Evidence for Small Businesses
AI security for small businesses.
Clear AI security checks for small businesses using assistants across documents, customer work, repositories, operations, and connected services.
A small business can adopt AI faster than it documents ownership, permissions, retention, and incident steps, leaving important access decisions invisible.
CapitalGuard Security Research · Updated July 14, 2026 · Primary sources only
10
AI surfaces
10
Exposure types
100
Evidence guides
connected assistant
ChatGPT
Ordinary chat does not automatically expose an entire device or account. Scope expands only through what the user submits, enables, connects, or authorizes.
connected assistant
ChatGPT
Ordinary chat does not automatically expose an entire device or account. Scope expands only through what the user submits, enables, connects, or authorizes.
Private file access
ChatGPT Private file access for Small Businesses
Uploads, projects, synced apps, and file-search connections can make selected documents available as context.
Open evidence guideCredential exposure
ChatGPT Credential exposure for Small Businesses
Credentials can arrive through pasted configuration, uploaded source files, screenshots, or connected Drive content.
Open evidence guideClient confidentiality
ChatGPT Client confidentiality for Small Businesses
A personal ChatGPT account can mix client prompts, files, memories, and app context unless the user separates work deliberately.
Open evidence guidePrompt injection
ChatGPT Prompt injection for Small Businesses
Retrieved webpages, uploaded documents, and app results can contain instructions that should be treated as untrusted content.
Open evidence guideConnector permissions
ChatGPT Connector permissions for Small Businesses
ChatGPT apps may search connected sources, sync content, or perform write actions within granted scopes.
Open evidence guideCommand execution
ChatGPT Command execution for Small Businesses
Standard conversation is text-only, but custom apps, workspace agents, or connected action tools can change external systems when enabled.
Open evidence guideUnsafe generated code
ChatGPT Unsafe generated code for Small Businesses
ChatGPT may suggest code, dependencies, shell commands, and configuration that still require independent verification.
Open evidence guideHistory and sharing
ChatGPT History and sharing for Small Businesses
History, memories, projects, Temporary Chats, and shared links follow different controls and should be reviewed separately.
Open evidence guideAccidental oversharing
ChatGPT Accidental oversharing for Small Businesses
Large pastes, screenshots, uploads, and connected-app retrieval can include more information than the visible question requires.
Open evidence guideAutonomous actions
ChatGPT Autonomous actions for Small Businesses
Apps can be configured to read automatically or take actions with different approval levels, including elevated persistent choices where available.
Open evidence guideconnected assistant
Claude
Claude does not receive blanket access by default. The practical boundary is the content submitted plus the connectors, permissions, projects, and account controls the user enables.
connected assistant
Claude
Claude does not receive blanket access by default. The practical boundary is the content submitted plus the connectors, permissions, projects, and account controls the user enables.
Private file access
Claude Private file access for Small Businesses
Files, project knowledge, Google Workspace connections, and other connectors can make selected work retrievable in Claude.
Open evidence guideCredential exposure
Claude Credential exposure for Small Businesses
Secrets can enter through code uploads, pasted logs, project knowledge, Drive documents, or connector results.
Open evidence guideClient confidentiality
Claude Client confidentiality for Small Businesses
Client files can persist in conversations or project knowledge and may be retrievable through connectors inherited from the user account.
Open evidence guidePrompt injection
Claude Prompt injection for Small Businesses
Documents, webpages, connector output, and MCP resources may contain instructions that conflict with the user’s goal.
Open evidence guideConnector permissions
Claude Connector permissions for Small Businesses
Claude connectors can inherit access from services such as Drive, Slack, or Linear and may expose both read and write tools.
Open evidence guideCommand execution
Claude Command execution for Small Businesses
Ordinary Claude chat is not a local shell, but connectors and computer or coding surfaces may expose action tools.
Open evidence guideUnsafe generated code
Claude Unsafe generated code for Small Businesses
Claude can generate code and installation instructions that may be plausible but incomplete, outdated, or unsafe for the user’s environment.
Open evidence guideHistory and sharing
Claude History and sharing for Small Businesses
Claude chats are private by default but can be shared as snapshots; projects and uploaded files have separate visibility rules.
Open evidence guideAccidental oversharing
Claude Accidental oversharing for Small Businesses
Artifacts, screenshots, long documents, and connector retrieval can surface details beyond the line the user intended to discuss.
Open evidence guideAutonomous actions
Claude Autonomous actions for Small Businesses
Connectors may retrieve data or take actions such as creating issues, sending messages, or changing records when the tool is permitted.
