News
AI
By Chris Wall
5 min read

If your company has more than ten employees, there's a good chance someone is already using an AI tool you don't know about. I see it constantly in the businesses I work with. I've seen an estimator paste a customer contract into a free chatbot for a quick summary. I've seen office staff upload client spreadsheets because the AI was better at cleaning up messy data than Excel. Sales teams are using AI for follow-up emails, sometimes without realizing they've just uploaded pricing information into a personal account.
Nobody involved is trying to cause a problem. They found something that makes the job easier and they used it. That's what capable people do.
The part that catches leadership off guard is that while they've been discussing whether to adopt AI, the adoption already happened. It happened gradually, in tools nobody vetted, under accounts the company doesn't control, governed by terms of service almost nobody has read. This is what people mean by shadow AI, and in my experience it's already present in nearly every organization I look at.
Why I treat this as a security problem first
Most of my work is security work, across a portfolio of small and mid-sized companies, so that's the lens I bring. Shadow AI is an unauthorized data path. I've investigated incidents where data left a company through a forgotten API key tied to an offboarded vendor. This is the same problem. Data leaves your environment through a channel you don't control and can't monitor, and you can't shut it off because you don't know it's there.
What makes it worse than the vendor cases I've worked is visibility. A rogue integration usually leaves logs somewhere. An employee typing customer data into a consumer AI tool leaves almost nothing to find. And depending on the tool and the account tier, that data may be retained indefinitely or used to train someone else's models. If that provider has an incident of its own, your data is part of it.
There's also what's happening on the attacker side. The 2026 Verizon Data Breach Investigations Report, which draws on more than 22,000 confirmed breaches, found that vulnerability exploitation became the leading way attackers get in, a first in the report's history, and that attackers are using AI to find weaknesses faster. Nearly half of all breaches now involve a third party. So the sprawl of company data into unvetted tools is growing at the same time attackers are getting better at finding exactly that kind of exposure.
You don't need to be an AI company to carry AI risk. Employees with browsers are enough.
Banning it doesn't work
The first instinct I hear from leadership is to block everything. I understand why, but I've watched how that plays out. The behavior doesn't stop. It moves to personal phones and home computers, where you have even less visibility than before. And you've now told your most productive people that the thing helping them do their job is contraband, so they stop telling you what they use. The information you needed most just went underground.
The companies I've seen handle this well didn't try to ban AI. They figured out what people were already using, established some reasonable guardrails, and gave employees approved tools that accomplished the same thing. Once that happened, most of the shadow usage disappeared on its own.
What I'd actually do this quarter
None of this requires a strategy retreat. Four moves cover it.
Take inventory. Ask each department what AI tools they're using. Ask without any threat attached, because you want honest answers. Every time I've run this exercise, the list comes back two or three times longer than leadership expected, and the most sensitive use cases are never the ones anyone guessed.
Publish an acceptable use policy. One page is enough. Spell out what data can never go into an AI tool. Customer records, payment information, employee data, anything covered by a contract or a regulation. Name the approved tools and tell people who to ask when something new comes up. Most employees follow the rules once they know rules exist. The problem is usually that nobody ever wrote them down.
Run third party security assessments on your critical vendors. AI didn't just arrive through browsers. It's being switched on inside software you already own, including your CRM, your industry platforms, and your Microsoft environment. A TPSA is how you get ahead of that instead of learning about it during an incident. For each vendor that touches your data, cover the basics: what data they hold, how it's secured, what attestations they can produce (SOC 2 is the common baseline), what their breach notification commitment says, and who actually answers the phone when something goes wrong. Then add the AI questions. Are they using AI on your data? Is your data used to train models? Can you opt out, and do they offer a zero data retention option? A vendor that answers cleanly is a partner. One that can't is a risk you've accepted whether you meant to or not. The Verizon finding that nearly half of breaches involve a third party is the whole business case in one sentence.
Make vendor review a standing process. New tools show up constantly, and vendors change their AI practices between renewals without telling anyone. The rule I recommend is simple: no new vendor gets access to company data without an assessment, and critical vendors get reassessed annually or whenever they ship a major AI feature. Tier vendors by risk so the effort goes where the exposure is. Most companies assess a vendor once at contract signing and never look again. Attackers understand that gap better than most organizations do.
Where I'd focus
There's a lot of noise about what AI will do for your business right now, and most of it comes from people who benefit from the excitement. Before buying anything, get governed. Know what's in use, set the rules, and close the data paths you didn't know you had. That foundation is inexpensive, and it's the difference between adopting AI on your terms and finding out mid-incident that it adopted you.
If you're trying to get ahead of this before it becomes a security issue, we'd be happy to help you work through the inventory, policy, or vendor assessment process.
Chris Wall is the CIO of Universal Systems Inc., a full-stack IT solutions provider in Salt Lake City providing managed IT services, system integration, hardware distribution, and structured cabling.
← All insights
© 2026 Universal Systems, Inc. All rights reserved.