Here are two stories the cybersecurity industry likes to tell about AI right now. The first is that it’s coming for your business. The second is from the vendor telling you it has the AI to save you from it coming for your business.

We’re going to skip both. We’re not going to AI you. Here’s what we’d rather show you: how OrbitalFire actually thinks about AI inside our own shop, from the language we use, the framework we built, and the policy we publish to the new assessment we’re launching to help smaller businesses make the same decisions for themselves.

OrbitalFire’s AI strategy is built around three things: a vocabulary (“robots” instead of “AI”), a decision framework called the Robot Applicability Quadrant that classifies every task as mandatory, prohibited, or somewhere in between, and an open-source acceptable use policy aligned to NIST. The result is a robot-first company that draws very clear lines about what humans still own.

We Live in a Volcano Now

As Reg Harnish, OrbitalFire’s CEO, put it in our April 2026 customer webinar, AI at OrbitalFire: “We live in a volcano. It doesn’t make any sense to spend all our time thinking about how we avoid lava. We’re in the situation. We need to deal with it.”

That’s the frame. Not fear, not hype, but acceptance. AI is here. It’s already in the tools your business uses, the tools your vendors use, and the inboxes your team opens every morning. Spending another quarter debating whether to “let AI in” is like spending a quarter debating whether to let the internet in. The interesting questions are downstream: where does it help, where do we draw the line, and how do we keep the humans in the loop?

That’s where most cybersecurity vendors stop being useful. They sell AI doom or AI salvation. They don’t tell you how they use AI internally, what they refuse to automate, or what their policy actually says. We think the more useful thing a cybersecurity company can do — especially one built for smaller businesses — is publish its own playbook. So that’s what this article is.

We Call them Robots — and That’s on Purpose

Inside OrbitalFire, we don’t call them “AI tools.” We call them Robots.

That’s not branding. It’s clarity. When everyone calls everything “AI” (workflow rules in your CRM, machine learning baked into your endpoint security, generative chat assistants, agentic systems that act on their own), nobody knows what’s actually doing what. The label hides the substance.

“Robots” is our umbrella term. It covers:

  • Workflow rules: built into the platforms we run our business on (CRM, ticketing, finance). Computer doing repeatable work. Most primitive form of robot. We’ve used these since day one.
  • Robotic process automation (RPA): software bots moving data and triggering actions across applications.
  • Machine learning: systems that get better over time by learning from past inputs. Most of our third-party security tools include this.
  • Generative AI: text, image, and code generation. Glorified search-and-write engines, in the most basic form.
  • Agentic AI: multi-step, context-sensitive systems where the output of one step becomes the input to the next, and the system makes contextual decisions on its own.

Calling all of them “robots” forces us to be specific. When a team member says, “Let’s use a robot for this,” the next question is “Which one?” The naming pushes the conversation past the marketing layer and into the actual decision.

Practically, here’s how we use robots today:

  • Content generation: with meticulous training of the models we use behind it, content is drafted and goes through peer review before it leaves the building. Nothing gets blasted out untouched.
  • Workflow automation: not just inside one application, but across them. Finance, CRM, ticketing, marketing, all wired together.
  • Coding: much of CyberBlast™ (our comprehensive monthly dashboard of your key metrics and performance data) and other customer-facing tools is written, built, and increasingly tested by AI.
  • Peer review: robots help us check robots. Every output still gets human eyes before publish or delivery.
  • Cloning the CEO: we trained our model on the writing, social posts, and webinar transcripts of our CEO, Reg Harnish, so anything we generate sounds like us, not the industry.

The Robot Applicability Quadrant — our decision framework

Every time we look at a new task or process inside OrbitalFire, it runs through what we call the Robot Applicability Quadrant, or RAQ.

The RAQ has two axes.

Y-axis: task characteristics that suit robots. Five criteria, stacked:

  • actuarial
  • data-driven
  • frequent
  • repeatable
  • error-prone

The more of those a task hits, the higher it sits on the Y-axis.