Open evidence guideconnected assistant
Gemini
Gemini access is shaped by what the user shares, device permissions, connected apps, Gemini Apps Activity, and other Google settings that may remain active independently.
connected assistant
Gemini
Gemini access is shaped by what the user shares, device permissions, connected apps, Gemini Apps Activity, and other Google settings that may remain active independently.
Private file access
Gemini Private file access for Small Businesses
Gemini can receive files, screens, photos, page context, and information from connected apps when those features are used.
Open evidence guideCredential exposure
Gemini Credential exposure for Small Businesses
Tokens or passwords can appear in uploaded screenshots, browser page context, code files, Drive content, or copied logs.
Open evidence guideClient confidentiality
Gemini Client confidentiality for Small Businesses
Client content may enter through uploads, connected Google services, live screen sharing, or a work account whose policies differ from a personal account.
Open evidence guidePrompt injection
Gemini Prompt injection for Small Businesses
Web content, connected-app results, emails, documents, and shared screens can contain text that should not become trusted instructions.
Open evidence guideConnector permissions
Gemini Connector permissions for Small Businesses
Connected Google and third-party apps can expose account information according to their permissions and retain shared data under their own policies.
Open evidence guideCommand execution
Gemini Command execution for Small Businesses
Consumer Gemini chat is not automatically a shell, but device actions, extensions, or connected services may perform operations.
Open evidence guideUnsafe generated code
Gemini Unsafe generated code for Small Businesses
Gemini-generated code or commands may omit environment-specific constraints or suggest dependencies that need verification.
Open evidence guideHistory and sharing
Gemini History and sharing for Small Businesses
Gemini Apps Activity, public links, saved information, connected-service data, and reviewed content follow different retention rules.
Open evidence guideAccidental oversharing
Gemini Accidental oversharing for Small Businesses
Live screen, camera, audio, uploaded files, and browser page context can capture background information outside the intended question.
Open evidence guideAutonomous actions
Gemini Autonomous actions for Small Businesses
Gemini may use connected apps or device-assistant capabilities to take actions based on available permissions.
Open evidence guideconnected assistant
Microsoft Copilot
The correct risk assessment starts by naming the exact Copilot product, account, app, and connected service; consumer and managed-work settings are not interchangeable.
connected assistant
Microsoft Copilot
The correct risk assessment starts by naming the exact Copilot product, account, app, and connected service; consumer and managed-work settings are not interchangeable.
Private file access
Microsoft Copilot Private file access for Small Businesses
Copilot may use uploaded files, the active Microsoft 365 document, recent files, or connected-service content depending on the surface.
Open evidence guideCredential exposure
Microsoft Copilot Credential exposure for Small Businesses
Credentials may appear in uploaded files, screenshots, recent documents, synced browser data, code, or copied support logs.
Open evidence guideClient confidentiality
Microsoft Copilot Client confidentiality for Small Businesses
Client data can enter a consumer Copilot chat or a managed Microsoft 365 context with different controls and retention.
Open evidence guidePrompt injection
Microsoft Copilot Prompt injection for Small Businesses
Connected service results, documents, email, webpages, and shared files may contain untrusted instructions.
Open evidence guideConnector permissions
Microsoft Copilot Connector permissions for Small Businesses
Connections can make files, email, contacts, calendar events, and other service data retrievable through Copilot.
Open evidence guideCommand execution
Microsoft Copilot Command execution for Small Businesses
Most consumer interactions are not a general shell, but connected services and Microsoft 365 features can create or modify external content.
Open evidence guideUnsafe generated code
Microsoft Copilot Unsafe generated code for Small Businesses
Copilot can generate code, formulas, scripts, and commands whose safety depends on the user’s environment and review.
Open evidence guideHistory and sharing
Microsoft Copilot History and sharing for Small Businesses
Consumer history, Microsoft 365 activity, uploaded files, and organizational records may be controlled in different locations.
Open evidence guideAccidental oversharing
Microsoft Copilot Accidental oversharing for Small Businesses
Recent files, full documents, screenshots, and connected services can surface more context than a short prompt suggests.
Open evidence guideAutonomous actions
Microsoft Copilot Autonomous actions for Small Businesses
Connected Copilot experiences may draft, create, change, or communicate within Microsoft services when the feature permits.
