SECURING AI VENDOR PARTNERSHIPS WITHOUT COMPROMISING OPERATIONAL SECURITY

Businesses today face a dual imperative: embrace innovative artificial intelligence (AI) tools to stay competitive, while safeguarding operational security against growing third-party risks.

The cautionary tales of past vendor-related breaches highlight what is at stake. Meanwhile, the rush to adopt early-stage AI solutions is expanding the attack surface faster than many security teams can adapt.

This article examines how organisations can securely engage with AI vendors without undermining their own defences. We will review lessons from high-profile third-party breaches, explore the new risks posed by AI start-ups, and propose a structured framework for vetting and managing AI vendors. Throughout, we emphasise a zero-trust approach, rigorous assessment of vendor security controls and disciplined offboarding procedures.

Third-party breaches: hard lessons from Target and beyond

High-profile breaches have repeatedly shown that a company’s security is only as strong as the weakest link in its vendor ecosystem. In 2013, Target Corporation learned this lesson the hard way.

During the holiday season, hackers infiltrated Target’s network through a compromised heating, ventilation and air conditioning (HVAC) maintenance vendor account, ultimately stealing credit card and personal data of 70 million customers. Attackers had phished the vendor, using stolen credentials to install malware on Target’s point-of-sale systems.

The fallout was devastating. Profits plunged by 50 percent that quarter and Target incurred tens of millions in legal settlements. This incident became a poster child for third-party risk, underscoring that even a trusted contractor can introduce massive vulnerabilities.

Target was not alone. In 2014, Home Depot similarly suffered a breach of 56 million payment cards due to stolen credentials from a third-party vendor. The SolarWinds breach of 2020 saw attackers implant malware in a software update, affecting thousands of organisations downstream. In 2021, the Kaseya ransomware incident infected numerous companies by exploiting a vulnerability in a widely used IT management tool. These cases illustrate how threat actors increasingly target third-party providers as efficient ‘one stop’ entry points into many firms.

Oct-Dec 2025 Issue

Fresco