Someone on your team finds an AI tool that will sit in meetings and write up the notes, or summarize a thread, or draft replies. It asks for access to your calendar, your email, your files. There's a friendly Allow button. They click it. Done in four seconds.

That click did something bigger than it looked. It handed an outside piece of software standing access to your business — the same kind of access you'd think hard about before giving a new hire. We've written before that every AI tool is effectively a user on your network; this is the companion question. Before you let one in, how do you tell the safe ones from the rest?

You don't need a security team to do this well. You need a short, repeatable checklist and a habit of running it before the click, not after.

"Approved" is not the same as "reviewed"

The most dangerous assumption is that if a tool shows up in an official marketplace — a Copilot extension, an AI "skill," an app in the Microsoft or Google store — somebody vetted it for safety. Mostly, nobody did. A security firm recently built a deliberately malicious AI agent skill, ran it past every scanner they tested, and reportedly saw it reach 26,000 agents, some inside companies (The Hacker News). Marketplace approval means the listing met the store's rules. It does not mean the code is safe with your data.

This is the same trust gap browser-extension stores had a decade ago, except adoption is moving much faster. Treat "it's in the official store" as a starting point, not a clearance.

The meeting assistant that reads your whole mailbox

The fastest-growing version of this is the AI notetaker. An employee brings their own, it requests access to calendars, email, and drives, and suddenly a third-party service is reading everything those accounts can see. IT forums are full of these approval requests right now, and most small businesses have no rubric for answering them — so they either rubber-stamp everything or ban everything. Both are the wrong answer. A blanket ban just pushes people to personal accounts you can't see; a rubber stamp is how you end up with a dozen tools quietly reading the company inbox.

A short approval step beats both.

When the tool brings its own malware

If anyone on your team writes code, there's a sharper edge. AI coding assistants — Copilot, Cursor, Claude Code, Amazon Q — will happily clone a repository, "trust" the workspace, and run setup steps. Researchers showed this month that a clean-looking repo can hide instructions that get executed through the AI agent, including a now-patched flaw in Amazon Q Developer (BleepingComputer, The Hacker News). The developer never ran anything by hand — the assistant did it for them. If AI coding tools are in your shop, "don't open repos you don't trust" now extends to "don't let the AI open them unattended either."

The five-minute vetting checklist

Before you approve any AI tool that wants into your systems, run these five questions. None of them require a security background.

  • Who's actually behind it? A real company with a real address and a privacy policy you can read, or an anonymous listing? If you can't tell who you're trusting, that's your answer.
  • What is it asking to reach — and does it need that? A tool that drafts replies doesn't need full mailbox and drive access. Grant the least access it can do the job with, and be suspicious of anything asking for everything.
  • Did anyone review it, or just "approve" it? Store approval isn't a security review. For anything touching real data, look for an independent assessment, not just a star rating.
  • Who owns it, and can you switch it off? Every approved tool needs an owner on your side and an off switch. A tool nobody owns becomes the orphaned login nobody remembers — exactly the access risk that bites later.
  • Were you expecting this? A surprising number of "join our AI workspace" invites are now outright phishing — attackers spinning up lookalike tenants to harvest whatever your staff paste in (BleepingComputer). An unexpected invite is a stop sign, not a click.

If a tool clears all five, approve it, write down who owns it, and move on. If it stumbles on even one, that's the conversation worth having before it's inside.
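As an added illustration that is not part of this post or Amoeba Networks' own tooling, the five questions can be written down as a pre-approval check run over a tool's access request. The Google Workspace OAuth scope strings below are real; the purpose-to-scope policy and the sample request are constructed assumptions to adapt to your own rubric.

```python
# Added example: the five-question checklist as a pre-approval check.
# Scope strings are real Google Workspace OAuth scopes; the mapping of
# stated purpose to allowed scopes is an assumed policy, not a standard.

# Least privilege: the most a tool with this stated purpose should need.
MAX_SCOPES_FOR_PURPOSE = {
    "draft-replies": {
        "https://www.googleapis.com/auth/gmail.readonly",
        "https://www.googleapis.com/auth/gmail.compose",
    },
    "meeting-notes": {
        "https://www.googleapis.com/auth/calendar.readonly",
        "https://www.googleapis.com/auth/drive.file",
    },
}

# Scopes that mean "everything this account can see"; always a second look.
BROAD_SCOPES = {
    "https://mail.google.com/",               # full mailbox
    "https://www.googleapis.com/auth/drive",  # every file in Drive
}


def vet_tool(request: dict) -> list[str]:
    """Return the checklist questions this request fails (empty = approve)."""
    findings = []
    # 1. Who's actually behind it?
    if not (request.get("vendor") and request.get("privacy_policy_url")):
        findings.append("unknown vendor: no legal entity or privacy policy")
    # 2. What is it asking to reach, and does it need that?
    requested = set(request["scopes"])
    excess = requested - MAX_SCOPES_FOR_PURPOSE.get(request["purpose"], set())
    if excess:
        findings.append("more access than the purpose needs: " + ", ".join(sorted(excess)))
    if requested & BROAD_SCOPES:
        findings.append("asks for the full mailbox or drive")
    # 3. Did anyone review it, or just approve it?
    if not request.get("independent_review"):
        findings.append("no independent review (store approval does not count)")
    # 4. Who owns it, and can you switch it off?
    if not (request.get("owner") and request.get("revoke_path")):
        findings.append("no internal owner or documented way to revoke access")
    # 5. Were you expecting this?
    if not request.get("expected"):
        findings.append("unexpected invite; treat as phishing until confirmed")
    return findings


# Constructed sample: the reply-drafter from the post, asking for everything.
REPLY_DRAFTER = {
    "vendor": "Example AI Inc.", "privacy_policy_url": "https://example.com/privacy",
    "purpose": "draft-replies",
    "scopes": ["https://mail.google.com/", "https://www.googleapis.com/auth/drive"],
    "independent_review": False, "owner": None, "revoke_path": None, "expected": True,
}
```

Running `vet_tool(REPLY_DRAFTER)` returns four findings (over-broad scopes, full mailbox/drive, no review, no owner); trimming the scopes to the two Gmail scopes and filling in the reviewer and owner fields returns an empty list.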

Key takeaways

  • An AI tool that asks for calendar, email, and file access is asking to become a user on your network — vet it like one.
  • Marketplace "approval" is not a security review; a malicious skill recently sailed past scanners to 26,000 agents.
  • Don't rubber-stamp or blanket-ban AI notetakers — a five-question checklist beats both.
  • If your team uses AI coding tools, a clean-looking repo can run code through the assistant; don't let it open untrusted repos unattended.
  • Run the five questions before you click Allow: who's behind it, what it can reach, who reviewed it, who owns it, and whether you expected it.

How we help

At Amoeba Networks we help small businesses across the New York metro and the Puget Sound area bring AI in on purpose instead of by accident — setting a simple approval rubric, tightening what each tool can reach, and keeping a list of what's actually connected so nothing becomes the login nobody remembers. It's the practical layer under our AI for Business and using AI safely work.

If AI tools are showing up on your team faster than anyone is vetting them — and for most teams they are — that's a good conversation to have.

Ready to talk it through?

Reach Amoeba Networks whichever way is easiest:
