The worry is real, but it is pointed at the wrong thing
When an owner says "I do not want my data going to my competitors," the picture in their head is usually a model quietly studying their account and whispering their margins to a rival. That is not where small businesses lose data. The actual leak is far more ordinary, and far more common.
A rep is in a hurry. They paste a customer list into a free chatbot to clean up the formatting. They drop a signed contract in to summarize the terms. They feed last quarter's price sheet in to draft a proposal. The personal, free tier they used has terms that let the provider keep and learn from whatever gets typed in. No villain, no breach notice. Your most sensitive records just left the building through the front door, one helpful shortcut at a time.
So the question is worth taking seriously. It just needs to point at the habit, not the headline.
What the data this month actually says
On May 14, NTT DATA published research drawn from close to 5,000 senior decision-makers across more than 30 markets. The finding that matters for an owner reading this is the gap between knowing and doing.
More than 95 percent of those leaders said keeping AI private and under their own control matters. Fewer than one in three were giving it concrete near-term priority, and only about 38 percent had high confidence in their own cloud security. The instinct is nearly universal. The follow-through is rare.
Source: NTT DATA, 2026 Global AI Report, May 14, 2026.
That research studies large enterprises, not small distributors. The lesson runs the other way, though. If companies with security teams and legal departments are mostly not acting on an instinct they all share, a 14-person business with none of that overhead is even more exposed. The advantage a small company has is speed. You can set this up right in a month, before any bad habit hardens, while a big enterprise spends a year unwinding theirs.
Meet Acme Industrial Supply
One of the most common B2B businesses there is
Acme is a regional distributor. They sell industrial and maintenance supplies to manufacturers, contractors, and facilities teams. About 14 people, roughly 8 million dollars in revenue, a sales team of five, one person who keeps the books and the CRM honest. No IT department. The owner does payroll on Fridays. This is the most ordinary B2B shape in the country, and the setup below maps onto a law firm, an HVAC installer, a packaging reseller, or a managed services provider with almost no changes.
Here is what Acme has that they do not want a competitor to ever see: the customer list and who buys what, the cost-plus margins on every line, the renewal dates and contract terms, and the win and loss notes that say exactly why a deal closed or died. That is the whole business, written down. The fear is correct that this should not leak. The work is making sure it cannot, without telling the team to avoid AI entirely, which they will ignore anyway.
Five decisions that set it up right the first time
None of these require new software you do not already have, and the first three cost nothing.
Business accounts only. No personal free accounts for company work.
The paid business and team tiers of the major AI tools carry terms that say the provider does not train on your inputs. The free consumer tiers often do not. This one switch closes the most common leak. Acme moves its five reps onto a single business plan and turns off any personal account use for customer work. Cost: a small monthly seat fee, not a project.
Write down what never goes into a prompt.
One short list, posted where the team can see it. For Acme: no full customer lists, no cost or margin figures, no signed contracts, nothing that names a specific account next to a specific price. The team can use AI on everything else freely. A clear boundary that everyone knows beats a vague fear that nobody acts on.
Keep a human above the loop on every buyer-facing move.
AI does the research, the summary, and the first draft. A named person owns every email, quote, and proposal that reaches a buyer, and every change written back to the CRM. Nothing ships because an AI produced it. You keep the speed and you keep your name on the line, which is where it belongs. This is the principle I build every client workflow on, and it is the difference between AI that helps and AI that embarrasses you.
Point AI at one system of record, not nine personal tools.
Acme decides the CRM is the single place truth lives. AI reads from it and proposes writes to it, but the writes go through the review in Decision 3. When every rep keeps their own notes in their own apps, you cannot govern what AI touches because you cannot even see it. One source makes the whole thing reviewable.
One page of policy, one named owner.
Not a binder. One page that states the rules above and names the single person accountable for them. At Acme that is the office manager who already owns the CRM. A policy with no owner is a wish. A policy with an owner is a practice. You will find a copy-paste version of that page below.
What setting this up actually looks like for a 14-person company
This is the part owners rarely get a straight answer on. It is not a quarter-long consulting engagement with a discovery phase and a steering committee. For a team of 5 to 50, it is about 30 days of light effort.
Move the team onto business accounts. Write the do-not-paste list and post it. That alone removes most of the risk.
Name the one system of record and the one review owner. Decide which buyer-facing steps always pass through a human before they send.
Stand up a single governed workflow, such as pre-call research or proposal drafting, and run it with the review gate in place. One workflow done right teaches the pattern for the rest.
Finalize the one-page policy. Walk the team through it in 20 minutes. Set a date 90 days out to add the next workflow.
That is the whole thing. A small business can be genuinely set up right, with the data protected and the team moving faster, inside a month. The reason to do it now rather than later is simple: it is far cheaper to set the habit than to break it.
Your one-page AI use policy, ready to copy
Whether or not you ever work with me, here is the page Acme posted. Change the names to yours and you have removed most of the risk this morning.
AI Use Policy (one page)
- Accounts. Company work uses our business AI accounts only. No personal or free accounts for anything involving a customer.
- Never goes in a prompt. Full customer lists. Cost and margin figures. Signed contracts. Any place that pairs a named account with a price. When in doubt, leave it out and ask.
- A human owns every send. AI can research, summarize, and draft. A named person reviews and approves every message to a buyer and every change to the CRM before it goes out. Nothing ships on AI's say-so alone.
- One place for truth. The CRM is the system of record. AI reads from it; proposed changes go through the review above.
- Owner. [Name] owns this policy. Questions go to them. We review it every 90 days.
Adapt freely.
The point
You were right to ask the question. You were just aiming it at the model when the leak lives in the habit. Set the five decisions, post the one page, and your team gets the speed of AI while your customer list, your margins, and your contracts stay yours. Do it in the first month and it is a half-day of decisions. Do it after the habits form and it is a cleanup project. The owners who win this year are the ones who set it up right while it is still cheap to do.