Welcome to the third episode of Group Dentistry Now & Black Talon Security's Dental Cyber Watch Live. As dental groups rush to adopt artificial intelligence, many are spending on tools no one uses and feeding patient data into platforms no one controls. The result is wasted budget, hidden liability, and growing security exposure. In this episode of Dental Cyber Watch Live, Bill Neumann (CEO, Group Dentistry Now) sat down with Gary Salman (Co-founder and CEO, Black Talon Security) and Matthew McGaw (founder, DSO Compass; co-founder, Relay) to unpack the promise and peril of AI in dentistry. The clear message for DSOs of every size: AI is transformative, but only when paired with governance, training, and due diligence. Here are the key takeaways. Shadow AI: The Risk You Can't See Shadow AI is the unmonitored use of large language models — ChatGPT, Gemini, Claude — by employees without policy, oversight, or controls. Staff turn to these tools to work faster. The problem is that no one is watching what data goes in. Salman described the scope at a recent DSO event with roughly 20 leaders, representing practices from 10 to 200-plus locations. Most reported a mix of LLMs already in use across their teams. Few had standard operating procedures governing what could be entered. Fewer still had any technology to monitor that activity. The exposure is real. Information uploaded to a free model may be anonymized, but it can resurface when others ask similar questions. "When the product's free, you're the product. They're not doing you a favor." — Gary Salman, Black Talon Security For an organization handling protected health information, that is a compliance event waiting to happen. The fix doesn't require shutting AI down — it requires structure: enable privacy settings so platforms don't train on your data, write SOPs that define what can and cannot be entered, and train staff on why it matters. The AI Graveyard: Paying for Tools No One Uses The "AI graveyard" is where promising technology goes to die. It's the software a DSO bought with enthusiasm, then abandoned because of poor implementation, failed training, low adoption, or clunky integration — while the subscription keeps billing. McGaw pointed to two familiar culprits: "shiny object syndrome" and the "Hawaiian shirt guy effect," where a charismatic salesperson wins the room and the product never fits the problem. Neumann offered a grounded example. Some automations at Group Dentistry Now worked well. Others proved clunky and were better handled manually. A buried tool isn't just a wasted subscription. It drains training hours, erodes staff confidence in future rollouts, and makes the next investment harder to champion. The escape route is unglamorous but reliable: plan, implement, and train before you scale. Roll out to a small group, confirm adoption, refine the workflow, then expand. Design Backward, Build Forward The smartest framing of the conversation came from a concept Salman credited to Andy Farina of Destination DSO: design backward, build forward. Understand the problem you're solving first, then align products to it — never the reverse. Most purchasing runs backward. A leader sees an exciting tool, then invents a reason to need it. McGaw captured the trap: "Sometimes the problem that they think they have to solve isn't always the problem that is really the problem." Salman's advice for separating substance from hype was blunt: "Stay away from the shiny penny and buy the gold." Before any AI purchase, leaders should define the problem, set clear criteria for success, evaluate fit against those criteria, and only then buy. Vendor Due Diligence — and Who's Really Liable Many DSO leaders misunderstand a critical point: under HIPAA, breach liability sits with the healthcare entity — the DSO — not the software or technology provider. Assuming the vendor carries that risk is a dangerous shortcut. That makes cyber due diligence non-negotiable. Before signing with any AI vendor, ask: How do they access, store, and share data? Who, specifically, has access to it? What security measures protect it? Salman's larger point: security should be the first question in any technology evaluation, not the last. Too often it's raised only after the contract is signed and the data is already flowing. Building AI Securely The throughline of the discussion was AI governance, risk, and compliance treated as a foundation, not an afterthought. For organizations handling patient data, that distinction separates innovation from exposure. Leaders should expect real safeguards from any tool touching PHI: scrubbing confidential data like dates of birth, Social Security numbers, and patient health information on upload; annotating sources so answers can be traced; flagging possible hallucinations; and hashing files to protect their integrity. Pair those safeguards with disciplined implementation, and today's investment doesn't become tomorrow's graveyard occupant. Protecting What You've Built AI is a genuine opportunity for DSOs willing to pair ambition with discipline. The risk isn't the technology — it's deploying it without control. Three steps to start now: Audit current AI usage to learn which tools your team uses and what data flows into them. Establish AI governance and SOPs before the next tool goes live. Make vendor security due diligence standard, with security as the opening question. Is your DSO adopting AI faster than it can secure it? Get these fundamentals in place, and AI stops being a liability waiting to surface — and becomes the advantage it promised to be for your practice and your patients. Get the MAX Surgical Specialty Management Case Study: https://dso.pub/4v8OwfP
