; what data is off-limits regardless of tool; who has
to be informed when a new AI use case is being considered; and what to do if you think a
violation has happened.
The temptation is to do the pilot first because it feels concrete and the policy feels abstract.
The reason that is the wrong order is that the pilot generates the use cases the policy needs
to cover, and if the policy is reactive to the pilot, you end up retrofitting rules to fit what
already happened. Write the policy first as a forward-looking position document. Iterate it
as the pilots inform what you missed.
A policy you can write in a week and your team can read in five minutes is better than a
comprehensive policy that takes six months and nobody opens.
2Pick a contained pilot
The first AI project should not be the highest-value AI project in your business. It should be
the project that proves your governance model and earns confidence to do bigger ones. The
criteria for a good first pilot are deliberately conservative: low data-sensitivity exposure,
clear and narrow scope, a small number of users, a fast feedback loop, and a measurable outcome.
Common good first pilots: an internal knowledge assistant on a non-sensitive document corpus,
a meeting-summary helper for one team, a draft-response generator for internal support tickets,
a research-and-summarize workflow for a defined kind of inbound request. Common bad first
pilots: a customer-facing chatbot, an AI-driven decision in a high-stakes loop, a fully
automated end-to-end workflow with no human in the middle.
The reason to keep the first one small is that the failure modes of AI projects are unfamiliar
to most operators. You want to encounter the surprises — the hallucination patterns, the
compliance review you didn't know you needed, the vendor contract clause that doesn't quite
cover what you assumed — at a scale where they're learning experiences rather than incidents.
3Set up governance early
By "governance" we don't mean a six-person committee. We mean three concrete things: a clear
owner for each AI tool, audit logging that captures who used what when, and a regular review
cadence.
Ownership matters because AI tools rot fast without it. Vendor pricing changes, model versions
deprecate, new capabilities ship that change what's possible. If nobody owns the tool, it
becomes someone's neglected side project until it breaks. Pick a person — usually a manager
in the function using the tool, not someone in IT — and write their name down.
Audit logging is the part most companies skip and most auditors ask about. You want to be
able to answer the question "who used the AI tool to do what last week" without doing
archaeology. Most enterprise-tier AI tools provide usage logs; turn them on at setup, not
later. Some require integration with your IdP for the logs to be useful; do that integration
at setup too.
Regular review cadence means a calendar event. Monthly works for early-stage rollouts;
quarterly works once things are stable. The review covers tool usage, any policy violations
or near-misses, vendor contract status, and whether the AI use case is still serving the
business goal it was deployed for. Skipping these reviews is how you end up with shelfware
you're still paying for.
4Train before you scale
AI deployment without training produces wide variance in outcomes — some users get value, most
do not, and a few create problems. Training closes that gap. The training doesn't have to be
long. It does have to be role-specific. A finance lead does not need the same AI training as a
customer support rep, and giving them the same training serves neither well.
Cover three things at minimum: how to use the specific tool for the specific tasks that role
actually does, the policy rules that apply to that role, and the verification habit — how to
check AI output before it goes anywhere it shouldn't. The verification habit is the most
important and the most often skipped. AI is wrong with confidence; people who haven't built
the muscle to check it will pass through bad outputs.
Plan training as part of the pilot rollout, not after. The staff using the pilot should be
trained before they touch the live tool. Reinforcement training every six to twelve months
keeps them current as the tooling evolves and as your policy gets refined.
5Audit quarterly
Once you're past the first pilot and starting to scale, build a quarterly audit into the
rhythm. The audit covers six things, and it's small enough to run in a single afternoon if you
have the logs set up right.
- Tool inventory. What AI tools are in use in the company? How does that compare to last quarter?
- Vendor posture. Are the tools still on the right tier with the right contracts? Any vendor changes that affect data handling?
- Usage patterns. Pull usage logs. Anything unusual? Any spike or drop that warrants understanding?
- Policy violations or near-misses. What got reported? What didn't get reported but should have?
- Outcomes against goals. Is the AI still serving the business goal it was deployed for? Has the goal shifted?
- Next-quarter plan. What are you adding, retiring, or evolving in the next 90 days?
