Article · 13th Jul 2026 · AI for Growth
Is Your Business Using AI Safely? Here's How to Check
Most UK small businesses using AI have no security practices in place. Find out what to look for and how to check in under 10 minutes.
Most UK small businesses using AI have no security practices around it. Not because they don't care about security, they do. It's because the conversation about AI risk usually focuses on things that feel distant, like deepfakes and state-sponsored attacks. The real risk is closer and more ordinary than that.
To check if your business is using AI safely, review which AI tools your staff are actually using, what data is going into them, which tools you've formally approved, and whether your team knows the rules. Most of this can be done in an afternoon, without any technical knowledge.
According to the UK Government's Cyber Security Breaches Survey 2025/2026, of the 31% of UK businesses currently using or adopting AI, only 24% have any process in place to manage the security risks. That means three in four businesses using AI tools have no house rules around them. No guidance on what staff can paste in. No checks on which tools can see customer data. No record of which AI services the business is actually using.
That's the gap. And it's one of the most practical things a small business can close right now.
What does "using AI safely" actually mean?
It doesn't mean turning AI off or hiring a security consultant. For most small businesses, it means answering four basic questions, and knowing how to answer each one properly.
1. Do you know which AI tools your team is using?
The risk isn't usually the tool you chose. It's the tool someone on your team signed up for at lunch without telling anyone. According to the Verizon 2026 Data Breach Investigations Report, unsanctioned AI tools were involved in 45% of breaches in 2025/2026, roughly triple the year before. By the time that's discovered, the data has already been processed and stored by a third-party service you didn't evaluate.
Here's how to actually find out, rather than guess:
- Hold a ten-minute team conversation. Ask directly: "What AI tools do you use for work, including anything you signed up for yourself?" Most staff aren't hiding anything, they've just never been asked.
- Ask in your team chat. A single message in Slack, Teams, or WhatsApp asking people to reply with any AI tools they use often surfaces two or three you didn't know about.
- Do a quick audit of browser extensions and app subscriptions. Check company card statements for AI subscriptions, and look at browser extensions on shared or work devices. Recurring charges to tools you don't recognise are a common way shadow AI shows up.
- Check your email and calendar for AI add-ons. Many AI tools connect via an "Add to your account" flow inside Gmail, Outlook, or Google Calendar. These are easy to miss because no separate login is created.
None of this needs to feel like an investigation. Most business owners are surprised by what turns up, not because staff are being careless, but because nobody had asked before.
2. What data is going into those tools?
AI tools learn from and process what you put into them. If a member of staff is pasting in a client email, a contract, financial data, or HR records, that information is being handled by the tool's provider under whatever terms they've agreed to.
You don't need to ban all data input. You just need to know what's going in and decide what's acceptable. A practical way to do this is to ask your team to flag, just for one week, any time they paste business or customer information into an AI tool. You'll get a realistic picture of your actual exposure, rather than a guess.
3. Which tools have you actually approved?
The simplest approach is to pick one or two AI tools your business has evaluated and decided are acceptable. Microsoft 365 Copilot and Google Gemini within Workspace both process data within your existing tenant and are covered by your existing data processing agreements. If your business already uses these platforms, they're a lower-risk starting point than external tools with unknown data handling. Anything else should be a conscious decision, not an accident.
Approving a tool doesn't need a formal procurement process. It can be as simple as the business owner deciding "we use this one for this kind of work" and writing that down somewhere the team can see it.
4. Do your staff know what the rules are?
Security guidance doesn't have to be complex. A single page covering which tools are approved, what data can be used in them, and who to ask if they're unsure is more useful than a detailed policy nobody reads.
Share it somewhere staff already look, a pinned message in your team chat, a page in your shared drive, or a line in your onboarding checklist. A rule nobody has seen isn't a rule.
UK GDPR and AI tools: what small businesses actually need to know
You don't need to be a lawyer to get this right, but UK GDPR does apply to how your business uses AI, and it's worth understanding in plain English.
If an AI tool processes personal data on your behalf, customer names, email addresses, contact details, anything that identifies a real person, the tool's provider is usually acting as a "data processor." In plain terms, that means they're handling data for you, under your instructions, rather than deciding independently what to do with it. Your business, as the "data controller," stays responsible for that data even though someone else's software is processing it.
In practice, this means three things for a small business:
- Check there's a data processing agreement (DPA) in place. Reputable AI providers, including Microsoft, Google, and OpenAI for business accounts, publish standard DPAs. If you're using a tool for work and it's the kind of tool that could see personal data, it's worth confirming a DPA exists and covers how you're using it.
- Free, personal-account versions of AI tools often carry more risk. Many free consumer AI tools use conversations to improve their models by default, and the terms covering personal accounts are often different, and weaker, than business or enterprise tiers. If staff are using personal ChatGPT, Gemini, or Claude accounts for work tasks involving customer data, that's a bigger question mark than if the business has a proper business subscription.
- Your obligations don't disappear because AI is involved. If your business already has GDPR practices in place, such as knowing what personal data you hold and why, those same principles apply when an AI tool is part of the process. The tool changes how the work gets done. It doesn't change who's accountable for the data.
None of this requires a compliance department. It requires knowing which tools touch personal data, and having a basic answer for "is there an agreement covering this" if anyone ever asks.
The numbers are blunt
43% of UK businesses reported a cyber security breach or attack in the past year, according to the UK Government's Cyber Security Breaches Survey 2025/2026. AI isn't the main cause yet, but it's creating new routes for the risks that already exist.
The good news is that basic practices, knowing what tools you use, deciding what data is acceptable, and telling your team, put you ahead of the majority of UK businesses. This isn't about perfection. It's about not being the easiest target.
Quick checklist: is your business using AI safely?
Use this as a fast recap. If you can tick all five, you're ahead of most UK small businesses.
- You've asked your team directly which AI tools they use, including personal accounts used for work.
- You've checked company card statements and browser extensions for AI subscriptions nobody flagged.
- You know, roughly, what kind of data staff put into AI tools, including whether it includes customer or financial information.
- You've chosen at least one approved AI tool and confirmed it has a proper business agreement in place, not a free personal account.
- You've written down the rules in one place your team can actually find, and told them where it is.
If any of those are unticked, that's your starting point, not a reason to worry.
Check where you stand right now
AI for Growth has built a free AI Security Healthcheck for UK small businesses. It asks you straightforward questions about how your business is using AI and gives you a practical view of where your risks are and what to do about them.
It takes less than 10 minutes and doesn't require any technical knowledge.
Common questions
Frequently asked questions
AI for Growth
National initiative helping UK businesses adopt AI