How to find out if your AI vendor is a security risk
One of the most pressing concerns with AI adoption is data leakage. Consider this: An employee logs into their favorite AI chatbot, pastes sensitive corporate data, and asks for a summary. Just like that, confidential information is ingested into a third-party model beyond your control.
Even with data loss prevention (DLP) policies, AI data leaks are challenging to prevent. If the AI system is cloud-based and employees can access it externally, companies may never know when their data is compromised.
Also, most AI vendors offer more than web interfaces – they also provide programmatic access via APIs. However, APIs also introduce a significant security blind spot. If an AI vendor allows remote API access, how do you verify who is using it? If an attacker gains access to an API token, they could extract or manipulate data without detection.
The AI security checklist: What to look for in a vendor
If you’re evaluating an AI provider, security must be a top priority, especially when dealing with sensitive business data. Here are the must-have security features when choosing an AI vendor:
1. Authentication and authorization standards
API access should never be granted via usernames and passwords. Instead, look for token-based authentication:
- The vendor must support OAuth 2.0 for secure token generation
- Tokens should inherit or have assignable permissions to ensure least privilege access
- No token sharing. Each system or user should have unique credentials
2. Token monitoring & lifecycle management
Vendors should provide a centralized list of active authentication tokens, and tokens should include metadata such as:
- Who created it
- When it was created, last modified and last used
- Permissions assigned
- Whether it’s still active or expired
3. Comprehensive API logging & audit trails
AI vendors must provide audit logs for API access and these logs should be accessible via API for real-time monitoring. At a minimum, each log entry should include:
- Date and time of access
- Source IP address
- Token used for access
- Action performed (e.g., “new token created,” “data retrieved”)
- Success or failure status
Advanced logging should include the complete API endpoint, HTTP method and HTTP response code for granular insights.
4. Transparent documentation
AI vendors should provide complete API documentation in an open format (e.g., OpenAPI or Swagger). Organizations are left in the dark about how their AI interactions are logged and secured without proper documentation.
The hidden API security crisis
After researching API security for over two years, I’m still shocked by the lack of logging, monitoring and security features across AI vendors. APIs without sufficient logging create an invisible attack surface where unauthorized access can occur without detection.
We’ve already seen horror stories of API tokens being leaked in GitHub repositories or sold on dark web forums. Once an attacker has a valid API token, they can exploit it indefinitely—until someone notices.
AI is here to stay, but security can no longer be an afterthought. Organizations must demand transparent API security, rigorous monitoring and strong authentication controls before trusting any AI vendor with sensitive data.
If an AI provider lacks fundamental security controls, they pose a risk. AI vendors should be held accountable for security. If an AI provider cannot answer who is using their APIs, when they were last accessed and how they are being used, then they don’t deserve your business.