An AI audit is a structured analysis of your business workflows, tools, and operations to identify where artificial intelligence can create the most value. It includes a discovery call, review of current processes, a written report with prioritized AI opportunities, and an AI readiness score.

How long does AI implementation take?

Implementation timelines vary by scope. A quick win implementation takes 1-4 weeks for a single workflow. Full multi-workflow implementations typically take 4-12 weeks. Most clients see measurable results within the first month.

Do I need technical knowledge to use AI in my business?

No. Dragonfly AI handles all the technical setup. We work with business owners who know their operations but don't have technical teams. You don't need to understand AI to use it — you just need the right setup, and that's what we provide.

What types of businesses does Dragonfly AI work with?

We primarily work with service businesses with 2-50 employees, including real estate, legal, financial services, healthcare, marketing agencies, home services, insurance, staffing, and consulting firms.

How much does AI consulting cost?

Pricing depends on scope. Strategy calls start at $350. AI audits range from $750-$1,500. Quick win implementations are $1,000-$3,500. Full implementations range from $3,500-$15,000+. Advisory retainers start at $1,000/month.

← Back to Blog

April 15, 2026·8 min read·Jake Lee

What Your AI Tools Do With Your Business Data (And How to Protect It)

AI SecurityData PrivacyAI ToolsSmall BusinessAI Strategy

Earlier this month, Anthropic accidentally published the internal system prompt for Claude Code — 512,000 lines of instructions — on a public website. They called it human error. It was.

But here's the question I want you to sit with: if a company that builds AI for a living can accidentally expose its own internal data through a simple mistake, what does that say about how carefully you should think about what your team is feeding into AI tools every day?

This isn't about Anthropic's mistake. It's about yours — the ones you probably don't know you're making.

Most small businesses using AI are sitting in one of two places: their teams are pasting sensitive business information into consumer AI products without thinking about it, or they're avoiding AI entirely because they're nervous about data exposure. Neither position is right. Here's what actually happens to your business data when it goes into an AI tool — and a simple framework that lets you protect what matters without giving up the productivity gains.

What Your Team Is Actually Doing

Here's a scene I've seen at least a dozen times: a marketing coordinator at a 12-person agency pastes a client's full contact list into ChatGPT to draft personalized outreach emails. An ops manager at a construction company uploads subcontractor agreements to get a summary. A bookkeeper sends client financial data to Claude to help format a monthly report.

None of these people are being reckless. They're doing what makes intuitive sense when you have a powerful AI tool available and work to get done. The problem is that most of them have no clear picture of where that data goes after they hit submit — and most business owners haven't given them one.

That gap — between what your team is doing and what your business needs to protect — is where real risk lives.

Consumer Plans vs. Business Plans: The Actual Difference

This is the part that matters most, and most people skip it entirely.

When your team uses a free or personal ChatGPT subscription — Plus, not Business — OpenAI's default data policy allows conversations to be used for model training unless the user explicitly opts out. That means the client proposal someone asked it to polish, the internal memo they had it rewrite, the contract summary they generated — that content can become training data for future versions of the model.

Claude and Gemini have similar default terms on consumer plans.

When you upgrade to a business or enterprise plan, the terms change materially. ChatGPT Business — now $20 per seat per month after OpenAI's recent price cut from $25 — explicitly provides zero data retention by default, no use of conversations for training, and a formal data processing agreement. Claude for Work and Google Workspace with Gemini offer equivalent protections at comparable price points.

The cost difference between a consumer plan and a business plan is often $10 to $15 per month per seat. The difference in data handling is not small. For any business that uses AI for actual business work — which is most businesses at this point — the upgrade is not optional. It's a basic operating decision, the same way you'd decide what goes in your email system vs. what you text from a personal phone.

A Simple Framework: Three Categories of Business Data

Not all data needs the same treatment. Here's a framework that takes about five minutes to explain to a team and actually sticks:

Category 1: Open — safe for any AI tool. Generic questions, publicly available information, non-sensitive drafts. Helping write a LinkedIn post about a new service. Generating five email subject line options. Summarizing a publicly available industry report. Brainstorming names for a promotion. None of this needs special handling. Use whatever tool works best on whatever plan you have.

Category 2: Confidential — business plan only. Anything that would be awkward if a competitor saw it. Proposals, pricing structures, internal communications, business strategy, client feedback, team performance issues, financial projections. This content is often fine to run through AI — that's where a lot of the real productivity gains live — but only on tools with signed data protection agreements. If someone on your team is using a personal AI account for any of this, that's a policy problem worth fixing this week.

Category 3: Restricted — never into AI tools without specific legal clearance. Regulated data. Client personally identifiable information — full names, addresses, Social Security numbers. Health records. Attorney-client privileged communications. Financial credentials. Anything governed by HIPAA, GDPR, professional conduct rules, or your industry's specific compliance requirements. A business plan doesn't make this category safe — it just makes a potential incident less legally catastrophic than a consumer plan would. The correct default for Category 3 data is that it doesn't go into AI tools. If you think there's a legitimate reason to change that, get a specific answer from your attorney or compliance advisor first, not from a blog post.

When I walk business owners through this framework for the first time, the reaction is almost always the same: they realize they've been running Category 2 content through Category 1 tools, and sometimes Category 3 content too. Not out of carelessness — out of never having thought through the distinction.

