
A Small Security Vendor Knew More About a Fortune 100's AI Risk Than Its Own CISO

Shadow AI usage is creating an inverted power dynamic: niche B2B suppliers are discovering enterprise vulnerabilities before the companies themselves do.

TechSignal.news | AI | 5 min read

The Accidental Whistleblower

A small AI security startup recently found itself in a surreal position: it knew more about one of its Fortune 100 customers' AI risks than the customer's own chief information security officer.

The vendor's product sat in the customer's stack monitoring data egress for compliance — a straightforward enterprise task. But because of where it operated, the tool could see something the customer couldn't: thousands of confidential internal documents being quietly piped into a commercial large language model. Not through the official "AI adoption program" with its careful pilots and risk committees, but through a fringe internal tool that had been wired into the startup's product.

The vendor had become an accidental x-ray machine, revealing how the company actually used AI versus how it said it used AI. And it had no idea what to do with that information.

Shadow AI Is Bigger Than Official AI

This isn't an isolated incident. Multiple security vendors now report that shadow AI usage — employees pasting data into unsanctioned tools — has become one of the largest drivers of new enterprise risk, often dwarfing officially approved pilots.

One vendor's anonymized dataset showed that in some large accounts, over 60% of AI prompts containing sensitive content came not from sanctioned AI tools but from side integrations: browser extensions, internal bots, or plugins tied into other SaaS products. Customer data, code, financials — all flowing into models that the company's AI governance committee had never even discussed.

The gap between official AI strategy and actual behavior is vast. Official slides talk about careful experimentation and oversight. The logs show something closer to a free-for-all.

The Power Dynamic Is Inverted

What makes this story strange isn't just that employees are bypassing official channels. It's that a niche B2B vendor with a small contract value ended up being the only party with an accurate picture of what was happening.

The customer's own AI center of excellence didn't have this level of granularity. They could see the approved tools and track usage of the official pilots. But they couldn't see which internal teams were pushing which data into which models through unofficial channels. Their governance framework was blind to the actual risk surface.

The vendor could. Not because it was trying to spy, but because data loss prevention tools have to sit in the flow to work. They see everything.
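To make the two points above concrete (side integrations carrying most sensitive prompts, and an in-path DLP tool being the only thing that can attribute them), here is an added illustration that is not the vendor's tooling or the article's dataset: a small classifier over constructed egress records that tags each LLM-bound request as sanctioned or shadow by its client and flags sensitive content. The destination inventory, client allow-list and content patterns are assumptions.

```python
import re
from collections import Counter

# Constructed sample egress records (not the article's data): one outbound
# request each, as an in-path egress monitor might log it.
SAMPLE_EGRESS = [
    {"user": "alice", "dest": "api.openai.com", "client": "corp-ai-portal/2.1",
     "body": "Summarize Q3 revenue: $48.2M, churn 4.1%"},
    {"user": "bob", "dest": "api.anthropic.com", "client": "SlackBot-summarizer",
     "body": "Draft reply to customer John Doe, SSN 123-45-6789"},
    {"user": "carol", "dest": "api.openai.com", "client": "Mozilla/5.0 chrome-ext/prompt-helper",
     "body": "Fix this function: AWS_ACCESS_KEY=AKIA-PLACEHOLDER"},
    {"user": "dave", "dest": "crm.example.com", "client": "corp-ai-portal/2.1",
     "body": "update opportunity stage"},
    {"user": "erin", "dest": "api.openai.com", "client": "corp-ai-portal/2.1",
     "body": "What is the capital of France?"},
]

LLM_DESTINATIONS = {"api.openai.com", "api.anthropic.com"}  # assumed inventory
SANCTIONED_CLIENTS = ("corp-ai-portal/",)                   # assumed allow-list

# Deliberately simple heuristics; a real DLP engine uses far richer classifiers.
SENSITIVE_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "financial": re.compile(r"\$\d[\d,.]*[MBK]?\b"),
    "secret": re.compile(r"(?i)(secret|api|access)_?key\s*[=:]"),
}

def sensitive_labels(text):
    """Names of the sensitive-content patterns found in a prompt body."""
    return [name for name, rx in SENSITIVE_PATTERNS.items() if rx.search(text)]

def is_sanctioned(client):
    """Only the approved portal counts as an official AI channel."""
    return client.startswith(SANCTIONED_CLIENTS)

def classify(records):
    """Return (findings, share of sensitive LLM prompts sent by shadow clients)."""
    findings, counts = [], Counter()
    for r in records:
        if r["dest"] not in LLM_DESTINATIONS:      # not an LLM request at all
            continue
        labels = sensitive_labels(r["body"])
        source = "sanctioned" if is_sanctioned(r["client"]) else "shadow"
        if labels:
            counts[source] += 1
            findings.append({"user": r["user"], "dest": r["dest"],
                             "source": source, "labels": labels})
    total = counts["sanctioned"] + counts["shadow"]
    return findings, (counts["shadow"] / total if total else 0.0)
```

The ratio returned by `classify` is the same kind of figure the article quotes; here it reflects only the constructed records.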

This is enterprise AI governance happening from the outside-in. A third party discovers the vulnerability. The question becomes: what duty of care does that vendor have? Are they obligated to report what they see? Do they risk the customer relationship by speaking up? Is staying quiet complicit?

A Familiar Pattern

This moment echoes the early days of shadow IT and cloud adoption. Businesses didn't realize they had a cloud strategy until a security vendor showed them the Dropbox logs. IT departments learned about hundreds of unsanctioned SaaS tools only after the fact, when usage data made the reality undeniable.

The difference now is the stakes. Shadow IT might have meant data living in unapproved places. Shadow AI means proprietary information being used to train models that competitors might query tomorrow. It means customer data ending up in prompt histories. It means the gap between perception and reality can have regulatory consequences.

The Emerging Niche

A quiet B2B category is emerging: companies that sit in the flow and see everything. Traffic analysts for AI prompts. Tools that weren't originally built for AI governance but happen to occupy the right place in the stack to reveal the truth.

These vendors are becoming accidental truth-tellers. They can show an executive team that their carefully constructed AI policy is mostly fictional. That the real AI adoption is happening in Slack bots, browser extensions, and productivity tools that someone in marketing or sales signed up for with a credit card.

The irony is that these vendors often don't want this role. They sold a data loss prevention tool or a compliance monitoring product. Now they're in conversations about AI risk posture and board reporting. Their product roadmap has to account for use cases they never imagined.

What Comes Next

As AI tools proliferate and become embedded in everything, this dynamic will only intensify. The companies with the clearest view of AI risk won't be the ones deploying AI. They'll be the ones whose products happen to sit where they can see the data moving.

That creates a strange new responsibility for B2B vendors. If your product can see that a customer is exposed in ways they don't understand, what do you do? Build it into the pitch? Add a disclosure requirement? Stay quiet and hope someone else notices first?

The Fortune 100 company in question eventually figured out what was happening — though whether the vendor disclosed it or the company discovered it independently isn't clear. Either way, the dynamic had already shifted. For a brief window, a small startup with a narrow product knew more about enterprise risk than the enterprise itself.

That window is becoming a permanent condition.
