The AI risks most businesses aren't pricing in
The expensive AI risks are the quiet ones, the kind that stay invisible until they aren't. In 2025 alone, courts logged more than 700 cases of AI inventing facts. Here are the risks worth pricing in before they arrive.
Most businesses worry about the wrong AI risk. They picture something dramatic, a system making one catastrophic decision. The real exposure is quieter and far more ordinary: the risks that sit invisible on the books until, one day, they turn out to be very expensive.
Consider one that barely registered two years ago. Courts around the world have now recorded more than 700 legal decisions involving AI-fabricated content, lawyers citing cases that never existed, with roughly 90% of them falling in 2025 alone (per the AI Hallucination Cases database maintained by the lawyer Damien Charlotin). In one, attorneys for the founder of MyPillow were fined over a filing full of citations an AI had simply invented (NPR). These weren't reckless outsiders. They were professionals who trusted a confident tool and didn't check.
That is the true shape of AI risk: not science fiction, but everyday over-trust, at scale. Here are the ones most businesses haven't priced in.
Confidently wrong
AI does not know when it is wrong. It produces fluent, plausible, incorrect answers with precisely the same confidence as the correct ones. The danger isn't the obvious howler that anyone would catch. It's the small fabrication that slips into a contract, a client report or a board paper because it looked right. Pricing this in means deciding, in advance, where a human has to check before AI output goes anywhere that matters.
The tools you can't see
Your team is already using AI you never approved, and you cannot manage what you cannot see. Unsanctioned AI is now behind roughly one in five data breaches (IBM, 2025), and the exposure runs from leaked customer data to confidential files sitting in a consumer chatbot's training set. We covered this one in full in Shadow AI: what your team is already using.
Compliance you've quietly taken on
Under the Australian Privacy Act, you are accountable for the personal information your business handles, including anything an employee pastes into a public model. More AI-specific regulation is coming, here and abroad. The businesses that wait until the rules are actively enforced before giving them a thought are the ones who will be scrambling when they are.
Vendor lock-in
Building your processes around a single provider's tool, pricing and roadmap is a risk that compounds quietly. Prices rise, models get retired, terms change, and the more deeply one vendor is woven into how you work, the less choice you have when they do. A little deliberate independence early keeps your options, and your leverage, open.
Cost sprawl
AI spending creeps, because nobody owns the total. A licence here, a per-seat fee there, a few subscriptions that overlap, and no single view of what it all costs or returns. Left alone it becomes a real line item that nobody can quite account for, which is its own kind of risk the moment the budget gets scrutinised.
Pricing them in
None of this is an argument against adopting AI. It is an argument for adopting it deliberately. Every risk here is cheaper to handle early than to clean up later, and most are straightforward once someone is actually looking for them. That is exactly why risk and governance are part of the groundwork we do with a business, not an afterthought: we would rather find the exposure while it is still cheap to fix.
If you're not sure which of these you are already carrying, that is worth knowing now rather than later. The free AI Maturity Assessment gives you a read on where you stand, risks included.