The Vercel Breach Started With One AI App Permission. Here Is What Fort Worth Businesses Should Check.
In April, Vercel, a cloud company that hosts a meaningful chunk of the modern web, disclosed a security incident. Nobody cracked a firewall. Nobody guessed a password. According to Vercel's own security bulletin, the attack started when a third-party AI tool called Context.ai was compromised. One Vercel employee had connected that tool to their Google Workspace account. The attacker used the AI app's access to take over the employee's work account, pivoted into Vercel's internal systems, and walked out with customer environment variables. Vercel had to notify customers and tell them to rotate credentials.
Read that chain again. The way into a sophisticated technology company was an everyday productivity decision: an employee connected an AI tool to their work account, and the permission grant did the rest. If it can happen there, it can happen at a 12-person home health agency on Camp Bowie or a law firm downtown. This post walks through what actually happened, why the permission screen is the part everyone gets wrong, and what to check in your own Microsoft 365 or Google Workspace tenant this week.
The Problem Is Not the AI. It Is the Permission Grant.
What actually happened at Vercel
Here is the chain of events, straight from Vercel's bulletin. Context.ai, a small third-party AI tool, had a Google Workspace OAuth app that was compromised, potentially affecting hundreds of users across many organizations. A Vercel employee was one of those users. Because the AI tool held an OAuth grant into the employee's Google Workspace account, the attacker who controlled the tool inherited that access. From there they took over the employee's account, got into the employee's Vercel systems access, and enumerated customer data.
The thing worth sitting with: the employee did nothing unusual. They signed up for an AI tool to work faster, the same thing people in your office did this month. When you sign in to one of these tools with your work account, you get a consent screen listing what the app wants. Read email. Read files. Maintain access when you are not using it. Most people click Allow without reading, because the whole point was to save time.
That grant does not expire when you close the tab. It is a standing key to your account that lives on the vendor's servers. Whoever controls the vendor controls the key. That is the entire Vercel story in one sentence.
This is a numbers problem, not an edge case
This is not one unlucky company. IBM's 2025 Cost of a Data Breach report found that 20% of organizations studied had experienced a breach linked to shadow AI, meaning AI tools employees adopted without IT oversight. Those breaches cost an average of $670,000 more than breaches without a shadow AI component. And per IBM's research announcement, among organizations that had an AI-related breach, 97% lacked proper AI access controls. Sixty-three percent had no AI governance policy at all.
We wrote about finding shadow AI in your business back in April. The Vercel incident is what it looks like when the thing we described in that post actually goes wrong, at a company with a real security team. Most Fort Worth businesses do not have a security team. They have an office manager who is also the IT person, and nobody has ever opened the list of third-party apps connected to the company tenant.
Even Microsoft is treating this as a front-line problem now. This month it is rolling out shadow AI detection and policy controls into Intune and Defender, as reported by VentureBeat, because enterprises cannot keep track of which AI tools have tenant access. Those controls help, but only if someone is configuring and watching them.
What to Check in Your Own Tenant This Week
Microsoft 365: see what is already connected
If your business runs on Microsoft 365, the list of every third-party app with access to your accounts already exists. In the Entra admin center, under Enterprise applications, you can see every app any employee has ever consented to, what permissions it holds, and when it was granted. Most owners who look at this list for the first time find apps they have never heard of, granted by employees who left two years ago.
Three settings matter most:
First, user consent settings. By default, many tenants let any user grant permissions to any app. You can change this so apps with significant permissions (reading mail, reading files) require admin approval. Employees can still request a tool. Someone with context just has to say yes before the key gets handed over.
Second, the admin consent workflow. Turn it on so requests route somewhere visible instead of dying silently or, worse, being self-approved by default.
Third, review the grants that already exist. New consent policies do not revoke old permissions. The AI note-taker someone connected in 2024 still has its access until you remove it.
Google Workspace: same problem, different menu
Google Workspace tenants have the same exposure, and the Vercel incident ran through Google Workspace specifically. In the admin console under Security, then API controls, you can see and control which third-party apps can access Workspace data, and block unverified apps by default. Vercel's bulletin even published the OAuth app ID of the compromised tool so administrators could check whether it was in their environment. If nobody in your business knows where that screen is, that is the finding.
Do not solve this by banning everything
The tempting response is to block all third-party apps and tell everyone to stop using AI. We do not recommend it, and not because it is unfriendly. It is because it does not work. People are using these tools to keep up with their workload. Lock the front door without offering an alternative and the same tools come in through personal accounts on personal devices, where you have zero visibility instead of partial visibility.
The approach that holds up: approve a small set of AI tools that meet your bar, configure them properly, and make the approved path easier than the workaround. That is the core of the AI integration and governance work we do, and it pairs with the basic security hygiene that limits the damage when something does get through: MFA everywhere, least-privilege access, and offboarding that actually revokes app grants instead of just disabling the laptop login.
Need help with AI app permissions? IT Integrations provides Shadow AI audits and AI governance for Fort Worth businesses and the surrounding DFW area. Call us at (817) 808-1816 or contact us for a free IT assessment.
Why This Lands Harder in Fort Worth Healthcare
A big share of our clients are healthcare organizations: home health agencies, hospice providers, and assisted living operators across Fort Worth, from the Medical District out to Weatherford and Burleson. For them, this is not an abstract security topic. It is a HIPAA problem with a specific shape.
