31% of Employees Get No AI Training: NC SMB Playbook 2026



TL;DR: A May 2026 Help Net Security report found 31% of employees who use AI at work receive zero employer training, while one-fifth to one-third of workers use AI tools outside any IT governance. Organizations with high shadow AI usage now incur breach costs averaging $4.63 million, roughly $670,000 more per breach than low-shadow-AI peers. For North Carolina small businesses, the gap between employee AI adoption and employer governance is the single largest unmanaged risk of 2026.

Critical takeaway: Banning AI does not work; 98% of organizations report unsanctioned AI use regardless of policy. The win is a clear, simple AI use policy paired with practical training and a sanctioned set of approved tools. NC small businesses that get this in place in 2026 protect client data, satisfy emerging compliance, and unlock the productivity gains AI actually delivers.

Need an AI use policy and training program for your NC business? Preferred Data Corporation builds AI governance frameworks tailored to small businesses across North Carolina. Call (336) 886-3282 or request an AI policy consultation.

What Is the "AI Training Gap" Affecting NC Small Businesses?

The AI training gap is the distance between employee AI adoption and employer-provided governance, training, and sanctioned tools. Help Net Security's May 1, 2026 report, based on Lenovo's Work Reborn Research Series 2026 survey of 6,000 full-time employees, quantified the gap precisely.

Key findings:

  • 31% of employees who use AI receive no employer training
  • 20-33% of workers use AI outside IT governance
  • 98% of organizations report unsanctioned AI use
  • 49% expect a shadow AI incident within 12 months
  • High shadow-AI organizations face breach costs averaging $4.63 million
  • 74% of employees say better cybersecurity training on AI risks would reassure them

The gap is wider in smaller organizations. Many SMBs have neither AI tools nor AI training, while their employees use ChatGPT, Claude, Gemini, Copilot, and free LLMs from personal devices and browsers anyway. The result is unmonitored data exfiltration, ungoverned prompts, and no audit trail.

For NC small businesses across the Piedmont Triad, Charlotte, and Raleigh, the practical question is no longer "do our employees use AI?" but "do we know what they are doing with it and what data is leaving?"

Why Is Employee AI Use a Material Risk for NC SMBs?

Employee AI use is risky in ways that traditional security training does not address. Five risk categories dominate the 2026 landscape.

1. Data exfiltration through prompts. When an employee pastes a customer contract, source code, financial statement, or proprietary process into a consumer AI tool, that data may be retained, used to train future models, or exposed through later prompt injection. Free and personal-tier AI tools generally do not provide enterprise data protections.

2. Inaccurate outputs treated as authoritative. Employees often accept AI-generated content (legal contracts, technical specifications, financial calculations, marketing claims) without verification. NC professional services firms have already been embarrassed by AI-fabricated citations in client deliverables.

3. Compliance and confidentiality breaches. Pasting PHI into a public LLM violates HIPAA. Sharing CUI with an unsanctioned AI tool breaches CMMC and ITAR. Including client financial data violates GLBA. These violations carry real penalties under existing law.

4. Intellectual property leakage. Manufacturing process details, product designs, and trade secrets pasted into AI tools may end up in training data. Once leaked, the IP cannot be recovered.

5. Prompt-based social engineering. Employees increasingly receive AI-generated phishing, deepfake voice, and synthetic video messages. Without AI-aware security training, even technically savvy staff fall for the new generation of attacks.

AI Risk | Likelihood Without Training | Typical NC SMB Cost
Customer data pasted into free LLM | High (monthly occurrences) | $50,000-$200,000 if regulated data
AI-fabricated content in client deliverable | Moderate | Reputation + contract loss
HIPAA/GLBA/CMMC violation via AI tool | Moderate | $25,000-$1.5M penalty + notification
IP leak via prompt | Moderate | Variable, often unmeasurable
AI-enabled social engineering success | High | $100,000-$1M per incident

What Does a Practical AI Use Policy for NC SMBs Look Like?

An AI use policy for an NC small business does not need to be 40 pages. The policies that actually work are 2-3 pages, written in plain language, and tied to a list of approved tools. PDC develops policies with NC clients that follow this structure.

1. Purpose and scope.

A one-paragraph statement of why the policy exists, who it applies to (employees, contractors, interns), and what AI use it covers (generative AI, embedded AI features in SaaS apps, AI-powered automation).

2. Approved tools.

A short list of AI tools the business has vetted, configured for enterprise data protection, and supports. Examples might include Microsoft Copilot under the business M365 license, ChatGPT Enterprise or Team, Claude Team, and one or two specialty tools. Employees are expected to use approved tools for work tasks.

3. Prohibited inputs.

A clear list of data categories that must never be pasted into AI tools, including:

  • Customer or patient personally identifiable information (PII) and protected health information (PHI)
  • Financial account numbers, credit cards, and Social Security numbers
  • Trade secrets, proprietary formulas, and unreleased product information
  • Controlled unclassified information (CUI) for defense contractors
  • Confidential third-party information governed by NDA
  • Source code containing credentials or business logic restricted by contract

4. Verification requirements.

A standard that AI-generated content used in business work products must be verified for accuracy by a human before delivery, especially for legal, financial, technical, and marketing claims.

5. Disclosure expectations.

When and how to disclose AI use to customers, vendors, and regulators. Many enterprise clients now require vendors to disclose AI involvement in deliverables; some state laws require disclosure when AI makes automated decisions about consumers.

6. Incident reporting.

A simple path for employees to report accidental AI policy violations (pasted regulated data, accepted inaccurate AI output, suspected AI-generated phishing) without fear of immediate discipline.

7. Acknowledgment and renewal.

All employees sign annually. Material changes trigger re-acknowledgment. Documented acknowledgment becomes part of cyber insurance and audit evidence.

Key takeaway: A working AI policy is short, specific, and pairs prohibitions with approved alternatives. Long policies with vague language get ignored. Short policies tied to clear tools change behavior.

What Should AI Training Cover for NC SMB Employees?

Training that closes the AI gap is short, hands-on, and updated frequently. PDC delivers AI awareness training to NC SMB clients in 30-45 minute modules with the following structure.

Module 1: Why we have an AI policy.

  • The data, the regulators, the contracts, and the incidents that drove the policy
  • The cost of a shadow AI breach (concrete numbers, not abstract risk)

Module 2: Approved tools and how to use them.

  • Live walkthroughs of the company's approved AI tools
  • How to verify enterprise data protection is in place
  • Where to find help when an approved tool does not solve the problem

Module 3: What never goes into an AI tool.

  • Real examples of regulated data (PII, PHI, CUI, financial information)
  • Common patterns of accidental data exfiltration
  • How to redact or de-identify before using AI

Module 4: Spotting AI-generated threats.

  • AI phishing examples (real samples scrubbed for training)
  • Deepfake voice and video patterns
  • Verification procedures for unusual requests

Module 5: When to disclose AI use.

  • Customer communications and deliverables
  • Compliance reporting (CCPA, sectoral AI rules)
  • Internal documentation

Module 6: How to report problems.

  • The non-punitive incident reporting process
  • Who to call, what to capture, what to expect

Training is delivered annually with quarterly micro-modules (5-10 minutes) tied to new threats, new tools, and lessons from sanitized internal incidents. NC SMBs that combine policy and training in this way reduce AI-related incidents by 60-80% in the first year.

How Do NC SMBs Roll Out an AI Policy in 30 Days?

A practical 30-day rollout works for most NC small businesses. PDC has guided clients across the Piedmont Triad through versions of this plan.

Days 1-7: Discover and decide.

  1. Survey employees about which AI tools they currently use for work
  2. Identify the regulatory data the business holds (PII, PHI, CUI, financial)
  3. Pick 2-4 approved AI tools that cover the most common employee use cases
  4. Configure enterprise data protection on the chosen tools (Copilot, ChatGPT Team, Claude Team)

Days 8-15: Draft and review.

  1. Draft the 2-3 page AI use policy using the structure above
  2. Review with HR, legal counsel (if available), and the leadership team
  3. Build the acknowledgment form and tracking mechanism
  4. Develop the training modules (or engage a managed IT partner)

Days 16-22: Train and acknowledge.

  1. Deliver Modules 1-2 training to all employees in small groups
  2. Walk through the approved tools live
  3. Collect signed policy acknowledgments
  4. Address common questions in a follow-up communication

Days 23-30: Monitor and reinforce.

  1. Begin monitoring for unsanctioned AI tool use (browser monitoring, SaaS app discovery)
  2. Send a follow-up communication highlighting common policy questions and answers
  3. Schedule the quarterly micro-training calendar
  4. Document the program for cyber insurance and audit evidence
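As an added illustration of the discovery step above (example code, not PDC's tooling and not from the original post): this Python script reads constructed web-proxy log lines, separates approved AI tools from known-but-unsanctioned ones using a hypothetical approved-host list, and ranks users by how much data they have uploaded to unsanctioned tools, which is the quantity the prohibited-inputs rule cares about.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Approved tools from the (hypothetical) AI use policy, keyed by the hostnames
# they are reached through. All hostnames here are assumptions for the example.
APPROVED_AI_HOSTS = {"copilot.microsoft.com", "chatgpt.com", "claude.ai"}
# Other generative-AI services the discovery step should flag. Illustrative list.
KNOWN_AI_HOSTS = APPROVED_AI_HOSTS | {"gemini.google.com", "chat.deepseek.com", "perplexity.ai"}

# Constructed sample proxy lines: "<timestamp> <user> <method> <url> <bytes_sent>"
SAMPLE_LOG = """\
2026-05-04T09:12:01 jdoe POST https://chatgpt.com/backend-api/conversation 2140
2026-05-04T09:15:44 asmith POST https://gemini.google.com/app 18322
2026-05-04T09:20:03 jdoe GET https://www.example.com/ 0
2026-05-04T10:02:19 asmith POST https://chat.deepseek.com/api/v0/chat 91233
2026-05-04T10:40:55 mlee POST https://claude.ai/api/organizations 5400
2026-05-04T11:01:12 asmith POST https://perplexity.ai/search 770
"""

def _hit(host, hosts):
    """True if host equals, or is a subdomain of, any entry in hosts."""
    return any(host == h or host.endswith("." + h) for h in hosts)

def classify_host(host):
    """approved | unsanctioned_ai | other, per the policy's approved-tool list."""
    host = host.lower()
    if _hit(host, APPROVED_AI_HOSTS):
        return "approved"
    return "unsanctioned_ai" if _hit(host, KNOWN_AI_HOSTS) else "other"

def parse_line(line):
    ts, user, method, url, sent = line.split()
    return {"ts": ts, "user": user, "method": method,
            "host": urlsplit(url).hostname or "", "bytes_sent": int(sent)}

def find_shadow_ai(log_text):
    """Return {user: {host: total_bytes_sent}} for unsanctioned AI hosts only.
    Bytes sent (request bodies) is the number to watch: it is the data leaving
    the business inside prompts and file uploads."""
    findings = defaultdict(lambda: defaultdict(int))
    for line in filter(str.strip, log_text.splitlines()):
        rec = parse_line(line)
        if classify_host(rec["host"]) == "unsanctioned_ai":
            findings[rec["user"]][rec["host"]] += rec["bytes_sent"]
    return {u: dict(h) for u, h in findings.items()}

def prioritize(findings, byte_threshold=50_000):
    """Users whose upload total to one unsanctioned host exceeds the threshold:
    pasted documents rather than short questions, so they get follow-up first."""
    return sorted(u for u, hosts in findings.items() if max(hosts.values()) > byte_threshold)

if __name__ == "__main__":
    shadow = find_shadow_ai(SAMPLE_LOG)
    print(shadow, "follow up first:", prioritize(shadow))
```

The same classification runs unchanged over DNS or SaaS-discovery exports once a parse_line for that format is supplied; the approved list is the policy's approved-tools section, so the two stay in sync.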

Key takeaway: NC small businesses do not need a year-long initiative to fix the AI training gap. They need 30 focused days, the right approved tools, and a maintenance rhythm that keeps the program alive.

How Do NC SMBs Pick Approved AI Tools That Protect Business Data?

Tool selection drives most of the risk reduction. NC SMBs should evaluate AI tools on five criteria.

1. Data residency and retention. Confirm where prompts and outputs are stored, who has access, and how long data is retained. Enterprise tiers of major AI tools (Microsoft Copilot under M365, ChatGPT Enterprise/Team, Claude Team) provide contractual data protection that consumer tiers do not.

2. Training opt-out. Verify the tool does not use customer prompts to train future models. The enterprise tiers of leading providers contractually exclude customer data from training.

3. Audit logs and admin visibility. Choose tools that provide administrators with visibility into who used the tool, when, and (where appropriate) what was queried. Visibility is essential for both compliance and incident response.

4. SSO and access control. Integrate AI tools into the same identity platform (Entra ID, Okta, Google) used for other business apps. Avoid stand-alone passwords and accounts tied to personal emails.

5. Compliance alignment. Confirm the tool's compliance certifications match the business need: SOC 2 at minimum, HIPAA if relevant, FedRAMP or CMMC if applicable.

NC SMBs in regulated industries should additionally favor providers with US-based data centers, breach notification commitments, and BAA (HIPAA business associate agreement) availability.

How Does the AI Training Gap Relate to NIST and CCPA Requirements?

The AI training gap also creates compliance exposure. Two frameworks are most relevant for NC SMBs in 2026.

NIST AI Risk Management Framework (AI RMF). NIST's AI RMF 1.0 and the Generative AI Profile explicitly call out workforce training, governance documentation, and incident response as control expectations. Documented AI policy and training are increasingly the evidence vendors must produce to win and keep enterprise contracts.

California CCPA amendments (effective January 1, 2026). California's updated rules on automated decision-making technology (ADMT) and AI require businesses to maintain documentation about how AI processes consumer information and to provide opt-out rights in specific contexts. NC businesses serving California consumers must have demonstrable internal controls, including training records.

Colorado AI Act. Colorado's algorithmic discrimination audits become enforceable June 30, 2026 for high-risk AI systems in hiring, lending, and insurance. NC businesses serving Colorado consumers in these categories face documentation and audit requirements that begin with workforce training.

PDC tracks these regulatory updates and builds the documentation expectations into AI transformation programs and managed cybersecurity for NC clients.

How Does PDC Help NC SMBs Close the AI Training Gap?

Preferred Data Corporation supports NC small businesses across the AI policy, training, and tool selection journey.

  • AI policy development tailored to the business's industry, regulatory exposure, and existing tool stack
  • Tool selection and configuration for Microsoft Copilot, ChatGPT Enterprise/Team, Claude Team, and specialty tools
  • Annual and micro-training delivery with NC-relevant examples and industry-specific scenarios
  • Compliance documentation for cyber insurance, customer questionnaires, NIST AI RMF, and emerging state laws
  • Monitoring and discovery of unsanctioned AI tool use via managed cybersecurity
  • Incident response support when AI-related events occur

NC SMBs that engage PDC for AI governance typically close the training gap within 60-90 days and reduce AI-related security incidents materially within the first year.

Close the AI training gap in your NC business this quarter. Call Preferred Data Corporation at (336) 886-3282 or request an AI policy consultation. 37+ years of experience, BBB A+ rated, serving the Piedmont Triad and all of NC.

Frequently Asked Questions

How long does it take to develop an AI use policy for a small business?

A focused effort takes 2-4 weeks with leadership engagement. The policy itself is 2-3 pages; most of the time is spent picking approved tools, configuring enterprise protections, and aligning with existing HR and security policies. NC SMBs working with a managed IT partner often complete the policy in 10-15 business days.

Do I need a separate AI policy or just an updated acceptable use policy?

Either works, but a dedicated AI use policy is easier to communicate, train, and update. Most NC SMBs that PDC works with maintain a short AI policy alongside their existing acceptable use policy, with cross-references where appropriate.

What if employees keep using unsanctioned AI tools after the policy is in place?

Persistent shadow AI use signals one of three problems: the approved tools do not cover the actual job, training was insufficient, or enforcement is missing. PDC works with NC SMB clients to identify root cause and adjust. Discipline alone rarely fixes shadow AI; better tools and training usually do.

Can NC small businesses block AI tools at the network level?

Yes, but blocking alone is ineffective. Employees switch to mobile devices or personal browsers. The combination of network controls, identity-based blocks for non-approved tools, sanctioned alternatives, and training reduces shadow AI use far more than blocking.

Does cyber insurance cover AI-related incidents?

Coverage is evolving rapidly. Most 2026 cyber insurance policies cover AI-related incidents under existing data breach and business interruption sections, but exclusions are appearing for "willful policy violations" and "use of unsanctioned tools." Documented AI policy, training, and approved tools are increasingly required to maintain coverage.

How does AI policy relate to HIPAA, CMMC, and other compliance frameworks?

AI policy intersects with most modern compliance frameworks. HIPAA covers PHI used with AI tools. CMMC covers CUI sharing with AI. GLBA covers financial data. The AI use policy becomes the operational document auditors review to confirm the business actually enforces the data restrictions the higher framework requires.

What is the cost of AI policy development for an NC small business?

NC SMBs typically invest $3,000-$15,000 in initial AI policy and training development, depending on regulatory exposure and number of approved tools. Annual maintenance runs $1,500-$6,000 including quarterly micro-training and document updates. Compared to the $4.63 million average breach cost for high-shadow-AI organizations, the investment is a fraction of one percent of avoided risk.

Will AI training requirements become mandatory in 2026?

Some sector-specific requirements are already mandatory. NIST AI RMF aligns with federal procurement expectations, California CCPA includes AI-related documentation obligations, and Colorado's AI Act requires documented controls for high-risk systems. NC small businesses serving customers in these jurisdictions effectively face mandatory baseline training in 2026.

Get an AI policy and training program in place for your NC small business. Preferred Data Corporation provides AI transformation services, managed cybersecurity, and managed IT for North Carolina businesses since 1987. Call (336) 886-3282 or contact us. Serving High Point, Greensboro, Winston-Salem, Charlotte, Raleigh, and all of NC.
