Technological Advancements

Shadow AI for SMBs: Hidden risks and security tips

Shadow AI for SMBs: Hidden risks and security tips is becoming an increasingly important topic as businesses adopt artificial intelligence tools at a rapid pace, often without formal oversight from IT teams or established cybersecurity policies.


Shadow AI for SMBs: Hidden risks and security tips for safer business operations


Artificial intelligence has quickly become an essential business tool, helping organisations improve productivity across research, marketing, finance, customer service and inventory management. However, alongside these benefits, experts are warning that the rise of unapproved AI applications—commonly known as “Shadow AI”—is creating new cybersecurity and data protection risks, particularly for small and medium-sized businesses.

According to an October 2025 survey by the Small Business & Entrepreneurship Council, only 12 percent of businesses reported not using AI tools. Most organisations now rely on multiple AI applications to support daily operations, making artificial intelligence an integral part of modern business workflows.

While AI adoption continues to accelerate, many employees are independently using publicly available AI platforms without approval from their organisations’ IT departments. This mirrors the long-standing issue of Shadow IT, where staff install or use unauthorised software, messaging platforms or cloud storage services outside official company systems.

The growing popularity of AI has expanded this challenge. Employees often adopt new AI chatbots and productivity tools because they are convenient and readily available. However, these services can create uncontrolled data flows, exposing confidential business information and increasing organisational risk.

One of the biggest concerns surrounding AI cybersecurity is that cybercriminals are actively exploiting interest in artificial intelligence. Attackers increasingly disguise malicious software as legitimate AI applications, targeting businesses eager to experiment with new technologies.

Cybersecurity company Kaspersky reported that between January and April 2026, its security solutions detected more than 33,300 attacks targeting small and medium-sized businesses, involving malicious or unwanted software disguised as popular AI services. The figure represents nearly a fivefold increase compared with the same period in 2025.

According to the findings, malware posing as ChatGPT accounted for approximately 42 percent of these attacks, followed by Claude at 24 percent and DeepSeek at 20 percent. As new AI services emerge almost daily, distinguishing genuine platforms from fraudulent ones has become increasingly difficult for many employees.

Cybercriminals are also creating fake AI subscription services designed to steal money from unsuspecting users. In one recent case identified by Kaspersky researchers, scammers promoted an AI platform specifically targeting contractors. Victims paid subscription fees but never received access to the promised service.

Beyond fake applications, another major concern involves employees sharing confidential company information with legitimate AI chatbots.

Business users frequently upload reports, financial data, customer information and internal documents to AI platforms to generate summaries, analyse data or draft content. However, once uploaded, that information is typically stored on the service provider’s servers and processed according to its terms of service.

Many AI developers also reserve the right to use submitted information to improve future versions of their large language models. Organisations that fail to understand these data handling policies may inadvertently expose commercially sensitive information.

Previous incidents have demonstrated these risks. Security researchers have identified software flaws that allowed some users to view portions of conversations belonging to others, raising concerns that confidential corporate information could be unintentionally disclosed.

Credential theft represents another growing threat. Login details for AI chatbots, image generators, translation platforms and other AI-powered services are increasingly traded on dark web marketplaces after being stolen through information-stealing malware.

If attackers gain access to an employee’s AI account, they may retrieve confidential files, conversations and business information stored within the platform. Such information could then be used to launch more sophisticated cyberattacks against the affected organisation.

Although large enterprises often invest in dedicated AI governance frameworks and advanced cybersecurity infrastructure, many small and medium-sized businesses face budget and resource limitations that make comprehensive AI security more difficult to implement.

Nevertheless, organisations can significantly reduce their exposure by adopting practical security measures. Establishing clear internal policies governing the use of external AI services helps ensure employees understand which platforms are approved and how sensitive information should be handled.

Regular employee awareness training is equally important. Staff should be educated on recognising phishing attacks, fake AI websites, malware, scams and other common cyber threats while learning safe practices for using AI tools responsibly.

Businesses should also require strong, unique passwords for AI accounts, encourage regular password updates and avoid downloading AI applications from unofficial websites or unverified sources.

Before adopting any AI platform, organisations should carefully review the provider’s terms of service to understand how business information is stored, processed and potentially reused. Sensitive corporate data should never be uploaded unless the platform fully meets the organisation’s security and compliance requirements.

As AI adoption continues to reshape business operations, maintaining strong AI cybersecurity practices will become increasingly important. By combining employee awareness, clear governance policies and cost-effective security solutions, businesses can benefit from artificial intelligence while reducing the risks associated with Shadow AI.