Q&A
How SMBs Can Embrace AI Without Inviting Chaos
Tricia Diamond explains why shadow AI is already a problem for most organizations, how smaller businesses can build practical AI governance without enterprise budgets, and where AI is delivering its biggest business value.
We've spilled plenty of digital ink over AI's promised productivity gains, but for many SMBs, the first hurdle to adoption is figuring out how to adopt, deploy and manage it with an eye toward practicality.
Tricia Diamond, director and founder of Diamond PMO Solutions, believes organizations need to think about AI governance and readiness before they think about AI-driven productivity. At this September's AI Pivot conference, taking place Sept. 25 in Anaheim, Calif., Diamond will present sessions on both practical AI applications for document work and reporting, as well as governance strategies tailored specifically for SMBs. In this Q&A, Diamond discusses the growing risks of shadow AI, explains why enterprise governance models don't translate directly to smaller organizations, and shares practical frameworks for evaluating AI vendors and platforms:
Pure AI: In “AI Risk, Readiness & Governance for SMBs,” you say that shadow AI is already inside most organizations. What's the most surprising, damaging or concerning real-world example of shadow AI you've encountered? (Without naming names, of course!)
Diamond: The most concerning example I encountered involved a federally funded debt relief initiative where staff were using unsanctioned AI tools to process all project documentation. The records contained protected health information tied to medical debt forgiveness, including billing details that revealed diagnoses, treatment histories, and financial hardship data belonging to some of the most vulnerable members of the community being served. By pasting documentation into various free consumer AI accounts, staff had transmitted protected health information outside any Business Associate Agreement framework, creating a direct HIPAA violation and a significant audit liability for a program already operating under federal oversight.
No one involved had malicious intent. Most shadow AI behavior is driven by employees trying to work more efficiently, but even well-intentioned experimentation with unsanctioned tools can create serious security and compliance risks, particularly where patient data and HIPAA are involved.
More than 40 percent of healthcare professionals report encountering unauthorized AI tools in their organizations, while nearly one in five admit to personally using them, citing productivity improvements or a lack of approved alternatives as their rationale. At the organizational level, a 2025 IBM study found that 97 percent of organizations which had experienced an AI-related security incident lacked proper AI access controls and 63 percent lacked AI governance policies entirely.
There are structural governance failures when there’s not an acceptable use policy, data classification guidance, or a way for employees to ask whether a tool was approved before using it. Entering protected health information into AI tools without a signed Business Associate Agreement is a HIPAA violation regardless of intent, because consumer AI platforms are not designed for healthcare use and typically do not offer BAAs. Sorry, but that’s a liability you can’t brush off because an employee meant well or wants to increase productivity, because it’s too expensive to clean up on the back end in terms of damage to real people’s health information and your professional reputation.
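The first practical step against the shadow AI described above is simply seeing it. The following script is an added example, not code from the interview or from Diamond PMO Solutions: it scans a constructed, space-separated proxy log (timestamp, user, method, URL, bytes out) for requests to consumer AI hostnames and separates plain chat traffic from large document uploads, which are the events most likely to carry whole records. The hostnames, the sanctioned enterprise endpoint and the upload-size threshold are all assumed placeholders; a real deployment would take them from its own proxy categories and data classification rules.

```python
"""Flag likely shadow-AI traffic in web proxy logs.

Added example, not from the interview or Diamond PMO Solutions. Assumes a
space-separated proxy log (timestamp user method url bytes_out) and a
constructed list of consumer AI hostnames; none of these are a vetted blocklist.
"""
from collections import defaultdict
from urllib.parse import urlparse

# Constructed hostnames standing in for consumer AI endpoints (assumption).
CONSUMER_AI_HOSTS = {
    "chat.example-ai.com",
    "assistant.example-llm.net",
}
# Sanctioned enterprise tenant the organization holds a BAA/DPA for (assumption).
SANCTIONED_HOSTS = {"ai.corp.example"}

# Outbound POST bodies above this size look like pasted documents, not a question.
LARGE_UPLOAD_BYTES = 50_000

# Constructed sample proxy lines: timestamp user method url bytes_out
SAMPLE_LOG = """\
2025-09-01T09:12:04Z alice POST https://chat.example-ai.com/backend/conversation 182044
2025-09-01T09:13:10Z bob GET https://intranet.corp.example/index.html 512
2025-09-01T09:15:22Z alice POST https://chat.example-ai.com/backend/conversation 2210
2025-09-01T10:02:47Z carol POST https://ai.corp.example/v1/chat 91000
2025-09-01T10:20:05Z dave POST https://assistant.example-llm.net/api/upload 640000
"""


def parse_line(line):
    """Split one log line into a dict; the hostname is taken from the URL."""
    ts, user, method, url, bytes_out = line.split()
    return {"ts": ts, "user": user, "method": method,
            "host": urlparse(url).hostname, "bytes_out": int(bytes_out)}


def classify(event):
    """Return 'sanctioned', 'shadow-ai-upload', 'shadow-ai', or None for other traffic."""
    host = event["host"]
    if host in SANCTIONED_HOSTS:
        return "sanctioned"
    if host in CONSUMER_AI_HOSTS:
        if event["method"] == "POST" and event["bytes_out"] >= LARGE_UPLOAD_BYTES:
            return "shadow-ai-upload"
        return "shadow-ai"
    return None


def scan(log_text):
    """Summarise, per user, how many unsanctioned AI requests and large uploads occurred."""
    summary = defaultdict(lambda: {"events": 0, "uploads": 0, "bytes_out": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        verdict = classify(ev)
        if verdict in ("shadow-ai", "shadow-ai-upload"):
            s = summary[ev["user"]]
            s["events"] += 1
            s["bytes_out"] += ev["bytes_out"]
            if verdict == "shadow-ai-upload":
                s["uploads"] += 1
    return dict(summary)


if __name__ == "__main__":
    for user, s in sorted(scan(SAMPLE_LOG).items()):
        print(f"{user}: {s['events']} shadow-AI requests, "
              f"{s['uploads']} large uploads, {s['bytes_out']} bytes out")
```

Run against the constructed log, the report names alice (two chat requests, one of them a large upload) and dave (one large upload); carol's traffic to the sanctioned tenant and bob's intranet browsing are not flagged. Byte counts matter more than request counts here: a 600 KB POST to a consumer endpoint is the kind of event that deserves a conversation with the employee, and a log like this is what makes the "monthly prompt audit" mentioned later in the interview concrete.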
Many SMBs assume AI governance is something only large enterprises need. What are the biggest risks facing smaller organizations that don't put guardrails in place early?
The assumption that AI governance is an enterprise problem is one of the most dangerous misconceptions I encounter in my work with smaller organizations. The risks facing SMBs which skip guardrails can’t be minimized by categorizing them as smaller versions of enterprise risks. In several important ways they’re more acute, since lean teams have less capacity to absorb a compliance failure, data breach, or discrimination lawsuit.
There are four risk categories every SMB needs to understand, starting with this: the regulatory patchwork is already here, and it applies to you too. Following the January 2025 executive order revoking the previous federal AI safety framework, AI compliance obligations shifted entirely to the state level, meaning no unified federal standard exists and small businesses must navigate individual state requirements based on where their customers live and where their employees work. Colorado passed comprehensive AI governance legislation in 2024, and states including California, Illinois, New York, and Washington are advancing similar measures, creating a complex compliance matrix for SMBs trying to standardize their practices nationally.
Most employees are using AI without organizational guidance. A June 2025 Gallup survey found that while 44 percent of employees reported their organization had started integrating AI, only 22 percent said their organization had communicated a clear plan or strategy for doing so. Your liability rests in this gap.
Vendor AI risk flows downstream to you: if a key vendor or partner uses AI in ways that affect your data or your customers, their governance failures become your liability, which means vendor risk assessments must now include questions about how partners use AI and what controls they have in place. Confidence doesn’t equal compliance. A 2025 UpGuard report found a positive correlation between employees who reported understanding AI security requirements and those who regularly used unapproved tools, meaning telling employees to be careful with AI is not a governance strategy.
The good news is that right-sized governance doesn’t need an enterprise legal team or a six-figure compliance budget. A one-page acceptable use policy, a data classification rule, or a five-question vendor checklist closes the most significant exposure immediately.
You've translated governance practices from managing large federal portfolios into frameworks for SMBs. Which governance principles scale down most effectively, and which don't?
My governance experience comes from directing the nearly $400 million ARPA Implementation PMO for a Gulf Coast municipality, where I oversaw more than 100 concurrent capital projects and achieved 100 percent federal audit compliance using AI-integrated tracking systems. That environment was heavily regulated, documented, and resourced accordingly. Translating those practices into frameworks a ten-person SMB can actually use required being ruthless about what travels and what can’t.
What scales down effectively? The first principle that transfers almost perfectly is risk tiering. In federal portfolio management, you don’t apply the same scrutiny to a $50,000 maintenance contract as you do to a $40 million infrastructure project, and that same logic applies to AI governance. The NIST AI Risk Management Framework, which federal agencies and their contractors are already required to follow, organizes governance around four core functions: Govern, Map, Measure, and Manage. Its July 2024 Generative AI Profile extends that structure specifically to the large language models and AI tools most SMBs are already using. A three-tier risk classification covering low, medium, and high risk is something any SMB can implement in an afternoon without outside counsel.
The second principle which scales beautifully is the human verification checkpoint. In federal project management, no AI-assisted output becomes an official record without a credentialed human reviewing and signing off. That same rule, applied to any AI output that becomes a business decision, closes the accountability gap which gets SMBs into trouble. It doesn’t require technology, budget or a legal team.
The third is documentation as protection rather than bureaucracy. Lean governance principles drawn from portfolio management establish that governance should enable rather than gate, replacing stage-gate approvals with guardrails and bureaucratic review cycles with cadence. A one-page acceptable use policy and a simple incident log are the SMB expression of the same discipline that produces a federal audit trail.
What does not scale down is the centralized AI oversight committee; it won’t work in lean organizations. Enterprises can staff a dedicated AI governance function while a 10-person professional services firm can’t. Attempting to replicate that enterprise structure creates what compliance professionals call compliance theater, meaning the appearance of governance without the substance. Limited resources, including budget constraints and lack of skilled compliance staff, are among the most common reasons governance frameworks fail in smaller organizations. Continuous monitoring systems also can't translate directly. Federal portfolios use automated dashboards and real-time telemetry; the SMB equivalent is a monthly prompt audit and a standing question in team meetings asking whether any AI output became a decision that week and whether a human verified it. The principle is identical at zero infrastructure cost.
The core insight is that federal governance is not smarter than SMB governance because it is more resourced. Strip it down to the underlying principles of risk tiering, human verification, and documentation, and those principles are actually more powerful in a small organization because everyone can see and own them.
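The three principles in the answer above (risk tiering, a human verification checkpoint, and a simple log) fit in a few dozen lines of policy-as-code. The block below is an added example, not the interview's or the PMO's own tooling: it maps a request's data classification and intended use to a low/medium/high tier, attaches the control each tier requires, blocks high-risk output that lacks a named reviewer, and appends every decision to an audit log. The data classes, use types and the tier rule itself are assumptions chosen to illustrate the shape of the policy; an SMB would substitute its own one-page classification.

```python
"""Three-tier AI risk classification with a human verification checkpoint.

Added example, not from the interview. The data classes, use types, tier rule
and required controls are assumptions an organization would replace with its
own acceptable use policy.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Data classification levels, least to most sensitive (assumed).
# "regulated" stands for PHI/PII covered by HIPAA or similar rules.
DATA_CLASSES = ["public", "internal", "confidential", "regulated"]
# What the AI output is used for, least to most consequential (assumed).
USE_TYPES = ["draft", "analysis", "decision", "official_record"]

# Controls per tier (assumed): medium needs an approved tool, high also
# needs a credentialed human to sign off before the output is relied on.
TIER_CONTROLS = {
    "low": {"approved_tool_required": False, "human_signoff": False},
    "medium": {"approved_tool_required": True, "human_signoff": False},
    "high": {"approved_tool_required": True, "human_signoff": True},
}


def risk_tier(data_class, use_type):
    """Tier is driven by the more sensitive of the two dimensions; regulated data is always high."""
    if data_class == "regulated":
        return "high"
    score = max(DATA_CLASSES.index(data_class), USE_TYPES.index(use_type))
    if score <= 1:
        return "low"
    if score == 2:
        return "medium"
    return "high"


@dataclass
class AiRequest:
    requester: str
    tool: str        # name of the AI tool or environment being used
    data_class: str  # one of DATA_CLASSES
    use_type: str    # one of USE_TYPES


@dataclass
class GovernanceLog:
    approved_tools: set
    entries: list = field(default_factory=list)

    def evaluate(self, req, reviewer=None):
        """Apply the tier's controls and record the outcome. Returns (status, tier, reasons)."""
        tier = risk_tier(req.data_class, req.use_type)
        controls = TIER_CONTROLS[tier]
        reasons = []
        if controls["approved_tool_required"] and req.tool not in self.approved_tools:
            reasons.append(f"tool '{req.tool}' is not on the approved list")
        if controls["human_signoff"] and not reviewer:
            reasons.append("high-risk output needs a named human reviewer before use")
        status = "allowed" if not reasons else "blocked"
        self.entries.append({
            "ts": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "requester": req.requester, "tool": req.tool, "tier": tier,
            "status": status, "reviewer": reviewer, "reasons": reasons,
        })
        return status, tier, reasons


if __name__ == "__main__":
    log = GovernanceLog(approved_tools={"corp-ai-tenant"})  # constructed tool name
    print(log.evaluate(AiRequest("alice", "free-chatbot", "regulated", "analysis")))
    print(log.evaluate(AiRequest("alice", "corp-ai-tenant", "regulated", "analysis"), reviewer="dr.smith"))
    print(log.evaluate(AiRequest("bob", "free-chatbot", "public", "draft")))
    for entry in log.entries:
        print(entry)
```

The first request is blocked twice over (unapproved tool, no reviewer), the second passes because both controls are met, and the third is allowed because a public-data draft sits in the low tier where no control applies. The log entries are the "simple incident log" from the answer: they are what an auditor, or the monthly prompt audit, reads.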
What are the most common mistakes companies make when evaluating AI vendors, particularly around training data, privacy, and cybersecurity protections?
Most organizations approach AI vendor evaluation the same way they evaluate any software purchase: they review the feature list, check the pricing, and ask a few general security questions. That approach is dangerously inadequate for AI tools, because the risks are categorically different. Here are the four most common and consequential mistakes I see.
1. Accepting claims without requiring evidence. In 2024, multiple organizations suffered breaches because their vendors claimed to have strong security but never provided documentation. A vendor that cannot document training data provenance should score lower than one with full data lineage documentation, and model training on customer data without explicit consent is an immediate red flag. The question is never whether a vendor says they protect your data. The question is whether they can prove it.
2. Failing to ask what your data is being used for after you submit it. This is the single most underasked question in AI vendor evaluation. Many consumer and prosumer AI tools use customer inputs to improve their models by default. Research published in 2025 identifies a tendency in AI systems to memorize and reproduce personally identifiable information from their training data, meaning data your employees submit today can surface in another organization’s AI output tomorrow. Every vendor evaluation must include the explicit question of whether your data trains their model and whether you can opt out.
3. Treating vendor AI risk as a one-time assessment. An AI vendor’s risk profile can change with every new model update or change in training data, which means point-in-time reviews are insufficient and organizations must move toward continuous monitoring of vendor AI practices. A vendor that was compliant when you signed the contract may not be compliant after their next model release.
4. Ignoring the gap between awareness and action. According to Stanford’s 2025 AI Index Report, AI-related incidents jumped 56.4 percent in a single year, with 233 documented cases in 2024 spanning privacy violations, bias incidents, and algorithmic failures. While 64 percent of organizations cited concerns about AI inaccuracy and 60 percent identified cybersecurity vulnerabilities, far fewer had implemented comprehensive safeguards. Knowing the risk exists and building a vendor checklist that addresses it are two entirely different things.
The five questions every organization should require an AI vendor to answer in writing before signing anything are: Where does your training data come from, and is it licensed? Does our data train your model? What is your Business Associate Agreement or data processing agreement status? What is your incident response timeline if our data is breached? Who within your organization is accountable for AI governance? If a vendor cannot answer all five in writing, that is your answer.
In “AI for Document Work, Reporting, and Internal Knowledge,” you describe unstructured data analysis as an underrated AI use case. Can you share a real-world example where analyzing text data uncovered insights that would have been missed in a spreadsheet or dashboard?
The most powerful example I can share comes directly from my work directing the nearly $400 million ARPA Implementation PMO for a Gulf Coast municipality, where I oversaw more than 100 concurrent capital projects spanning economic development, housing, employment, and social services. Each of those projects had sub-recipients submitting timesheets. On the surface those timesheets were structured documents containing rows, columns, hours, and totals. Every dashboard showed submissions were coming in on time and the numbers were adding up. From a traditional reporting standpoint, everything looked compliant.
What the dashboards could not see were the narrative fields. Every timesheet contained free-text descriptions of work performed, and that unstructured text told a completely different story. When AI analyzed those narrative fields across the entire sub-recipient portfolio simultaneously, it surfaced a pattern no human reviewer team could have detected at that volume: the work being described in the timesheet narratives was not aligned with the approved scope of work for which federal funding had been received. Submissions were inaccurate. The noncompliance was systemic, and it was invisible to every structured reporting tool in use.
This is precisely the insight gap that makes unstructured data analysis so consequential. AI can extract meaning from unstructured data such as free-text fields, turning qualitative inputs into searchable, actionable signals, and can uncover fraud, errors, and emerging risks by scanning millions of records for patterns and outliers that are entirely invisible in manual review. In a portfolio of more than 100 projects with diverse sub-recipients operating under different programmatic requirements, no human review team reading documents sequentially would catch a cross-portfolio pattern. AI reading every narrative field across every submission simultaneously is what made the noncompliance visible.
The research community is arriving at the same conclusion about public sector applications. Anti-corruption bodies and audit institutions have identified the greatest promise of large language models in investigations and audits, specifically their ability to process vast volumes of documents, reports, and records to identify irregularities, extract relevant information, and flag suspicious patterns that would otherwise go unnoticed. Federal prosecutors now wield AI capabilities that can isolate suspicious billing patterns and flag anomalies across millions of transactions, fundamentally changing the detection calculus for organizations receiving public funds.
The lesson for SMBs is that you do not need a nearly $400 million portfolio to justify this capability. A 20-person professional services firm with a CRM full of client notes, a support inbox full of customer feedback, or a set of contractor deliverables containing narrative descriptions of work performed has the same unstructured data problem at a smaller scale. A spreadsheet will never read those fields. AI will, and what it finds will surprise you.
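The timesheet case in the answer above comes down to comparing what each narrative field says against the approved scope of work, across every submission at once. The script below is an added example, not the PMO's own tooling, and it uses a simple term-overlap heuristic in place of the LLM analysis the interview describes: each narrative is scored by the share of its meaningful words that appear in the sub-recipient's approved scope, rows below a threshold are flagged, and the flagged hours are rolled up per sub-recipient so the cross-portfolio pattern is visible. The sub-recipients, scopes, timesheet rows and threshold are all constructed.

```python
"""Flag timesheet narratives that drift from the approved scope of work.

Added example, not the PMO's own tooling. Assumes each sub-recipient has an
approved scope paragraph and each timesheet row has a free-text "work
performed" field. A word-overlap score stands in for an LLM; all sample data
below is constructed.
"""
import re
from collections import defaultdict

STOPWORDS = {"the", "and", "for", "with", "of", "to", "a", "in", "on", "an", "at", "by"}


def terms(text):
    """Lower-cased words of three or more letters, minus stopwords."""
    return {w for w in re.findall(r"[a-z]+", text.lower())
            if w not in STOPWORDS and len(w) > 2}


def overlap(narrative, scope_terms):
    """Share of the narrative's terms that also occur in the approved scope (0.0 to 1.0)."""
    n = terms(narrative)
    if not n:
        return 0.0
    return len(n & scope_terms) / len(n)


# Constructed approved scopes per sub-recipient.
APPROVED_SCOPE = {
    "SR-01": "Rental assistance intake, eligibility verification, and case management for housing applicants",
    "SR-02": "Workforce training courses, job placement services, and employer outreach",
}

# Constructed timesheet rows: (sub-recipient, staff, hours, work-performed narrative).
TIMESHEETS = [
    ("SR-01", "j.doe", 8, "Processed rental assistance intake forms and verified applicant eligibility"),
    ("SR-01", "j.doe", 8, "Case management follow-up calls with housing applicants"),
    ("SR-01", "k.lee", 8, "Organized community festival vendors and booth logistics"),
    ("SR-01", "k.lee", 8, "Festival marketing flyers and sponsor outreach"),
    ("SR-02", "m.ali", 8, "Delivered workforce training courses on forklift certification"),
    ("SR-02", "m.ali", 8, "Employer outreach visits for job placement"),
]


def review(timesheets, scopes, threshold=0.3):
    """Return (share of hours flagged per sub-recipient, list of flagged rows)."""
    hours = defaultdict(float)
    flagged_hours = defaultdict(float)
    flagged = []
    scope_terms = {sr: terms(text) for sr, text in scopes.items()}
    for sr, staff, hrs, narrative in timesheets:
        score = overlap(narrative, scope_terms[sr])
        hours[sr] += hrs
        if score < threshold:
            flagged_hours[sr] += hrs
            flagged.append((sr, staff, round(score, 2), narrative))
    share = {sr: round(flagged_hours[sr] / hours[sr], 2) for sr in hours}
    return share, flagged


if __name__ == "__main__":
    share, rows = review(TIMESHEETS, APPROVED_SCOPE)
    for sr, pct in sorted(share.items()):
        print(f"{sr}: {pct:.0%} of billed hours fall outside approved scope")
    for sr, staff, score, narrative in rows:
        print(f"  flag {sr} {staff} score={score}: {narrative}")
```

On the constructed data, half of SR-01's billed hours describe festival logistics that appear nowhere in its housing-assistance scope, while SR-02's narratives match its scope throughout. Every dashboard that only summed the hours column would have shown both sub-recipients as fully compliant; the signal is only in the free-text field, which is the point the answer makes. A word-overlap score is crude and a real review would use an embedding model or an LLM with the scope as context, but the roll-up logic (score each row, aggregate by sub-recipient, rank by flagged share) is the same either way.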
Your session includes a decision matrix for Copilot, Gemini, ChatGPT and Claude. What criteria should IT use when deciding which platform is best suited for a particular task?
The single biggest mistake IT makes when evaluating AI platforms is treating it as a horse race to find one winner. The right question is never which platform is best but which platform is best suited for a specific task in a specific workflow context. My decision matrix maps four tools to four use cases, and the criteria IT should apply follow directly from that framework.
Start with your existing productivity ecosystem, not the platform features. The decision turns on three specific factors: your existing productivity ecosystem, your primary AI use cases, and your total cost of ownership tolerance. If your organization runs on Google Workspace, Gemini offers native integration across Gmail, Docs, Sheets, and Meet. If you are Microsoft-first, Copilot is embedded where your employees already work and inherits your existing compliance infrastructure. Attempting to run a platform that fights your existing stack creates friction that erodes adoption and accelerates shadow AI.
Match the tool to the task type, not the benchmark leaderboard. The four criteria IT should apply are in-flow speed for tasks performed inside existing applications without context switching; structured data analysis; unstructured data and document work; and numerical reporting. Copilot is built to leverage Microsoft’s corporate infrastructure and inherently meets compliance standards including FedRAMP and HIPAA through Azure. Claude’s competitive advantage is in extended reasoning, document analysis, and ingesting proprietary knowledge bases. Gemini positions itself as the connective layer across Google Workspace, Microsoft 365, Salesforce, and other enterprise data sources.
Apply the code execution rule for any numerical reporting task. This is the criterion most IT decision frameworks completely omit. Standard chat-based AI across all four platforms can generate inaccurate numbers with complete confidence. ChatGPT’s Advanced Data Analysis and Claude’s analysis tool both execute Python code rather than generating text responses, which makes them significantly more reliable for any output that becomes a reported figure. If the answer is a number you will share with a stakeholder, the selection criterion is not which platform has the best interface. It is which platform uses code execution rather than text generation to produce that number.
Evaluate governance posture alongside capability. Gartner estimates that 47 percent of enterprise employees were using at least one unsanctioned AI tool as of late 2025, and the platform that employees are forced to use through unsatisfying official channels is the platform that drives the most shadow AI. IT should evaluate not only what a platform can do, but whether employees will actually use the sanctioned version, because governance that drives workarounds is not governance at all.
Successful AI adoption matches platform strengths to specific business workflows rather than chasing benchmark leaderboards or hype cycles, and organizations that clearly define their use cases before platform selection achieve significantly higher adoption rates and return on investment.
Looking ahead, how do you see AI changing the role of business analysts, project managers, and reporting professionals over the next three to five years?
The most important thing I can tell business analysts, project managers, and reporting professionals about the next three to five years is that the threat is irrelevance for those who refuse to evolve, and significant opportunity for those who do.
The research is unambiguous on the direction of change. A peer-reviewed study published in the Journal of Innovation and Knowledge examining the PM2030 horizon found that by 2026, the demands of the project management role will require at least two-thirds of current skill sets to be redesigned, and that by 2030, AI-driven predictive insights and modeling capabilities are expected to significantly enhance efficiency while raising critical questions about the evolving role of human judgment. A separate peer-reviewed study published in ScienceDirect found that rather than focusing on job replacement, the more accurate frame is the transformation of existing roles through AI augmentation, with continuous upskilling and AI literacy becoming essential workforce priorities.
From my work directing a nearly $400 million portfolio for a Gulf Coast municipality, the shift I observed firsthand was from execution to interpretation. These roles are moving away from producing outputs and toward validating, contextualizing, and advising on AI-generated outputs. A business analyst who previously spent 60 percent of their time pulling and formatting data will spend that same time asking better questions of AI-generated analysis, catching errors a dashboard cannot catch, and translating findings into decisions. A project manager who previously spent significant time on status reporting and schedule updates will spend that time on stakeholder relationships, risk interpretation, and the judgment calls AI is not equipped to make. A reporting professional who previously built dashboards will increasingly govern the data pipelines and governance frameworks that make those dashboards trustworthy.
The data supports the scale of efficiency gains already underway. A 2025 Georgia Institute of Technology study of 217 project management professionals found that early AI adopters reported project efficiency gains of up to 30 percent, with success depending less on the technology itself and more on how leadership governs its use. New specialized roles are already emerging at the intersection of these disciplines, including AI Project Coordinators who manage AI-driven scheduling systems and Data Analytics Project Managers who apply AI-generated insights to resource optimization and timeline management.
The professionals who will thrive are those who develop three new core competencies: AI literacy, meaning the ability to understand what a tool or environment can and can’t do reliably; critical validation, meaning the ability to catch what AI gets wrong before it becomes a decision; and domain authority, meaning the deep subject matter expertise that gives AI-generated output its meaning. AI can produce a report, but it can’t tell you whether the story that report tells is true in context, so you will need to be an even better business analyst, project manager or coordinator and have strategic alignment capabilities. Cognition still belongs to the human in the room, and they will need to be sharper at detecting errors and at strategic thinking, positioning themselves as analytical information officers.
If an attendee can only take one action during the following week, what would you recommend as the highest-impact first step toward AI adoption?
Think of AI as an environment, an ecoculture, and not as a tool, before selecting which AI or LLM to use. The single highest-impact action any organization can take in the week following this conference is a structured assessment of where they actually stand before spending a dollar on any AI platform or writing a single policy. Most organizations skip this step entirely, selecting a tool first and discovering later that their data is inconsistent, workflows are unclear, and employees are not prepared to adopt the change. For SMBs, those delays carry a disproportionate cost because budgets and teams are more constrained. A stalled AI initiative does not just waste money; it damages leadership confidence and makes the next attempt harder.
The research is unambiguous on why readiness matters. According to Deloitte’s 2025 AI Readiness Index, organizations that achieve an AI readiness score above 70 percent are three times more likely to implement AI successfully within twelve months. The World Economic Forum’s 2025 Digital Transformation Report found that companies with documented processes implement AI tools 40 percent faster than those without. Gartner confirms the readiness gap directly: only 14 percent of low-maturity organizations report that their business teams are ready to adopt AI solutions, compared to 57 percent of high-maturity organizations.
A readiness audit for an SMB does not require an expensive consulting engagement. The average cost of a formal third-party AI readiness assessment runs between $8,000 and $25,000 depending on scope, but the foundational version can be completed internally in a single afternoon with five questions. What AI tools are employees already using, sanctioned or not? What data does the organization collect and how is it classified? Which workflows are currently documented versus living in people’s heads? Who in the organization will be accountable for AI governance? Where would a compliance failure carry the most serious consequence?
The answers to those five questions tell an organization exactly where to start, which tool is actually appropriate, and what must be addressed before any adoption effort will succeed. Small business leaders who invest in AI are nearly twice as likely to report year-over-year growth compared to non-adopters, and 91 percent of SMBs using AI report that it directly boosts revenue. The organizations achieving those outcomes are not the ones who moved fastest but the ones who started with the clearest picture of their own readiness or sought out consultants like myself before purchasing.