Open evidence guideconnected assistant
Perplexity
The risk depends on what is searched, uploaded, retained, shared, or connected. Consumer and Enterprise data controls are materially different and should not be assumed equivalent.
connected assistant
Perplexity
The risk depends on what is searched, uploaded, retained, shared, or connected. Consumer and Enterprise data controls are materially different and should not be assumed equivalent.
Private file access
Perplexity Private file access for Small Businesses
Perplexity can work with session uploads, project files, personal repositories, organizational files, and connected storage depending on plan.
Open evidence guideCredential exposure
Perplexity Credential exposure for Small Businesses
Secrets can enter through uploaded code, configuration, screenshots, search queries, or files synchronized from storage.
Open evidence guideClient confidentiality
Perplexity Client confidentiality for Small Businesses
Client files may persist in projects or repositories, and sharing can expose responses that reference connected material.
Open evidence guidePrompt injection
Perplexity Prompt injection for Small Businesses
Search results, webpages, uploaded documents, and connected files can carry instructions that should not control the assistant.
Open evidence guideConnector permissions
Perplexity Connector permissions for Small Businesses
Enterprise connectors can include cloud storage and knowledge sources whose permissions determine what files can be searched.
Open evidence guideCommand execution
Perplexity Command execution for Small Businesses
Perplexity search and chat are not a general local shell, although generated commands or connected capabilities can still influence external actions.
Open evidence guideUnsafe generated code
Perplexity Unsafe generated code for Small Businesses
Generated code and cited technical answers can still contain vulnerable patterns, obsolete APIs, or unsafe commands.
Open evidence guideHistory and sharing
Perplexity History and sharing for Small Businesses
Sessions, projects, uploaded files, Pages, and Enterprise repositories have different retention and visibility rules.
Open evidence guideAccidental oversharing
Perplexity Accidental oversharing for Small Businesses
Search queries and uploads can include confidential terms, full documents, account details, or source material beyond the research need.
Open evidence guideAutonomous actions
Perplexity Autonomous actions for Small Businesses
Search and answer generation are usually advisory, but enterprise connectors and future action surfaces should be reviewed for actual write authority.
Open evidence guidecoding assistant
GitHub Copilot
The relevant scope is not only the open file. Repository indexing, workspace context, agent tasks, organizational policy, and connected GitHub permissions can widen what Copilot can use or change.
coding assistant
GitHub Copilot
The relevant scope is not only the open file. Repository indexing, workspace context, agent tasks, organizational policy, and connected GitHub permissions can widen what Copilot can use or change.
Private file access
GitHub Copilot Private file access for Small Businesses
Editor context, local workspaces, and repository indexes can expose more than the file currently visible to the developer.
Open evidence guideCredential exposure
GitHub Copilot Credential exposure for Small Businesses
Secrets can appear in repository history, local untracked files, configuration, actions logs, test fixtures, and editor context.
Open evidence guideClient confidentiality
GitHub Copilot Client confidentiality for Small Businesses
Agency and freelancer workspaces can mix multiple client repositories and local folders inside one editor context.
Open evidence guidePrompt injection
GitHub Copilot Prompt injection for Small Businesses
Issues, pull requests, comments, documentation, code, and repository instructions can contain untrusted text that influences an agent.
Open evidence guideConnector permissions
GitHub Copilot Connector permissions for Small Businesses
Copilot agents operate within GitHub permissions and may interact with repositories, issues, pull requests, and workflows.
Open evidence guideCommand execution
GitHub Copilot Command execution for Small Businesses
Agent workflows may run tools or propose changes beyond ordinary inline completion, depending on the product surface.
Open evidence guideUnsafe generated code
GitHub Copilot Unsafe generated code for Small Businesses
Copilot suggestions and agent pull requests can introduce vulnerable logic, unsafe dependencies, or incomplete tests.
Open evidence guideHistory and sharing
GitHub Copilot History and sharing for Small Businesses
Chat logs, pull requests, issues, comments, and agent artifacts may preserve sensitive context in different GitHub surfaces.
Open evidence guideAccidental oversharing
GitHub Copilot Accidental oversharing for Small Businesses
Opening a broad workspace or attaching repository context can expose unrelated code, comments, logs, and configuration.
Open evidence guideAutonomous actions
GitHub Copilot Autonomous actions for Small Businesses
Copilot agents can create changes and workflow artifacts that move through GitHub’s collaboration system.
Open evidence guidecoding agent
Cursor
Privacy Mode affects data use and retention, but it is not the same as a repository access boundary. Users still need to control workspaces, indexing, ignored paths, extensions, tools, and commands.
coding agent
Cursor
Privacy Mode affects data use and retention, but it is not the same as a repository access boundary. Users still need to control workspaces, indexing, ignored paths, extensions, tools, and commands.
