CIO TechWorld

The Risk You Don’t See: Ungoverned AI Adoption in Organizations

Ungoverned AI adoption creates the same categories of risk whether you have 50,000 employees or 50.

by Chris Moschovitis, CEO & Cybersecurity Expert at TMG

Uber’s CTO admitted the company had burned through its entire 2026 artificial intelligence budget by April. The cost of ungoverned AI is huge for organizations. Microsoft canceled most of its third-party AI coding tool licenses, in part over runaway costs. At Amazon, some employees had reportedly been spinning up AI agents to complete unnecessary tasks just to inflate their token-usage statistics, which managers had started using to evaluate performance. Notoriously, a consulting firm reported that a client spent half a billion dollars in a single month after failing to set usage limits on AI licenses for employees.

The term for this frenzy of activity is “tokenmaxxing”. And the consensus, as of late May, was that tokenmaxxing is already dead.

If you run a small- to medium-sized business, the question of how to manage a multibillion-dollar R&D budget is not a problem you have.  But it’s worth thinking about what the brief life and swift demise of tokenmaxxing means to “little guys.” Companies like Uber, Microsoft, and Amazon are among the most well-resourced, technically sophisticated organizations on the planet. They have dedicated AI teams, nine-figure infrastructure budgets, and direct relationships with the vendors building these tools. But they still got caught flat-footed by the economics of AI adoption.

Numerous studies have suggested that AI tools may fail to deliver the efficiencies that executives dream of. But this isn’t about tool failure at all. This is about the fact that nobody governed how those tools were being used, by whom, on what data, and at what cost.

If the biggest companies in the world are scrambling to figure this out, what does that mean for the rest of us?

Why Should Small Businesses Care About Ungoverned AI?

Nobody at a small business is running up a $500 million monthly AI bill. The difference in scale between your organization and Microsoft may trick you into thinking you have nothing in common. Not so.

The real problem is ungoverned AI adoption. And ungoverned AI adoption creates the same categories of risk whether you have 50,000 employees or 50.

Right now, somewhere in your organization, someone is using an AI tool you haven’t approved. What that looks like is going to differ depending on your industry. But we promise you, it’s happening. Maybe a billing clerk is running customer call recordings through a free transcription service. Or an associate is feeding client documents into a summarization tool. There may be a department that purchased its own AI subscription without telling IT or procurement. These scenarios are playing out in organizations of every size, right now.

The potential cost is bigger than a surprise invoice from OpenAI.  It’s an accumulation of smaller exposures that compound over time: duplicate vendor spend, unreviewed data handling, compliance gaps. The kinds of things nobody discovers until a regulator or auditor asks the uncomfortable question. By the time these problems float to the surface, fixing them will be significantly harder (and more expensive!) than preventing them would have been.

What Is the Biggest Risk of Ungoverned AI?

Most of the conversation about AI and small businesses focuses on which tools to adopt. But that’s the wrong starting point. The right questions are structural:

  • Who evaluates whether a tool is appropriate for the data it will touch?
  • Who reviews the vendor’s data retention and training policies?
  • Who tracks what is running in the environment, what it costs, and whether it is actually delivering value?
  • Who makes the deliberate decision to scale a tool into production or shut it down?

In far too many small- and mid-sized businesses, the honest answer to all of those questions is: nobody! That is how organizations end up carrying risk they can’t see.  And if you can’t see it, you can’t manage it.

The volume of available AI tools is only increasing. Goldman Sachs projected that global token consumption will increase 24-fold by 2030, driven largely by the rise of AI agents that operate with less human oversight and consume far more compute per task. AI capabilities are now embedded across every major productivity platform and SaaS offering. And the proliferation is accelerating, making it that much harder to keep up.

You’ve heard about the miracle of compound interest.  Welcome to the nightmare of compound AI tool adoption.

What Does AI Governance Look Like for a Small or Mid-Sized Business?

The word “governance” tends to make people think of molasses-like bureaucracy, and that’s fair, because a lot of governance frameworks deserve the reputation. But governance doesn’t need to involve an unreadable 200-page policy manual. In fact, we beg you not to go that route.

Small- and mid-sized organizations need a clear, repeatable process. And, importantly, they need to make sure that following the process is faster and easier than avoiding it would be.

Many frameworks fail because they apply the same level of scrutiny to every request. Let’s say you have two use-cases to consider: an AI brainstorming assistant and a tool that automates customer relationship management. If you apply the same level of scrutiny to both, people are going to get frustrated with the whole thing.  They’ll stop submitting requests and start working around the process.

A workable model starts with a simple principle: every AI tool that touches company data or connects to company systems comes through a defined intake process before it goes live. From there, the organization classifies each use case by risk and applies a review that is proportionate to the risk. A low-risk productivity tool gets a fast track, while a tool that connects to regulated data or customer-facing systems gets a more thorough evaluation. And at the end of a defined period, someone makes a deliberate, documented decision: you’ll either keep the tool, scale it, or shut it down.

That last step, of settling on a path forward, is one most organizations skip. But without it, organizations can end up with a graveyard of half-adopted AI tools consuming budgets and accumulating risk because nobody made a formal call about their future.

When Should Organizations Start Governing AI?

Since “yesterday” isn’t a viable option, the answer is “now.” The organizations that will handle AI adoption well are the ones that have a governance plan while the problem is still manageable. Organizational habits are forming right now, which makes this the ideal time to implement a program.

Companies that wait will arrive at the same conclusion eventually. They’ll just get there with more damage to clean up and fewer good options for addressing the problems.

At TMG, we’ve spent the past year building a governance model for organizations that want to adopt AI responsibly without strangling innovation. The framework is built around the intersections between three domains that too many organizations treat as separate problems: AI, IT infrastructure, and core business systems. Every intersection among those three creates both a governance obligation and an opportunity to create real enterprise value.

The model includes a coordinating structure we call the AI Center of Excellence, or ACE, which serves as the organizational body. The ACE exists to ensure AI decisions are made deliberately and revisited when circumstances change. ACE is supported by a four-tier risk classification system that matches the depth of review to the level of exposure. Every use case follows a six-stage lifecycle, from initial intake through a formal scale-or-stop decision.

We have published the full model as a free whitepaper, “Your Company is Already Running AI Pilots. You Just Don’t Know About It.” The companion toolkit provides the implementation instruments, including an intake form, a risk-tiering matrix, a pilot charter template, a central registry structure, a scale-or-stop decision memo, and an ongoing monitoring checklist. The framework tells you why. The toolkit shows you how. We think it will change the way you think about AI adoption in your organization.


Chris Moschovitis, CEO & Cybersecurity Expert at TMG

I am the founder of Technology Management Group and the author of Cybersecurity Program Development for Business (Wiley). TMG provides cybersecurity, IT governance, and AI advisory services to small and mid-sized businesses. Learn more at tmgr.com.

I am certified in Cybersecurity (CSX, CISM), Enterprise IT Governance (CGEIT), Data Privacy Solutions Engineering (CDPSE), and as a Certified Information Privacy Professional (CIPP/US). I am also an active member of organizations including ISACA, IAPP, and ISSA.

Copyright © 2026 CTW
