SMBs generally have a fire evacuation plan, work health and safety policies, liability and cyber insurance, and financial controls.
Some have acceptable use policies for technology. Some have device management. Some even have a cyber incident response plan.
But I rarely see an SMB with an AI usage policy.
Staff can be using AI tools that touch customer data, generate content published under the brand, and influence business decisions. But there is no policy governing any of it.
Some of those tools are not even what they claim to be. There are wrappers and extensions out there that look like they give you more from an AI platform. Some are legitimate. Some are not. They sit between your staff and the actual AI service, and everything typed into them passes through something you have never vetted. There is no privacy policy. No terms of use. No guarantee about where that data goes.
Without a policy that governs which tools are approved and how they are identified, nobody is checking. Nobody even knows to check.
None of that is malicious. All of it is risk.
An AI usage policy does not have to be complicated. But it does have to exist. Because right now the default in a lot of SMBs is: use whatever you find, and hope nothing goes wrong.
We insure against things that might happen. We should be governing the things that are already happening.