Insider misuse of AI: when approved tools help dishonest work

← Series introduction Article 13 of 13

The risky moment can look like a clean handoff.

A sales manager asks the company's approved AI assistant to summarize active accounts, renewal dates, pricing history, decision-makers, objections, and open follow-ups. The request sounds normal. Sales leaders prepare handoff notes all the time.

The same summary can also become a portable client playbook.

Insider risk existed before AI. What changes is the amount of effort required. AI can turn scattered CRM entries, emails, proposal notes, pricing sheets, and customer history into a clean package in minutes. The tool may be approved, the user may have legitimate access, and the work may look like normal productivity until the business understands the intent.

What the risk is

This risk is staff using approved AI tools to take company information out of the business, fabricate records, impersonate people, bypass business controls, inflate activity, or create a plausible cover story for misconduct.

The approved AI tool already supports legitimate work:

Summarizing accounts.
Drafting client emails.
Cleaning up CRM notes.
Preparing handoff documents.
Reviewing expense details.
Rewriting messages into a more professional tone.
Turning scattered information into a clear plan.

That is what makes this risk hard to spot. The audit log may show an approved user, using an approved AI tool, against data the user could normally access. The difference is intent, and intent is usually invisible in the tool log.

Common patterns include:

Exit theft: a departing employee uses AI to summarize client lists, pricing, renewal dates, and decision-maker relationships into portable form.
Fabrication: AI helps create fake receipts, references, resumes, delivery notes, customer approvals, or other business records.
Impersonation: AI drafts messages that sound like a manager, vendor, customer, or colleague.
Control evasion: AI rewrites questionable activity into softer, more legitimate-sounding language.
KPI inflation: AI generates plausible customer notes, follow-ups, or support interactions to make activity metrics look better than they are.
Cover for misconduct: AI drafts the CRM update, customer note, follow-up email, or internal explanation that makes the activity look routine.

This is separate from Phishing and payment fraud and Voice and video impersonation, where an external attacker uses AI to deceive the business. Here, the person is inside the business and has legitimate access.

It is also separate from confidential data entering AI and When AI sounds right but is wrong. Those articles cover accidental data exposure into AI and wrong AI output. This article covers intentional misuse of an approved tool.

How it happens in a normal SMB

A sales manager at a 60-person Alberta industrial services company has accepted a job with a competitor. She has not resigned yet.

Her access still looks normal. She can open the CRM, shared proposal folders, pricing sheets, customer email history, and renewal trackers. She needs that access for her role, and nothing about it looks unusual by itself.

The company has approved an AI assistant for productivity work. Staff use it to summarize account history, draft customer emails, clean up CRM entries, and prepare internal handoff notes.

The manager starts with a reasonable request:

Prepare transition notes for my active accounts, including open issues, renewal timing, pricing history, key contacts, decision-maker preferences, and likely next steps.

The AI assistant turns scattered CRM fields, old email threads, proposal notes, renewal dates, and service complaints into clear account briefs. The output is useful. It is also much cleaner than the raw data.

The manager keeps going. She asks the AI to group accounts by renewal window, pricing sensitivity, relationship strength, and competitor mentions. She asks it to identify customers that may be open to a new provider. She asks it to turn the summaries into a territory plan.

The AI has no way to know the purpose changed. It is doing approved summarization work against data the manager can access.

The manager also uses AI to make the activity look ordinary. It drafts CRM updates that sound like pipeline cleanup. It writes short internal notes explaining why files were exported. It prepares polite handoff messages that make the account summaries look like responsible transition work.

A week later, she resigns.

The outreach lands close to renewal dates, references service frustrations that were never public, and shows unusual awareness of pricing pressure. The owner asks how the competitor knew so much.

The investigation is frustrating. There is no malware, no strange login from overseas, and no obvious compromised account. The logs show the former manager using approved systems and the approved AI assistant before resignation. They show account summaries, CRM updates, and file access from a user whose job required customer access.

The business can see activity. It struggles to prove purpose, scope, and whether the AI summaries were used outside the company.

The failure path

The failure path looks like this:

A staff member has legitimate access to company information.
The business has approved AI for normal productivity work.
The staff member's intent changes because of resignation, conflict, pressure, fraud, or personal gain.
The staff member uses AI to summarize, repackage, rewrite, fabricate, impersonate, or explain activity.
The output looks like ordinary work product: account briefs, CRM notes, expense explanations, customer messages, or handoff material.
The audit trail shows approved users, approved tools, and data the person could normally access.
The business discovers the issue through client loss, record mismatch, suspicious timing, a complaint, or a later investigation.
The investigation has to separate legitimate productivity work from preparation for theft, fabrication, impersonation, or cover-up.

