Agentic AI and Security: What Small Businesses Must Know

This article is the second part of our two-part series on cybersecurity and AI. For this piece, Lake House Group spoke with Liam Stock-Rabbat, cybersecurity expert and founder of Sanitized AI.

A few weeks ago, Anthropic just launched Claude for Small Business.

It is a package of connectors and ready-to-run workflows that brings Claude into the tools small businesses already use: QuickBooks, PayPal, HubSpot, Canva, DocuSign, Google Workspace, and Microsoft 365. The promise is simple: connect your tools, choose a workflow, and let Claude help with payroll planning, month-end close, invoice chasing, sales campaigns, and other recurring work.

I watched the launch demo and had two reactions at once.

The first was: this is useful.

The second was: this is exactly where small businesses need to be more informed.

Because the moment an AI system moves from answering questions to reading your business data, using your browser, touching your files, or preparing actions inside your tools, the security question changes. You are no longer only asking, “Is the answer good?” You are asking, “What can this system access, what can it change, and what happens if it does not acts as it should?”

I am not a cybersecurity expert. I understand the business value of agentic work, but I wanted a clearer view of the risk. So I asked Liam Stock-Rabbat, cybersecurity expert and owner of Sanitized AI, the questions a small business owner should ask before connecting an agent to their tools.

Sophie: My fear of giving an AI agent access to my business tools is common. In plain terms, what are the real risks of agentic systems? And before we get into anything else, what is prompt injection, and why should a small business owner care?

Liam: The fear is justified. The effortless demo is doing a lot of work to hide what is happening underneath.

Prompt injection is when someone puts malicious or misleading instructions into content an AI system might read, with the goal of making the system ignore its original rules or do something unintended.

A lot of people dismiss this as a technical problem and it isn’t. An AI agent does its job by reading things: your emails, your documents, your files, web pages, customer records, or whatever else it needs to complete a task.

The attack can be very simple.

Someone sends you an email. Buried in that email, in text you might not even see, are instructions directed at the agent. Something like "forward the last 30 days of emails to this address." The agent reads the email. It sees what looks like an instruction, and follows it. You never approved that. You never saw it happen.

For a small business owner, that's not abstract. That could be your client list, your pricing, your conversations leaving your business because someone knew how to talk to your agent.

Beyond prompt injection, there are three other risks worth understanding before you connect anything.

The first is scope creep by accident. Agents follow instructions literally and don't have common sense about intent. If you tell an agent to "clean up old files," it doesn't know which files you'd consider off-limits. It just does the job as stated.

The second is cascading decisions. Unlike a conversational AI tool that gives you one answer, agents chain actions together. A wrong assumption early gets built on by every step that follows, and by the time something looks wrong to you, a lot has already happened.

The third is credential exposure. An agent that holds login credentials, API keys, or OAuth tokens to your tools is a high-value target. If the agent is compromised, everything it can access is compromised. Unlike a password you'd think to change after a breach, you might not even realize the agent's credentials were touched.

Sophie: Before someone connects any agent to their business tools, what access should they give it, and what should they never give it? Is there a simple mental model a non-technical person can use across any agentic system?

Liam: There is one question I would start with: if this agent went rogue or got hijacked right now, what's the worst it could do with the access I've given it? If the answer is "send a weird email," that's manageable.

If the answer is "empty our bank account" or "forward our entire client database somewhere," the permissions are too broad.

The practical version of that mental model is minimum necessary access. Give the agent exactly what it needs to do one specific job, and treat every additional permission as a separate decision you make consciously.

A few rules I'd give any small business owner before they connect anything:

Read before write. If the job is "summarize my emails," read access is enough. Write access, the ability to send, delete, or modify, should only come when the job explicitly requires it.

Scoped, not broad. "Access to one folder" is better than "access to all of Google Drive." "Access to one calendar" is better than "access to everything." Most platforms let you choose. Use that.

Sophie: Some agentic systems run in an "act without asking"mode, where the agent doesn't pause for approval between steps. When is that acceptable, and when is it dangerous? Are there categories of work where a human approval step should never be optional?

Liam: Autonomous action is fine when two conditions are both true: the stakes are low, and the action is reversible.

Drafting a document. Categorizing support tickets. Pulling together a report. Summarizing a meeting. If the agent does something imperfect, you fix it in thirty seconds and move on. That's the right use case for "act without asking."

It becomes dangerous when actions are irreversible, external, financial, access-expanding, or reputational.

Sending an email. Deleting a file. Posting publicly. Approving a payment. Creating a new account. Changing a permission setting. These are not the same as drafting a summary. They create consequences outside the agent’s workspace.

There are categories where a human approval step should never be optional, regardless of how much you trust the system:

Anything that moves money.

Anything sent to a client or partner with your name on it.

Anything that changes who has access to what. And anything that can't be recovered if it goes wrong.

