Employees at small and medium-sized businesses across Canada are already using AI tools to boost productivity and handle day-to-day tasks – and in most cases, nobody at the company has approved it, governed it or assessed what data is being exposed, according to Ahmed Javaid, regional manager for cyber risks at Beazley Canada.
"The lack of governance and the challenges around shadow AI create this bottom-up adoption, which creates a bit of a gray area as to where the risks actually lie within your environment," Javaid said.
Javaid said employees are using third-party large language models (LLMs) without fully considering the risks associated with the data they share with these tools. The lack of governance creates an opportunity for sensitive corporate or customer information to get into the wrong hands.
"It's not governed, it's not restricted, and they're potentially exposing private customer information, financial information," he said. "It's not been adopted on an enterprise level."
The problem is not that employees are using AI. It is that the businesses they work for have no visibility into what tools are being used, what data is being entered or where that data ends up. Denis Panariti, head of financial lines at Beazley Canada, said the risk extends across the vendor chain.
"Third-party vendor risk – it's a blind spot," Panariti said.
Javaid said SMEs are the most exposed segment because they were already behind on cyber readiness before AI entered the picture. The federal government's push to scale AI adoption from 12% to 60% is accelerating a process that most small businesses do not have the infrastructure to manage.
"The AI adoption across SMEs is essentially accelerating adoption amongst businesses that are already underprotected, underinsured and largely underprepared," he said.
He said each new AI tool, each new integration and each new employee using an ungoverned model widens the attack surface – and the exposure is accelerating.
"The exposures are not going to increase linearly," Javaid said. "It's going to compound on SME businesses."
Javaid said the perception problem in the SME segment has kept cyber insurance adoption persistently low.
"There's a mentality around 'too small to be attacked' within the SME sector," he said. "We see that all the time."
He said some businesses cannot access cyber coverage at all because they lack the minimum security controls required to qualify – basic measures like multi-factor authentication, endpoint protection and security awareness training that have become standard underwriting requirements.
The incentive to adopt AI quickly is strong. Javaid pointed to Beazley's own risk and resilience report, which found that 82% of respondents believe AI will have a positive impact on their bottom line. That optimism creates pressure to move fast, and in the SME segment, moving fast usually means moving without governance.
The systemic dimension makes the exposure harder to contain. Javaid said when SMEs adopt the same third-party AI models as larger organizations, they can become the weakest entry point into a much broader attack surface – not just a risk to themselves, but to everyone connected to them.
"You might be doing all the right things, but somebody else isn't," he said. "And now you're potentially vulnerable because these models have gotten compromised or your data has gotten into the wrong hands because you don't know where that's being housed."
AI is also changing the threat landscape from the other direction. Javaid said threat actors are using AI to identify software vulnerabilities faster than many businesses can patch them, and the success rate of attacks is climbing as a result. SMEs with weak patching policies – which he said is one of the most common gaps Beazley sees – are especially exposed.
He said the reputational consequences are real too. Even a routine AI deployment like a customer-facing chatbot can generate misinformation or inaccurate responses that damage a company's brand.
"There is a risk of disinformation or misinformation that could potentially be disseminated through those tools that could create a very negative brand reputation risk," Javaid said.