Do You Know Where Your Employees Are Putting Your Data?

Your team is already using AI tools you don't know about. The Vercel hack last week is proof of what that costs.


The Vercel hack last week is a warning about the need for strong operational and technical leadership within an organization. It is another clear example of how one person’s decisions can impact an entire organization and its customers. If you’re not familiar with the events of last week, Vercel’s Google Workspace was accessed by a bad actor due to an employee using an unauthorized tool, Context.ai.

From Vercel’s PR Team

The incident originated with a compromise of Context.ai, a third-party AI tool used by a Vercel employee. The attacker used that access to take over the employee's individual Vercel Google Workspace account, which enabled them to gain access to that employee’s Vercel account. From there, they were able to pivot into a Vercel environment, and subsequently maneuvered through systems to enumerate and decrypt non-sensitive environment variables.

From Context.ai’s PR team - https://context.ai/security-update:

"We also learned that the unauthorized actor appears to have used a compromised OAuth token to access Vercel's Google Workspace," the company said. "Vercel is not a Context customer, but it appears at least one Vercel employee signed up for the AI Office Suite using their Vercel enterprise account and granted 'Allow All' permissions. Vercel's internal OAuth configurations appear to have allowed this action to grant these broad permissions in Vercel's enterprise Google Workspace."

If you take a minute to let that sink in, you’ll recognize that an AI company’s data was compromised because an employee used another AI tool in their workflow. The amount of information and capabilities within these tools makes a lack of governance, clear policies, and access to the right tools a major problem for organizations of all sizes. 
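A defender's check for the kind of grant described above, as an added example that is not part of the original post: it lists third-party OAuth grants that are not on an approved list and ranks those holding broad scopes first. The record shape is modelled on the Admin SDK Directory API token resource; the allowlist, the set of scopes treated as broad, and every sample value are assumptions constructed for illustration.

```python
import json

# Scopes treated as broad for this example (an assumption; tune to your policy).
BROAD_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/calendar",
    "https://www.googleapis.com/auth/admin.directory.user",
}

# Hypothetical allowlist of OAuth client IDs the organization has approved.
APPROVED_CLIENTS = {"111111111111-approved.apps.googleusercontent.com"}

# Constructed sample, one record per user/app grant. Field names are modelled
# on the Admin SDK Directory API token resource; all values are made up.
SAMPLE_GRANTS = json.loads("""
[
  {"userKey": "pm@example.com", "displayText": "Example AI Office Suite",
   "clientId": "222222222222-unknown.apps.googleusercontent.com",
   "scopes": ["openid", "https://www.googleapis.com/auth/drive",
              "https://mail.google.com/"]},
  {"userKey": "dev@example.com", "displayText": "Approved Assistant",
   "clientId": "111111111111-approved.apps.googleusercontent.com",
   "scopes": ["https://www.googleapis.com/auth/drive"]},
  {"userKey": "ops@example.com", "displayText": "Example Notes",
   "clientId": "333333333333-notes.apps.googleusercontent.com",
   "scopes": ["openid", "https://www.googleapis.com/auth/userinfo.email"]}
]
""")

def audit_grants(grants, approved=APPROVED_CLIENTS, broad=BROAD_SCOPES):
    """Return unapproved grants, broad-scope ones first."""
    findings = []
    for g in grants:
        if g["clientId"] in approved:
            continue  # sanctioned tool: covered by its own review
        hits = sorted(set(g.get("scopes", [])) & broad)
        findings.append({
            "user": g["userKey"],
            "app": g.get("displayText") or g["clientId"],
            "broad_scopes": hits,
            "severity": "high" if hits else "review",
        })
    return sorted(findings, key=lambda f: (f["severity"] != "high", f["user"]))

if __name__ == "__main__":
    for f in audit_grants(SAMPLE_GRANTS):
        print(f["severity"], f["user"], f["app"], f["broad_scopes"])
```

Grants marked "review" hold only sign-in scopes but still show which unsanctioned tools are in use; Google Workspace's app access control settings can then restrict which apps may request the broad scopes at all.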

How is your organization setting up for success? 

The velocity at which AI tools are made available and the power in the hands of each individual user multiply the ways your environment can be compromised. I have seen too many organizations throughout my career that have zero IT governance, policies, or training for their team. I’m still encountering organizations that disallow any AI tooling.

All that is doing is creating an environment of Shadow AI. Your team is using the tools and signing up for subscriptions, many unpaid, and putting your data into the system.

It may have been less dangerous years ago when natural barriers limited your exposure. A project manager was unlikely to find themselves setting up a GitHub repository and publicly sharing their API Token to your Jira environment.

But today, your project manager can go into Vercel, Lovable, Replit, Claude Code, and whatever new tool is out this minute, vibe code their own app, and give public access to that system. The barrier to entry is now zero. The technical moat is gone and everyone can walk into the castle. 

From my experience, these examples come from good, thoughtful, and curious people. They are doing the right thing by finding ways to increase their productivity, build tools that help them in their roles, and help the organization. Especially when there are mandates from leadership to leverage AI in workflows, can you blame an entrepreneurial employee for exploring while not fully understanding what they are getting into?

Do you know where your employees are putting your data?

There are ways to reduce your risk. We’ve long known the work that has to go into fixing the systems, the process, and the team’s knowledge. Cost and time were always the excuse for not addressing it, but now it’s having a real impact on the bottom line and on the trust of your customers. You need strong investment in your technical and operational leadership. Without someone steering your ship, you will navigate straight into pirate-infested waters.

Deloitte’s findings in their latest State of AI in the Enterprise report for March 2026 support the issues we are all living:

Agentic AI usage is poised to rise sharply in the next two years, but oversight is lagging: Only one in five companies has a mature model for governance of autonomous AI agents.

So how do you fix this?

There are 3 ways to get started protecting your organization:

You need to invest time and money into your systems. If you’re not using a password manager, multi-factor authentication, and keeping your hardware & software up to date, you’ve been at risk for years and it’s time to mature within your organization. This applies to organizations of 1 to 1000. 

You need to invest in the tools to give your team access to what they need to do their jobs. Bite the bullet and have an approved AI tool. It doesn’t really matter which one. Give them something they are allowed to use in your environment. Also, allow budget for exploration. Shadow IT has been a problem for years and shadow AI is now a huge problem. If your team doesn’t feel comfortable asking for and getting approval on a $20/month tool they want to use or try, they’ll find a free version OR pay for it themselves. You’ve now lost any control of their account or access to information. The days of forcing the same tools on everyone are over. The team will make their own. You can’t stop it but you can guide it.

The third place you need to invest is in your people. They need training, access to collaboration opportunities, and coaching on how to use these tools. We are all in tech now across our roles and they need to think more like a technologist. They need to understand safe practices and what information is getting shared when they connect a tool. It also needs to feel safe to ask questions within the organization without feeling stupid. 

Organizations are running towards AI without the technical and operational leadership that is key to adopting these tools successfully and with safeguards for their business.

Another finding from Deloitte’s report:

Compared to last year, more companies (42%) believe their strategy is highly prepared for AI adoption—but they feel less prepared in terms of infrastructure, data, risk, and talent.

The teams are ready to work with AI but the foundation is missing in the organization to support the team with a real technical and operational strategy. Access to AI is not enough.

We’ve hit the point where strong operational and technical leadership throughout your organization is non-negotiable. This is the work I’m doing and have done for years for teams of all sizes. It’s been easy to recognize the problems, ignore them or even laugh about them. It’s time to get serious and put into practice a clear vision for how your technology and operations are set up, configured, and explored.