Private file access
Cursor Private file access for Small Businesses
Cursor can use open files, workspace context, codebase indexes, agent tools, and local project data to answer and act.
Open evidence guideCredential exposure
Cursor Credential exposure for Small Businesses
Environment files, local configuration, terminal output, logs, and indexed code can place credentials near AI context.
Open evidence guideClient confidentiality
Cursor Client confidentiality for Small Businesses
A single Cursor workspace can contain client code, local files, indexes, chat context, and model-provider requests.
Open evidence guidePrompt injection
Cursor Prompt injection for Small Businesses
Repository instructions, documentation, issues, web results, and MCP tool output can influence Cursor agents.
Open evidence guideConnector permissions
Cursor Connector permissions for Small Businesses
MCP servers, extensions, model providers, and web search widen the systems and data Cursor can interact with.
Open evidence guideCommand execution
Cursor Command execution for Small Businesses
Cursor agents can propose or execute terminal commands with the user’s local environment and project context.
Open evidence guideUnsafe generated code
Cursor Unsafe generated code for Small Businesses
Agent-generated multi-file changes can introduce insecure logic, dependencies, workflows, or configuration at high speed.
Open evidence guideHistory and sharing
Cursor History and sharing for Small Businesses
Chat history, memories, indexes, code metadata, and model-provider handling depend on settings and feature use.
Open evidence guideAccidental oversharing
Cursor Accidental oversharing for Small Businesses
A broad workspace, selected files, terminal output, and indexed code can provide more context than a short question suggests.
Open evidence guideAutonomous actions
Cursor Autonomous actions for Small Businesses
Background or agent features can make edits and run tools with less continuous attention than inline assistance.
Open evidence guidecoding agent
Claude Code
Claude Code only has the permissions granted to it, but broad read access, bypass modes, unsandboxed commands, or overpowered MCP servers can make that boundary much wider than expected.
coding agent
Claude Code
Claude Code only has the permissions granted to it, but broad read access, bypass modes, unsandboxed commands, or overpowered MCP servers can make that boundary much wider than expected.
Private file access
Claude Code Private file access for Small Businesses
Claude Code can read project files and, depending on permissions, may read beyond the working directory even when writes are narrower.
Open evidence guideCredential exposure
Claude Code Credential exposure for Small Businesses
Environment variables, .env files, shell credentials, SSH material, cloud configuration, logs, and MCP tokens can enter context.
Open evidence guideClient confidentiality
Claude Code Client confidentiality for Small Businesses
A local session can read client code and nearby files under the developer’s account, while account terms and API transport still matter.
Open evidence guidePrompt injection
Claude Code Prompt injection for Small Businesses
Repository files, web content, dependencies, issues, and MCP output may contain instructions that attempt to redirect the agent.
Open evidence guideConnector permissions
Claude Code Connector permissions for Small Businesses
MCP servers and hooks can expose local commands, files, APIs, tokens, and external services to the agent.
Open evidence guideCommand execution
Claude Code Command execution for Small Businesses
Claude Code can execute Bash commands, and bypass or unsandboxed modes materially reduce protection.
Open evidence guideUnsafe generated code
Claude Code Unsafe generated code for Small Businesses
Claude Code can apply multi-file edits, install dependencies, run tests, and modify configuration within its granted scope.
Open evidence guideHistory and sharing
Claude Code History and sharing for Small Businesses
Local and cloud sessions, account privacy choices, logs, and exported output may preserve code context in different places.
Open evidence guideAccidental oversharing
Claude Code Accidental oversharing for Small Businesses
Starting in a home or monorepo directory can expose far more readable context than the intended project.
Open evidence guideAutonomous actions
Claude Code Autonomous actions for Small Businesses
Non-interactive, auto, background, or bypass modes can continue work with fewer prompts inside the configured boundary.
Open evidence guidecoding agent
OpenAI Codex
Codex behavior depends on the environment, sandbox profile, approval policy, network access, connected services, and task scope. A protected default can still be widened by explicit authorization.
coding agent
OpenAI Codex
Codex behavior depends on the environment, sandbox profile, approval policy, network access, connected services, and task scope. A protected default can still be widened by explicit authorization.
Private file access
OpenAI Codex Private file access for Small Businesses
Codex can read repository and workspace files within the environment supplied to the task, with scope varying by local or cloud setup.
