I want to be direct about something. AI creates tremendous opportunity, but it also changes the risk picture. Small businesses and NonProfits cannot afford to treat AI like a toy. And they cannot afford to treat cybersecurity like an IT side project.

AI makes security tools better. It also makes attackers better. The same technology that can help detect threats faster will also help criminals write better phishing emails, create convincing impersonations, and scan for weaknesses at scale. The answer is not to avoid AI. The answer is to use it thoughtfully and defend against it seriously.

The Threat Picture Has Changed

Cybersecurity has always changed quickly. AI has increased that speed dramatically. Attackers no longer need to be experts in every industry. They can use AI to research your organization, mimic your writing style, create fake invoices, and craft messages that feel familiar because they have learned how you communicate.

That creates a real problem for leaders because yesterday's awareness training may not be enough for tomorrow's attacks. The old guidance - look for misspellings, odd formatting, weird wording - that is largely out the window. AI-generated phishing can be polished, specific, and emotionally convincing. It can reference real people, real events, and real business processes. It can sound like someone your team knows, likes, and trusts.

Being small does not make your organization invisible. In many cases, it makes you attractive. Attackers know that Small Businesses and NonProfits often have weaker controls, smaller teams, and less formal processes in place. They also know that many small organizations run on trust. In a team where many people know each other by name, a convincing message from a familiar-sounding sender is less likely to be questioned. That trust - which is a genuine strength in your mission and culture - becomes a vulnerability in cybersecurity.

The Struggle of Love Foundation lost $60,000 to a social engineering attack.
The executive director received a text about suspicious bank activity, followed by a call from someone posing as the bank. The money was moved under pressure. It felt urgent and legitimate. One simple protocol could have stopped it - call the bank directly using a known official number before moving any funds. Not the number in the text. Not the number the caller gives you. The number on your bill, your statement, or the bank's direct website.

AI-Generated Phishing and Deepfakes

Phishing used to be easier to spot. Today AI-generated phishing can be polished, targeted, and emotionally convincing. People are already using AI to write emails, draft responses, and power chatbots. It is not surprising that phishing - which is human psychology being weaponized - can now be just as convincing.

Deepfake audio and video are no longer science fiction. A convincing voice message from a leader, a board member, a vendor, or a donor can be enough to pressure someone into taking action. The control here is not to be suspicious of everything - that is not practical. The control is to have verification procedures in place that do not depend on trust alone.

Your staff needs to slow down and verify, especially when a message involves urgency, money, passwords, gift cards, payroll, or any other kind of sensitive data. Those are the places where your guard needs to be highest. And build a culture where staff are praised for verifying, not criticized for delaying. That five-minute pause can save five years of reputational damage.

One of our clients recently sent a communication to their own clients defining exactly how they would communicate about financial matters. That is the right move. Establish the rules of engagement so that your clients, donors, and partners know what to expect from you - and can recognize when something does not match.

The Basics Still Matter - More Than Ever

AI does not eliminate the fundamentals of cybersecurity. It makes them more important. Multi-factor authentication, password management, endpoint protection, backups - not just on your server but on SharePoint, Google Workspace, and every system where your data lives - patching, least privilege access, logging, and staff training. These are not old tech. They still matter today.

Security is not what you bought. It is what is actually working. We once found a prospect who had experienced a ransomware attack. When we reviewed their network setup, someone had turned off the intrusion detection and prevention system on their firewall because a staff member had complained that the internet was too slow. The IT provider turned it off instead of upgrading the hardware. That organization was paying for protection they did not have. They did not know the protection had been disabled.

Before you expand AI use in your organization, make sure those fundamentals are in place. AI will not fix a weak foundation. In fact, it may increase your exposure if your data and permissions are already messy.

AI can help with monitoring, threat detection, email filtering, identity protection, and incident response.
But tools alone are not the strategy. A tool has to be configured, monitored, updated, and tied into a response plan. Otherwise it becomes another dashboard nobody looks at.

Data Privacy Starts With Knowing What You Have

Data privacy starts with inventory. Where is your sensitive data stored? Who has access to it? Is it in email, SharePoint, Dropbox, a donor database, an EHR, a CRM, QuickBooks, a case management system, someone's desktop? You cannot protect what you have not identified.

This is especially important before you connect AI tools to your systems. If you install an AI assistant on a workstation, it has access to everything that logged-in user has permission to access. That can be powerful. It can also be a serious problem if permissions have grown messy over time.

