AI Is Already Inside Your Building

Published by Nate Olson. Founder | Fractional IT Director & Virtual CIO, N.O. IT Strategy LLC

Table of Contents

Two things happening in AI right now that every business owner needs to understand.

One is already deployable in your environment today, and one just had its blueprints leaked to the entire internet.

Last week was a significant one in AI. Anthropic, the company behind Claude, had not one, but two major security incidents in the span of a few days. Internal documents, draft blog posts, and eventually the source code for one of their most important products all ended up publicly exposed.

Headlines followed. Stocks moved. And if you run a business, you may be wondering what any of this actually means for you.

Here’s the honest answer.

What Happened – The Short Version

Incident one:  A misconfigured content management system left thousands of Anthropic’s internal files publicly accessible, including a draft blog post announcing a new AI model called Claude Mythos, described internally as the most powerful AI they’ve ever built, with “unprecedented cybersecurity risks.“.

Incident two: A few days later, Anthropic pushed a software update to Claude Code, their AI-powered coding tool and accidentally bundled nearly 2,000 internal source files and over 512,000 lines of code into the package. The full architectural blueprint of the product, sitting in a public software repository. A security researcher caught it within hours. It was viewed over 30 million times on X before Anthropic scrambled to issue takedown requests.

Their statement both times: human error, not a security breach.

That’s technically accurate. And it’s exactly the problem.

Threat One: The Tool Already on Your Network

Claude for Desktop will attempt to install with full features, but if a user denies or lacks admin rights, it offers to install anyway, just without the desktop automation layer. The core AI tool still lands on the machine. No IT ticket required. They can have it running in about three minutes.

Once installed, it can access local files, connect to local applications, and execute tasks autonomously. It’s not spyware. It’s not malware. But it is a powerful AI agent operating on your network with whatever access that user has.

Most IT environments have no visibility into this. No alert fires. No approval gets triggered. It just runs.

This is shadow IT at a new level and it’s happening right now in businesses across every industry.

Threat Two: What’s Coming

The leaked Anthropic documents describe Claude Mythos as a “step change” dramatic improvements in coding, reasoning, and cybersecurity. Their own draft warned it poses “unprecedented cybersecurity risks.”

We don’t know exactly what that means yet. Neither does anyone else outside Anthropic. But we do know that the source code for their current flagship AI coding tool is now sitting in the hands of every competitor, researcher, and bad actor who downloaded it before the takedown requests went out.

That’s not a theoretical risk. That’s the current state of play.

What This Means for SMBs Right Now

You don’t need to panic. You do need to pay attention.

Here’s where to start:

Know what’s running on your network. If your team has personal or company machines without endpoint visibility, you may already have AI tools operating that you don’t know about. That’s a governance gap, not a technology gap.

Have an AI usage policy. Not a 20-page document. A clear, simple statement of what your team can and can’t put into AI tools; trade secrets, client data, financial information, personal information. If you don’t have one, your employees are making that call on their own.

Understand your MFA posture. This is where it gets practical.

One Thing You Can Do Right Now

Most businesses are running SMS-based MFA, a text message with a code. It feels secure. It’s better than nothing. But it’s interceptable, it’s phishable, and as AI-assisted attacks get more sophisticated, it’s increasingly the weakest link.

There’s a better option available right now, at most price points.

Phishing-resistant authentication: Windows Hello for Business, hardware security keys like YubiKey, ties your login to a physical device or biometric. There’s nothing to intercept. There’s no code to steal. Even a sophisticated AI-assisted attack can’t phish something that was never transmitted.

This isn’t a futuristic upgrade. It’s available today. And it’s one of the most meaningful security improvements most SMBs can make.

The Bottom Line

The most safety focused AI company in the world just had two major human-error exposures in one week. Not because they were hacked. Because humans make mistakes, even at companies with the best intentions and billions in funding.

Your business runs on humans too. The question isn’t whether AI is coming. It’s whether you have the governance and security posture in place when it arrives.

If you want to know where your business stands, let’s talk.

N.O. IT Strategy LLC | Nate Olson, Fractional IT Director & vCIO | noitstrategy.com Strategic Briefings are published for informational purposes. Content reflects the author’s independent analysis.