June 2026

Intuit Says 77% of Small Businesses Use AI. The Report Doesn't Mention Governance.

Intuit's 2026 report puts US small-business AI use at 77%, up from 48% in 2024. It measures adoption, not governance. Independent data fills the gap: roughly the same 77% have no written AI policy, 8% run a formal governance program, 55% call their AI use a chaotic free-for-all. The thin three-step layer any owner can put underneath the AI they already run.

June 2026

Microsoft Patched a Prompt Injection. The Patch Doesn't Stop the Attack.

Microsoft patched a Copilot Studio prompt injection in January; by April the data was exfiltrated anyway, with the safety filter flagging the attack and the agent acting on it regardless. The Semantic Kernel allowlist fix, OpenAI's Lockdown Mode concession, the cross-vendor hijack of Claude Code, Gemini CLI, and Copilot, and the four questions to ask any vendor whose AI makes tool calls for you.

May 2026

Anthropic's Orbit Will Read Your Email Without Asking. Should You Let It?

Claude Cowork went GA in early May. Orbit, Anthropic's proactive briefing tool, launched May 6 at Code with Claude. It auto-reads Gmail, Slack, GitHub, Calendar, Drive, and Figma without prompting, and the audit-log gap that already shipped with Cowork is unchanged after the launch. Five questions to ask before granting Orbit access to your accounts.

May 2026

MCP Just Had Its First Design-Level CVE. Here's What 7,000 Servers Are Actually Built On.

CVE-2026-30623 is an architectural command-execution vulnerability in Anthropic's official MCP SDK. Anthropic's public position is that the behavior is expected. Plus CVE-2026-25536 cross-client data leak in the TypeScript SDK, and the downstream CVE cluster (Inspector, LibreChat, WeKnora, Cursor) showing the cost of that framing. Four questions to ask any vendor whose product touches MCP.

May 2026

ClawHavoc: How an AI Agent's App Store Got Poisoned With 1,184 Pieces of Malware

From January through February, attackers uploaded 341 to 1,184 malicious skills to OpenClaw's ClawHub marketplace, reaching ~300,000 users. Payload was Atomic macOS Stealer. Newer audits flag 7.6% of the 31,000+ catalog as dangerous. OpenClaw shipped a May 15 security roadmap in response. The trust-policy gap, the password-dialog social-engineering wrinkle, and the practical hygiene checklist.

May 2026

Colorado's AI Law Was Stayed, Repealed, and Replaced in 16 Days. The DOJ Signal, the New Regime, and What's Live in NC.

Between April 28 and May 14: federal magistrate stayed SB 24-205, legislature passed SB 26-189 to replace it (Senate 34-1, House 57-6), Governor Polis signed it. New effective date January 1, 2027. The DOJ's first-ever intervention in a state AI case is the federal signal worth watching, and North Carolina's HB 462 / EO 24 / pending deepfake bills are unchanged.

May 2026

Your Small Business Is Already Running AI You Don't Know About

The enterprise coverage of shadow AI assumes you have an IT department. You don't. 45% of US workers use AI at work without telling employers, 1,768 files uploaded across 20 small-business environments in a single month, only 14.4% of agents go to production with full security approval. The five-step audit any owner can run this week.

May 2026

Anthropic Just Started a Consulting Firm. Here's What It Means for Mid-Market Tech Decisions.

On May 4, Anthropic announced a $1.5 billion AI services joint venture with Blackstone, Hellman & Friedman, and Goldman Sachs to embed engineers inside mid-size companies. The trade-offs that don't show up in the press release, and the five questions any owner should ask before signing with anyone.

April 2026

The AI Subscription You Bought for Your Business May Not Cover the Tools You're Actually Using

On April 4, Anthropic re-priced how third-party AI tools consume subscriptions. The real cost multiple (5x to 25x per Anthropic's own framing), the carve-out that matters, the PwC study most vendors are ignoring, and the five-step response for small businesses.

April 2026

Nine Ollama Cloud Models Walk Into an Ops Group: A Reliability Trial

A weekend reliability trial of 9 hosted LLMs running a real operator shift. Seven passed. Zero hallucinations. Three came out Tier 1. Full scorecard, three measurement axes that matter more than latency, and a reproducible methodology bundle.

April 2026

AI Agents Just Got Their First Real Security Holes. If You're Running One, Read This.

Microsoft's MCP server shipped with no auth. Claude Code's safety rails turned out to be bypassable. Prompt injection attacks are up 340%. Here's what April 2026 told us about AI agent security, and what a small business should do about it.

April 2026

40% of Small Businesses Will Have an AI Agent by December. Most Will Deploy Wrong.

Gartner says 40% of SMBs will have at least one AI agent by end of 2026. Microsoft and MYOB just signed a 5-year deal to put agents into small-business accounting. Here are the five common mistakes, and the five-step playbook that separates the deployments that pay for themselves from the ones that don't.

March 2026

AI Phone Calls Can Cost You $1,500 Each If You Do Them Wrong

AI voice tools are powerful, but the FCC ruled AI-generated voices are "artificial" under federal law. One wrong campaign could cost your business thousands. Here's what's legal, what's not, and how to use AI voice the right way.

