Your AI Tools Are Only as Safe as Their Supply Chain

And then the breach happened anyway — from a vendor you never directly approved, through a connection you didn't know existed, using access that looked completely legitimate every step of the way.

In April 2026, Vercel — one of the world's most widely used developer platforms — disclosed that its internal systems had been breached. The entry point was not a phishing email to a Vercel employee. It was not a weak password or an unpatched server. It was an AI tool called Context AI that a Vercel employee had connected to their corporate Google account.

Context AI had been compromised weeks earlier. When the attacker gained access to Context AI's OAuth tokens, they gained access to every organisation whose employees had connected that app to their own accounts. Vercel's internal data — including customer information — was subsequently listed for sale on BreachForums for USD $2 million.

This is the AI supply chain attack. And it is now one of the defining security stories of 2026.

How This Breach Actually Happened

The inbox is not the only entry point any more. Any application an employee connects to their corporate accounts — particularly AI tools with broad data permissions — becomes a potential path for an attacker who compromises that application's vendor first.

That is exactly what happened here. The attacker did not target Vercel directly. They targeted a vendor that Vercel's employees trusted — and used that trust as the entry point.

The result was invisible to every traditional security control. No malware was detected. No suspicious login was flagged. No alert was triggered. The access came from a legitimate, trusted OAuth connection — and it looked normal every step of the way.

The Full Attack Chain — Step by Step

To understand why this incident matters beyond the headline, it helps to trace how the attack actually unfolded.

This Is Not an Isolated Incident — It's a Pattern

The Vercel breach would be alarming enough on its own. But it sits within a documented pattern of AI supply chain attacks that accelerated significantly through 2025 and into 2026.

The LiteLLM supply chain attack — malware planted inside a widely used open-source AI library — affected thousands of organisations simultaneously, including Mercor, a USD $10 billion AI startup. In each case, the common thread was identical: attackers exploited trust rather than vulnerabilities.

Researchers have described this as SaaS-to-SaaS lateral movement — a technique that bypasses endpoint security entirely because it never touches endpoints. The attack surface is the connection itself: the OAuth token, the API key, the integration permission. And most organisations have no visibility into these connections at all.

The AI Governance Framework: Where to Start

An effective AI governance framework doesn't need to be complex to be effective. The organisations that avoided major incidents in 2025 were not the ones with the largest budgets. They were the ones with real visibility into how their AI systems behaved and what connections they maintained.

Pillar 1 — Visibility: Know What You Have

You cannot govern what you cannot see. The first step is a complete inventory of AI tools — including those adopted by individual teams without central IT approval.

• Inventory all AI tools: sanctioned and unsanctioned (shadow AI)
• Map every OAuth connection and third-party AI integration
• Document what data each tool can access and what actions it can take
• Identify API keys and credentials stored in development platforms
• Review which employee accounts are connected to which AI services

Pillar 2 — Access Control: Apply Least Privilege

Most AI integrations carry far more permissions than their function requires — and those excess permissions become the attacker's path.

• Revoke all AI tool permissions that are not actively required
• Replace broad OAuth scopes with minimum-necessary scopes
• Rotate API keys and OAuth tokens on a regular cadence
• Require explicit approval for any new AI tool integration
• Apply least-privilege principles to AI agents as strictly as to human users

Pillar 3 — Vendor Due Diligence: Treat AI Tools as Third-Party Vendors

An AI tool is a third-party vendor with privileged access to your systems. It should be subject to the same risk management process as any other supplier.

• Assess the security posture of every AI vendor before connection
• Verify security certifications independently — do not rely on self-attestation
• Review vendor incident history and disclosure practices
• Include AI vendors in your third-party risk register
• Establish contractual requirements for breach notification timelines

Pillar 4 — Monitoring: Detect Unusual AI Behaviour

Standard security monitoring was not designed to detect SaaS-to-SaaS lateral movement. Dedicated AI behaviour monitoring is now a necessary component of any security programme.

• Monitor OAuth-connected applications for access from unexpected IPs or timeframes
• Set up alerts for AI-related credential leakage notifications from providers
• Review AI tool access logs for activity during periods your applications were not active
• Include AI integrations explicitly in your incident response runbooks

Pillar 5 — Policy and Culture: Close the Shadow AI Gap

Research consistently shows that banning AI tools doesn't work — nearly half of employees continue using personal AI accounts after a ban. The effective approach is building a sanctioned programme that meets employees' genuine needs.

• Develop a clear, accessible AI acceptable use policy
• Provide approved AI tools that match what employees actually need
• Train employees to recognise AI-specific risks (credential handling, data sharing)
• Create a simple process for employees to request new AI tool approvals
• Make it easier to do the right thing than to go rogue

The AI Governance Priority Matrix

Not everything can be done at once. Here is a prioritised view of governance actions, organised by urgency and impact.