TL;DR: The FTC has moved from warnings to enforcement against deceptive AI marketing. In March 2026 it banned Air AI and its owners from marketing business opportunities after they misled small businesses, part of a broader crackdown on overstated AI claims. With 82% of small businesses now investing in AI tools and a median of five tools per business, NC owners need a repeatable way to separate real capability from "AI washing." This guide gives you a vendor vetting framework covering claims, data handling, security, and ROI.
Key takeaway: The FTC's enforcement signal is that "it uses AI" is now a marketing claim regulators police, not a guarantee of value. The defense for a small business is a short, consistent vetting process applied before every AI purchase.
Evaluating an AI tool or vendor? Contact Preferred Data Corporation at (336) 886-3282 for vendor-neutral AI transformation guidance, including AI vendor due diligence, data-handling review, and ROI modeling. Serving High Point, Greensboro, Charlotte, Raleigh, and Winston-Salem businesses for 37+ years.
What is the FTC's 2026 crackdown on deceptive AI vendors?
The FTC's 2026 crackdown is active enforcement against companies that overstate AI capabilities or use AI claims to sell business opportunities and services. The most prominent action: in March 2026 the FTC settled charges that resulted in Air AI and its owners being banned from marketing business opportunities, after the agency found the company misled many entrepreneurs and small businesses.
This follows the FTC's earlier "Operation AI Comply" posture and actions such as the case against Rytr, whose service could generate fake reviews. The pattern the FTC is policing has a name in the market: "AI washing," where a product's AI capability is exaggerated or fabricated to justify price and urgency. For small businesses, the practical consequence is that an AI sales claim now carries the same scrutiny risk as any other deceptive marketing claim, and buyers cannot treat "AI-powered" as a quality signal.
Why are NC small businesses especially exposed to AI vendor risk?
NC small businesses are especially exposed because AI adoption has outpaced AI procurement discipline. According to SBE Council's 2026 small business technology research, reported across industry coverage:
- 82% of small businesses have invested in AI tools
- The typical small business uses a median of five AI tools and plans to add more
- 65% are using or planning AI-supported pricing tools, a high-stakes, data-sensitive category
Most small businesses buy these tools without a security team, a procurement function, or contract review. That combination (rapid adoption, sensitive data, no gatekeeper) is exactly the environment where AI washing and weak data handling cause damage: overpaying for thin wrappers around public models, exposing customer or pricing data to vendors with poor controls, or building a workflow on a tool that cannot deliver the demonstrated result. For Piedmont Triad manufacturers and Triangle professional services firms handling proprietary or regulated data, an unvetted AI vendor is also a third-party data risk, not just a wasted subscription.
How should an NC small business vet an AI vendor before buying?
An NC small business should vet an AI vendor with a consistent five-area review applied before purchase. The goal is to convert vendor marketing into verifiable answers.
| Vetting area | Key question | Red flag |
|---|---|---|
| Capability claims | Can the vendor demonstrate the result on your data, not a canned demo? | Refuses a scoped pilot or proof of concept |
| Data handling | Where does your data go, is it used for training, and can you delete it? | Vague answers or training on customer data by default |
| Security posture | SOC 2 or equivalent, encryption, access controls, subprocessors? | No documentation, no DPA, unknown subprocessors |
| ROI and total cost | What measurable outcome, over what baseline, at what all-in cost? | Only testimonials and "efficiency," no measurable baseline |
| Contract and exit | Data export, termination, uptime, liability, and price escalation terms? | Lock-in, auto-escalating price, no data export |
A practical sequence for an owner or office manager:
- Demand a scoped pilot on your data. Real capability survives a small, time-boxed test against your actual workflow. AI washing usually does not.
- Get data handling in writing. Require a data processing agreement, confirm whether your inputs train the vendor's models, and confirm deletion on termination.
- Request security documentation. Ask for SOC 2 Type II or equivalent and a subprocessor list. "We take security seriously" is not documentation.
- Model ROI against a baseline. Define the current cost or time of the task before the tool, then measure the tool against it. No baseline means no ROI.
- Read the exit terms. Confirm you can export your data and leave without penalty before you depend on the tool.
For North Carolina businesses without internal procurement or security depth, a vendor-neutral AI transformation partner runs this diligence as a service, which is the structural defense against both AI washing and AI-driven data exposure.
What AI vendor red flags should NC owners treat as disqualifying?
Several AI vendor behaviors should be treated as disqualifying, not negotiable, because they predict either deception or data risk. Treat the presence of any of these as a stop.
- Refusal to run a scoped pilot on your data. Real products demonstrate; AI washing avoids verification.
- Training on your data by default with no opt-out. Your customer, pricing, or proprietary data becoming vendor training data is rarely acceptable for an SMB.
- No data processing agreement or security documentation. For regulated NC businesses this also creates a compliance exposure.
- Pressure tactics and urgency. Limited-time pricing, "AI is replacing your competitors this quarter," and pushback on diligence mirror the patterns in FTC enforcement actions.
- Outcome claims with no baseline or methodology. "10x productivity" with no defined measurement is a marketing claim, not a result.
These map directly to the conduct the FTC has targeted. A consistent rule (no pilot, no purchase; no DPA, no purchase) protects a small business better than evaluating each vendor's pitch on its own terms.
Frequently Asked Questions
What did the FTC do to AI vendors in 2026?
The FTC moved to enforcement against deceptive AI marketing. In March 2026 it settled charges resulting in Air AI and its owners being banned from marketing business opportunities for misleading small businesses, part of a broader crackdown on overstated or fabricated AI claims ("AI washing").
What is "AI washing"?
AI washing is exaggerating or fabricating a product's AI capability to justify price, urgency, or differentiation. It ranges from thin wrappers around public models marketed as proprietary AI to claims of automation the product cannot actually deliver. The FTC treats material AI claims as policeable marketing claims.
How can a small business tell if an AI vendor is legitimate?
Require a scoped pilot on your own data, written data-handling terms (including whether inputs train the vendor's models), security documentation such as SOC 2, an ROI model against a real baseline, and clear exit and data-export terms. Legitimate vendors meet these; AI washing typically fails the pilot or the documentation request.
Is it risky to put business data into AI tools?
It can be, depending on the vendor. Risks include your data being used to train the vendor's models, weak vendor security, and unknown subprocessors. For regulated or proprietary data this is a third-party data risk requiring a data processing agreement and security review before use.
How many AI tools does a typical small business use?
Industry research for 2026 indicates the typical small business uses a median of about five AI tools, with 82% of small businesses having invested in AI and many planning to add more. This sprawl increases both spend and data-exposure surface, which is why per-tool vetting matters.
Does Preferred Data sell AI tools or evaluate them?
Preferred Data Corporation provides vendor-neutral AI transformation guidance. We help NC businesses define use cases, run diligence on AI vendors (capability, data handling, security, ROI, contract terms), and implement the tools that pass, rather than pushing a single product.
How does Preferred Data Corporation help NC SMBs vet AI vendors?
We run structured AI vendor due diligence as a service: scoped pilots, data-handling and security review, ROI modeling against a baseline, and contract risk review, integrated with managed IT and cybersecurity. We support manufacturers, contractors, and professional services firms across High Point, the Piedmont Triad, Charlotte, Raleigh, and Winston-Salem.