When a nurse or intake coordinator connects an AI tool to their work email, and that mailbox contains referrals, care plans, or anything with patient identifiers, that vendor is now touching protected health information. There is no business associate agreement with a free AI tool someone signed up for on a Tuesday. If that vendor gets compromised the way Context.ai did, you do not just have a security incident. You have a potential reportable breach, with notification obligations and an OCR paper trail. IBM's report found shadow AI breaches exposed personally identifiable information at a higher rate than breaches overall, which tracks with what these tools are connected to: mailboxes and document stores, the places where the sensitive data lives.
The same logic applies to the law firms, accounting practices, and construction companies that make up the rest of the Fort Worth business landscape. A construction estimator's mailbox holds bid numbers and contract terms. A CPA's OneDrive holds client financials. None of it belongs inside a third-party AI vendor's infrastructure by accident. For regulated data, this is the reason we keep steering clients toward properly configured tools, and in some cases local AI deployments where the data never leaves the building. That conversation starts with HIPAA compliance built into the IT stack, not bolted on after the fact.
What We Find When We Run These Audits
We have been running Shadow AI audits for Fort Worth businesses for a while now, and the pattern is consistent enough to predict. A typical 20-person company has somewhere between five and fifteen third-party apps with OAuth grants into its tenant. The owner can usually name two or three of them.
The greatest hits: an AI meeting transcriber connected by someone who left the company, still holding access to the calendar and recordings. A "free" email assistant with full mailbox read permission, granted during a busy week and forgotten the same day. Browser extensions with file access that nobody can explain. And at least one app where the vendor has been acquired since the grant was made, meaning the company holding the key today is not the company anyone said yes to.
None of this comes from carelessness or bad employees. It comes from the consent screen being designed to be clicked through, and from nobody owning the review. The fix is not dramatic. It is a list, a policy, and a recurring calendar entry: review app grants quarterly, require admin consent for high-permission apps, revoke what nobody recognizes, and give your team an approved AI tool so they stop needing unapproved ones. After 20+ years of doing IT for Fort Worth businesses, we can tell you the boring recurring review beats the expensive emergency response every single time.
Frequently Asked Questions
How do I see which AI apps have access to our Microsoft 365?
Sign in to the Microsoft Entra admin center with an admin account and open Enterprise applications. That list shows every application that holds a grant into your tenant, including apps individual employees consented to on their own. Click into any app to see its exact permissions and when consent was granted. Look hardest at anything with Mail.Read, Files.Read.All, or offline_access, which is the permission that lets an app keep its access when nobody is using it. If your IT provider manages your tenant, ask them to export this list for you. It is a reasonable request, the report takes minutes to produce, and reviewing it together is one of the fastest security wins available. If you would rather have a second set of eyes, this exact review is the first step of our Shadow AI audit.
Should we just block all third-party apps?
Blocking everything is a real option in both Microsoft 365 and Google Workspace, and for a small number of high-risk environments it is the right call. For most businesses it backfires. Your team is using AI tools because they help, and a hard ban pushes that usage onto personal accounts and personal devices where you have no visibility and no control at all. The setup we recommend: require admin consent for apps requesting significant permissions, turn on the consent request workflow so employees can ask, and maintain a short list of approved tools that you have actually vetted. That keeps the door locked without pretending the demand does not exist. The goal is not zero AI. The goal is knowing what is connected and being able to defend every grant on the list.
Does HIPAA allow our staff to use AI tools like ChatGPT?
HIPAA does not name specific tools, but the rules are clear about the principle: protected health information can only be shared with vendors under a business associate agreement, with appropriate safeguards. A free consumer AI account does not come with a BAA, so the moment patient information flows into one, you have a compliance problem, whether or not anything bad happens afterward. That does not mean healthcare organizations cannot use AI. It means the tools have to be chosen deliberately: enterprise versions with BAAs where the vendor offers them, configurations that keep PHI out of the tool entirely, or local AI deployments where data never leaves your environment. We help Fort Worth home health, hospice, and assisted living providers sort out which of those paths fits, and we put it in writing as part of an AI use policy staff can actually follow.
What should we do if we find an app we do not recognize?
Do not panic, and do not just delete it blind. First, note what permissions it holds and which user granted it, then ask that person (if they are still with you) what it is. If nobody can identify it, revoke the grant. In Microsoft 365 that means removing the app or its permissions in Enterprise applications; in Google Workspace, removing access under API controls or the user's connected apps. After revoking, change the password and review sign-in activity for the affected account, since an unrecognized app with mailbox access deserves a little suspicion. If the app had broad access to email or files containing client or patient data, treat it as a potential incident and get help assessing whether anything was actually accessed. That assessment is the difference between an afternoon of cleanup and a notification letter.
Next Steps
The Vercel breach is the clearest public example yet of how AI tool sprawl turns into a real incident: one compromised vendor, one standing permission grant, one employee account, and the dominoes go from there. The defense is not exotic. Know what is connected to your tenant, control who can grant new access, give your team an approved way to use AI, and review the list on a schedule.
If you do not know what is connected to your Microsoft 365 or Google Workspace right now, that is the place to start, and it takes us about a week to get you a complete answer.
Ready to find out what your employees have connected? IT Integrations provides Shadow AI audits, AI governance, and managed IT for Fort Worth businesses and the surrounding DFW metro. Call (817) 808-1816 or schedule a free IT consultation today.