The AI Risk Already Inside Your Business

By Tracey Birkenhauer, journalist and Chief Impact Officer, STACK Cybersecurity

Executives think AI adoption is a decision.

It isn't.

It's already happened.

Somewhere in every company, someone is using Claude to write emails.

Someone is using Copilot to summarize meeting notes.

Someone is using DeepSeek to research prospects.

Someone is probably using ChatGPT right now.

The question isn't whether your staff is using AI. The question is whether you know which employees are using it, how often, and for which use cases.

AI Changing How Work Gets Done

The White House signed a new Executive Order on AI and cybersecurity on June 2, and lawmakers released a bipartisan discussion draft of the Great American AI Act just days later. If you're a business leader, it's easy to look at those developments and assume they're aimed at Silicon Valley, federal agencies, or the biggest technology companies in the country.

Not so fast.

The conversations happening in Washington point to a reality many business leaders haven't fully recognized yet: artificial intelligence is already changing how work gets done inside their companies. And chances are, it's happening faster than they think.

To understand what that means for executives, Rich Miller, CEO of STACK Cybersecurity, offered his perspective in his responses to 10 questions. Founded in 2006, STACK is a security-forward IT managed service provider (MSP) based in Livonia, Mich.

The cybersecurity executive's message was direct: the biggest AI risk isn't the technology. It's human behavior.

Q&A with Rich Miller, CEO of STACK Cybersecurity

1. Rich, everyone seems to be talking about AI right now. What should business leaders take away from the Executive Order?

The Executive Order matters because it signals that AI security has become a national priority. It directs federal agencies to strengthen cyber defenses, establishes a framework for evaluating frontier AI models before they're widely released, and creates an AI cybersecurity clearinghouse connecting the government with private industry.

The order also directs the Attorney General to prioritize enforcement of federal criminal laws against AI-driven cybercrime, which tells you something about where threats are heading.

For business leaders, the takeaway is that AI has become important enough that governments, health care systems, financial institutions, and cybersecurity professionals are all paying attention to the risks alongside the opportunities. That's a conversation every business leader should already be having.

2. What about the Great American AI Act discussion draft? Does that change anything?

It reinforces the same message.

The Great American AI Act is a bipartisan discussion draft, so it hasn't been formally introduced yet. But it's attempting to create a federal framework for transparency, accountability, and governance around AI systems, including third-party audit requirements for the largest AI developers and limits on how states can regulate AI separately from federal standards.

Whether it becomes law in its current form isn't really the point. The point is that governance is becoming a core part of the AI conversation.

Five years ago, cybersecurity was viewed as an IT problem. Today it's a business problem. AI is following the same path. The businesses that start thinking about governance now will be in a much stronger position than those that wait until a customer, a regulator, an insurance carrier, or a cyber incident forces the conversation. We've written about that gap before in our piece on cybersecurity overconfidence, and it applies just as much to AI.

3. What's the biggest AI-related threat businesses face today?

Most people assume I'm going to say some sophisticated AI-powered cyberattack. That's not what concerns me most right now.

The biggest risk today is something called Shadow AI: what happens when employees start using AI tools without the knowledge, oversight, or guidance of leadership.

And it's happening everywhere. Someone uses ChatGPT to draft a proposal. Someone uploads financial data into a Copilot assistant to help analyze a spreadsheet. A salesperson uses AI to summarize customer notes before a meeting. An HR generalist pastes internal company information into a public AI platform because they're trying to save time.

These AI users don't know they're creating security issues. They're trying to be productive. That's what makes Shadow AI so difficult to address.

4. Why is Shadow AI such a concern?

Think about it this way. Imagine you've spent years securing your office. You've installed locks, cameras, alarms, and access controls. Then one day, employees start holding company meetings in random coffee shops around town.

That's essentially what Shadow AI can look like. The problem isn't the technology itself. The problem is that you've lost visibility. And cybersecurity starts with visibility. You can't protect information you don't know is leaving the building. You can't manage a risk you don't know exists. If you don't have the proper cybersecurity tools to identify Shadow AI, you could be in real trouble. Shadow AI was involved in roughly 20% of reported breaches studied by IBM, as was reported in the 2025 Cost of a Data Breach (PDF) survey.

When staff use AI tools outside approved channels, businesses lose that visibility entirely. It's the same dynamic we see with phishing attacks: the threat isn't always sophisticated. It just takes advantage of gaps that nobody thought to close.

One real-world example worth knowing: Samsung discovered that employees had entered sensitive internal source code into ChatGPT. The information was processed by an external AI system before anyone in leadership knew it had left the building. That's not a hypothetical. That's what Shadow AI looks like in practice.

5. Are companies really seeing this today?

Absolutely. Most leadership teams are surprised when they see how much AI is already being used inside their business. According to research from Microsoft WorkLab, around 78% of workers already use AI tools on the job, and a significant share of that usage happens through personal accounts outside enterprise controls. Gartner research across 500 companies found that 68% of employees use unauthorized AI tools at work, up from 41% in 2023.

