AI Adoption for SMBs - What we Recommend and What We Don't

We’ve been refining our point of view on responsible AI adoption for SMBs. The goal isn’t to adopt every new AI tool. It’s to introduce AI in ways that improve productivity, protect business data, and create long-term operational value.

That usually means sanctioned AI by role, governance built into integrations, human review for client-facing work, and clear policies around acceptable use.

It also means avoiding the common traps: shadow AI, unmanaged integrations, and assuming one tool fits every use case.

What We Recommend

AI works best when it’s introduced intentionally – with clear governance, defined use cases, and measurable outcomes.

√ Sanctioned AI, defined by role. Copilot is the right foundation for the broad employee population - it’s governed, integrated with Microsoft 365 identity and security, and predictable to license. Some roles need more than the default. That can mean reaching another model through Copilot – Copilot Studio can run agents on non-Microsoft models while keeping everything inside your goverend tenant – or, where a tool’s native capabilities are the point (Claude Code, Claude Design for developers, for example) sanctioning that tool directly for a specific business unit. The deciding question is whether you need the model or the whole product.  

√ Governance that lives in the connectors. Use Copilot connectors - including custom ones - to control what AI can access, what it can do with that access, and who’s allowed to ask. Governance belongs in the integration layer, not in the chat window.  

√ Human-in-the-loop for anything client-facing or decision-bearing. AI drafts, people approve. Especially for financial, legal, regulatory, or client communications.  

√ A written AI use policy, even a short one. Define what’s sanctioned, what’s not, and what data is off-limits. Clarity prevents most missteps before they happen.  

√ Pilot with a small group, then expand. Three to five power users, real measurement of what saved time, then broaden the rollout. Skips the guesswork.  

√ Treat AI as a capability layer, not a product. The value comes from how it’s woven into the tools and workflows already in use - Teams, SharePoint, line-of-business systems - not from buying a separate “AI tool” for every problem.  

What We’d Be Careful About

Most AI problems in SMBs don’t come from the technology itself. They come from unclear governance, unmanaged access, and rushed adoption.

⚠ Free versions of consumer AI for business work. Free tiers typically lack enterprise data protection, contractual privacy guarantees, and audit trails - and prompts may be used to train the model. Convenient, but the wrong tool for business data.  

⚠ Ungoverned, decentralized integrations to business systems. Some AI tools make it easy for individual users to connect directly to Microsoft 365, SharePoint, or other systems on their own terms. Frictionless for the user, invisible to the business - and impossible to answer ”what data did AI touch and who saw it?”  

⚠ Assuming one AI engine will serve every role equally. Copilot is the recommended foundation for the broad employee population, but specific roles - marketing, development, systems integration - often benefit from a second sanctioned tool chosen deliberately. Forcing one tool to do everything tends to push people toward shadow AI.  

⚠ Replacing judgment with AI output. AI is a research assistant and a drafting partner, not a decision-maker. Financial decisions, hiring, regulated work, and client deliverables all require a human to make the final call.  

⚠ Training custom models when you don’t need to. For most business use cases, prompting and retrieval against an existing model beats fine-tuning in terms of cost, time, and accuracy. Reach for it only when the simpler path genuinely doesn’t work.  

⚠ Skipping governance because the business is “too small.” Smaller businesses are exactly the ones that can’t easily absorb a data leak or a misinformed AI-generated client deliverable.