Most SMBs are running their first real AI security incident in slow motion. Not because something dramatic broke — but because half the team is pasting client emails into the free version of ChatGPT, the other half is sending contracts to whatever assistant their phone suggested, and nobody wrote down where any of it is supposed to go. The damage isn't a breach. The damage is that you don't know where your data is.
Sort your data into three buckets
You don't need a CISO-grade taxonomy. You need three labels. Public: marketing copy, blog posts, anything you'd put on your website. Internal: meeting notes, internal SOPs, customer names without sensitive context. Sensitive: anything covered by privilege, HIPAA, financial regulation, an NDA, or a specific client confidentiality obligation, plus anything the person pasting isn't sure about. The point of the buckets isn't elegance; it's giving your team a 10-second decision for each thing they paste, with a default (Sensitive) for when 10 seconds isn't enough.
Standardize on one paid business-tier tool
Consumer free tiers generally reserve the right to train on what you type unless you find and flip an opt-out, and those settings change without much notice. Business-tier subscriptions (Claude Team, ChatGPT Business, the business tiers from Google or Microsoft) carry a contractual commitment not to train on your data and give an admin a view of who has a seat. Pick one. Pay for it for every person who touches client data; the cost of a Team plan is a fraction of one incident response engagement. Then explicitly disallow the free tier for anything beyond Bucket One, and confirm the retention and training settings in the admin console once rather than assuming the default.
Write the one-page policy
The policy that actually works at SMB scale is one page. It names the approved tool, lists which buckets can go into it, names two or three things that never go in (specific client identifiers, full social security numbers, contracts under negotiation), tells people who to ask when they're unsure, and tells them who to tell, the same day, when something sensitive already went in. That's it. A 20-page AI policy is a policy nobody reads. A one-pager pinned in Slack gets followed.
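The bucket rule and the never-list above are simple enough to turn into a pre-paste check that a team can run over a draft prompt before it goes anywhere. The script below is an added example, not something from the original post or from any vendor; the client names, the negotiation phrases and the choice that the business tier is cleared for Public and Internal only are all assumptions standing in for whatever your one-pager actually says. Its one design rule matches the policy: any hit on the never-list makes the text Sensitive, and Sensitive is never cleared for either tier.

```python
import re

PUBLIC, INTERNAL, SENSITIVE = "public", "internal", "sensitive"

# Constructed stand-ins for the "never goes in" list on the one-pager (assumption);
# a real deployment would load these from the policy, not hard-code them.
CLIENT_IDENTIFIERS = ("Acme Holdings", "Bluebird Dental", "Matter 24-0117")

# US SSN: three-two-four digits, excluding prefixes the SSA never issues (000, 666, 9xx).
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

# Phrases that tend to appear only in contracts still under negotiation (assumption).
NEGOTIATION_MARKERS = ("redline", "subject to contract", "term sheet", "not yet executed")

# Phrases that mark Bucket Two material without making it Sensitive (assumption).
INTERNAL_MARKERS = ("meeting notes", "sop", "internal", "action items")

# Which buckets each tier is cleared for. Free tier: Bucket One only, as the post says.
# Business tier cleared for Public and Internal is an assumption about your policy.
ALLOWED = {
    "free": {PUBLIC},
    "business": {PUBLIC, INTERNAL},
}


def _has_word(marker: str, lowered: str) -> bool:
    """Whole-word match so 'sop' does not fire on 'shop'."""
    return re.search(rf"\b{re.escape(marker)}\b", lowered) is not None


def classify(text: str) -> tuple[str, list[str]]:
    """Return (bucket, reasons). Any hit on the never-list wins: unsure means Sensitive."""
    lowered = text.lower()
    reasons: list[str] = []
    for ident in CLIENT_IDENTIFIERS:
        if ident.lower() in lowered:
            reasons.append(f"client identifier: {ident}")
    if SSN_RE.search(text):
        reasons.append("full SSN present")
    for marker in NEGOTIATION_MARKERS:
        if _has_word(marker, lowered):
            reasons.append(f"contract under negotiation: '{marker}'")
    if reasons:
        return SENSITIVE, reasons
    for marker in INTERNAL_MARKERS:
        if _has_word(marker, lowered):
            return INTERNAL, [f"internal marker: '{marker}'"]
    return PUBLIC, []


def may_paste(text: str, tool: str) -> tuple[bool, str, list[str]]:
    """Decide whether text is cleared for the given tier ('free' or 'business')."""
    bucket, reasons = classify(text)
    return bucket in ALLOWED.get(tool, set()), bucket, reasons


if __name__ == "__main__":
    # Constructed sample prompts, one per bucket.
    for prompt in (
        "Five tips for choosing a dentist, for the blog",
        "Meeting notes from Tuesday: action items below",
        "Tidy up this redline for Acme Holdings",
    ):
        ok, bucket, why = may_paste(prompt, "business")
        print(f"{'OK  ' if ok else 'STOP'} [{bucket}] {prompt!r} {why}")
```

Pattern matching like this is a floor, not a ceiling: it catches the obvious paste of an SSN or a named client, and it cannot tell that a paragraph describing a patient's treatment is HIPAA-covered. That is exactly why the classifier defaults to Sensitive on any hit and the policy still needs a human to ask when unsure.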
The honest caveat
Even a paid business tier won't save you from a screenshot sent to the wrong channel, a misforwarded chat thread, or a half-configured integration that connects your AI to your file storage with whatever access the connecting account had rather than the one folder you meant to share. When you wire up a connector, check what it was granted, not just that it works. Tooling buys you a baseline. Habits and a short review cadence buy you the rest.
Your next step
Pick the tool this week. Write the one page next week. Get the team to sign it the week after. Review it once a quarter. That's the entire program for most businesses your size.