Shadow AI Risks: Lessons from the Vercel Incident
NEWS·OPINION·April 22, 2026·4 min read

The Vercel incident exposes the risks of shadow AI and uncontrolled access. How to adopt AI with strategy, security, and governance in your organization.

There's something uncomfortable about Vercel's recent story. Not because it's an isolated incident, but because it lays bare something I've been seeing for months across multiple organizations: AI adoption is moving far faster than the capacity to govern it.

What's been discussed about the incident is, at its core, a problem of permissions and misplaced trust. An employee connects an AI tool to their corporate account — probably trying to be more productive. They grant broad access, as tends to happen with OAuth when no one looks closely at what's actually being authorized. That tool, or its environment, gets compromised. At that point, the attacker doesn't need to "hack" the company in the traditional sense: they already have the keys.

That completely changes the logic of security. It's no longer just about protecting infrastructure or endpoints — it's about understanding that every integration is an extension of your perimeter. If an external tool inherits permissions over email, repositories, internal systems, or APIs, then that tool becomes part of your chain of trust. And if it falls, you fall with it.

The problem isn't one person's mistake. It's the context in which that mistake becomes possible.

Today there are thousands of AI applications, and building a new one keeps getting easier. With a few APIs, a simple frontend, and a base model, any team — or even a single person — can ship a functional tool in days. But the ease of building doesn't automatically come with good security practices. Many of these applications lack robust credential management, don't encrypt data properly, or simply weren't designed to operate in enterprise environments with high standards.

And yet, companies are adopting them anyway.

This is what's known as "shadow AI." Teams that, with the best intentions, start using external tools to gain efficiency. Marketing connects a content generator to Google Drive. Development tries out a platform that integrates with GitHub. Finance automates reports with an app that requests access to email. All of it happens outside any formal framework — no evaluation, no policies, no visibility.

From a business perspective, it's understandable. The pressure to "use AI" is real. Nobody wants to fall behind. But from a risk perspective, it's a ticking time bomb.

The Vercel case puts something critical on the table: security no longer depends only on what you build or deploy — it depends on everything you connect. Every broad authorization is, in practice, a potential privilege escalation for a third party. And when that combines with exposed credentials, poorly managed tokens, or chained integrations, the impact can be systemic.

I've seen organizations where no one can confidently answer a basic question: what AI applications are currently connected to our corporate accounts? And if you can't answer that, you can't manage the risk either.
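The question above (which apps are connected, with what permissions, and are they still in use) is answerable once you have an export of OAuth grants from your identity provider or code host. The following is an added example, not code from the original article or from fuubo: it triages a constructed grant export so that broad, stale grants surface first. The scope strings are real Google Workspace and GitHub OAuth scope names used as samples; the app and user names, the export layout, and the risk weights are this example's own assumptions, not any vendor's report format.

```python
"""Triage an OAuth grant inventory for over-broad third-party (AI) app access.

Added example, not code from the original article or from fuubo. The input is
a constructed export in the shape an identity provider's OAuth-app report
commonly gives you (app, user, granted scopes, grant date, last use); it is
NOT a real Google Workspace or GitHub API response.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional

# Scopes that hand a third party standing access to a whole class of data.
# Scope names are real Google / GitHub OAuth scopes; the weights are assumed.
BROAD_SCOPES = {
    "https://mail.google.com/": ("email: full read/write/delete", 3),
    "https://www.googleapis.com/auth/gmail.readonly": ("email: read all mail", 2),
    "https://www.googleapis.com/auth/drive": ("drive: full access to all files", 3),
    "https://www.googleapis.com/auth/drive.readonly": ("drive: read all files", 2),
    "repo": ("github: read/write all repositories", 3),
    "admin:org": ("github: organization administration", 3),
}

# Narrow scopes: only files the user explicitly opens with the app, or profile data.
NARROW_SCOPES = {
    "https://www.googleapis.com/auth/drive.file",
    "https://www.googleapis.com/auth/userinfo.email",
    "openid",
    "read:user",
}


@dataclass
class Grant:
    app: str
    user: str
    scopes: List[str]
    granted: date
    last_used: Optional[date]  # None = token has never been seen in use


@dataclass
class Finding:
    app: str
    user: str
    score: int
    reasons: List[str] = field(default_factory=list)


def triage(grants, today, stale_days=90):
    """Score each grant; a higher score means broader standing access to review first."""
    findings = []
    for g in grants:
        f = Finding(g.app, g.user, 0)
        for s in g.scopes:
            if s in BROAD_SCOPES:
                label, weight = BROAD_SCOPES[s]
                f.score += weight
                f.reasons.append(label)
            elif s not in NARROW_SCOPES:
                # Unknown scope: count it, but a human has to classify it.
                f.score += 1
                f.reasons.append(f"unclassified scope {s}: review manually")
        # A token nobody has used for months is pure liability: revoke it.
        if g.last_used is None or (today - g.last_used).days > stale_days:
            f.score += 1
            f.reasons.append("stale or never used: candidate for revocation")
        findings.append(f)
    return sorted(findings, key=lambda x: x.score, reverse=True)


# Constructed sample export (fictional apps and users).
SAMPLE_GRANTS = [
    Grant("DocSummarizer AI", "alice@example.com",
          ["https://www.googleapis.com/auth/drive", "https://mail.google.com/"],
          date(2026, 1, 15), date(2026, 4, 20)),
    Grant("CodeReview Bot", "bob@example.com",
          ["repo", "read:user"], date(2025, 11, 2), None),
    Grant("Slide Helper", "carol@example.com",
          ["https://www.googleapis.com/auth/drive.file", "openid"],
          date(2026, 3, 1), date(2026, 4, 21)),
]


def sample_findings():
    """Run the triage over the constructed export as of a fixed date."""
    return triage(SAMPLE_GRANTS, today=date(2026, 4, 22))


def report(findings):
    """Render findings as a plain-text list, highest risk first."""
    lines = []
    for f in findings:
        lines.append(f"[{f.score}] {f.app} ({f.user})")
        lines.extend(f"    - {r}" for r in f.reasons)
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(sample_findings()))
```

Run as-is, the full-Drive-plus-full-Gmail grant lands at the top, the never-used `repo` token is flagged for revocation, and the app that only asked for `drive.file` scores zero. The useful part is not the scoring itself but having the export in the first place: the same loop is what turns "we don't know what's connected" into a reviewable list.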

The point isn't to stop using AI tools. That would be a strategic mistake. AI does generate real value — and in many cases, it does so in very tangible ways. The point is to stop adopting it haphazardly.

Adopting AI the right way means making deliberate decisions. Defining which use cases make sense, which data can be used, which tools meet minimum standards, how access is managed, how integrations are audited, and what happens when something breaks. It means understanding that productivity cannot come at the cost of control.

It also means culture. Blocking tools or restricting access isn't enough on its own. If the organization doesn't offer secure, business-aligned alternatives, people will find workarounds anyway. Shadow AI doesn't appear out of nowhere — it appears because there's an unmet need.

That's why this conversation needs to be about strategy and governance, not just tools. About how decisions get made around what to use, how to use it, and under what conditions. About how to balance speed with security. About how to build a foundation that allows AI to scale without unnecessary exposure.

The Vercel incident isn't an anomaly. It's a signal.

The companies that understand this in time will be able to capture the value of AI in a sustained way. Those that don't will probably learn it the hard way.

At fuubo, we work precisely at that in-between point where many organizations find themselves stuck today: caught between the urgency to use AI and the need to do it right. We help companies understand their real maturity level, identify invisible risks like shadow AI, and build a strategy that allows them to move forward without compromising the business.

If you don't have clarity today about what AI tools are being used in your company, what permissions they have, or what risks they carry — it's probably a good time to take a closer look.