Employees adopt AI long before formal policies exist because AI is genuinely useful. People are writing faster, researching faster, and solving problems faster. The challenge is that productivity moves much faster than governance. That's why so many businesses discover they have AI usage but no AI strategy. Our AI FAQs for Business is a good starting point for teams trying to get their bearings.

6. What should business owners be doing right now?

First, don't panic. Second, don't try to ban AI. History tells us that doesn't work. The better approach is to acknowledge reality and create guiderails and guardrails.

Start by asking a few basic questions. Do we know which AI tools employees are using? Do we have an AI policy? Do employees understand what information can and can't be shared with external AI platforms? Do we have an approved way for employees to use AI safely?

Most businesses can't confidently answer those questions today. That's where they need to start. According to IBM's 2025 Cost of a Data Breach Report, 63% of breached companies either had no AI governance policy or were still developing one at the time of the breach. That gap has real consequences. If you want a structured way to think it through, our AI Readiness Evaluation walks you through exactly that process.

7. How is STACK helping clients address these risks?

The most common question we hear is: "How do I know what my employees are doing with AI?"

The honest answer is that most business owners don't. That's why we built AI Guardian by STACK Cybersecurity. We offer managed AI packages the same as we offer managed IT packages to other businesses so they have a set monthly spend. Our AI managed service helps businesses discover Shadow AI, establish governance, secure company data, and safely deploy AI tools.

One of the most valuable things we do is identify unauthorized AI usage already occurring inside a business. Many owners are genuinely surprised by what we find. Once we understand what's being used, we help create policies, establish oversight, train employees, and provide approved alternatives that align with the company's goals and risk tolerance.

Most businesses don't need another AI application. They need visibility, governance, and a strategy. For businesses already using Microsoft 365, our Microsoft AI Decision Brief is worth a look before making any licensing decisions.

8. Why not just buy ChatGPT or Copilot licenses?

Because buying a tool isn't the same as managing risk.

An AI subscription doesn't tell you who's using unauthorized tools on the side. It doesn't create governance policies. It doesn't identify potential data exposure. It doesn't monitor AI activity across the business or help leadership understand where AI is creating value and where it's creating risk.

That's the gap where businesses need guidance. The technology is only one piece of the equation. Using it responsibly is the bigger challenge. For businesses in regulated industries, that responsibility also has legal dimensions worth understanding, whether it's state AI laws already on the books or federal requirements still taking shape.

IBM's 2025 Cost of a Data Breach Report found that Shadow AI breaches cost an average of $670,000 more per incident than breaches at firms with little or no Shadow AI involvement. A licensing decision that saves a few hundred dollars a month looks very different next to that number.

9. We've talked a lot about risk. What are businesses getting right about AI?

That's an important question because I don't want anyone to walk away thinking AI is something to fear.

Quite the opposite. The businesses embracing AI thoughtfully are seeing real benefits.

We're seeing owners use AI to draft communications faster. Sales teams are preparing for meetings more efficiently. Administrative staff are reducing repetitive work. Leaders are spending less time searching for information and more time making decisions.

The opportunity is real. What concerns me isn't AI adoption. It's unmanaged AI adoption.

Every major technology shift creates winners and losers. The winners are usually the ones that embrace change while putting the right guardrails in place.

Think about cybersecurity itself. Twenty years ago, businesses that invested in cybersecurity gained an advantage because they could operate more confidently and earn trust more easily. I think AI is heading down a similar path.

The businesses that learn how to safely leverage AI today will likely be more productive, more competitive, and more profitable tomorrow. We all need to make sure it's creating value without creating unnecessary risk. And that's a balance every business can achieve.

10. Where do you see this heading?

I think AI will become as common as email. Within a few years, every company will be using it in some form. The businesses that thrive won't be the ones that avoided AI. They'll be the ones that learned how to govern it.

Right now most companies are focused on what AI can do. The next phase is understanding how it should be managed. That's where cybersecurity, governance, and business leadership all come together. And honestly, that's where the biggest opportunities exist.

What Business Owners Should Do Next

The new Executive Order and the emerging federal debate around AI governance aren't warnings to avoid AI. They're reminders that every powerful technology requires responsibility.

For executives, the greatest AI risk is the AI activity already happening inside the company that nobody can see. Before you can govern AI, secure it, or benefit from it, you have to know it's there.

Explore STACK's full library of AI resources at our AI Hub, or take our AI Readiness Evaluation to see where your business stands today.

Related AI & Cybersecurity Resources

• What Is Shadow AI?
• AI FAQs for Business
• AI Security Checklist for Businesses
• State AI Laws Guide
• Microsoft AI Decision Brief
• Cybersecurity Overconfidence
• How Phishing Attacks Work