The audit is not bureaucracy — it is the operational check that keeps the AI program from
becoming the same kind of shadow IT it was when you started.
Common pitfalls
Six failure modes we see often enough to warn about:
- Skipping policy because "we'll figure it out as we go." By the time you're figuring it out, your team has formed habits the policy now has to fight against. Set the policy first even if it's imperfect.
- Picking a customer-facing pilot. The reputational and data exposure of a chatbot that misbehaves on a real customer is much worse than the upside of being early to it. Save customer-facing for project three or four, once the muscle is there.
- Centralizing on the wrong tier of the right vendor. The Enterprise tier of ChatGPT has different data handling than the Team tier. The Claude API has different terms than Claude.ai. Read the contract before you standardize.
- Treating training as a one-time event. AI capabilities and the policy around them shift quarterly. Training that worked in Q1 is partially obsolete by Q3. Build the cadence in.
- Promising ROI numbers you can't verify. "AI will save us 30% on X" sounds great in a board deck and terrible in the next quarter's review when X actually went up. Underpromise on the first project; let it earn the bigger ones.
- Letting "shadow AI" win. When a team uses an unapproved tool, the temptation is to shrug because it's working. Don't. Either approve it (review, contract, governance) or stop it. Tolerating it sets a precedent that policy is optional.
This is a tool list, not a manifesto. It reflects what we currently see working well in the
small and mid-sized businesses we onboard. Tooling moves fast; we update this section roughly
twice a year. Always verify the current data-handling terms before standardizing.
- Anthropic Claude (Team / Enterprise / API). Strong general-purpose model with explicit zero-data-retention options for business tiers. Where most of our regulated-client engagements start.
- OpenAI ChatGPT Enterprise / Team. Good general-purpose option with enterprise data controls. Avoid the free or Plus tiers for any business use of confidential data.
- Microsoft Copilot (M365 + Copilot Studio). Where Microsoft 365 is the existing productivity stack, Copilot is the path of least resistance. Data stays in the tenant boundary by design.
- Google Gemini for Workspace. The Workspace-shop equivalent of Copilot. Similar tenant-boundary properties.
- n8n. Open-source automation platform that pairs well with LLM APIs for workflow building. Self-hostable, which matters for some compliance scopes. See AI & Automation for the implementation service.
- Zapier / Make. Hosted automation platforms with AI integrations. Easier to start with than n8n; less control over data residency.
Notably absent: customer-facing chatbot platforms and any "AI agent" framework. Both can be the
right answer; both are riskier first picks than the tools above. We'll discuss them in a
specific engagement when they're the right fit.
When to bring in a partner
You don't necessarily need outside help to run this framework. If you have a CIO or CTO with
cycles for the work and a strong security and compliance team, you can run it internally. Most
of the SMBs we see are missing one or both of those pieces — and that's where a partner pays
for itself.
Specifically, bring in an outside partner when: you don't have an internal owner with bandwidth
and AI experience; you're in a regulated environment where the policy and contract work needs
an experienced hand; you want to move faster than your internal team can absorb the work; or
you want a forcing function for the cross-departmental coordination that AI adoption requires
and that internal politics often resist.
Slyder Consulting Group's AI Services engagement is specifically
structured around this framework: onboarding covers steps 1-3,
training covers step 4, and quarterly advisory covers step 5.
Tactical execution (when you need someone to actually build the automation, not just advise
on it) lives under AI & Automation.
The TL;DR
- Your company is already using AI. Get visibility into where.
- Write a short policy before you do the first project.
- Pick a small, contained first pilot. Save the high-stakes one for round two or three.
- Set up audit logging at deployment. Don't wait for the audit.
- Train staff role-specifically before they touch the tool, not after.
- Run a quarterly review. Treat it as operational, not bureaucratic.
- Don't tolerate shadow AI. Either approve it or stop it.
- Underpromise ROI on the first project. Let it earn the bigger ones.
Most of the difficulty in adopting AI is not the AI. It is the organizational discipline of
introducing a new operational capability into a business that already has other priorities.
The framework above is the boring, opinionated way of doing it that we have seen work
repeatedly. Boring is the right answer here.