The AI Control Problem

Shadow AI Is the New Supply Chain. Vercel Just Proved It.

TV
Thiago Victorino
7 min read
Shadow AI Is the New Supply Chain. Vercel Just Proved It.
Listen to this article

On April 18, 2026, Vercel published a short bulletin titled “April 2026 Security Incident.” The bulletin is careful. Mandiant is engaged. Law enforcement is engaged. A limited number of customer environment variables may have been exposed.

Read past the careful prose and the attack chain is this: an employee connected a third-party AI productivity tool called Context.ai to their Google Workspace using OAuth. Context.ai was compromised. The attacker pivoted from the AI tool’s OAuth session into the employee’s Workspace, and from there into Vercel’s internal systems.

No zero-day. No exotic malware. No spear-phish. A developer installed an AI tool that asked for the usual permissions, clicked Allow, and went back to work. That click was the entry point.

This is the first public production breach we can point to where the vector was ungoverned AI tool adoption. The attack surface was not code. It was consent.

The Story We Have Been Telling

We have been writing toward this moment for two months.

In Clinejection: When an AI Agent Becomes the Attack Surface, we walked through an npm supply chain compromise that started with an AI issue-triage bot processing unsanitized input. In The Plugin That Wrote Its Own Consent Dialog, we looked at a different Vercel surface entirely: a first-party Claude Code plugin whose telemetry opt-in rendered through the agent’s own voice, with no attribution chrome. Two incidents, two different vectors, one pattern: the AI agent is infrastructure the rest of the security program has not learned to see yet.

This month’s incident is not a sequel to the plugin story. That earlier piece was about consent-spoofing on the developer’s machine. This one is about an employee’s Workspace becoming a staging ground because a third-party AI tool held OAuth scopes nobody audited. Different path, different controls, same governance deficit. What is new is that the blast radius reached production.

What Vercel Actually Said

Precision matters, because this story gets embellished fast.

Vercel’s bulletin confirms: a third-party application with OAuth access to an employee Google Workspace account was compromised; the attacker used that access to reach Vercel internals; a limited set of customer environment variables may have been exposed; Mandiant is still investigating.

Vercel does not, at time of writing, publicly name Context.ai as the vector. Multiple secondary sources do. Context.ai has not conceded fault, and the investigation is live. Treat the vendor attribution as the best available read, not a closed case. Treat the architectural lesson as settled regardless.

The architectural lesson does not depend on Context.ai being the culprit. It depends on the fact that a reasonable employee, at a sophisticated company, connected an AI tool to Google Workspace during normal work, and that connection became the perimeter.

Why the Old Playbook Misses This

Most security programs built for SaaS sprawl assume OAuth consent is reviewed by IT, scopes are right-sized at install, and unusual activity lights up a SIEM. That world is running a decade behind the calendar.

AI productivity tools are adopted one employee at a time, during a workflow, with no IT ticket. The tool asks for “read your email to summarize threads” or “read your drive to answer questions about your documents.” Those scopes are not unusual by SaaS standards. They are unusual when the grantee is an eighteen-month-old vendor running a server-side integration that sees every message and file it indexes.

Shadow IT had a footprint you could scan for. Shadow AI has a consent screen. The scan does not catch it. The screen has already been clicked.

This is what we mean by “AI is the new supply chain.” The supply chain is not your package manifest anymore. It is the list of third-party AI tools your employees have connected to Workspace, Slack, GitHub, and the CRM. Each one is a potential indexer of your corporate memory and, as April 18 made public, a potential pivot point.

The Prescription: A Company Brain, Not More Connectors

On April 14, Conor Brennan-Burke, advocating a commercial thesis he is building toward, argued that the governance response to the AI tool explosion is not another integration. It is what he calls a “company brain.” Two of his lines are worth keeping.

“Retrieval is a scavenger hunt.”

“Retrieval gives fragments. Synthesis gives a worldview.”

The argument underneath is that most organizations, faced with the promise of AI agents, have responded by wiring them into every source system through connectors. Every agent, every employee, and now every compromised third-party tool runs a retrieval pass against the same untriaged pile. No ranking. No canonical source. No audit trail of which version of a document the agent believed when it acted.

That picture explains why shadow AI adoption is both inevitable and dangerous. Inevitable because employees are trying to synthesize across fragments the company never synthesized for them. Dangerous because each tool that tries to help does so by indexing the same fragments through a new vendor.

A reader’s comment on Brennan-Burke’s thread was sharper than the post itself: “The real bottleneck isn’t retrieval or even reasoning. It’s authority. Who decides which doc is canonical?”

That is the governance question most companies have not answered. When two documents contradict, which one wins? When a policy is updated, how does every agent know? When an engineer leaves and her Notion page goes stale, what retires it? In practice the answer is “nobody and nothing.” Every retrieval pass re-litigates authority from scratch. As we argued in Codifying Institutional Intelligence, knowledge that is not testable is not governable, and knowledge that is not governable is a liability.

What a Company Brain Actually Is

Strip away the branding risk and the idea is concrete. A company brain is three things a retrieval layer is not.

It is authoritative. Documents are ranked. Conflicts are resolved at write time, not read time. When the HR policy changes, the old version is retired, not re-ranked against the new one on every query.

It is synthesized. The output is a worldview, not a pile of passages. An agent asking “what is our customer data retention policy” gets the policy, not six candidate documents and the instruction to figure it out.

It is auditable. Every answer traces back to the specific version of the specific source that produced it. When the agent acts on the answer, the action is bound to the version. When the version is wrong, every downstream action is discoverable.

Those three properties are what make agents safe to rely on. They also make shadow AI adoption less dangerous. An employee who can get a canonical answer from the company brain does not need to connect Workspace to a consumer AI tool to get it from fragments. The connector exists because the brain does not.

The company brain is not a product category to buy. It is an internal investment, built against systems the company already owns. Buying another connector-heavy tool to solve this problem is the thing that got us here.

What CISOs Should Do This Quarter

Three moves. None of them wait for Mandiant’s final report.

Audit the OAuth graph for AI tools. For every Google Workspace, Microsoft 365, Slack, and GitHub org you own, pull the list of third-party applications with active tokens. Flag any whose primary function is AI-assisted productivity. That is your shadow-AI attack surface today. It is larger than you expect.

Set a scope policy for AI tool grants. Not a block policy. A scope policy. Most employees do not need AI tools that read every document in Drive. Most need scoped access to specific folders. Default to narrow. Make broad scopes a ticketed decision.

Start the company brain investment. Pick one domain where authority matters: security policies, customer data handling, incident runbooks. Build the authoritative, synthesized, auditable version there first. Measure how many employee queries it answers. Expand. The point is to make shadow AI adoption less attractive by making the governed alternative more useful.

The Vercel incident is a data point, not a verdict. Companies that treat it as a Vercel problem will be next. Companies that treat it as a preview will not.

This analysis synthesizes Vercel’s April 2026 Security Incident bulletin (April 2026) and Conor Brennan-Burke’s “Your Company Needs a Brain, Not More Connectors” (April 2026).

Victorino Group helps teams audit their shadow-AI attack surface and build the authoritative company brain. Let’s talk.

All articles on The Thinking Wire are written with the assistance of Anthropic's Opus LLM. Each piece goes through multi-agent research to verify facts and surface contradictions, followed by human review and approval before publication. If you find any inaccurate information or wish to contact our editorial team, please reach out at editorial@victorinollc.com . About The Thinking Wire →

Part of The Thinking Wire, published by Victorino Group.

If this resonates, let's talk

We help companies implement AI without losing control.

Schedule a Conversation