Many organizations grow organically. Staff come and go. Vendors are connected and later removed - or not removed. Programs change. Over time, permissions accumulate. Connecting AI to that environment does not create a new problem. It makes the existing problem faster to exploit. AI can collapse hours of searching into seconds. If it is pulling in the wrong things, you need to know that before it starts.

The Governance Question Worth Asking

Here is a practical test. If an employee asks an AI assistant to summarize all the documents they can access about payroll, client issues, employee discipline, donor relationships, contracts, or health information - would the answer only include what that person should legitimately see for the purpose of their work?

If you are not sure, that is the answer. And it is the right question to ask before AI has broad access to your environment.

AI does not magically know what is confidential, sensitive, restricted, or for leadership only. It relies on the permissions and controls already in place. We run a security check on Microsoft 365 environments against common AI models to find out whether it is safe to connect. In every environment we have tested, it was not safe out of the box. Every single one needed work first.

The real governance question is not just whether the AI tool is secure. It is whether your data environment is ready to be searched, summarized, and automated by AI.

Start Read-Only Before You Allow AI to Act

When organizations adopt AI, there is excitement about automation - update the CRM, create tickets, change records, send emails, move files, trigger workflows. Those may be useful eventually. But the safer starting point is read-only access. Not having AI create or change things, but having it give you information.

Read-only does not mean no risk. If AI can read sensitive information that a staff member should not see, that still matters. But read-only does reduce the chance that a mistake, a hallucination, a bad prompt, a compromised account, or a poorly designed workflow sends the wrong message, deletes data, or exposes information to the wrong audience.

A good first phase is to let AI help people find information, summarize documents, draft internal notes, answer policy questions, or prepare reports from data they already have permission to access. Then review the outputs, review the logs, and confirm that the tool is respecting role-based access. Only after that should you consider allowing AI to write back to systems or take action. And you may never need to go that far - business intelligence is often enough.

Compliance Is Not Optional

If your organization operates in a regulated environment - healthcare, legal, financial services, education, government contracting - AI adds another layer to your compliance obligations. You need to understand what data goes into the tool, where it is stored, how it is used, and whether it can be retained or trained on.

For healthcare organizations, AI tools that touch patient data must be evaluated carefully. A vendor brochure saying HIPAA compliant is not enough. You need the right agreements, access controls, auditability, and workflow design.

If you are in Connecticut, new AI and data privacy laws went into effect on July 1st. Be educated. Data obligations follow the data - not your intentions, and not the size or mission of your organization.

Never assume a vendor's compliance claim means what you think it means. Ask what data they collect, where it is stored, whether your data trains their model, whether logs are retained, what security certifications they hold, and whether they will sign the agreements your industry requires. Marketing language is not a control.

A Practical Checklist Before You Connect AI to Anything

Identify the systems that hold sensitive data - email, cloud storage, accounting, payroll, HR, donor systems, client databases, case notes, contracts, board materials, and anything sitting on desktops or in line of business applications.

Clean up permissions before giving AI broad visibility. Look at who has access, what groups exist, what external sharing is enabled, and whether former employees, vendors, interns, volunteers, or inactive accounts still have access. Old sharing links are a particular problem - they are easy to create and easy to forget.

Classify your sensitive information. Know what is public, internal, confidential, regulated, or restricted. Those classifications will save you later.

Verify how each AI vendor handles your data. Does the tool train on your data? Where is data stored? Are prompts retained? Can admins view usage? Are logs available? Will the vendor sign required agreements?

Start with controlled, read-only use cases, known users, limited data access, clear rules, and reviewable activity. Review who actually has access to your core systems right now - not who should have access in theory, but who has it today. Then do the rest.

The Takeaway

AI makes security more important, not less. It can help protect your organization, but only if it is implemented with controls, oversight, and the right partners. You do not need to become a cybersecurity expert. But as a leader, you do need to ask better questions and demand clear answers.

The goal is not fear. The goal is readiness. Knowing who already has the keys is the starting point. Because once you know that, you know what the situation actually is - and you can start from there.

Want to know if your environment is ready for AI?
I-M Technology serves NonProfits and Small Businesses across Connecticut and Rhode Island. We can run a security check on your Microsoft 365 environment against common AI models to find out where you stand. Schedule a free discovery call or call (866) 755-4486.

This post is part of our AI Leadership for NonProfits webinar series. All sessions are available at i-mtechnology.com/blog.

I-M Technology · info@i-mtechnology.com · i-mtechnology.com · (866) 755-4486