The Risks That Actually Affect Small Businesses

The dramatic headline risk — a hacker breaking into OpenAI and stealing your client list — is real but low. These companies have substantial security teams and infrastructure. The risks that actually hit small businesses are quieter.

Regulatory exposure. If you handle health information, financial data, or legal matters, using consumer AI tools with that data may violate HIPAA, financial regulations, or professional conduct rules. The violation doesn't require a breach. It just requires that data was handled outside compliant systems. This is a live issue for medical and dental practices, bookkeepers, accountants, insurance brokers, mortgage professionals, and attorneys. A HIPAA fine doesn't scale down because your practice has eight employees. A minor violation runs $100 to $50,000 per incident. A willful neglect finding runs $10,000 to $250,000 per incident. These numbers are not hypothetical — they're published enforcement actions.

Client trust. Most clients assume that information they share with you stays within your vetted systems. If they found out their contract details, their financial situation, or their internal communications had been processed through a consumer AI tool — even if nothing went wrong — many would have a real problem with that. The moment you have to explain it is the moment the relationship gets complicated. For a small business where every client relationship matters, that's a risk that doesn't need to be taken.

Competitive exposure. Your pricing logic, your proposal structure, your operational workflows — these represent accumulated advantage. The concern isn't that OpenAI is reading your proposals specifically. It's that treating your internal IP with the same carelessness as a generic internet search is a habit worth examining. Your business's edge lives in its processes and knowledge. The default should be to handle it accordingly.

What a Simple Team Policy Looks Like

You don't need a 20-page data governance document. Here's what a practical policy looks like for a team of 5 to 30 people — one page, plain language, enforced by habit rather than audits:

Client data never goes into consumer AI tools. Personal names, contact information, project details, financial data — none of it into free or personal subscriptions. If it's about a specific client, it requires a business account with a data processing agreement in place.
Business-confidential content requires a business account. Proposals, internal communications, pricing, strategy — these only get processed by AI tools that have signed data agreements. Employees' personal AI accounts, even paid ones, don't satisfy this requirement.
Regulated data stays out unless you've cleared it with counsel. If your business operates in a regulated industry, get a specific answer on what AI tools can legally touch before running anything through them. Don't guess, don't assume the business plan covers it, don't ask the AI itself.
When in doubt, anonymize. If you want AI help with something sensitive, strip out the identifying details first. The AI doesn't need to know the client is ABC Company to help you improve the proposal. Replace names, company names, and specific identifying numbers with generic placeholders before you paste. Same output, better protection.

One practical note on implementation: if your team is already using AI heavily, start by auditing what tools they're actually on. Many people sign up for personal AI subscriptions before their company has a policy and keep using those personal accounts even after the business gets a paid plan. The policy matters, but so does knowing what's actually happening in practice. Ask your team what they're using, not what they think they're supposed to use.

The Cost of Getting This Right

The most common pushback: "We're too small for any of this to matter."

That logic doesn't hold. A HIPAA violation doesn't scale down because you're a solo practice. A client who discovers their data was handled carelessly doesn't become forgiving because you run a boutique firm. If anything, small businesses face more exposure here because they typically don't have legal or compliance teams reviewing how tools get used. The mistakes happen quietly, and nobody catches them until they matter.

The cost of the right setup is genuinely low:

ChatGPT Business: $20 per seat per month. For a five-person team using AI regularly, that's $100 per month — $1,200 a year.
Claude for Work or Gemini Business: comparable pricing, equivalent protections.
A one-page team policy: a few hours of your time to write it, five minutes to cover at a staff meeting.

Total annual cost for a 10-person team running AI with proper data handling: roughly $2,400 to $3,600 in tool subscriptions, plus a morning of your time. Compare that to the cost of a single regulatory violation, a single client who walks because their trust was broken, or a single lawsuit. There is no version of that math where skipping the business plan makes sense.

What to Do This Week

If you haven't thought carefully about your team's AI tool usage, here's a practical starting point that takes under an hour:

First, find out what AI tools your team is actively using and whether they're on personal subscriptions or business accounts. Pull up your company credit card statement. Ask three people on your team what they used yesterday. Most business owners are surprised by how many personal accounts are running business work.

Second, run your regular workflows through the three-category framework. Which use cases involve Category 2 or Category 3 content? Are those running through tools with data protection agreements? If not, you now know exactly what to change.

Third, close the gaps before something goes wrong. Upgrade the accounts that need upgrading. Write a simple policy. Communicate it once, clearly. You don't need a formal rollout — you need clarity on what goes where, and you need your team to know it.

The Anthropic leak made headlines because it was striking — a sophisticated AI company exposed its own internal infrastructure through a simple human mistake. The quieter version of that story plays out in small businesses every day, through hundreds of small decisions about where business data goes. Most are low-stakes. Some aren't. The difference is usually knowing which is which before it matters.

If you want help auditing your AI setup — figuring out which tools belong in your stack, which data policies to put in place, and where the real risk actually sits in your specific business — book a free call here. We'll go through your current setup and give you a clear picture of what to fix and what to leave alone.

Share this article:

X / Twitter LinkedIn

← All Posts