"Which AI should we use?" is the most common question we field from business owners right now. It is closely followed by, "and how do I know it is safe?"

The market has gone from a handful of recognisable names to hundreds of tools in two years. ChatGPT, Claude, Gemini, Microsoft Copilot, Perplexity, and a long tail of niche products. Each has a free tier, a paid plan, a "business" plan, and an enterprise version. Each one claims to be the right answer. For a business owner without time to evaluate every one, the noise is genuinely overwhelming.

This article is a guide to cutting through it. The conclusion up front: the question is less about which AI and more about who decides for your business, because if you do not decide, your team already has.

The risk of doing nothing

If your business has not set an AI strategy, your team almost certainly has, informally, and probably without telling you.

Tech-savvy staff do not wait for permission. They sign up for a free ChatGPT account with their work email, or a personal one, and they start pasting in things: draft client proposals, financial extracts, meeting notes, contracts, sometimes whole spreadsheets. They do it because the tool is good and it makes their work easier. They are not trying to do anything wrong.

The problem is structural, not personal:

  • Free tools usually train on your prompts. Most consumer-grade AI tools have an "opt out of training" setting buried in their privacy options. Default is opt-in. Whatever your team pastes in becomes part of the future training corpus unless that setting is changed.
  • Personal paid subscriptions hide the data from you. If a staff member pays for ChatGPT Plus or Claude Pro on a personal account and uses it for work, the prompts and outputs live in that personal account. You cannot see them, you cannot audit them, and you cannot recover them.
  • When the staff member leaves, the data leaves. Every prompt they put through their personal account walks out the door with them. So does any insight, summary, draft, or playbook they built up over months of use. From the business's perspective, that work product never existed.

This pattern has a name in the industry: shadow AI. It is the AI version of the old "shadow IT" problem: staff using unsanctioned tools because the sanctioned ones do not exist or are too slow to arrive. It is one of the fastest-growing data leakage vectors of the last two years.

Take the lead, then choose the tool

The instinct of many business owners, when faced with shadow AI, is to ban it. "No AI tools until we have a policy." This is well-intentioned and almost always counterproductive. Staff find workarounds. You lose the productivity opportunity. And you teach the team to hide what they are doing from you, which is a worse outcome than what you were trying to prevent.

The right move is the opposite. Give your team a sanctioned, safe option before they reach for an unsanctioned one. Strategy first, tool second.

A workable AI strategy for a 10-to-40 staff business does not need to be a 40-page document. It needs to answer five questions:

  1. Who can use AI? Everyone, or specific roles? Reviewed approvals or self-service?
  2. What data is allowed? Public information only? Internal documents? Client data? Financial information? Be specific.
  3. Which tools are sanctioned? Pick one or two, get business-grade subscriptions, deploy them. Everything else is out of scope.
  4. What gets reviewed? AI-generated client communications? Code? Contracts? Define the checkpoint.
  5. What is explicitly prohibited? Personal AI accounts for work data. Pasting client information into free tools. Specific use cases that need a human in the loop.

Document it. Communicate it. Review it quarterly. That is the whole strategy. The hard part is not writing it; the hard part is choosing to actually do it instead of waiting for the picture to settle (it will not settle).

The right AI depends on the job

There is no single "best" AI tool. The right tool depends on what you are trying to do:

  • General writing and research assistance: ChatGPT, Claude, and Gemini are all credible. Pick one with a business plan and standardise.
  • Working with your own files and data: Microsoft 365 Copilot if you are on M365. It can read your SharePoint, OneDrive, Teams chats and emails (subject to your existing permissions). External tools generally cannot do this safely.
  • Customer-facing chatbots or automations: Microsoft Copilot Studio, Azure OpenAI, or similar business-grade options. Not a consumer chatbot.
  • Code generation and developer tools: GitHub Copilot, Cursor, or similar. Different category, different risk profile.
  • Specialised tasks (transcription, image generation, legal research): purpose-built tools per job, evaluated individually.

The fit between the job and the tool matters more than picking the "best" AI overall. A business that picks the right tool for its most common use case, locks in a business-grade subscription, and trains its team on it will outperform a business that has every tool available but no clear sanctioned path.

Why Copilot for Microsoft 365 is the obvious starting point

If your business is already on Microsoft 365, and most professional services businesses we work with are, Microsoft 365 Copilot is almost always the right first sanctioned tool. Not because it is the most capable model on every benchmark (it is not), but because of how it handles the things that matter to a business:

  • It works inside your existing tenant. Prompts and outputs stay within the same Microsoft 365 environment that already holds your email, files, and Teams chats. No new platform to vet.
  • It respects your existing permission model. If a user cannot see a file in SharePoint, Copilot cannot reference that file in its answer for them. The security boundary you already have is the security boundary Copilot uses.
  • Your data is not used to train the foundation models. Microsoft's enterprise data protection commitments apply to Copilot for M365. The data your team puts in stays your data.
  • It is integrated with the apps your team already uses. Outlook, Word, Excel, Teams, PowerPoint. Most use cases need no new tool to learn, just a Copilot button inside an app the team opens every day.
  • You retain audit and governance. Microsoft Purview gives you visibility into Copilot interactions, the same way it does for the rest of M365.

For most of the businesses we work with, the right pattern is: sanction Microsoft 365 Copilot as the default. Allow a second sanctioned tool (often ChatGPT Team or Claude for Business) for use cases Copilot does not cover well. Prohibit everything else for work data. Train the team. Review in six months.

What "safe" actually means

When clients ask "is it safe?", four things sit behind that question. Worth being precise about each:

  • Data residency and retention. Where does your prompt and the response live? Who controls how long it is kept? With a business subscription on your tenant, you decide. With a personal account, the vendor does.
  • Training data use. Is your data used to improve the model? Enterprise plans almost always say no. Free plans almost always say yes, unless you opt out (and the opt-out is buried).
  • Permission inheritance. Does the AI know who in your business is allowed to see what? Copilot does, because it inherits your Microsoft 365 permissions. Most external tools have no way to know.
  • Audit and logging. Can you see who asked what, and what came back? For regulated industries this is non-negotiable. For everyone else it is best practice once a tool is deployed at scale.

A practical first move

If this article has surfaced more questions than answers, you are in the same place as most business owners we talk to. The practical first move is small and useful:

  1. Audit current AI use. Ask your team, no judgement, what tools they are using and what for. You will likely be surprised by both the variety and the volume.
  2. Pick one sanctioned tool for your most common AI use case. For M365 customers, that is usually Copilot for Microsoft 365.
  3. Write a one-page AI use policy. Who, what, which tools, what gets reviewed, what is prohibited. One page.
  4. Roll it out, train the team, monitor, iterate. The strategy is a living document, not a final answer.

The businesses that are getting the most out of AI right now are not the ones with the most tools. They are the ones who decided early, picked deliberately, and gave their teams a clear sanctioned path. That is a choice you can make in the next 30 days. The longer it is left, the more shadow AI fills the gap.

The takeaway: the question is not "which AI is best?" It is "which AI have we chosen, why, and what do we do about the rest?" Decide before your team does.