AI now touches your email, your client files, and your accounting platform — and nobody holds the full list. Your firm adopted AI the way most growing businesses do: one useful tool at a time, each wired up by whoever needed it. We found 11 AI tools and automations running; leadership knew about 4. Two can act on the outside world (send email, write to the books) with no human checkpoint and no record of what they did. None of this requires a clever attacker — these are settings and missing guardrails, and the major baselines (CIS, NIST, OWASP) treat several of them as non-optional. Your clients' financials sit behind these doors.
Our inventory found 11 AI tools and automations: the 4 known ones, plus a client-intake chatbot, three Zapier automations built by a former office manager, two browser AI extensions with file access, and staff personal ChatGPT use (finding 06). You can't put guardrails on tools you don't know exist — and three of these were built by someone who no longer works here, meaning nobody currently understands or owns them.
Fix: the inventory in Appendix A becomes a living document with one named owner; nothing new connects to email, files, or the accounting platform without landing on the list first.
Your website's client-intake chatbot connects through an automation to the shared office mailbox with full send rights — it can email anyone, as the firm, with no human seeing the message first. Chatbots take instructions from whoever types at them, and "prompt injection" (a visitor talking the bot into doing something it shouldn't) is the #1 risk on OWASP's industry list for AI applications. A bot that strangers can talk to should never hold unsupervised send authority.
Fix: the bot drafts, a human sends — route outbound messages to a held-for-review folder; cut its mailbox scope from "send as firm" to draft-only. Both are settings, not rebuilds.
The bookkeeping automation talks to your accounting platform using an administrator-scope API key — it can read, write, and delete anything, though the automation only posts invoice entries. That key sits in plaintext in the automation's notes, a shared "How-To" doc, and three other spots listed in Appendix B. Anyone who finds that key holds your books. Your accounting platform supports scoped tokens; this one was just never narrowed.
Fix: revoke the key today; issue a new token scoped to invoice-write only; store it in a password manager, nowhere else. Repeat the pattern for every automation on the inventory.
The AI assistant connected to your file storage can read the entire drive — including the payroll folder and the partners' M&A correspondence — because it inherited the access of the admin account that set it up. Any staff member who can ask the copilot a question can effectively read what the copilot can read. This is the "oversharing" problem the vendor's own deployment guidance warns about.
Fix: reconnect the copilot under a least-privilege account; explicitly exclude payroll, HR, and partner folders; re-test what it can see by asking it.
If the chatbot sent a wrong email or the automation posted a bad entry last Tuesday, there is currently no log that proves what happened. Automation run-history expires quickly on your current plan, the chatbot keeps no action log, and nothing is collected centrally. The day something goes wrong, the difference between a quick fix and a crisis is being able to show exactly what the AI did and when — to a client, an insurer, or a regulator.
Fix: turn on and retain action logs for every tool on the inventory that can act (send, write, post); export monthly to a folder you own. Where a tool can't log, that's a reason to gate it (finding 02).
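The two controls from findings 02 and 05 (the bot drafts and a human sends; every action is recorded), modeled as an added example. This is not the firm's tooling or any vendor's API: `OutboundGate`, the addresses, and the log format are assumptions for illustration, and the hash chain is an addition here so that an exported log can later be shown to be unaltered.

```python
import hashlib
import json

def _digest(entry):
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class OutboundGate:
    """The bot can only draft; a named human releases; every action is logged."""
    def __init__(self, reviewers):
        self.reviewers = set(reviewers)  # people allowed to release mail
        self.held = {}                   # msg_id -> held-for-review message
        self.sent = []                   # stands in for the real mail transport
        self.log = []                    # append-only, hash-chained action log

    def _record(self, ts, actor, action, msg_id):
        prev = self.log[-1]["hash"] if self.log else "0" * 64
        entry = {"ts": ts, "actor": actor, "action": action, "msg_id": msg_id, "prev": prev}
        entry["hash"] = _digest(entry)
        self.log.append(entry)

    def draft(self, ts, actor, to, body):
        msg_id = len(self.held) + 1
        self.held[msg_id] = {"to": to, "body": body, "status": "held"}
        self._record(ts, actor, "draft", msg_id)
        return msg_id

    def release(self, ts, actor, msg_id):
        msg = self.held[msg_id]
        if actor not in self.reviewers or msg["status"] != "held":
            self._record(ts, actor, "release_denied", msg_id)  # denials are evidence too
            return False
        msg["status"] = "sent"
        self.sent.append((msg["to"], msg["body"]))
        self._record(ts, actor, "release", msg_id)
        return True

def verify_log(log):
    """True only if no entry was edited, dropped or reordered."""
    prevs = ["0" * 64] + [e["hash"] for e in log[:-1]]
    return all(e["prev"] == p and e["hash"] == _digest(e) for e, p in zip(log, prevs))

def demo():  # constructed sample data: addresses and timestamps are made up
    gate = OutboundGate(reviewers={"reviewer@firm.example"})
    mid = gate.draft("2024-01-09T10:00Z", "intake-chatbot",
                     "visitor@client.example", "We received your intake form.")
    bot_ok = gate.release("2024-01-09T10:01Z", "intake-chatbot", mid)
    human_ok = gate.release("2024-01-09T10:05Z", "reviewer@firm.example", mid)
    return gate, bot_ok, human_ok
```

The bot's own release attempt is refused and still lands in the log, so the record shows both what was sent and what was blocked.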
Several staff paste client documents into personal free-tier AI accounts to summarize or draft. Personal tiers carry no business agreement, and depending on settings, inputs may be used to train models — client financial data shouldn't ride on an individual's consumer account settings.
Fix: a business workspace for the tools staff actually use (training off, admin controls on), a one-page acceptable-use note, and a named place to request new AI tools so the answer isn't "sneak it."
| When | Action | Outcome |
|---|---|---|
| This week | Adopt the inventory · gate the chatbot's email · revoke and re-scope the API key | The AI layer can no longer act unsupervised |
| 30 days | Copilot least-privilege reconnect · action logs on and retained for every acting tool | What AI reads is chosen; what AI does is recorded |
| 90 days | Business AI workspace + acceptable-use note · monthly inventory review on the calendar | AI adoption keeps its guardrails as it grows |
Every AI tool and automation we identified, what it can touch, and what authority it holds. Highlighted rows can act on the outside world (send, write, post) — those carry the most exposure. One named owner keeps this list current (15 min/month); nothing new connects to email, files, or the books without landing here first.
| # | Tool / automation | What it does | Can it act? | What it can access | Owner | Known? |
|---|---|---|---|---|---|---|
| 1 | Microsoft 365 Copilot | Drafting & answers across office files | No — reads only | Entire drive incl. payroll & partner folders → finding 04 | IT (managed) | Yes |
| 2 | Bookkeeping automation | Posts invoice entries to the accounting platform | Yes — writes to the books | Admin-scope API key (read/write/delete everything) → finding 03 | Office manager (role vacant) | Yes |
| 3 | AI meeting notetaker | Joins client calls, transcribes, summarizes | No — records | Client call audio + calendar | Partners | Yes |
| 4 | Practice-software AI summarizer | Built-in document summaries | No — reads only | Client documents within the practice system | Vendor-managed | Yes |
| 5 | Website intake chatbot | Answers visitor questions, collects intake info | Yes — sends email as the firm → finding 02 | Shared office mailbox (full send rights) | None — former office manager | No |
| 6 | Zap: chatbot → mailbox bridge | Connects the chatbot to the shared mailbox | Yes — the send path for #5 | Shared mailbox credentials | None — former office manager | No |
| 7 | Zap: new-client folder setup | Creates client folder structure on intake | Yes — writes folders | Drive (write access at root level) | None — former office manager | No |
| 8 | Zap: books → chat notifier | Posts daily revenue summary to team chat | No — reads books, posts internally | Accounting platform (read) — same shared key as #2 | None — former office manager | No |
| 9 | Browser ext: AI email writer | Drafts replies inside webmail | No — drafts; human sends | Mailbox content of the 6 staff who installed it | Individual staff | No |
| 10 | Browser ext: page/PDF summarizer | Summarizes open documents | No — reads only | Any file opened in the browser, incl. client PDFs | Individual staff | No |
| 11 | Personal ChatGPT accounts (≥5 staff) | Ad-hoc drafting & summaries | No | Whatever staff paste in — observed: client financials → finding 06 | Individual staff | No |
Read of the table: 4 of 11 were known. 4 of 11 can act. 3 of 11 have no living owner. The overlap of those last two — acting tools with no owner (#5, #6) — is where finding 02 lives, and it's the pattern this review exists to catch.
Appendices B (credential locations) and C (per-tool logging steps) are produced per-engagement and omitted from this sample.
Settings and configurations reviewed against published industry baselines — CIS Controls v8, the NIST AI Risk Management Framework, the OWASP Top 10 for LLM Applications, and vendor security documentation — cited on each finding. Severity grades come from a fixed rubric (distance from baseline × breadth of exposure), not ad-hoc judgment.
Plain-English drafting is AI-assisted; configuration facts and every remediation step are verified by a security engineer before delivery. Point-in-time advisory review — not a penetration test, audit, compliance certification, or forensic investigation.