[Figure: Robot Applicability Quadrant]

X-axis: how objective the task is. Three criteria:

  • objective
  • binary
  • simple

The more of those a task hits, the further right it lands. Tasks at the right end need very little human judgment to do. Tasks at the left end need a lot.

Plot a task on those two axes and you land in one of four quadrants. Two of them are named on our slide.

Mandatory (top-right). A task that’s high on both axes — repeatable AND objective. We find a way to robotize it. 

Prohibited (bottom-left). A task that’s low on both axes — neither repeatable nor objective. Fundamentally human work; needs empathy, judgment, or relationship context. Robots are not allowed. Three high-profile prohibitions from our policy:

  • Reviewing or approving time-off requests
  • Salary negotiations and performance improvement plans
  • Anything unlawful

These are our indelible lines in the AI sand. They’re not going to move.

The two grey-area quadrants, top-left (repeatable but requires judgment) and bottom-right (objective but rare), are where most decisions actually live. A task that’s repeatable but emotionally loaded. A task that’s clearly objective but happens twice a year. Those decisions need a human, the RAQ, and an exception process — which is why our policy has all three.

Even if you never formalize a quadrant, the two-question version is useful for any business:

  • How repeatable is this task, really?
  • How objective is this task, really?

Most small business owners are surprised how many of their day-to-day decisions are sitting in the wrong quadrant.

Inside our open-source Robot Acceptable Use Policy

Our Robot Acceptable Use Policy isn’t a secret document. It’s open-source to OrbitalFire customers, meaning if you’re a customer and you’d like a copy to use as a starting point for your own, we’ll send it. We’d rather give smaller businesses a working example than have them start from a blank page.

Without reprinting the whole document, here are the pillars.

  • Exception policy: Every rule has a documented, reviewed-on-a-six-month-cycle escape hatch. Exceptions are not permanent and they’re not informal — they’re written down so we can inventory them.
  • Controls alignment: The policy is anchored to NIST SP 800-171 as our baseline cybersecurity framework. Whatever robots we build or deploy must comply with our cybersecurity program. The two are wired together by design.
  • Ethics: Robots must be used in moral ways. Our position is written down and tied to our company values.
  • AI infrastructure: Two non-negotiables: no third party trains their model on our content or intelligence, and our model is only trained on our content. We’re not feeding our customer data into someone else’s training pipeline. We’re also not borrowing somebody else’s voice; we sound like us because we trained the model to sound like us.
  • Vendor consolidation: We’re a small business too. Managing six AI platforms is not the move. Where we can, we coalesce around a single well-governed platform — even if it’s not the best at everything — because we can’t watch six things diverge or conflict.
  • Acceptable use: Robot-first is a mandate. Every new task and every modified process must consider robotization first. Paired with the prohibitions above and a legal element that respects laws which haven’t been written yet.
  • Training and enablement: Employees are continuously trained on the policy itself and on how to work alongside robots. You can’t operate a robot exoskeleton if nobody told you what it does.

That’s a lot. It is also why most companies don’t actually have an AI policy that works.

Humans with AI Replace Humans Without AI: the Robot Exoskeleton

AI will not replace humans, but humans with AI will replace humans without AI.

The picture we use internally for what that means is a robot exoskeleton. You come to work and you put on a set of capabilities that lets you lift more, think faster, make fewer errors, and stand up from your desk a little quicker. Some of what the exoskeleton does, it does without your input — lifting a box looks the same now as it did 2,000 years ago, and we don’t need a human optimizing that. The human stays at the center; the robot handles what was never high-value human work in the first place.

We don’t wave away the real concern. Jobs and agency matter. The honest answer is that the businesses that figure out the exoskeleton (what it lifts, what it doesn’t) will outcompete the ones that don’t. Pretending otherwise is unhelpful.

The other side of that same conversation — what attackers are doing with AI against smaller businesses — is in our piece AI Scams and Deepfakes: The New Frontier of Small Business Fraud. These two articles are companions: one is about how we use AI on our side, the other is about how cybercriminals are using it on theirs.

First Steps for Smaller Businesses and AI

You don’t need to formalize a quadrant or run a six-month policy review on day one. But the same two questions (what’s mandatory and what’s prohibited) work at any size.

