CISOOnline

Security considerations for adopting Claude Code and Cowork for SMBs

You are a security leader at a small or medium-sized business (SMB), and your organization has decided to adopt Claude. If you are like me, once the initial “surprise” wears off, you want to get your arms around what adopting Claude means for the business, and for security in particular, as quickly as possible. Below are some lessons I learned first-hand, witnessed as a bystander, or heard from fellow security leaders in the SMB space. The business wants to move fast, and Security is tasked with keeping up with that velocity.

Know what you are buying and accept that things are changing fast

Make sure you really understand what the organization is trying to achieve and which Claude plan you are buying. Knowing the plan you are on, or planning to purchase, matters because most of the security controls you will need are not available below the Team plan. For example, the Team plan provides SSO, but the Compliance API is available only on the Enterprise plan. Claude Code (“Code”), Claude Cowork (“Cowork”) and Claude Chat (“Chat”) are different products with different use cases and outcomes. The strategy here is to manage the blast radius. Most likely, every user will ask for “Claude” without knowing which plan or product they need to accomplish their task. I have found that an analogy works well here: Finance probably has a low appetite for giving everyone in the organization a corporate credit card with unlimited spending and no expense policy.

Along the same lines, it might not be necessary to equip everyone with a Claude license, and while some users may have a business case for Cowork, not everyone will need Code. Provisioning these products is not always clear-cut. My recommendation is to stand up an agile approval process that determines who needs a Claude license in the first place and which products they need, and to use that process as the initial control on the blast radius. A word of warning, though: while it might seem that the user with the Claude license is now riskier than the one without it, that is not necessarily true. Unless you can tightly control shadow AI use, the unlicensed user might be using Claude’s free plan or a different AI product altogether. Roughly half of employees are using shadow AI tools, and some surveys put the figure even higher, around 80 percent.