Tool approval answers one question: whether the software belongs in the business. Intent, authorization, and role fit still have to be judged from access, behaviour, timing, and business context.

Business consequence

The first consequence is loss of business control over client intelligence.

In the sales-manager example, the customer list is only one part of the value. The useful material is the interpretation: renewal timing, relationship history, price sensitivity, decision-maker preferences, open complaints, service weaknesses, and likely next pitch. AI makes that interpretation easier to create, cleaner to carry, and harder to distinguish from legitimate handoff work.

Other consequences depend on the misuse:

Customer loss when a departing employee uses AI to prepare a competitor-ready account playbook.
Pricing damage when renewal dates, discount history, margin pressure, or negotiation weaknesses are summarized for outside use.
Record integrity problems when AI-generated CRM updates, delivery notes, approvals, receipts, references, or activity notes enter business systems.
Internal confusion when managers cannot tell whether records were created from real activity or generated after the fact.
Fraud exposure when AI helps fabricate expense details, supplier explanations, applicant material, or customer approvals.
Impersonation harm when staff use AI to draft messages that appear to come from a manager, customer, vendor, or colleague.
Investigation cost when the business has to reconstruct intent from logs that show ordinary access and approved AI usage.

The evidence problem is serious. The business may know that an employee summarized accounts, exported documents, or drafted messages while still lacking the details that matter: which AI outputs were copied elsewhere, which drafts became external messages, which records were fabricated, or whether the employee used personal devices or personal accounts after creating the summaries.

That ambiguity matters in disputes with former staff, new employers, customers, insurers, and lawyers. The company may believe misconduct occurred and still struggle to show exactly what happened.

Controls that interrupt the failure path

The first control is to treat AI approval as a software decision, then govern use through access, behaviour, and records.

An approved AI tool still needs access rules, behaviour monitoring, record controls, and exit procedures. The tool can be legitimate while a specific use violates company rules.

Start here

Define prohibited AI uses plainly: removing company information, fabricating records, impersonating people, bypassing controls, inflating activity metrics, or creating cover for misconduct.
Limit bulk export and mass summarization of client, pricing, HR, payroll, finance, legal, and confidential business data to roles with a clear need. Mass summarization includes requests such as summarizing all active accounts, all renewal opportunities, all payroll records, or all pricing files.
Review unusual patterns: many account summaries in a short period, access outside normal accounts, bulk exports before resignation, after-hours file activity, or AI prompts that package large sets of business records.
Make notice-period access review a written procedure. When someone resigns or moves out of a high-risk role, review their access, exports, sharing links, AI usage, and recent activity.
Separate read access from export authority where the system allows it. Staff may need to read customer records without having broad ability to export, summarize, or share entire account sets.
Preserve logs early when insider misuse is suspected: AI activity, CRM changes, file access, sharing links, mailbox activity, downloads, and device activity.
Verify critical records at the source. Receipts, customer approvals, references, delivery confirmations, and HR documents should be checked against the original system or person when the consequence is material.

Add where needed

Use DLP or alerting for outbound client lists, account summaries, pricing files, renewal trackers, and other high-value business records.
Monitor high-risk roles more closely: sales, finance, payroll, HR, executive support, operations leadership, and staff with broad client access.
Require manager approval for mass account summaries, bulk exports, or AI-generated handoff packages that cover many customers.
Review access by territory, client assignment, matter, or department so role changes remove broad historical access.
Disable personal cloud sync, unmanaged file sharing, and personal email forwarding on devices that handle confidential business records.
Use consistent naming for AI-generated summaries so legitimate handoff work is easier to identify later.
Include AI-generated records in ordinary audit checks for expenses, CRM activity, delivery notes, approvals, and customer communications.

The control should focus on behaviour and access. A tool log may show that a sales summary was created; the surrounding pattern shows whether it was normal handoff work or part of a competitor move. Timing, volume, access scope, export path, role change, and later customer activity all matter.

Because most staff use AI honestly, added review should follow the company's written procedure and attach to role risk, access level, notice periods, unusual volume, or specific investigation triggers.

Policy rule this creates

Rule 13 of 13

Staff are prohibited from using AI tools to remove company information, fabricate records, impersonate staff, vendors, or customers, bypass business controls, inflate activity metrics, or create misleading explanations for business activity. AI usage by staff in notice periods, role transitions, or high-risk roles will be reviewed where required under the company's written access and activity-review procedures. Bulk export, mass summarization, unusual record creation, and unusual access patterns must be reviewed regardless of which tool was used. Company rules for confidentiality, records, access, and honest conduct continue to apply when AI is involved.

Common questions about insider AI misuse

The questions that come up most often when a business starts working out how to keep the AI tools it has approved from becoming a packaging tool for departures, fabrication, or impersonation.

We trust our people. Isn't 'insider AI misuse' just paranoia we don't need?

Most staff use AI honestly, and the controls in this article are not about treating any individual employee as a suspect. What has changed is the effort required: turning scattered CRM entries, pricing history, customer notes, and renewal dates into a portable client playbook used to take hours of manual work, which was an implicit barrier that no longer exists once AI can do the packaging in minutes. Small businesses are exposed because they have no dedicated investigations team and usually discover misuse months later through customer reports or unusual competitor activity, with per-incident impact that can be severe because a competitor-ready customer playbook in the hands of a departing salesperson is rarely a recoverable loss for a small services firm. The shift the business needs is from trust in individuals to controls that attach to role, timing, and pattern, because the prior 'this would take too long to do manually' barrier no longer applies in the same way.

What does insider AI misuse actually look like in a small company?

Insider AI misuse falls into four conceptual buckets that owners can hold in mind: taking, making things up, pretending, and bending the rules. Taking covers exit theft, where AI summarizes the customer list, pricing history, renewal dates, decision-maker preferences, and account context into portable form for a departing employee. Making things up covers fabricated receipts, manufactured customer approvals, AI-drafted reference letters for nonexistent suppliers, and CRM notes generated to look like real activity; pretending covers AI drafting messages that sound like a manager, vendor, customer, or colleague, which is the internal counterpart to voice and video impersonation by external attackers. Bending the rules covers AI rewriting questionable activity into innocuous-sounding language, inflating activity metrics with plausible-looking notes, or generating the explanation that makes a misstep look routine.

How do we tell legitimate handoff work from someone preparing to leave with our customer list?

Intent is invisible in any individual AI interaction, so the differentiator is the pattern of signals over time. The four cues that can justify a closer review are: unusual volume of AI summarization activity, scope expansion into accounts the person is not actively handing off, timing relative to role-change or performance context, and prompt-language evolution from 'summarize this account' to 'which customers might be open to a new provider' or 'group accounts by switching likelihood'. One of the sharpest signals is the last one: summarization prompts evolving into competitor-targeting language. None of these cues is conclusive on its own, but together they give the business enough signal to ask whether the AI activity still matches a clean transition or has expanded into competitor-targeting territory.

What's the difference between read access and export authority, and how does it help?

Many business systems can distinguish three different permissions that small businesses often grant as a single bundle: viewing an individual record, exporting a large set of records, and summarizing or analyzing a broad data set with AI. Read-only roles can do their day-to-day work (opening one account at a time, answering customer questions, updating notes on what they touch) without ever being granted broad export or bulk-summarization. Concrete places this distinction shows up include Salesforce role permissions, HubSpot user permissions, QuickBooks Online user roles, and the role-based controls in most CRM, accounting, and HR systems. Broad export and bulk-summarization is the permission that turns an ordinary role into a packaging tool for someone preparing to leave, so limiting it to roles with a clear need is the highest-leverage access control the business can apply.

When someone resigns or moves out of a high-risk role, what should we actually review?

Notice-period review should run as a written procedure on every departure or high-risk role transition, because making it standard practice for all leavers is what keeps the control compatible with honest staff dignity. The review covers what the person accessed during the notice period, what they exported or downloaded, what sharing links or external collaborators they added, what AI activity they generated (volume, scope, prompt patterns), and what mailbox-forwarding rules or auto-export rules they configured. The review also covers unusual after-hours or weekend activity preceding the change, because legitimate transition work typically happens during business hours alongside handoff conversations with managers and colleagues. The output is a documented summary the business retains in case something specific later turns up, kept on file for every leaver as part of standard procedure.

How do we watch the high-risk roles without making honest employees feel surveilled?

