Data Leaks from AI Tools, OpenAI's Nonprofit Control, and Duolingo's AI Transition: A Governance Crisis

[00:00:01] It's Wednesday, May 7th, 2025, and I'm Dave Solt with four things to know today. AI tools are leaking data while most organizations lack basic policies and get your signal to lead on governance. Business leaders want generative AI gains but aren't ready, highlighting a need for data strategy services. OpenAI claims mission over money, but the numbers say otherwise. And a government messaging scandal rolls on, weakening the case for cybersecurity compliance just as you're trying to enforce it. This is the Business of Tech.

[00:00:32] A new report from Methtomic reveals that 68% of organizations have experienced data leaks related to employees using artificial intelligence tools. Despite a high level of confidence among security leaders – 90% believe their security measures are effective – more than half reported regular malware and phishing incidents directly tied to improper AI implementation.

[00:00:54] The report, which surveyed over 400 chief information security officers and security leaders in the US and UK, indicated a significant disconnect between confidence and actual security threats. Only 23% of organizations have established comprehensive AI security policies, highlighting the urgent need for tailored security protocols as AI technologies become increasingly integrated into daily operations.

[00:01:18] Methtomic's co-founder emphasized that effective cybersecurity requires a cultural shift within organizations, focusing on human behavior and leadership commitment to tackle the unique risks posed by AI integration. According to a recent report, 60% of business leaders expressed uncertainty regarding their organization's readiness for data and artificial intelligence. This lack of confidence poses a significant barrier to progress as AI adoption accelerates.

[00:01:45] The report, conducted by the Business Performance Innovation Network, Growth Officer Council, and Encompass, surveyed 170 global decision-makers. While 79% expect a competitive advantage from generative AI within the next 18 months, only 13% feel extremely confident in their organization's data and AI maturity. Key challenges identified include data accuracy and reliability, AI integration issues, and ethical concerns surrounding governance and trust.

[00:02:15] Small businesses report that artificial intelligence has not met their expectations, according to a recent survey conducted by American Express. The survey, which involved over 1,000 decision-makers from US-based small businesses, revealed that while 56% of these businesses have implemented AI, more than two-thirds anticipated a greater impact on their operations than what they've experienced so far.

[00:02:35] Furthermore, about half of the respondents indicated that they believe their businesses adopted AI prematurely, nearly all acknowledging that they're still learning how to effectively utilize the technology. Despite these concerns, those who've embraced AI have reported some benefits, including reduced error rates and increased operational efficiency. According to a January report from JPMorgan Chase, approximately half of small businesses plan to incorporate more AI applications in 2025, signifying continued interest. Why do we care?

[00:03:05] These three reports collectively highlight a growing reality. AI adoption is outpacing organizational readiness in data infrastructure, cybersecurity, and leadership maturity. While the hype continues around generative AI, the operational reality is risk-heavy and results light for many organizations, particularly smaller ones. Many SMBs now feel burned by AI promises. Pushing more AI solutions may backfire if the foundational issues – data quality, process fit, and training – aren't addressed first.

[00:03:36] MSPs that rush to resell AI tools without a maturity roadmap risk damaging trust. MSPs should not assume AI enthusiasm equals readiness. There's demand, but not for raw AI tools. The real opportunity is to deliver structure, guidance, and policy-driven implementation, especially in the realms of security and data integrity. Help clients crawl before they run. This episode is supported by Flexpoint.

[00:04:06] Managing cash flow can be tough for managed service providers. Flexpoint's working capital solution is designed to bridge the gap between invoicing and payment, giving providers access to funds when they need them. With quick approvals and flexible terms, it helps cover expenses, invested growth, and maintain financial stability. Keep your operations running smoothly with Flexpoint. Visit getflexpoint.com slash MSP dash radio to learn more.

[00:04:35] Select, heard it on the business of tech or MSP radio. You'll get 10% off. OpenAI has announced that its nonprofit organization will continue to control its for-profit division, even as it transitions to a public benefit corporation. This decision follows feedback from civic leaders and discussions with the Attorney's General of California and Delaware, emphasizing OpenAI's commitment to its original mission of ensuring that artificial general intelligence benefits all of humanity.