March 2026

Your Gmail Address Is Costing You Jobs

85% of customers trust a business more when the email looks professional. Emails from free accounts are 35% more likely to be ignored. Here's what your email address is really saying about your business, and what to do about it.

March 2026

The OpenClaw Ecosystem in 2026: Tools Worth Knowing About

OpenClaw spawned an entire ecosystem in four months. Security layers, lightweight alternatives, workflow integrations, personality tools. Here's a practical guide to what exists, what's worth using, and what's just hype.

March 2026

NemoClaw vs DefenseClaw: Two Approaches to Making OpenClaw Safe

NVIDIA sandboxes the agent at the kernel level. Cisco scans everything it touches before it runs. Both launched in the same week. Neither is production-ready. Here's what each does, where they fall short, and what it means for your business.

March 2026

OpenClaw + n8n: The Hybrid Architecture for Production AI Agents

OpenClaw reasons. n8n executes. Together they create AI agents that are powerful, auditable, and safe, with your AI never touching a single password. Here's the "brain and hands" architecture, what it costs, and why it needs expert setup.

March 2026

OpenClaw Security: What CTOs Need to Know

104 security advisories in four months. A plugin marketplace that's 20% malicious. 220,000+ instances exposed to the internet. If your business uses OpenClaw, or your employees do, here's what's at stake and what to do about it.

March 2026

AI for Your Business: The Real Cost of Doing It Yourself

80% of AI projects fail. The business case is real, but doing it yourself means 80-140 hours, a 20% ChatGPT hallucination rate, and security risks that start the day you stop updating. Here's the honest math on your options.

March 2026

The Small Business Case for Local AI Inference

Cloud AI APIs can cost $630-$5,000+ per month for multi-agent systems. A $2,000 Mac Mini pays for itself in 3 months. Here's the math, the quality trade-offs, and the hybrid approach that gets you 98% of cloud quality at 40% of the cost.

March 2026

Why Apple Silicon Is the Best Value for Local AI

A $2,000 Mac Mini M4 Pro can run AI models that would cost $5,000+ in NVIDIA GPU hardware. Unified memory changes the math completely. Here's the technical advantage explained simply, and which Mac to buy for your workload.

March 2026

How Much Are Missed Calls Costing Your Business?

Service businesses lose $50,000-$126,000 a year to unanswered calls. 85% of callers who reach voicemail never call back, and 62% immediately call a competitor. Here's the math, and what a $200/month fix looks like.

March 2026

The Solo Operator's Tech Stack: What You Actually Need

You're the plumber, the scheduler, the bookkeeper, and the marketing department. Here are the five tools that handle 80% of the admin, for less than $500 a month total.

March 2026

5 Quick Wins Every Established Business Should Do This Month

AI phone answering. Google Business Profile optimization. Automated appointment reminders. Digital invoicing. Review collection. Each takes less than a week to set up and starts paying for itself immediately.

March 2026

What "Cybersecurity" Actually Means for a Business Your Size

You're not a bank. You don't need a SOC. But you handle credit cards, home addresses, and financial data. Here's what actually matters, and what you can set up in an afternoon.

March 2026

How AI Can Actually Help Your Business (Not the Hype Version)

AI isn't just for tech companies. From answering phones and scheduling appointments to analyzing your busiest days and most profitable services. Here's what's real, what it costs, and where to start.

March 2026

Your Business Runs on Spreadsheets. Here's What Comes Next.

Spreadsheets got you here. But when customer info lives in filing cabinets, scheduling is on a whiteboard, and invoices take a week, there's a better way that doesn't require ripping everything out.

March 2026

What AI Agents Actually Do For Small Businesses (And What They Cost)

AI agents aren't chatbots. They're specialized workers with defined roles, operating 24/7 inside your business on your hardware. Here's what they cost, what they can't do, and who they're for.

More articles coming soon. Follow me on LinkedIn for updates.

From the Virtus Cyber Desk

Research and field guides from my cybersecurity practice, Virtus Cybersecurity, and the Virtus Cyber Academy. Chosen for this audience, hosted there, introduced here.

Virtus Cybersecurity

A Four-Layer Defense Stack for AI Agent Prompt Injection

I write here about why patching prompt injection isn't enough. My research arm put that to the test: a layered defense run against 198 injection attempts across 22 attack types and 9 AI models, and zero got through. If you're putting an AI agent anywhere near customer data, this is the architecture that holds, and the proof that one guardrail never will.

Read the full research at Virtus Cybersecurity.

Virtus Cybersecurity

OT/SCADA Security for Small Manufacturers

Moore County has real manufacturing, and most small shops run equipment that was never meant to touch a network but now does. This playbook is written for that owner: grounded in 2025 incident data, light on jargon, with five things you can do this month.

Read the full playbook at Virtus Cybersecurity.

Virtus Cybersecurity

Auditing an MCP Server Before You Trust It With Production Access

Every AI tool that "connects to your systems" is asking for the keys to something. MCP is the plumbing behind those connections, and most owners grant the access without vetting what's on the other end. This playbook is the pre-flight checklist: what to inspect, in what order, before an AI integration touches production.

Read the full playbook at Virtus Cybersecurity.

Have a question about your business technology?

I write about what I see working for real businesses. If there's something you're dealing with, let me know. It might become the next article.
