I was in a session at a large enterprise recently when their AI policy slide went up. Five tiers, side by side: regular ChatGPT — your own account — on the left, a managed internal model on the right. Employees were expected to determine which tier their data belonged in before choosing which tool to use.

Nobody in that session was going to read the policy PDF carefully enough to get that decision right — including the engineers.

In April 2026, Vercel disclosed a breach that started with exactly that kind of decision. A developer granted OAuth access to Context.ai, a third-party AI assistant tool. The developer’s own machine was clean — but malware had compromised an employee at Context.ai, and from there, attackers used the stolen OAuth tokens to bypass Vercel’s firewalls and access internal systems. Your data security is now only as good as the endpoint security of the smallest AI startup your developers have authorized.

Right now, your team has made similar grants. Netskope’s Cloud Threat Reports found that 98% of organizations have active, unsanctioned AI usage on their networks. IBM’s 2025 Cost of a Data Breach Report put a number on it: shadow AI incidents added an average of $670,000 to the cost of a breach. If you don’t know which AI tools your developers have authorized in the last six months, you are in this statistic.

The standard response is a policy PDF and a ChatGPT ban. It doesn’t hold. When you block tools that McKinsey estimates add 40–70% productivity on knowledge tasks, employees don’t stop using them — they stop using corporate networks, moving to mobile hotspots and personal laptops where security teams have zero visibility.

The bottom tier compounds the risk. When employees use free accounts — which is most of what BYOAI looks like in practice — their inputs train the model. Cyberhaven’s 2025 AI Adoption and Risk Report found that source code is the single largest category of sensitive data being pasted into AI tools, and the majority of that usage runs through personal accounts. Once in the training set, that data is no longer private — it can surface in responses to anyone.

Two things fix this. Neither requires a policy rewrite.

Different data genuinely carries different risk — and a corporate API proxy handles the classification invisibly. One endpoint for your team, with routing, data retention controls, and model selection all handled behind it. You absorb the decision so your employees never face it.

The other exposure that no gateway touches: OAuth grants already made. Every IDE extension, AI assistant, and code review tool your developers authorized directly has access to your repositories and documents right now, before any traffic crosses your network. An OAuth audit — pulling every third-party application with access to your corporate accounts and revoking anything unrecognized — is the fix for the Vercel-class incident.

An OAuth grant doesn’t expire when an employee leaves, when a startup gets acquired, or when you stop using the tool. It just sits there, open.

Does anyone on your leadership team know which AI tools currently have active OAuth access to your corporate email, code repositories, and documents — and when each of those grants was last reviewed?

Sources: Vercel Security Advisory, April 2026; IBM Cost of a Data Breach Report 2025; Netskope Cloud and Threat Report 2025; McKinsey & Company, The State of AI in 2024; Cyberhaven 2025 AI Adoption and Risk Report (cyberhaven.com/resources/report/2025-ai-adoption-risk-report); OpenAI Enterprise Admin Documentation.

Share