[00:05:03] The company, which has raised a record $40 billion in private funding, is responding to the need for significant capital to develop its artificial intelligence technologies. OpenAI CEO Sam Altman stated that the nonprofit's control will allow for a simpler capital structure and ensure that the benefits of AI are distributed broadly across society. Why do we care? OpenAI says it's committed to broadly beneficial AGI, yet it's raised billions in private capital and is burning through cash at unsustainable rates.

[00:05:32] Reports suggest that OpenAI is losing billions annually, largely due to compute costs and aggressive R&D. That makes this nonprofit-controlled structure more of a branding move and moving back to the way they were than a true governance shift. OpenAI wants to have it both ways, mission-first narrative with a venture-fueled engine. For IT services firms, this reinforces the importance of vendor diversification, clear SLAs, and platform risk assessments.

[00:06:00] If you're building client strategies around OpenAI's tools, have contingency plans. And watch how governance evolves when financial gravity asserts itself. Following the recent statements by Spotify, Duolingo, the popular language learning platform, has announced plans to transition to an AI-first model, gradually replacing contract workers with artificial intelligence for tasks that can be automated.

[00:06:24] Co-founder and CEO, Louis van Aan, emphasized that this shift is not about replacing human employees, but rather about removing inefficiencies to enable them to focus on more creative and complex tasks. In a recent All Hands email, van Aan stated that the company will implement changes in hiring practices and performance evaluations to incorporate AI. He highlighted that AI is crucial for scaling content creation, which is essential for Duolingo's mission of expanding its educational offerings.

[00:06:52] The move aligns with a broader trend in the tech industry, where companies are increasingly leveraging AI to enhance productivity and efficiency. Why do we care? Duolingo's decision to move to an AI-first model isn't just about internal productivity. Part of a growing pattern among tech firms like Spotify, Dropbox, and Klarna, leaning hard into AI as a cost-cutting and scalability lever, particularly in content-heavy businesses.

[00:07:16] While the rhetoric is about enhancing human creativity, the underlying reality is automation, replacing contract and repetitive labor. IT service firms advising clients on digital transformation need to go beyond deployment. What roles, metrics, and org chart changes change when AI is central? While positioned as freeing employees from more creative work, these moves often reduce headcount while increasing performance expectations. That tension is already visible across tech.

[00:07:44] Companies touting AI-first strategies may undermine morale or over-promise on productivity if transitions are not paired with re-skilling and clear internal communications. The opportunity lies in helping clients adopt AI, which is often synonymous with automation, with purpose and policy, not just speed. We have to talk about Pete Hedgeseth some more.

[00:08:06] In a troubling development for United States Secretary of Defense Pete Hedgeseth, new reports reveal that he used an unsecured internet connection to install the messaging application signal on Pentagon devices in his office. This action raises significant security concerns, particularly given that Hedgeseth's personal phone number was also easily accessible online, particularly exposing him to espionage threats.

[00:08:29] According to a report by the Washington Post, Hedgeseth installed signal on a desktop computer to circumvent poor cell service at the Pentagon, despite the military's ban on personal devices in classified spaces. This on top of the fact that Hedgeseth reportedly shared sensitive information through Signal, including military plans, prompting investigations into his digital practices.

[00:08:51] The use of Signal, which automatically deletes messages after 30 days, may also put Hedgeseth and federal agencies in violation of the Federal Records Act, raising alarms about the preservation of government records. The Pentagon inspector general is expanding its inquiry into Secretary Hedgeseth to include a second chat that may have involved the transfer of classified information from a secure government computer to his personal devices.

[00:09:14] According to reports from the Wall Street Journal, the inquiry is focusing on how classified data was shared shortly after being sent from government systems. Hedgeseth, who previously downplayed the significance of the first chat linked to discussions about military action in Yemen, has remained silent on the details of the second chat, which included family and friends. Michael Waltz, recently removed as national security advisor, was photographed using a modified version of the Signal messaging app during a cabinet meeting.

