Best Practices Jul 14th, 2026

The Invisible Risk Inside Your Dealership's AI Boom

InvisibleAIRiskToddSmith

There is a moment happening inside dealerships right now that nobody is talking about publicly.

A GM, a fixed ops manager, or an F&I director sits down at their computer after hours. They open ChatGPT or Claude. They describe a problem they have been trying to solve for months. Within an hour they have a working tool. A dashboard. A report. An automated workflow. Something their vendor never built and never would have built.

They feel good about it. They should. They solved a real problem with real ingenuity.

What they do not realize is that they just connected an ungoverned AI tool directly to the most sensitive data in their store.

This is happening at dealerships across the country right now. And almost no one in the industry is talking honestly about what it means.

A New Behavior With No Name

The technology industry calls it vibe coding. The idea is simple: instead of hiring a developer to build a software tool, you describe what you want to an AI model in plain English and it builds it for you. The results are genuinely impressive. A pay plan calculator. A service absorption dashboard. A lead follow-up tracker. Tools that would have taken months and tens of thousands of dollars to build through a vendor are now being built in an afternoon by people with no technical background.

The instinct driving this behavior is completely right. Dealers have been strangled for decades by software that was not built for them. Bloated vendor platforms. DMS systems designed before smartphones existed. CRM tools that log everything and surface nothing useful. When AI makes it possible to build exactly what you need in plain English, people are going to use it.

The problem is not the creativity. The problem is what these tools are connecting to.

What Is Actually at Stake

Every useful dealership AI tool touches something sensitive. Deal jacket data. Customer nonpublic personal information. F&I product penetration rates. Service repair orders. Payroll figures. Gross profit by unit.

That data lives in your DMS, your CRM, your desking tool, your accounting platform. These systems were never designed to be AI endpoints. Reynolds ERA, CDK Drive, Tekion, VINSolutions, all of them were built to be accessed through specific, controlled interfaces. When a vibe-coded app connects directly to one of these systems through an API key found in a settings menu, a data export fed into a prompt, or browser automation scraping live data, an exposure is created that no one on the team is monitoring.

One misconfigured application. One tool sitting on a public URL. One prompt that returns more data than it should. That is all it takes.

The compliance dimension makes this more serious than a simple security concern. Dealerships handle nonpublic personal information under the FTC Safeguards Rule. The Gramm-Leach-Bliley Act governs how customer financial data is stored and accessed. When a vibe-coded tool touches DMS data with no audit trail, no access controls, and no logging, a dealer is potentially in violation of both, not because of malicious intent, but because of a governance gap nobody noticed.

The Wrong Response

The instinct of most dealership leadership when they hear this is to shut it down. Ban AI tools. Lock down the DMS. Issue a policy that requires IT approval for everything.

This will fail.

You cannot stop motivated, capable people from using the most powerful productivity tool they have ever seen. Banning AI at your dealership does not eliminate the behavior. It drives it underground. The tools get built anyway. They just do not get disclosed. The exposure is identical and now leadership has less visibility than before.

The dealers who ban AI tools in 2025 are making the same mistake as the dealers who refused to build websites in 1999. The technology is not going away. The only question is whether your dealership engages with it safely or dangerously.

The Principle That Changes Everything

The fix is not complicated, but it requires a shift in how dealers think about their data.

In any regulated industry that handles sensitive data at scale, there is a concept called an abstraction layer. It is a governed interface that sits between the applications making requests and the systems holding the data. Banks use it. Hospitals use it. Financial services firms use it. The idea is simple: your core systems should never be directly accessible by any application that has not been specifically authorized, monitored, and logged.

Dealerships do not have this yet. But they need it.

The abstraction layer has one job: to be the only thing that knows both sides. AI tools talk to the layer. The layer talks to the DMS. The two never speak directly. The layer controls what data gets served, to whom, under what conditions. It logs everything. And critically, it means your DMS and CRM never know an AI application exists.

This is not a theoretical architecture. It is the practical standard that every other regulated industry already meets. Dealers are simply behind.

Five Things Every Dealer Should Do This Month

Getting ahead of this does not require building a technology company. It requires a series of deliberate decisions made with intention.

First, take inventory. Ask every department head directly: what AI tools are you using to access dealership data? Frame it as an inventory, not a disciplinary conversation. You cannot govern what you do not know exists.

Second, tier your data by sensitivity. Customer PII and deal jacket financials are Tier 1 — they should never enter an external AI model's context window under any circumstances. Department-level operational data is Tier 2 — accessible internally but governed and logged. Workflow and scheduling data is Tier 3 — lowest sensitivity, can be used more freely. Most dealerships have never made these distinctions explicitly. Making them is the first act of real data governance.

Third, establish a single governed access point. Every AI tool should make requests through one controlled endpoint, not directly to the DMS or CRM. This endpoint enforces permissions, logs access, and keeps your core systems completely isolated from the AI layer above it.

Fourth, enforce a data residency rule. Tier 1 data should never leave a governed environment in raw form. AI tools should receive anonymized or aggregated outputs, not raw records. Any external AI platform your team uses should be assessed for its data retention and model training policies before use.

Fifth, build a lightweight approval process. Four questions before any new tool goes live: What data does it access? Does it connect through the governed layer? Who has access, and is that restricted? Does it log activity? A five-minute conversation drops your exposure dramatically. The goal is visibility, not friction.

What the Next Three Years Look Like

The dealers who build governed AI infrastructure in the next 12 months will have a compounding advantage. Their tools will be built on clean, reliable, dealer-owned data. Their AI outputs will be trustworthy because the inputs are trustworthy. When regulators begin asking questions about how dealerships are handling AI and customer data, and they will, these stores will have an audit trail.

The dealers who let vibe coding happen without a governance layer will spend the next several years cleaning up exposures they did not know existed. Dealing with incidents. Trying to explain to a lender or a regulator why customer nonpublic personal information touched an external AI model.

The creative energy inside your store is an asset. The curiosity your best people are showing about AI is something to channel, not suppress. What it needs is infrastructure worthy of it.

Your team is already building. The only question is whether they are building on a foundation that protects you.

Todd Smith

Chrome to Code

with Todd Smith

Todd Smith is the CEO of QoreAI, where his expertise lies at the intersection of AI and automotive, focusing on fraud prevention and data security. With over 30 years in retail, tech, and automotive, Todd has successfully founded and grown multiple startups, including companies recognized by Inc. 500/5000 and Red Herring Top 100. As Managing Director of Kyzor, he invests in and mentors promising automotive tech ventures. Todd's practical application of AI to address identity fraud and enhance dealership data protection has established him as a respected industry voice. His insights on automotive technology and security are frequently sought at major industry events.

View column

Get Curated Insights

Content worth the click

Stay Ahead of the Curve

Get exclusive insights, expert advice, and the latest trends in automotive marketing delivered straight to your inbox.

Join over 10,000 automotive professionals