Topic · AI security for small teams
Practical agent security without an IT department — non-human identity, shadow-AI audits, kill-switches, and tool-memory hygiene for small teams.
What survives review
- AI-generated fraud is now aimed at small businesses, and the defense is procedural, not technical — Holding · OPS-104
- Calendar phishing and ClickFix: the June advisory, read for small teams — Holding · OPS-097
- Your AI coding tool can hand over your keys: the 15-minute check after TrustFall and SymJack — Holding · OPS-088
- If You Vibe-Coded an App, Assume the Database Is Public — Holding · OPS-082
- The kill-switch for a 5-person team: how to turn off an AI agent when it goes wrong, with no IT department — Holding · OPS-078
- Agent memory for small teams: what your AI tools remember across clients, and the 30-minute hygiene routine — Holding · OPS-079
- Your AI assistants already have identities. They just don't have yours. A 5-step NHI starter kit for 5-15 person teams — Holding · OPS-074
- Three signs your small team has approved-tool, unapproved-capability shadow AI. Plus the 60-minute audit that catches it — Holding · OPS-075
- Picking an agent protocol when you are a 6-person agency: MCP, A2A, Llama Stack, and the rule that keeps your tool inventory portable — Holding · OPS-076
- Windsurf and MCP advisories hit the IDEs your team already runs: the May 2026 small-agency playbook — Holding · OPS-067
What has broken
Nothing has moved to Partial or been retired in this topic yet.
Spoke articles
- AI-generated fraud is now aimed at small businesses, and the defense is procedural, not technical
Voice cloning, deepfake video calls, and convincing fake-supplier emails have moved fraud from a spray-and-pray nuisance to a targeted threat a small business without an IT or finance team is squarely exposed to. The defenses that work are not tools. They are two habits: verify any payment or bank-detail change by calling a number you already had, and require a second person to approve money movements.
- Calendar phishing and ClickFix: the June advisory, read for small teams
Google's 8 Jun advisory names two scam patterns aimed at exactly the surfaces small teams automate: calendar invites and browser pop-ups. The fixes are free and take an afternoon.
- Your AI coding tool can hand over your keys: the 15-minute check after TrustFall and SymJack
In May 2026 researchers showed that opening the wrong code repository in Claude Code, Cursor, Gemini CLI, or GitHub Copilot can hand an attacker your SSH keys and cloud credentials, in some cases from a single approval tap. If you are a solo developer or a small agency that runs an AI coding assistant on the same laptop that holds your client deploy keys, this is your problem more than the enterprise's, because you have no security team standing between the booby-trapped repo and your secrets. Here is the 15-minute check to harden your setup this week.
- If You Vibe-Coded an App, Assume the Database Is Public
Security researchers spent the spring scanning apps built with no-code AI tools. One scan of roughly 380,000 publicly reachable apps found around 5,000 actively leaking sensitive data. If you built a customer-facing app by describing it to an AI and never had the security checked, the safe assumption this weekend is that your database is reachable from the open internet until you prove otherwise. Here is the 30-minute check.
- The kill-switch for a 5-person team: how to turn off an AI agent when it goes wrong, with no IT department
When your self-built or vendor agent does something wrong on a Friday, can you actually stop it before Monday? For most 1-15 person teams, no. There is a pause button somewhere and a revoke step somewhere else, and almost no team has written down where they are before they need them. This is the no-IT-department containment routine: the per-tool runbook, the 30-minute Friday drill, and the rule that pause is not the same as revoke.
- Agent memory for small teams: what your AI tools remember across clients, and the 30-minute hygiene routine
The memory features in ChatGPT, Claude, Notion AI, and your customer-service bot can carry context from one client into work for another. Most small teams have never checked what their tools retain across engagements. The 30-minute routine below uses settings the tools already ship, no new software required, to bring the team to a defensible client-confidentiality posture on memory.
- Your AI assistants already have identities. They just don't have yours. A 5-step NHI starter kit for 5-15 person teams
If your small team is running Claude Code, Cursor, Windsurf, a customer-service bot, or any internal automation that calls a SaaS API, each of those is a non-human identity acting in your environment. Most 5-15 person teams have one personal API key per founder being shared across three or four AI tools, no rotation cadence, and no plan for what happens when someone leaves. The five-step starter kit below brings the team to a defensible posture in three hours of work, no CyberArk budget required.
- Three signs your small team has approved-tool, unapproved-capability shadow AI. Plus the 60-minute audit that catches it
You approved Notion for the team last year. You did not separately approve Notion AI agents reading from every page anyone on the team has access to. You approved Slack. You did not separately approve Slack AI summarising channels containing client conversations. You approved Microsoft 365. You did not separately approve Copilot Studio letting any team member build an agent against the tenant data. Three signs your 1-10 person team has this kind of shadow AI, and a 60-minute audit that catches it without buying new tools.
- Picking an agent protocol when you are a 6-person agency: MCP, A2A, Llama Stack, and the rule that keeps your tool inventory portable
If your small agency builds agentic features on paid client work, you are picking an agent protocol whether or not you call it that. MCP, A2A, and Llama Stack do not converge in 2026. Pick a default by reading the client's existing stack, not by picking the protocol you find most interesting. The rule that keeps your tool inventory portable across clients: build every tool as a plain HTTP service first, wrap it to the chosen protocol second. The wrapper is the disposable layer; the HTTP service is the asset.
- Windsurf and MCP advisories hit the IDEs your team already runs: the May 2026 small-agency playbook
Three CVE classes against AI-augmented IDEs landed in two weeks of May 2026. If your agency uses Cursor or Windsurf for paid client work, do this on Monday morning: pin the version, inventory the MCP servers, write the allowlist, disclose the AI use, set a 30-day check-in. Five steps, no IT team required, defensible to a client who asks how you handled it.
What we're watching next
Forthcoming content and open questions for this pillar will appear here on the next quarterly refresh.
Primary sources we trust for this topic
A curated list of primary research, regulator guidance, and vendor documentation for ai security for small teams. Populated on the quarterly refresh — not a link dump, not competitors.
This pillar page is refreshed quarterly. Last refresh: 19 Apr 2026. Next refresh: 18 Jul 2026.