
Not A Vendor, Still A Breach: Vercel’s Third-Party Risk Failure
Why It Matters
Enterprises whose third-party risk management (TPRM) program ignores self-service applications hand critical data to unvetted actors and amplify breach risk across the supply chain. Redefining third-party scope around access, rather than around contracts, is essential for effective cyber-resilience.
Key Takeaways
- OAuth-based freemium apps can bypass traditional vendor onboarding
- TPRM should be scoped by data access, not contract spend
- Shadow vendors create blind spots in identity-driven ecosystems
- Automated revocation triggers reduce risk from compromised third-party tokens
Pulse Analysis
The rapid adoption of self-serve SaaS and AI tools has reshaped how companies build their tech stacks. An OAuth consent screen backed by single sign-on lets an employee connect an external application to corporate data in one click, which removes procurement friction but also sidesteps the vendor oversight that procurement used to enforce. As organizations layer dozens of such services, the attack surface grows beyond the contracts that risk teams track, and each unreviewed grant is a standing credential that a threat actor can abuse if the application or its tokens are compromised.
Traditional third-party risk management (TPRM) programs are built around contracts, spend, and the vendor master list. That model assumes risk tracks spend, so free or freemium tools that receive the same privileged access as a paid vendor never enter the review queue. The Vercel incident illustrates this "shadow vendor" phenomenon: an application that behaves like a vendor, reading data and acting on behalf of users, while remaining invisible to compliance workflows. An access-centric definition, in which any external entity holding read or write permission to corporate data is in scope regardless of what it costs, closes the blind spot and aligns risk assessment with how identity-driven ecosystems actually work.
CISOs must evolve their controls to treat access as the primary risk metric. Continuous monitoring of OAuth grants, automated revocation when a grant's observed risk crosses a defined threshold, and tiered treatment based on the sensitivity of the data each grant can reach turn TPRM from a static inventory into a dynamic, mitigation-focused engine. AI-assisted platforms that surface anomalous permission requests and enforce policy in real time help organizations stay ahead of compromised third-party tokens, turning a potential breach into a contained event.
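The access-centric inventory and revocation logic described in the two paragraphs above, as an added worked example. This code is not from the original article and does not describe Vercel's environment or any vendor's product; the scope names, sensitivity values, tier thresholds, byte-volume limits and every grant and token event are constructed assumptions for illustration. It tiers each OAuth grant by the most sensitive scope it holds rather than by spend, flags shadow vendors (privileged access with no entry in the vendor master), and evaluates a simple automated-revocation trigger over token-activity events.

```python
"""Access-centric TPRM check (added example, not from the article or Vercel).

Grants are tiered by the data their scopes can reach, not by contract spend.
Scope strings, tier cut-offs, revocation limits and sample data are assumptions.
"""
from dataclasses import dataclass

# Hypothetical scope -> sensitivity (1 low .. 5 high). Real providers use
# different scope strings; unknown scopes are treated as high until reviewed.
SCOPE_SENSITIVITY = {
    "profile:read": 1,
    "calendar:read": 2,
    "files:read": 3,
    "files:write": 4,
    "source:read": 4,
    "secrets:read": 5,
    "admin:directory": 5,
}
UNKNOWN_SCOPE_SENSITIVITY = 5

# Assumed per-tier read-volume limits (bytes) before a token is revoked.
# Higher-sensitivity tiers get less headroom.
REVOKE_BYTES = {"tier-1": 50_000_000, "tier-2": 500_000_000, "tier-3": 5_000_000_000}


@dataclass
class Grant:
    app: str
    scopes: list
    annual_spend: int = 0          # USD; 0 for freemium / self-serve apps
    in_vendor_master: bool = False  # whether procurement ever reviewed it


@dataclass
class TokenEvent:
    app: str
    country: str
    bytes_read: int


def sensitivity(grant):
    """Highest sensitivity among the grant's scopes (0 if it has none)."""
    return max((SCOPE_SENSITIVITY.get(s, UNKNOWN_SCOPE_SENSITIVITY)
                for s in grant.scopes), default=0)


def tier(grant):
    """Tier by data reach; spend is deliberately not an input."""
    s = sensitivity(grant)
    if s >= 5:
        return "tier-1"
    if s >= 3:
        return "tier-2"
    return "tier-3"


def is_shadow_vendor(grant):
    """Privileged access that never passed through vendor onboarding."""
    return not grant.in_vendor_master and sensitivity(grant) >= 3


def inventory_report(grants):
    """Rows sorted so the riskiest grants come first, whatever they cost."""
    rows = [{"app": g.app, "tier": tier(g), "shadow_vendor": is_shadow_vendor(g),
             "annual_spend": g.annual_spend} for g in grants]
    return sorted(rows, key=lambda r: (r["tier"], r["app"]))


def revocation_decisions(grants, events, known_countries):
    """Return {app: reason} for tokens whose activity crosses a trigger.

    Triggers: use by an app with no recorded grant, use from a country not in
    the app's baseline, or cumulative read volume above the tier's limit.
    The first reason hit for an app is kept.
    """
    by_app = {g.app: g for g in grants}
    totals = {}
    reasons = {}
    for e in events:
        g = by_app.get(e.app)
        if g is None:
            reasons.setdefault(e.app, "token used by app with no recorded grant")
            continue
        if e.country not in known_countries.get(e.app, set()):
            reasons.setdefault(e.app, f"token used from unexpected country {e.country}")
        totals[e.app] = totals.get(e.app, 0) + e.bytes_read
        if totals[e.app] > REVOKE_BYTES[tier(g)]:
            reasons.setdefault(e.app, f"read volume {totals[e.app]} exceeds {tier(g)} limit")
    return reasons


# Constructed sample inventory: the paid CRM holds the least sensitive access,
# while two free self-serve apps hold the most.
GRANTS = [
    Grant("procured-crm", ["profile:read", "calendar:read"], annual_spend=120_000, in_vendor_master=True),
    Grant("free-ai-notetaker", ["calendar:read", "files:read"]),
    Grant("repo-assistant", ["source:read", "secrets:read"]),
    Grant("slack-emoji-bot", ["profile:read"]),
]
KNOWN_COUNTRIES = {"procured-crm": {"US"}, "free-ai-notetaker": {"US"}, "repo-assistant": {"US"}}
EVENTS = [  # constructed token-activity log
    TokenEvent("repo-assistant", "US", 10_000_000),
    TokenEvent("repo-assistant", "US", 45_000_000),   # cumulative 55 MB > tier-1 limit
    TokenEvent("free-ai-notetaker", "DE", 1_000),      # outside baseline country
    TokenEvent("procured-crm", "US", 100_000),
    TokenEvent("orphan-app", "US", 1),                 # no grant on record
]

if __name__ == "__main__":
    for row in inventory_report(GRANTS):
        print(row)
    for app, why in revocation_decisions(GRANTS, EVENTS, KNOWN_COUNTRIES).items():
        print(f"REVOKE {app}: {why}")
```

Running it shows the mismatch the article describes: the only grant on the vendor master lands in the lowest tier, while the two freemium apps with source and secrets access are the ones flagged as shadow vendors and the ones whose tokens trip the revocation triggers.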