SMBs and midmarket companies are a crucial part of the economy. But those organizations often don’t have the resources to prevent tool sprawl and staunch the proliferation of shadow AI.
Tech-Channels spoke with Robert Johnston, Chief Innovation Officer at N-able, who contends the biggest threat to SMBs and midmarket companies revolves around identity, both human and non-human. AI can help, he says, but the sector, as is typical, is lagging a year or two behind the enterprise in adopting AI.
Q. Why is the SMB and mid-market segment so important in cybersecurity?
A. SMBs are an important facet of the economy. We’re talking about five million businesses globally. Statistically, an SMB business is three times more likely to get breached than an enterprise. That’s because of criminal enterprise and the perception that SMBs and mid-market companies are weak targets. Their supply chains extend into larger corporations, so they’re an important part of the overall ecosystem. It’s not just about them in isolation—they’re often a pathway into bigger organizations. And they need to operate continuously to keep the lights on and pay the bills—if they’re down, they can’t do business. That’s why resiliency becomes so critical for this segment.
Q. How is AI impacting your work and your customers?
A. We collect almost a trillion security events across our customer base every month. A very small number of those events actually represent a threat, so AI is extremely useful for finding those signals. Another major application is summarizing complex security events. You have to take a series of events across multiple systems and explain what happened, what you did, and the outcome in a way a mid-market customer can understand. AI helps us do that much faster.
And then there’s the user experience—customers want to interact with systems in natural language, to chat with their data and their platform. AI makes that possible in a way that wasn’t before.
Q. Is AI overhyped right now?
A. Everything, right? The usage in many enterprises hasn’t left production—it’s mostly in pilot or sandbox. There are technical solutions being built for problems that aren’t yet business problems at scale. That will evolve as more AI applications move into production, but today the demand is being talked about as if it’s fully there, and it’s not. The capabilities are improving quickly, but adoption will mature at different paces depending on the segment. What you’re seeing today is more early-stage experimentation than full-scale deployment.
In the enterprise, they have more resources to throw at AI. But, also the problems are more complex, and their venues to deliver the AI experience are more distributed. The enterprise seems to be where AI adoption is taking place first, because they have more need and, also, more resources to apply to the problem. SMBs historically always lag the enterprise. So, if the enterprise matures over the next 24 months then you can probably expect the SMB to mature over 36 to 48 months.
Q. What is the biggest security threat today?
A. The number one reason breaches occur still revolves around identity. It’s the AK-47 of cyberspace. Most breaches we deal with are identity-based attacks that unfold over time. It might start with someone giving up credentials, and over weeks, that turns into domain compromise and eventually ransomware. And now you also have non-human identities—service accounts and AI agents—which expand the attack surface significantly. That just increases the complexity of managing identity overall.
Q. Has AI made NHIs a security challenge?
A. NHIs are not exclusive to AI agents. Before AI agents, there were service accounts, and service accounts were used by systems. One of the very first breaches I ever investigated was a BlackBerry server that tracked and inventoried all BlackBerries. It was the service account for the BlackBerry management (BBM) server. An attacker got an identity that didn't belong to a human and used it to go to all the systems. So, service accounts and non-human identities existed long before AI agents. Now you just have a greater level of automation. But when you think about AI agents, they are a lot like service accounts, and so they look and operate in much of the same way.
Q. What has surprised you about new risks that are emerging with AI and automation?
A. Nothing has necessarily surprised me. What I’m seeing is an increased focus on shadow AI. Every hour, customers are getting new requests for AI agents—often from SaaS apps—that connect into systems like CRM or productivity tools. It’s a bit of the Wild West. People are signing up for these services and connecting them across the business, and no one can really tell them no. That’s where the real concern is—not just what’s happening on the endpoint, but all these AI-driven integrations happening across systems without visibility or control. That lack of visibility is what creates risk.
The pain I think customers are feeling is a lack of observability or confidence that they can see what's going on. You have to ask yourself where is shadow AI coming from? It's coming from a variety of different locations—from MCP, desktop applications that people can install, cloud, or whatever else. It’s coming from, certainly, the browser. I do not think that the endpoint problem is the worst problem.
Q. How are organizations handling the complexity of modern security?
A. Every time you have a new security attack surface, you get a new tool and it’s never-ending. So, you end up with tool sprawl. There are two approaches: consolidate into platforms or use services like managed detection response to orchestrate the tools as a service. That need, especially in the midmarket and among SMBs, won’t go away because they don’t have the resources to handle all these tools they are being asked to manage and monitor. What will help with this complexity across endpoints, networks, and cloud is AI, which will assist in the monitoring and management of all the various security tools and applications from the endpoint through the network and into the cloud.
For SMBs and midmarket organizations, cybersecurity risk is increasingly driven by identity, expanding attack surfaces, and limited visibility into rapidly adopted AI tools. Human and non-human identities continue to be a primary entry point for attackers, while shadow AI and tool sprawl make consistent oversight difficult.
AI can help by improving threat detection, simplifying analysis, and reducing operational strain, but it requires strong governance and an identity-focused approach to be effective. As these organizations play a critical role in broader supply chains, building resilience and maintaining control over systems and identities will be essential to managing risk in the years ahead.