Effective monitoring attaches to role, timing, and pattern: the business watches for volume thresholds, unusual scope of access, after-hours or weekend activity, and bulk-export patterns. The high-risk roles to monitor more closely are sales, finance, payroll, HR, executive support, operations leadership, and any staff with broad client access; the monitoring focuses on changes in their normal activity patterns. Routine monitoring should not start by reading individual prompts or chat histories, because that damages staff trust and usually misses the broader misuse pattern in volume and scope. Prompt or content review should happen only under a written procedure, with a defined investigation trigger and appropriate HR or legal involvement.

How do we tell AI-generated records (fake receipts, fabricated CRM notes, manufactured approvals) from real ones?

Proactive detection of AI-fabricated records is genuinely hard, because a well-prompted AI can produce receipts, CRM notes, references, customer approvals, and HR documents that read as real and contain plausible details. The realistic control is source verification on the records whose consequence is material: receipts checked against the merchant, customer approvals confirmed with the customer directly by a separate channel, references called, delivery confirmations matched to logistics records, and HR documents verified against the originating system. Records that nobody ever cross-checks against the source are the ones AI fabrication exploits, because the audit process accepts the document at face value. This is the same source-checking discipline that catches wrong or mixed AI output in legitimate work, because verifying high-consequence records at the source catches both intentional fabrication and unintentional error.

What should our written AI policy say about prohibited uses?

The written policy should prohibit using AI to remove company information, fabricate records, impersonate people, bypass business controls, inflate activity metrics, or create misleading explanations for business activity. The operational point that the policy carries is that existing company rules about confidentiality, records, honest conduct, and access continue to apply when AI is involved, because AI does not create a loophole in any of those rules. The policy works in practice as a written reference for HR conversations, performance discussions, and (if needed) employment decisions taken to counsel; on its own the policy does not detect anything. The access, monitoring, and review controls described elsewhere in this article are what give the policy operational effect.

We suspect someone is using AI to prepare to leave or to cover up bad activity. What do we look at?

Early log preservation is the first move in suspected insider AI misuse, because many business systems overwrite or roll their audit data after a short period and the relevant evidence may be weeks to days from disappearing depending on the system. The logs to preserve are: AI activity (prompt history, summarization volume, the systems the AI accessed), CRM access and export records, file access and download logs, sharing-link creation, mailbox-forwarding rules and auto-export rules, mailbox export activity, device activity, and identity-provider sign-ins for the suspect window. Pull a window that starts from the earliest plausible signal (the new-job conversation, the performance issue, the unusual access pattern, the customer complaint) rather than only the past few days, because preparation often begins weeks before any visible event. Coordinate evidence preservation, access changes, and any employee confrontation with HR and counsel so the business does not destroy evidence, over-collect personal information, or compromise a later employment or legal process.

We just discovered a former employee took our client information using AI before leaving. What do we do?

When the business confirms that a former employee took client information using AI before leaving, the response becomes reactive incident management with confirmed facts to act on. Preserve all relevant evidence immediately: AI activity logs, CRM access and export records, file and email activity, sharing links, mailbox-forwarding rules, device activity, and identity-provider sign-ins for the suspect window, keeping the original logs intact in case the matter becomes litigation or law-enforcement evidence. Scope what was taken (which client records, which pricing data, which contact information, which strategy notes) and determine what was actually moved out of the business (downloaded, emailed, synced to personal cloud, copied to personal devices, or shared externally) versus what only appeared in AI summaries that may not have been carried out. Contain ongoing damage by closing the former employee's remaining access (any forgotten accounts, shared credentials, third-party integrations they could still reach, vendor portals where they were a contact), and consider whether client outreach should accelerate to put the business in front of the situation with affected customers. The same confidentiality exposure covered in confidential data entering AI applies here because confidential client information left the company, and the practical response treats the AI-generated summaries as if their contents are now in the hands of an unauthorized recipient. Notification, enforcement, and legal-action decisions about affected clients, the former employee, the new employer, regulators, insurers, or law enforcement depend on what was taken and how it was used, and stay with the owner and appropriate counsel.

One of 13 rules for your AI usage policy

The rule above is one of 13 that make up a working AI Usage Policy. The SMB AI Policy Builder walks you through the full set of decisions and produces the policy, working documents, and a 90-day implementation plan.

Launching soon. Join the waitlist to be notified.