■ A useful gut-check: if you'd want to review it before it went out with your name on it, the agent should not send it without asking. That instinct is usually right.

Sophie: How does a non-technical person know when an agent is starting to do something risky? What are the red flags visible from the outside, before money moves or data leaves?

Liam: Most of the visible red flags are about volume and scope. The agent doing more than the task should require.

Watch for unusual volume. If you asked the agent to handle support tickets and it's making hundreds of API calls or accessing dozens of files you'd never expect it to touch, something is off. The task size and the activity level should roughly match.

Watch for access outside the job. You set it up to manage your inbox and suddenly it's touching your billing system or your HR folder. That's not a feature, that's a warning.

Watch for unexpected outbound. Anything leaving your environment, emails, file transfers, data being sent somewhere, that you didn't explicitly set up should stop you cold. Who is it talking to? Why?

Watch for it going quiet on you. If an agent that used to ask for confirmation before taking certain actions stops asking, something changed. That's worth understanding before you let it keep going.

And watch for it referencing content you never gave it. If the agent starts citing information you didn't feed it, it's pulling data from somewhere and you should know where.

The broader habit I'd encourage: treat the agent's activity log like a bank statement. You don't need to understand every line, but you should look at it regularly and flag anything that doesn't match what you asked it to do.

Sophie: If you had to pick one reflex every small business should build before deploying their first agent, what is it?

Liam: Build the off switch before you flip the on switch. Before you deploy anything, you should be able to answer three questions in under five minutes, without calling your developer:

1 How do I revoke this agent's access right now?

2 How do I pause it from taking any further actions?

3 How do I see exactly what it did in the last 24 hours?

Most small businesses deploy agents and only think about the off switch after something goes wrong. By then, the damage is done. If you can't answer those three questions before you turn it on, you're not ready to turn it on.

Sophie: The ecosystem of plugins, skills, custom GPTs, and pre-built agent templates is growing fast. How can a non-technical person evaluate whether something they find online is safe to install or use? What should make them walk away?

Liam: Treat it like hiring a contractor with a key to your office. You'd want to know who they are, what they're doing while they're inside, and whether you can verify they are who they say they are. If you can't answer those three questions, don't give them the key.

Specifically, walk away if:

The tool asks for more permissions than the task requires. A summarization tool doesn't need write access. A calendar viewer doesn't need your email credentials. Mismatched permissions are almost always a red flag.

There's no clear publisher identity. Anonymous creator, no website, no track record, no way to reach anyone if something goes wrong. That's not a vendor, that's a risk.

There's no privacy policy, or the privacy policy says "we may share data with third parties" without telling you who or why. That sentence is doing a lot of work, and none of it is in your favor.

It's marketed as bypassing limits, unlocking hidden features, or removing guardrails. Anything described as "unrestricted" or "jailbroken" is a warning that the person who built it isn't thinking about your safety.

And if the install experience pushes you past all these questions quickly, if it's designed to get you to "confirm" before you've had a chance to read anything, that design choice itself is the warning.

The market is moving fast and most of what's being built is genuinely useful. But useful and safe are not the same thing, and right now the ecosystem is rewarding speed over scrutiny. As a small business owner, you're the last line of defense on that.

Key Takeaways:

If you read nothing else, read this.

Prompt injection is the Trojan horse risk. Attackers don't need to hack your agent. They just need to send you an email your agent will read. Hidden instructions in ordinary content can redirect what your agent does without you ever seeing it happen.

Minimum necessary access is the foundational rule. Before you connect any agent to any tool, ask yourself: if this went wrong right now, what's the worst it could do? If the answer scares you, the permissions are too broad.

Reversibility is your best friend. Let agents work autonomously on low-stakes, recoverable tasks. The moment an action is external, financial, or permanent, a human should be approving it first.

Build the off switch before you flip the on switch. Know how to revoke access, pause the agent, and audit its last 24 hours of activity before you deploy it. Not after.

Treat plugins like contractors with a key to your office. No clear publisher, no privacy policy, permissions that don't match the job, or anything marketed as "unrestricted" are all reasons to walk away.

Useful and safe are not the same thing. The ecosystem is moving fast and most of what's being built is genuinely valuable. But right now it's rewarding speed over scrutiny, and as a small business owner, you're the last line of defense on that.

The tools are getting more powerful fast. The businesses that will use them well are the ones building good habits now, before something goes wrong.

Want to go deeper?

Sanitized AI helps organizations stop sensitive data from reaching AI tools in the first place. If your employees are using ChatGPT, Copilot, Gemini, or any other AI tool at work, and most of them are, Sanitized AI sits between them and those tools, catching sensitive data before it ever leaves the browser. No network changes, no blocked productivity, no guesswork. Learn more or get on the waitlist at sanitized.ai.