Insights
The realities of AI security in early-stage biotech
Small biotechs have adopted AI faster than they have governed it. The exposure shows up first in diligence.
Anthony Walker, PhD, and Cort Hepler · July 2026 · 6 min read
What is actually at stake
Many small biotechs adopted AI the same way: someone approved an enterprise subscription, sent a polite email about responsible use, and considered the matter settled. The result is a bring-your-own-AI culture running on corporate identity, with no map of what data goes where. For a company whose value rests on intellectual property, clinical data, and a credible narrative, that is not a trivial IT question.
It is a governance gap that surfaces at the worst possible moment: when an investor or a prospective partner asks, during diligence, exactly how you use AI and what happens to your data. The US and UK national cyber agencies have set out the stakes plainly.1 The exposure is manageable, but only with deliberate yet lightweight governance, and the time to build it is before someone asks.
Where the data goes
Generic security guidance tends to focus on two risks: data leakage and supply chain vulnerabilities.1,2 Both translate directly into the biotech setting, and the translation is where the real exposure lives. Data leakage in a standard enterprise might mean a misplaced internal memo; in this sector it means unpublished sequence designs, omics analyses, and draft patent claims feeding a model you do not control. Once that content leaves your controlled environment, the risk is no longer an IT incident: disclosure of an unpublished invention outside confidentiality can jeopardize its novelty and weaken your position before a negotiation begins.
Figure: Where the exposure is largest, and least visible
The largest leak, for many companies, is not a scientist installing a browser extension. It is AI switched on inside tools you already run: assistants embedded in Microsoft 365 and Google Workspace, note-takers in Zoom and Teams that transcribe and summarize meetings, and features enabled by default across your existing software. These tools reach your highly sensitive conversations without anyone deciding they should.
Supply chain risk is just as concrete for a virtual company. Early biotechs send proprietary data to CROs and CDMOs by design, and those partners use AI of their own, so your data-handling terms with service providers are part of your AI exposure whether or not your own policy is in order.1 And regulated data carries obligations that ordinary corporate data does not: AI use that touches records under 21 CFR Part 11, or personal data under HIPAA or GDPR, sits inside compliance regimes that predate the technology and still apply to it.
Reliability and manipulation
Beyond leakage is the question of whether you can trust what a model gives back. In late 2025 the NCSC warned that prompt injection, where hidden instructions buried in content hijack a model's behavior, may never be fully eliminated, and can be used to leak confidential data or generate disinformation.4 Separately, models produce confident output that is sometimes wrong. Relying on either failure mode to draft a safety narrative or synthesize a body of literature is not a harmless shortcut: flawed upstream content works its way into internal analysis and can shift how a team frames risk to a regulator or a clinical partner, quietly and without an obvious error to catch.
Shadow use and the diligence question
The tools are already in use. MIT's 2025 study of enterprise AI found personal AI tools in regular use at roughly 90 percent of surveyed companies, against about 40 percent that hold an official subscription, and about 95 percent of formal GenAI initiatives showing no measurable impact on profit and loss.5 A separate survey of 1,000 U.S. workers the same year found 78 percent using AI tools their employer had not approved.7 The draw is flexibility and immediate utility, not better performance on hard problems; the MIT study found many users still prefer human judgment for complex, high-stakes work. Carefully configured enterprise controls do little if a computational biologist is pasting proprietary code into a personal account on a laptop.
External scrutiny is rising in parallel. The EU AI Act classifies as high-risk any AI that is, or is a safety component of, a regulated medical device, along with certain health uses such as patient triage; high-risk systems carry documentation and human-oversight obligations that phase in across 2027 and 2028.6 Those obligations apply directly only to regulated products. For many small biotechs, the pressure arrives a different way: through the questions investors and partners now ask about AI during diligence, whether or not the company ever plans to build a medical device.
This is the part that tends to surprise founders. When we run technical due diligence for an investor or an acquirer, AI usage is now part of what we probe: which tools touch the company's sensitive data, what the vendors do with that data, whether unpublished material has passed through systems the company does not control, and who is accountable for any of it. These questions have moved from optional to routine, because the answers bear on the integrity of the asset being bought.
The cost of poor AI governance is rarely a dramatic breach. More often it is a quieter discount applied by the person across the table.
From the other side of the table, a weak answer is not a missing certification; it is hesitation, a founder who cannot say where their data goes. The intellectual property exposure carries the greatest weight: if unpublished material has been disclosed through an uncontrolled tool, it can surface in IP diligence, complicate representations and warranties, and in a licensing process it can stall or reset the conversation.
How Alacrita helps
For over fifteen years Alacrita has provided technical due diligence to pharma, biotech, universities, and investors, assessing assets across clinical, regulatory, CMC, and commercial dimensions. We also help companies prepare for incoming diligence, including the questions a partner will now ask about AI use and data handling.
A minimum viable policy
The response is not a fifty-page governance manual. Many AI policies fail on contact with bench scientists and business teams because they are abstract and detached from daily work. The single decision that does much of the work is also the simplest to picture: match each class of data to the tool environment it belongs in, and name what is out of bounds.
Figure: Which data belongs in which tool
Configuring what you already pay for
A small company without a security team does not need one to do much of this. The work is configuring the platforms you already pay for, then having someone confirm the settings hold, because defaults change and assumptions drift.3 Turn off model training on your corporate data, enforce single sign-on so access is centralized and revocable, and restrict the export of chat histories. Keep production data separate from casual experimentation, and treat data connectors and plugins, the integrations that let a tool reach into your email, files, or code, as the single weakest point, defaulting them to read-only. Give your genomic and omics stores the tightest access controls you run: unlike a password, sequence data cannot be rotated after it leaks.
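The connector check above is the one piece of this that can be partly mechanized. The script below is an added example for this article, not code from Alacrita or from any identity vendor: it takes a list of third-party app consent grants, in the shape an administrator might export from an identity provider, and flags AI apps that hold more than read-only access to mail, files, or sites, plus apps from unverified publishers. The grants are constructed sample data and the app names are hypothetical; the scope strings follow real Microsoft Graph and Google OAuth naming conventions, but a real export will use different field names, so adapt the Grant fields to match.

```python
"""Flag AI connectors and plugins that hold more than read-only access.

Added example for this article, not code from Alacrita or any vendor.
SAMPLE_GRANTS is constructed data; the apps are hypothetical. Scope names
follow Microsoft Graph (Files.ReadWrite.All, Mail.Send) and Google OAuth
(https://www.googleapis.com/auth/drive.readonly) conventions.
"""
import re
from dataclasses import dataclass

# Microsoft Graph style scopes that let an app modify or send data,
# e.g. Files.ReadWrite.All, Mail.Send, Sites.Manage.All.
MS_WRITE = re.compile(r"(ReadWrite|\.Send|\.Write|\.Manage)", re.IGNORECASE)

# Google style scopes are full URLs. Drive and Gmail scopes grant
# read-write access unless they end in ".readonly".
GOOGLE_SENSITIVE = (
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/gmail",
    "https://mail.google.com/",
)


@dataclass(frozen=True)
class Grant:
    """One consented app, as it might appear in an IdP export (assumed shape)."""
    app: str
    publisher_verified: bool
    users: int
    scopes: tuple[str, ...]


def scope_is_write(scope: str) -> bool:
    """True if the scope lets the app change or send data rather than only read it."""
    if scope.startswith("https://"):
        return scope.startswith(GOOGLE_SENSITIVE) and not scope.endswith(".readonly")
    return bool(MS_WRITE.search(scope))


def write_scope_findings(grants):
    """Map each app that holds write scopes to the offending scopes."""
    return {
        g.app: [s for s in g.scopes if scope_is_write(s)]
        for g in grants
        if any(scope_is_write(s) for s in g.scopes)
    }


def unverified_apps(grants):
    """Apps whose publisher the identity provider has not verified."""
    return sorted(g.app for g in grants if not g.publisher_verified)


# Constructed sample export: four hypothetical AI tools with consent grants.
SAMPLE_GRANTS = (
    Grant("Meeting note-taker", True, 12, (
        "https://www.googleapis.com/auth/calendar.readonly",
        "https://www.googleapis.com/auth/drive",          # full Drive, not read-only
    )),
    Grant("Literature summarizer", False, 1, ("Files.Read.All", "User.Read")),
    Grant("Chat assistant plugin", True, 30, (
        "Mail.Read", "Files.ReadWrite.All", "Mail.Send",  # can rewrite files and send mail
    )),
    Grant("Sequence viewer", True, 5, ("https://www.googleapis.com/auth/drive.readonly",)),
)


def report(grants=SAMPLE_GRANTS):
    """Human-readable findings, one line per issue."""
    lines = []
    for app, scopes in write_scope_findings(grants).items():
        lines.append(f"WRITE       {app}: {', '.join(scopes)}")
    for app in unverified_apps(grants):
        lines.append(f"UNVERIFIED  {app}")
    return lines


if __name__ == "__main__":
    for line in report():
        print(line)
```

On the sample data the note-taker and the chat plugin are flagged for write access and the summarizer for an unverified publisher; the read-only sequence viewer passes. Run this against a real consent export after the two-week inventory and again whenever a vendor adds a connector, since the scopes an app requests can widen on update.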
Culture and validation
Culture carries more weight than software here. The GenAI initiatives that worked in the MIT study were distinguished by integration and adoption, not by which tool they bought,5 and the same logic governs security: a policy no one understands does little to protect the company. Make AI literacy part of onboarding, and show scientists concrete examples of prompts that would leak intellectual property so the boundary is tangible rather than theoretical. Build validation into the scientific workflow, so any regulatory document drafted with AI assistance gets explicit human review and a record of it, and AI-assisted analyses stay provisional until a qualified specialist signs off. An informal community of practice, where staff trade what works and reinforce careful habits, does more than a memo.
When you are asked
AI governance has moved from internal hygiene to something you are asked about directly. When a board member, a prospective partner, or a diligence team raises it, the goal is a clear, immediate answer. Hesitation invites the follow-up questions that are harder to answer well.
A founder who has done the work described in this piece can answer in thirty seconds. They can name the tools their team uses and say where the boundaries are. They can point to the contract terms that keep their vendor from training on proprietary data. They can confirm that their CRO and CDMO agreements cover how those partners use AI. And they can name the person who tracks it, which at an eight-person company is usually themselves.
That kind of answer, given without hesitation, does more than a compliance document. It tells the person across the table that someone in the company knows where the data goes and what is off limits. The founder who cannot give a version of it is the one whose diligence takes longer and ends with harder questions.
A 90-day path
None of this requires a multi-year program. The first two weeks go to inventory: list the tools in use and map where sensitive data lives. The next month covers a brief policy and the configuration work on software you already own. The month after that goes to training scientists and tightening controls around research and business development. About ninety days, no new hires, using tools you already pay for.
What to watch
- The EU AI Act's high-risk obligations for medical-device AI and listed health uses, phasing in across 2027 and 2028.6
- Evolving FDA and EMA expectations for AI in regulated work, including documentation and human oversight of AI-assisted submissions.
- The steady hardening of AI-usage and data-handling questions in investment and partnering diligence, moving from optional to routine.
A small biotech cannot run a bank-grade security operation, and does not need to. What it cannot absorb is an avoidable breach, a partner walking away over governance, or a regulator questioning basic data handling. Governance can be lightweight. It must also be real.
Frequently asked questions
The main risks are leakage of unpublished research and IP into models the company does not control, unreliable or manipulated model output, and shadow use of unsanctioned tools. For many small companies the largest surface is AI switched on by default inside tools they already run, such as assistants in Microsoft 365 and Google Workspace and meeting note-takers.
Disclosing an unpublished invention to a tool outside confidentiality can jeopardize its novelty. It is not automatically fatal, but it can surface in the buyer's IP diligence, complicate representations and warranties, and weaken a negotiating position.
Diligence teams increasingly ask which tools touch sensitive data, what vendors do with that data, whether unpublished material has passed through systems the company does not control, and who is accountable for the controls. These questions have moved from optional to routine.
Four things: map data classes to approved tools, set clear boundaries on what can and cannot be entered into which tools, designate a single owner to track approved tools and workflows, and channel shadow usage by asking staff to bring new tools for a quick risk check rather than banning them.
It classifies as high-risk any AI that is, or is a safety component of, a regulated medical device, along with certain health uses such as patient triage. High-risk systems carry documentation and human-oversight obligations phasing in across 2027 and 2028. Software outside those categories is not automatically high-risk.
AI security is the narrow, adversarial slice: protecting data from leakage, defending against prompt injection, and ensuring model output is reliable. AI governance is the broader system: which tools touch which data, who approves new tools, who owns the policy, and what an investor or partner sees when they ask. Much of the exposure that surfaces in diligence is governance, not security.
Yes. Much of the work is configuring platforms already in use: disabling model training on corporate data, enforcing single sign-on, restricting export of chat histories, keeping production data separate from experimentation, and defaulting connectors and plugins to read-only access.
About the authors
Cort has been with Alacrita since 2018, leading the firm's marketing and technology functions while taking a direct role in client-facing analytical projects. He builds financial models, scenario analyses, and market intelligence tools for consulting engagements, and oversees the firm's approach to emerging technologies including AI.
Anthony brings over 35 years of experience in the life sciences industry, including more than a decade building and managing a biotechnology company and over 20 years as a management consultant to pharmaceutical and biotech companies.
References
1. Cybersecurity and Infrastructure Security Agency; National Cyber Security Centre; National Security Agency; et al. Guidelines for Secure AI System Development. Published November 26, 2023. Accessed June 25, 2026. ncsc.gov.uk
2. National Security Agency; Cybersecurity and Infrastructure Security Agency; National Cyber Security Centre; et al. AI Data Security: Best Practices for Securing Data Used to Train and Operate AI Systems. Cybersecurity Information Sheet. Published May 2025. Accessed June 25, 2026. media.defense.gov
3. National Security Agency; Cybersecurity and Infrastructure Security Agency; Federal Bureau of Investigation; et al. Deploying AI Systems Securely. Cybersecurity Information Sheet. Published April 15, 2024. Accessed June 25, 2026. cisa.gov
4. National Cyber Security Centre. Mistaking AI Vulnerability Could Lead to Large-Scale Breaches, NCSC Warns. Published December 8, 2025. Accessed June 25, 2026. ncsc.gov.uk
5. Challapally A, Pease C, Raskar R, Chari P. The GenAI Divide: State of AI in Business 2025. MIT NANDA, Project NANDA; July 2025. Accessed June 25, 2026. nanda.media.mit.edu
6. Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 Laying Down Harmonised Rules on Artificial Intelligence (Artificial Intelligence Act). Official Journal of the European Union. Published July 12, 2024. Accessed June 25, 2026. data.europa.eu
7. WalkMe (SAP). AI in the Workplace Survey: Second Annual Report. Survey conducted by Propeller Insights, July 2025. Published August 2025. Accessed July 1, 2026. news.sap.com