Open evidence guideCredential exposure
OpenAI Codex Credential exposure for Small Businesses
Environment variables, repository config, shell output, cloud secrets, and local credential files can become reachable if included in scope.
Open evidence guideClient confidentiality
OpenAI Codex Client confidentiality for Small Businesses
Client repositories and files may be processed locally or through connected cloud environments under different account and access controls.
Open evidence guidePrompt injection
OpenAI Codex Prompt injection for Small Businesses
Repository instructions, issues, webpages, dependency content, plugins, and MCP output can attempt to influence agent behavior.
Open evidence guideConnector permissions
OpenAI Codex Connector permissions for Small Businesses
GitHub connections, plugins, MCP servers, and external tools can widen Codex access beyond the local repository.
Open evidence guideCommand execution
OpenAI Codex Command execution for Small Businesses
Codex can run commands under the configured sandbox and approval policy, with escalation requiring explicit authorization.
Open evidence guideUnsafe generated code
OpenAI Codex Unsafe generated code for Small Businesses
Codex can patch code, run tests, and propose multi-file changes that still require repository-specific review.
Open evidence guideHistory and sharing
OpenAI Codex History and sharing for Small Businesses
Tasks, terminal output, patches, cloud runs, and exported artifacts may preserve code context beyond the immediate prompt.
Open evidence guideAccidental oversharing
OpenAI Codex Accidental oversharing for Small Businesses
A task rooted too high in the filesystem or connected to a broad repository set can expose unrelated context.
Open evidence guideAutonomous actions
OpenAI Codex Autonomous actions for Small Businesses
Long-running or cloud tasks can continue across multiple steps inside the permissions and integrations granted at launch.
Open evidence guideconnected assistant
MCP-Connected AI Assistants
MCP is a protocol, not a security guarantee. The effective boundary depends on the client, server implementation, transport, scopes, tokens, local process privileges, consent, and downstream systems.
connected assistant
MCP-Connected AI Assistants
MCP is a protocol, not a security guarantee. The effective boundary depends on the client, server implementation, transport, scopes, tokens, local process privileges, consent, and downstream systems.
Private file access
MCP-Connected AI Assistants Private file access for Small Businesses
A local or remote MCP server can expose files, databases, knowledge bases, or APIs as resources and tools.
Open evidence guideCredential exposure
MCP-Connected AI Assistants Credential exposure for Small Businesses
MCP server configs, environment variables, OAuth tokens, local process credentials, logs, and tool results can expose secrets.
Open evidence guideClient confidentiality
MCP-Connected AI Assistants Client confidentiality for Small Businesses
An agency MCP setup can bridge one assistant to multiple client systems if servers, credentials, and sessions are reused.
Open evidence guidePrompt injection
MCP-Connected AI Assistants Prompt injection for Small Businesses
Tool descriptions, resource content, server responses, and resumed session events can carry malicious instructions.
Open evidence guideConnector permissions
MCP-Connected AI Assistants Connector permissions for Small Businesses
MCP authorization can bridge an AI client to broad third-party API scopes and downstream resources.
Open evidence guideCommand execution
MCP-Connected AI Assistants Command execution for Small Businesses
Local stdio MCP servers run processes on the user’s machine and may inherit local filesystem and network privileges.
Open evidence guideUnsafe generated code
MCP-Connected AI Assistants Unsafe generated code for Small Businesses
MCP tools that generate, install, or execute code can combine model output with downstream system authority.
Open evidence guideHistory and sharing
MCP-Connected AI Assistants History and sharing for Small Businesses
Stateful MCP sessions, logs, resumed streams, tool results, and client histories can preserve sensitive data across requests.
Open evidence guideAccidental oversharing
MCP-Connected AI Assistants Accidental oversharing for Small Businesses
A broadly defined resource or tool can return entire records, directories, mailboxes, or databases when the task needs one field.
Open evidence guideAutonomous actions
MCP-Connected AI Assistants Autonomous actions for Small Businesses
An MCP client may chain multiple tools across systems, allowing one instruction to create side effects in several services.
Open evidence guideThe useful outcome
Make access explainable.
The business has a named owner, a minimal approved scope, a repeatable review, and evidence it can use with staff, clients, and suppliers.
Review CapitalGuard LicensesHow this collection is built
Every page combines one documented AI surface, one concrete exposure type, and one visible working context. A page is published only when it has a unique access scenario, a safe check, practical controls, and at least three primary references.
Read the publication method