Thursday, May 21, 2026

AI Tools Are Rewriting Business Security, and Not in a Good Way

AI is completely rewriting the script on how founders run their businesses. As founders add more AI tools to their workflows, they need to understand the security of their AI software supply chain. Recently, the deployment platform Vercel suffered a massive security breach after an employee connected a third-party AI tool to their corporate Google account. Revolutionizing your business operations isn’t going to do much good if sensitive data is compromised. Before you roll out AI-powered tools, you must consider how they affect the entire software supply chain.

What are the risks of an under-managed AI software supply chain?

Currently, enterprise enthusiasm for AI adoption seems to be outpacing companies’ ability to enact meaningful security measures. According to a report by the cloud and AI security provider Wiz, while 87% of security professionals are using some type of AI service, only 13% have an AI-specific posture management strategy. Twenty percent aren’t implementing any type of AI security strategy, and another 25% admit they don’t know which AI services are currently in use in their organization.

The lack of information and oversight creates major challenges for founders. Reports have found that as many as 80% of workers use unvetted and unapproved AI tools on the job, and this isn’t limited to lower-level employees: senior managers and executives often have even higher rates of unapproved AI usage.

The problem? Unvetted AI tools often rely on open-source components that can harbor serious security flaws. The flow of information between microservices, LLMs and database servers can be hard to track, and that opacity hides connection and permission vulnerabilities. The Vercel breach exposed a large number of database credentials, API keys and third-party integrations, and it happened simply because an AI tool was granted permission to read the software’s environment variables.
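The least-privilege lesson behind that breach, as an added example that is not part of the original article: a hypothetical launcher that builds the environment handed to a third-party AI tool from an explicit allowlist and withholds anything that looks like a credential, so an integration that reads environment variables only sees what it was approved for. The allowlist, variable names and values below are constructed for this example.

```python
from __future__ import annotations
import re
import subprocess
from typing import Mapping

# Hypothetical allowlist for this example: the only variables a third-party AI tool
# is permitted to see. Default is deny; anything not listed is withheld.
AI_TOOL_ENV_ALLOWLIST = frozenset({"PATH", "HOME", "LANG", "APP_ENV"})

# Names that signal a credential (withheld even if someone adds them to the allowlist).
SECRET_NAME_RE = re.compile(r"KEY|SECRET|TOKEN|PASSW|CREDENTIAL|DATABASE_URL", re.I)
# Values that embed credentials, e.g. user:password@host inside a connection string.
SECRET_VALUE_RE = re.compile(r"://[^/\s:@]+:[^@\s]+@")

def scoped_env(env: Mapping[str, str], allowlist=AI_TOOL_ENV_ALLOWLIST) -> tuple[dict[str, str], list[str]]:
    """Return (minimal environment to pass, names withheld because they looked like secrets).
    Variables that are neither allowlisted nor secret-looking are dropped silently."""
    passed: dict[str, str] = {}
    flagged: list[str] = []
    for name, value in env.items():
        looks_secret = bool(SECRET_NAME_RE.search(name) or SECRET_VALUE_RE.search(value))
        if looks_secret:
            flagged.append(name)          # audit trail: what the tool was NOT given
        elif name in allowlist:
            passed[name] = value
    return passed, flagged

def launch_ai_tool(cmd: list[str], env: Mapping[str, str]) -> subprocess.CompletedProcess:
    """Run the tool with only the scoped environment instead of inheriting os.environ."""
    minimal, flagged = scoped_env(env)
    for name in flagged:
        print(f"withheld credential-like variable from AI tool: {name}")
    return subprocess.run(cmd, env=minimal, check=False)

# Constructed sample environment, modelled on what a deployment host might hold.
SAMPLE_ENV = {
    "PATH": "/usr/bin:/bin",
    "HOME": "/home/dev",
    "APP_ENV": "production",
    "EDITOR": "vim",
    "DATABASE_URL": "postgres://app:hunter2@db.internal:5432/app",
    "STRIPE_SECRET_KEY": "sk_live_EXAMPLE_NOT_REAL",
    "GOOGLE_OAUTH_TOKEN": "ya29.EXAMPLE_NOT_REAL",
}

if __name__ == "__main__":
    launch_ai_tool(["env"], SAMPLE_ENV)   # the child only sees PATH, HOME and APP_ENV
```

The flagged list is the part worth logging: it tells you which secrets were within reach of the integration and would have leaked had the process simply inherited the parent environment.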
In some cases, attackers intentionally “poison” public machine learning models by inserting false or misleading information into the training data. This can make the model malfunction in ways that cause it to give wrong answers, leak sensitive information or behave in a biased way, even while it appears to be functioning normally.

As agentic AI becomes more widely used, the risks grow exponentially. The ability of agentic AI to carry out complex series of tasks without oversight can be a boon for time-strapped founders. It also means that compromised AI agents can be used for increasingly sophisticated and devastating attacks.

Minimize the risks, and maximize the results.

For founders, the same risks that come with a “standard” cyberattack also exist within the AI software supply chain, but at scale: potential regulatory, legal and financial accountability, significant downtime, and lost trust. All of those risks become even greater when founders don’t do their due diligence on their entire AI software supply chain.

So how do you minimize the risks for your organization? Start by comprehensively vetting the tools your organization uses. Even basic steps such as reviewing terms of use and understanding how an AI tool may use the data you feed into it can help reduce risk. For businesses operating in privacy-focused industries, tools should also meet all relevant regulations.

You should also carefully vet the developers behind these AI tools. Ask yourself: Do the developers regularly update their AI tools, especially for security? Do they provide testing and validation results? Are they transparent about how your data is used and stored? What is their reputation like?

Even if a given AI system is deemed safe on its own, it’s important to map out the downstream connections it has with your apps and servers. This ensures that you are managing all relevant identities and workflows safely.
The best AI supply chain security strategies take all of these components into account.

Securing AI workflows and access

When you integrate AI into your stack, you should also adopt many of the same security practices you use with human employees. Zero trust governance, with strict access and authentication controls, can ensure that AI tools only access the information they need to perform their critical functions.

Finally, you need to establish clear AI policies and make sure your entire team follows them, on the user’s end as well as the developer’s end. The 2025 Verizon Data Breach Investigations Report found that roughly 60% of breaches involved a human element, usually employee error. Ongoing training on safe AI use will hopefully keep your team from using unauthorized AI tools that could compromise your systems.

Do you know where your AI comes from?

As AI adoption accelerates, ensuring it doesn’t compromise your security becomes an increasingly high-stakes game for founders. It’s great to unlock exciting automations and boost productivity, but you need to reduce risk wherever possible. A proactive and informed approach to your AI software supply chain will help you avoid becoming another cautionary tale.

EXPERT OPINION BY HEATHER WILDE RENZE @HEATHRIEL
