Last weekend, a Vercel employee connected a third-party AI tool called Context.ai to their corporate Google Workspace account. Standard behavior. Happens hundreds of times a day inside organizations everywhere.
The attacker who had already compromised Context.ai used that OAuth connection to take over the employee’s Google account, pivot into Vercel’s internal systems, and access environment variables containing API keys, database credentials, and signing keys across a subset of customers. Mandiant is now investigating. The IOC is published. Hundreds of organizations may be affected through Context.ai’s broader user base.
The breach wasn’t sophisticated. It didn’t require a zero-day or nation-state capability. It required one employee, one AI tool, and one OAuth grant nobody was tracking.
Here’s the governance failure in plain language.
Most organizations have a formal vendor risk review process for enterprise software. Legal reviews the contract. Security reviews the architecture. IT reviews the integration. That process exists because someone learned the hard way that third-party access is a liability.
That process does not exist for the AI tool your developer installed last Tuesday.
No formal inventory of what OAuth grants exist across your Google Workspace. No review of what permissions those grants carry. No audit of what internal systems they can reach. No policy defining what "non-sensitive" actually means when an attacker is enumerating your environment variables.
The tool arrived. The governance didn’t.
Three things worth doing this week.
Go to your Google Workspace admin console and pull a full list of third-party apps with OAuth access. You will find things you didn’t know were there.
Review which of those apps have broad permission scopes versus narrow ones. An app that can read your entire Google Drive is a different risk profile than one that can only read your calendar.
Ask your security team when you last reviewed this list. If the answer is "never" or "I don't know," that's your gap.
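One way to triage the list from the first two steps, as an added example that is not part of the original post. It assumes per-user grant records with the field names of the Admin SDK Directory API token resource (userKey, clientId, displayText, scopes); the sample records, app names, and the choice of which scopes count as broad are constructed for illustration.

```python
import json
from collections import defaultdict

# Scopes treated as broad here (assumption: extend this for your environment).
BROAD_SCOPES = {
    "https://mail.google.com/": "full Gmail access",
    "https://www.googleapis.com/auth/gmail.readonly": "read all mail",
    "https://www.googleapis.com/auth/drive": "full Drive read/write",
    "https://www.googleapis.com/auth/drive.readonly": "read every Drive file",
    "https://www.googleapis.com/auth/admin.directory.user": "manage directory users",
}

# Constructed sample grants; app names and client IDs are made up.
# In practice, load the export of your own tenant's OAuth grants here.
SAMPLE_GRANTS = json.loads("""[
 {"userKey": "dev1@example.com", "clientId": "111.apps.example", "displayText": "Example AI Notes",
  "scopes": ["openid", "https://www.googleapis.com/auth/drive", "https://mail.google.com/"]},
 {"userKey": "dev2@example.com", "clientId": "111.apps.example", "displayText": "Example AI Notes",
  "scopes": ["openid", "https://www.googleapis.com/auth/drive"]},
 {"userKey": "pm1@example.com", "clientId": "222.apps.example", "displayText": "Example Calendar Sync",
  "scopes": ["https://www.googleapis.com/auth/calendar.readonly"]},
 {"userKey": "ops1@example.com", "clientId": "333.apps.example", "displayText": "Example Doc Viewer",
  "scopes": ["email", "https://www.googleapis.com/auth/drive.readonly"]}
]""")

def triage(grants):
    """Group grants by app; return (client_id, info) pairs, broadest access first."""
    apps = defaultdict(lambda: {"name": "", "users": set(), "broad": set(), "narrow": set()})
    for g in grants:
        app = apps[g["clientId"]]
        app["name"] = g.get("displayText", g["clientId"])
        app["users"].add(g["userKey"])
        for scope in g.get("scopes", []):
            (app["broad"] if scope in BROAD_SCOPES else app["narrow"]).add(scope)
    return sorted(apps.items(), key=lambda kv: (-len(kv[1]["broad"]), -len(kv[1]["users"])))

def report(grants):
    """One line per app: REVIEW if any broad scope was granted, otherwise ok."""
    lines = []
    for client_id, app in triage(grants):
        level = "REVIEW" if app["broad"] else "ok"
        reasons = ", ".join(sorted(BROAD_SCOPES[s] for s in app["broad"])) or "narrow scopes only"
        lines.append(f"{level:6} {app['name']} ({client_id}) users={len(app['users'])}: {reasons}")
    return lines

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_GRANTS)))
```

Apps marked REVIEW are the ones to take to your security team first; the user count shows how many accounts each grant exposes.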
The Vercel breach is being called a supply chain attack. It is. But it’s also something more specific and more preventable: an AI tool governance failure at the identity and access layer. That category of failure has no control in most organizations right now.
The IOC is published at vercel.com/kb/bulletin/vercel-april-2026-security-incident
If you are on Vercel, rotate your credentials today.
