The $2M Lesson in Uncontrolled AI Usage

By Oliver Simonnet, Lead Cybersecurity Researcher at CultureAI

Recently, Vercel, a popular cloud platform, acknowledged a security breach after an attacker compromised a third-party AI tool (Context.ai) used by an employee. Additional reports suggested that the employee’s credentials were initially harvested by Lumma Stealer (or LummaC2) malware in February 2026.  

From there, the attacker pivoted through additional systems to access the employee’s Google Workspace account, ultimately reaching Vercel’s environment information, including source code and configuration data. In the days that followed, data allegedly belonging to Vercel was listed for sale on BreachForums for $2 million under the ShinyHunters name. 

Identity compromise remains a primary entry point across most environments. What is less understood is what happens next. Once access is established, the problem is no longer perimeter defence. It becomes a question of how sensitive data is handled, shared, and transformed across modern workflows. This is where AI materially changes the risk profile. 

The recent Vercel incident is a useful case study, not because it is unique, but because it exposes where existing security models are starting to break down. 

Where the Model Starts to Break 

In a traditional incident, data exposure tends to follow relatively well-understood paths, like file access, database queries, and API calls. These are observable and, in most cases, governed. 

In modern engineering environments, workflows are increasingly mediated by AI tools. Debugging, code generation, documentation, and analysis are often assisted by external or embedded models. 

This introduces a different class of exposure. Sensitive code or configuration is passed into AI tools as part of routine work, and a single prompt often aggregates context from several internal sources at once. Outputs may reveal or reconstruct sensitive logic, and once the data crosses the organisation's boundary, particularly into third-party or embedded AI systems, how it is retained, logged and reused is largely opaque.

None of this necessarily triggers traditional controls. It doesn't look like exfiltration. It looks like normal usage.

The Compounding Effect of Context 

One of the more subtle risks in AI-assisted workflows is how context compounds. 

An API key on its own may have limited value. Snippets of infrastructure code may appear harmless. Internal documentation might be considered low sensitivity. 

Combined within a single prompt, or across a sequence of interactions, these elements create a much richer representation of the system. That context can be enough to reconstruct access paths, identify weaknesses, or accelerate lateral movement. 

This is particularly relevant in environments like Vercel’s, where front-end infrastructure, deployment pipelines, and configuration logic are tightly coupled. The issue is not a single data point. It is the aggregation of context over time. 

Financial Impact Is a Second-Order Effect 

The reported $2 million asking price highlights how quickly technical exposure translates into financial risk.

Once an attacker has sufficient context, the value is not just in the data itself, but in what it enables. Intellectual property, system access, and the ability to disrupt services all become leverage. This reflects a broader pattern. AI-related risk does not stay within security teams. It quickly becomes relevant to legal, compliance, and executive leadership. 

What makes this more concerning is how it aligns with what we are seeing across enterprise environments at large. Recent research suggests that 72% of security leaders believe they have full visibility into AI usage, yet 65% still uncover unauthorised or shadow AI usage. Additionally, 67% report that AI is already widely used across teams, and 91% expect that usage to increase, despite significant concerns over data leakage and compliance violations.  

This highlights that even in highly regulated industries, where governance maturity is high, shadow AI usage remains persistent. Behaviour does not align cleanly with policy, particularly when AI tools are embedded into everyday workflows. 

The Control Plane Has Shifted 

What incidents like Vercel’s breach suggest is that the control plane is moving. 

It is no longer sufficient to focus on which applications are approved, where data is stored and who has access to systems. Those questions still matter, but they do not address how data is used in practice. The focus now sits closer to the interaction itself: what is being shared into AI systems, how that data is combined and transformed, when usage deviates from expected patterns, and whether users receive feedback or guardrails in real time.

Without visibility at that level, organisations are effectively relying on policy without enforcement. 
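As an added example, not code from this article, CultureAI or Vercel, the following Python sketches an interaction-level guardrail of the kind the two sections above describe: it sits between the user and the AI tool, redacts secrets from each prompt before it is forwarded, records which kinds of sensitive context a session has already exposed, and escalates once the combination across turns crosses a threshold, even when no single prompt would have been blocked on its own. The detection patterns, the context categories, the threshold, the session model and the sample prompts are all constructed for illustration and are not drawn from any real incident.

```python
import re
from dataclasses import dataclass, field

# Hypothetical secret detectors. Each pattern names the secret value as group "v"
# so that only the value is replaced and the surrounding text (variable names,
# code) stays intact for the model. Constructed for this example; a production
# scanner would carry many more patterns plus entropy checks.
SECRET_PATTERNS = {
    "aws_access_key": re.compile(r"(?P<v>\bAKIA[0-9A-Z]{16}\b)"),
    "github_token": re.compile(r"(?P<v>\bgh[pousr]_[A-Za-z0-9]{36}\b)"),
    "private_key": re.compile(
        r"(?P<v>-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"
        r"[\s\S]*?-----END (?:RSA |EC |OPENSSH )?PRIVATE KEY-----)"
    ),
    # Generic "api_key=..." / "token: ..." assignments; noisy, but it catches the
    # pasted-.env case discussed above.
    "generic_token": re.compile(
        r"(?i)(?:api[_-]?key|token|secret)\s*[=:]\s*['\"]?(?P<v>[A-Za-z0-9_\-]{20,})"
    ),
}

# Context categories that are individually low-sensitivity but, combined over a
# session, describe the system well enough to matter. Also constructed.
CONTEXT_PATTERNS = {
    "internal_host": re.compile(r"\b[a-z0-9-]+\.(?:internal|corp|local)\b"),
    "infra_code": re.compile(r"(?m)^\s*(?:resource|provider|module)\s+\""),  # Terraform-style
    "env_config": re.compile(r"(?m)^[A-Z][A-Z0-9_]{3,}=\S+"),                 # KEY=value lines
}

# Escalate once a session has exposed this many distinct categories (secrets
# and context combined). Arbitrary threshold chosen for the example.
ESCALATE_AFTER = 3


@dataclass
class Session:
    """Per-user state carried across prompts: the aggregation the text warns about."""
    user: str
    categories: set = field(default_factory=set)
    audit: list = field(default_factory=list)


@dataclass
class Decision:
    action: str            # "allow" | "redact" | "escalate"
    redacted_prompt: str   # what is actually forwarded to the AI tool
    record: dict           # audit event for the SOC / governance pipeline


def _redact(text: str, name: str, pat: re.Pattern) -> str:
    """Replace only the captured secret value, keeping the surrounding text."""
    def repl(m: re.Match) -> str:
        whole = m.group(0)
        s, e = m.span("v")
        off = m.start()
        return whole[: s - off] + f"[REDACTED:{name}]" + whole[e - off:]
    return pat.sub(repl, text)


def inspect_prompt(session: Session, prompt: str) -> Decision:
    """Inspect one prompt in the context of the session that sent it."""
    secrets, context = [], []
    redacted = prompt
    for name, pat in SECRET_PATTERNS.items():
        if pat.search(redacted):
            secrets.append(name)
            redacted = _redact(redacted, name, pat)
    for name, pat in CONTEXT_PATTERNS.items():
        if pat.search(prompt):
            context.append(name)

    # The session-level view: what this user has shared so far, not just now.
    session.categories.update(secrets)
    session.categories.update(context)

    if len(session.categories) >= ESCALATE_AFTER:
        action = "escalate"   # aggregate context across turns is now significant
    elif secrets:
        action = "redact"     # forward the prompt minus the secret, and tell the user
    else:
        action = "allow"

    record = {
        "user": session.user,
        "turn": len(session.audit) + 1,
        "action": action,
        "secrets": secrets,
        "context": context,
        "session_categories": sorted(session.categories),
    }
    session.audit.append(record)
    return Decision(action, redacted, record)


# Constructed sample session: three routine debugging prompts, each unremarkable
# on its own, that together expose infra layout, an internal host and a key.
SAMPLE_PROMPTS = [
    'Why does my deploy fail? Terraform:\nresource "aws_lambda_function" "api" {\n  function_name = "api"\n}',
    "The function talks to db-primary.internal on 5432, why timeouts?",
    "Here is my .env, why can't it reach the DB?\n"
    "DATABASE_URL=postgres://app:pw@db-primary.internal/app\n"
    "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE",
]


def run_sample() -> list:
    """Drive the sample session through the guardrail and return the decisions."""
    session = Session(user="alice")
    return [inspect_prompt(session, p) for p in SAMPLE_PROMPTS]


if __name__ == "__main__":
    for d in run_sample():
        print(d.record["turn"], d.action, d.record["session_categories"])
```

The first two prompts are allowed, because an infrastructure snippet or an internal hostname alone is below the bar; the third is escalated, because by then the session has accumulated infrastructure code, an internal host, a configuration file and a credential. The credential is redacted before anything is forwarded, and every turn produces an audit record, which is the visibility the paragraph above says policy alone does not give you. The weakness of this sketch is the same as for any pattern-based control: it only sees what it is pointed at, so it must sit in the path of the AI traffic (a browser extension, an egress proxy, or the tool's own integration), not in a separate monitoring silo.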

A More Practical Framing 

It is tempting to frame this as an AI security problem, where the usual answer is to block tools or restrict access. That does not necessarily solve the issue. Employees who have found these tools useful will find workarounds, such as pasting corporate data into personal AI accounts, where the organisation has no visibility at all. This greatly expands risk.

A more accurate way to think about it is as an AI usage problem. The risk emerges from legitimate activity carried out in new contexts, rather than from clearly malicious actions or unauthorised tools. 

The implication is that control needs to be applied differently. Not by preventing usage, but by making it observable and governable as it happens. 
