The risk to your business was never whether to adopt AI. Your staff already did that. The risk is that nobody told them the rules.
Earlier this year, Axios reported that one company spent about half a billion dollars in a single month on an AI tool because nobody set a usage limit. The company was never named and the figure was never confirmed, so treat it as a cautionary tale, not a headline.
Here is the part that was confirmed. Uber burned through its entire 2026 budget for AI coding tools in four months. Its fix was not a seminar or a task force. The company capped each employee at $1,500 a month and moved on. A usage limit. That is the whole story.
You do not run Uber, and a seven-figure AI bill is not your problem. But the root cause is. People started using a powerful new tool faster than anyone set rules for it. That happens at a five-person office just as easily as it happens at a tech giant. The bill is smaller. The exposure is not.
The gap is not adoption. It is training.
Most small businesses are already past the question of whether to use AI. Your front desk is probably using ChatGPT to draft replies. Someone in marketing is using Canva's AI features. Grammarly is rewriting emails, and AI is now baked into the office software you already pay for. 58% of small businesses now use generative AI, up from 40% a year earlier, and more than half of them started within the last twelve months.
Adoption is racing ahead. Training is going backward. Jobs for the Future found that only 36% of workers say they have the training and resources they need to use AI at work. A year earlier it was 45%. More people are using these tools, and fewer of them feel ready.
The gap, in two pictures
Two different surveys, two different groups. One trend is climbing. The other is falling.
Chart 1: Small businesses using AI. Source: U.S. Chamber of Commerce, 2025
Chart 2: Workers who feel trained for AI. Source: Jobs for the Future, 2026
Untrained use bites in two ways, and neither one shows up until it is too late to undo.
Problem one: your data walks out the door
When someone pastes information into the free version of a public AI tool, that information can leave your control. In 2023, Samsung engineers pasted proprietary source code into ChatGPT to clean it up. The code was real, the leak was real, and there was no getting it back.
Now picture that at your scale. A receptionist at a dental office pastes a patient's history into a free chatbot to draft an insurance appeal. That is a HIPAA problem, full stop, because the standard consumer version of these tools is not covered by a business associate agreement. The same logic applies to client lists at a law firm, financials at an accounting practice, and donor records at a nonprofit. Once sensitive data is in a public tool, you have lost the ability to promise it is private.
Problem two: bad output that nobody caught
AI tools are built to sound confident. Confidence is not accuracy. They will invent facts, citations, and figures and present them in the same calm voice they use for the truth.
Lawyers have learned this in public. It started with one famous 2023 case, Mata v. Avianca, where attorneys filed a brief full of court cases ChatGPT had simply made up. The judge fined them $5,000. That was not a one-off. By late 2025, court watchers had documented more than 600 similar cases across the country, and a California court handed down a $10,000 sanction against an attorney who cited 21 fake cases out of 23.
The usual defense is "we will just buy the professional tool." That does not solve it either. Stanford researchers tested purpose-built legal AI tools and found they still produced wrong or made-up answers in roughly one of every six questions. The tool is not the safeguard. A trained human reviewing the output is the safeguard.
The risk was never adoption. It was untrained adoption.
This is the one idea to take away. Your staff using AI is not the danger. Your staff using AI with no idea what they can paste, what they cannot, and what has to be checked before it leaves the building: that is the danger.
The good news is that this is the cheapest problem on your desk to fix.
The fix is one page and one hour
You do not need a week-long course or a consultant on retainer. You need a one-page policy and a short, plain meeting that answers four questions. If a staff member cannot answer these for a given task, they should not hand that task to an AI tool.
1 / What can staff use?
Name the approved tools and the ones that are off-limits. Usually the line is between the paid business version your company controls and the free personal version that does not protect your data.
2 / What should they never paste?
Be specific. Customer and patient information, financial records, passwords and keys, and anything a client shared in confidence. If you would not email it to a stranger, do not paste it into a public AI tool.
3 / What needs a human review?
Anything headed to a client, a court, the public, or a live system gets read by a person first. Every time.
4 / When do they stop and ask?
Give them one name to call when something feels off or a mistake happens. Make it safe to report. A staffer who hides an accidental data paste is far more expensive than one who flags it in five minutes.
If you want a starting point, the SBA and SCORE both publish free small-business AI guidance, Google's AI Essentials course is free, and NIST has a free framework if you want more structure. None of this requires a budget.
Your people are already using AI today, whether or not anyone told them how. The cheapest risk you can buy down this quarter costs one page and one hour. Write the page. Hold the meeting.
Sources: Jobs for the Future 2026 worker survey; U.S. Chamber of Commerce C_TEC "Empowering Small Business" report (2025); Axios, "AI sticker shock hits corporate America" (May 28, 2026); TechCrunch on Uber's spending cap (June 2026); Cybersecurity Dive on the 2023 Samsung leak; Stanford HAI / RegLab on legal AI hallucination rates; reporting by the Associated Press and CalMatters on AI sanctions against attorneys.