If you do nothing else this quarter, do these four things:

  • Inventory where you’re already using AI. You are. Even if you don’t think you are. Your CRM, your spam filter, your accounting software, your design tools — chances are at least four of them have AI baked in. Write it down.
  • Classify the data your robots touch. Customer information, financial records, employee data, regulated data (HIPAA, NIST 800-171, NYSDFS Part 500). Robots that touch sensitive data carry different risk.
  • Decide your three indelible lines. What will you never let a robot do? Three is enough. Write them down. Tell the team.
  • Write down your exception policy. Even a paragraph. “Exceptions must be documented, time-bound, and reviewed quarterly.” The discipline is in writing it down at all.

The harder questions (privatization, controls alignment to NIST or HIPAA or CMMC or NYSDFS, supplier governance, AI risk for regulated industries) are where outside help pays off. Which leads us to our new AI Readiness Assessment.

The AI Readiness Assessment: What it is and Why We Built It

The OrbitalFire AI Readiness Assessment is a security readiness assessment for your AI program. It’s built on the NIST AI Risk Management Framework (RMF 1.0), from the same standards body that backs the rest of our cybersecurity work.

It identifies critical risks across four areas:

  • your policy
  • your technology
  • the third-party tools in your stack
  • how you’re actually using it

It is not a “which platform should you use” assessment. It’s a security assessment: what are the risks your AI usage creates, and how do those risks affect your business?

The process has the same shape as any other compliance assessment we run: launch meeting, controls evaluation, evidence and documentation review, score, and findings and recommendations. The results land in your 12-month cybersecurity mission plan.

The AI RMF is shorter than many of the frameworks we use for HIPAA or NIST 800-171 work, so the assessment moves faster than most. 

Here’s how we can help:

The Policy: If you’re an OrbitalFire customer and you’d like a copy of our Robot Acceptable Use Policy to use as a starting point, ask your customer success specialist at su*****@*********re.com

The AI Policy Work: If you’re trying to write your own AI policy and don’t know where to start, we’ll help you map it.

The AI Readiness Assessment: If you’re ready to put your AI program under a real framework before something forces the issue, let’s talk about the assessment. Specific, scoped, standards-based. Learn More and contact us if you’re Ready to Launch.

Watch our webinar AI at OrbitalFire

Frequently Asked Questions

How does a cybersecurity company use AI internally?

OrbitalFire treats AI as one category of “robots” — software doing repeatable, data-driven work for humans. Internal uses include content generation with peer review, cross-application workflow automation, code generation and testing for customer-facing tools like CyberBlast™, and document-generation pilots for assessment findings. Every robot output is peer-reviewed before it leaves the company.

What is the Robot Applicability Quadrant?

The Robot Applicability Quadrant (RAQ) is OrbitalFire’s decision framework for deciding what robots should and shouldn’t do. The Y-axis measures whether a task is data-driven, frequent, repeatable, and error-prone. The X-axis measures how much human instinct, emotion, or context the task needs. Tasks that hit all the right boxes are mandatory to automate; tasks that need human empathy are prohibited.

What should smaller businesses include in an AI acceptable use policy?

At minimum: a documented exception process with regular review, alignment to a cybersecurity control framework (NIST, HIPAA, CMMC, or NYSDFS where applicable), ethical-use language tied to company values, a list of three to five prohibited use cases your business won’t cross, a privatization stance on how vendors train their models, and a training plan so employees understand what they’re working alongside.

What is an AI readiness assessment?

An AI readiness assessment is a structured evaluation of how prepared an organization is to use AI safely. OrbitalFire’s assessment is built on the NIST AI Risk Management Framework. It evaluates technology, people, process, and third-party AI exposure — and produces a score, findings, and a 12-month mission plan, similar to other compliance assessments.

Can I see OrbitalFire’s AI policy?

Yes. OrbitalFire’s Robot Acceptable Use Policy is open-source to customers. Request a copy through your customer success specialist or by contacting OrbitalFire directly. The intent is to give smaller businesses a real, working example to adapt rather than starting from a blank page.