[00:09:41] The app, known as TM Signal, is designed to archive messages to comply with presidential record-keeping requirements, which some officials have criticized for potential compromising national security. During the cabinet meeting, visible messages on Waltz's phone indicated communications with notable officials, including Secretary of State Marco Rubio and Vice President J.D. Vance. And that app?

[00:10:04] Well, a recent security breach has exposed customer data from TeleMessage, a company that provides modified messaging apps, including a clone of Signal, to the U.S. government for archiving communications. The hacker accessed sensitive information, including direct messages and group chats from high-ranking officials, highlighting vulnerabilities in the app's security measures. The breach raises concerns about the encrypted protocols used by TeleMessage, as archived chats were not end-to-end encrypted, allowing unauthorized access.

[00:10:32] The leaked data includes information related to Customs and Border Protection and major financial institutions like Coinbase. TeleMessage has suspended operations. Why do we care? The unfolding scandal involving Secretary Hegseth and the broader misuse of Signal and its derivatives within high-level government communications is not just a national security embarrassment. It's a glaring example of cybersecurity governance failure at the highest levels.

[00:10:58] And it has ripple effects that directly undermine efforts by IT service providers to drive cybersecurity accountability in the private sector. When the Secretary of Defense bypasses secure channels to install a private messaging app on Pentagon systems, it sends a dangerous message. Cybersecurity is optional, even in the most sensitive environments. This makes it harder for IT services firms to push clients, especially SMBs, to take policy enforcement and compliance seriously.

[00:11:26] If the Pentagon can't follow its own rules, why should anyone else? TeleMessage was designed to bridge the gap, signal-style messaging with record compliance. But the breach shows that modifying secure apps for policy needs can introduce new vulnerabilities, especially when encryption is weakened. IT leaders should take note. Compliant doesn't mean secure, unless proven through transparent testing and oversight. The Hegseth saga isn't just a security lapse.

[00:11:53] It's a systematic governance failure that puts U.S. cybersecurity credibility at risk. For IT services firms, this is both a warning and an opportunity. Double down on executive accountability, sell governance as strategic risk mitigation, not just compliance, and reinforce that tech choices without policy backing creates more exposure, not less. Today's episode is supported by Huntress.

[00:12:20] Most cybersecurity solutions are built for massive enterprises with big budgets. Not Huntress. They're the fully managed cybersecurity platform built for all businesses, not just the 1%. Huntress purposely builds security solutions like EDR, ITDR, SIM, and security awareness training to equip their team of elite threat hunters to handle the heavy lifting of security for you. When threat actors strike, Huntress' 24x7 Global Sock shuts them down

[00:12:48] before they're even on anyone else's radar. But they do more than just chase alerts. They lead the charge in industry research and knowledge, bringing expert protection and peace of mind. That's why users on G2 rate their EDR number one for growing businesses. To see how their expert threat hunting team gets the job done, visit Huntress.com slash MSB Radio. Thanks for listening.

[00:13:14] Today is National Tourism Day, National Cosmopolitan Day, and National Homebrew Day. The Business of Tech is written and produced by me, Dave Sobel, under ethics guidelines posted at businessof.tech. If you've enjoyed the show, make sure you've subscribed or followed on your favorite platform. It's free and helps directly. Give us a review, too. If you want to support the show, visit patreon.com slash MSB Radio, and you'll get access to content early.

[00:13:50] If you have a question you want answered, we take listener questions, send them in, ideally as a voice memo or video to question at MSB Radio.com. I answer listener questions live on our Wednesday live show on YouTube and LinkedIn. If you've got a comment or a thought on a story, put it in the comments if you're on YouTube or reach out on LinkedIn if you're listening to the podcast. And if you want to advertise on the show, visit MSB Radio.com slash engage.

[00:14:17] Once again, thanks for listening, and I will talk to you again on our next episode. Part of the MSB Radio Network.