AI Vendors Are Blaming You for Their Own Security Failures
TL;DR
The world's biggest AI vendors (Anthropic, Google, and Microsoft) are burying critical security vulnerabilities in their products, classifying them as 'expected behaviour' and refusing to issue the standard public advisories the rest of the software industry has followed for decades. Meanwhile, regulators in the UK, Australia, and Singapore are making it clear that your business bears the legal liability when those unpatched flaws cause harm. This is not a future risk. It is happening now.
What are the AI vendors actually hiding?
Security researchers recently disclosed that AI coding agents that integrate with GitHub (Anthropic's Claude Code, Google's Gemini CLI, and Microsoft's Copilot) could be hijacked to steal API keys and access tokens. These are the credentials that unlock your source code, customer data, and internal networks.
The vendors' response was extraordinary in its inadequacy. Anthropic paid a $100 bug bounty and quietly updated a 'security considerations' page in its documentation. Google paid $1,337. GitHub paid $500 after initially claiming it could not reproduce the issue. None of them assigned a CVE (a Common Vulnerabilities and Exposures identifier), the standard industry mechanism for alerting the public to a security flaw. They swept it under the rug and moved on.
A separate research team then disclosed a design flaw in Anthropic's Model Context Protocol (MCP), the protocol that lets AI models interact with external tools and data sources. The flaw puts up to 200,000 servers at risk of complete remote takeover, affecting packages with over 150 million downloads. The researchers repeatedly asked Anthropic to patch the root cause. Anthropic refused, stating the protocol was working 'as intended' and that developers using it were responsible for their own security.
'Expected behaviour.' That was the official response.
Why is this vendor behaviour so dangerous?
The traditional software industry has operated under a clear social contract for decades: if you ship a product and a critical flaw is discovered, you issue a public advisory, assign a CVE, and release a patch. Businesses rely on this process to know when to act. Security teams cannot patch what they do not know is broken.
AI vendors have decided those rules do not apply to them. They are operating in a regulatory grey zone and exploiting it. By refusing to issue CVEs, they ensure their customers never hear about the vulnerability through official channels.
Consider the car industry analogy. If a manufacturer discovered the brakes on 200,000 vehicles could fail, and chose not to issue a recall because the mechanical design was 'working as intended', there would be criminal prosecutions. The AI industry has given itself permission to do precisely that, and so far no one has stopped them.
How exposed are businesses right now?
More exposed than most leaders realise. A recent Fortune study found that 91 per cent of organisations are already using AI agents, but only 10 per cent have a clear strategy to manage them. Only 22 per cent treat these agents as independent identities with specific access controls.
Employees are connecting AI agents to internal systems (databases, email, code repositories) without formal governance. Nearly 90 per cent of organisations are now reporting suspected or confirmed security incidents involving AI agents.
At the same time, IBM reported a 44 per cent year-on-year surge in AI-driven cyberattacks. AI-generated phishing is now virtually indistinguishable from genuine correspondence. Three Windows zero-day vulnerabilities were discovered by AI in minutes, flaws human researchers had missed for over a decade. Even Anthropic itself was breached by AI-assisted hackers. The company that refuses to patch its own protocol was compromised by the same class of attack it is enabling.
The UK government co-signed an unprecedented open letter to every business leader in the country, noting that frontier model capabilities are now doubling every four months, twice the pace of the previous year. The threat is accelerating. Vendor security practices are not keeping up.
Who actually carries the legal liability?
You do. Not the vendor.
The Australian Federal Court has issued its first comprehensive Practice Note on AI in legal proceedings. Chief Justice Debra Mortimer was unequivocal: presenting AI-hallucinated information to the court is 'unacceptable', and entering confidential data into open AI tools risks inadvertently waiving legal professional privilege. The court does not care if the vendor's security was flawed. The court cares that you used the tool.
In Singapore, the Monetary Authority has published an AI risk management toolkit developed with 24 financial institutions. It places governance responsibility squarely on the deploying organisation, not the vendor.
In the UK, the Cyber Security and Resilience Bill is progressing through Parliament and will impose new obligations on businesses regarding AI-related security risks. The regulatory direction is consistent across every jurisdiction: if you deploy it, you own the risk.
What does good AI governance actually look like?
Four actions matter most right now.
Map your AI footprint first. You cannot secure what you cannot see. Audit every AI tool, agent, and integration operating inside your business. Identify what data each one can access, who authorised it, and whether it uses MCP or GitHub integrations. Shadow AI (tools staff have connected without IT approval) is your biggest unknown risk.
Treat AI agents as non-human identities with restricted access. Apply the principle of least privilege. An AI agent should only access the specific data it needs for its designated task and nothing more. Monitor agent activity with the same rigour you apply to human employees.
Enforce strict data classification policies. The Australian court's warning applies to every industry, not just law. Establish clear rules about what data can be entered into public or open AI models. For sensitive customer information, financial records, or proprietary IP, use closed enterprise-grade systems where your data is not absorbed into the vendor's training pipeline.
Assess vendors on security conduct, not just capability. When evaluating any AI tool, ask how the vendor handles vulnerability disclosures. Ask whether they assign CVEs for flaws in their products, agents, and protocols, not only their models. Ask what their breach notification commitment is. If the answer is 'expected behaviour', that is your answer.
What to do this week
- Run an AI footprint audit. Ask every department head to list every AI tool, agent, or integration their team uses. Collate the list centrally and identify what data each one can access.
- Review access controls for MCP or GitHub agent integrations. If your developers use Claude Code, Gemini CLI, or Copilot with repository access, confirm least-privilege principles are applied today.
- Draft a data classification policy that defines what categories of data may and may not be entered into open AI models. Get sign-off from your legal adviser.
- Read the MAS AI Risk Management Toolkit if you operate in APAC, and the UK government's business guidance on AI cyber threats if you operate in the UK; both are free and practical.
- Add AI vendor security conduct to your procurement checklist: CVE practices, vulnerability disclosure policy, and breach notification commitments should be non-negotiable line items.
Where to from here
Book a free 60-minute AI audit: we'll explore exactly which workflows are worth augmenting with AI.
Live with passion & AI,
Brett
Frequently asked questions
What is the MCP vulnerability and why does it matter?
The Model Context Protocol (MCP) is the standard that lets AI models connect to external tools and data sources. Researchers found a design flaw that puts up to 200,000 servers at risk of complete remote takeover. Anthropic refused to patch it, calling it 'expected behaviour.' If your developers use MCP-based integrations, your systems may be exposed right now.
Which AI vendors have been caught downplaying security flaws?
Anthropic, Google, and Microsoft have all been identified in recent research. Security researchers found that AI agents integrating with GitHub, including Claude Code, Gemini CLI, and Microsoft Copilot, could be hijacked to steal API keys and access tokens. None issued public CVEs. Bug bounties paid ranged from $100 to $1,337.
Am I legally liable if an AI tool I use causes a data breach?
Yes. Regulators in Australia, Singapore, and the UK are consistent on this: organisations are responsible for the automated systems they deploy, regardless of vendor fault. The Australian Federal Court has already issued guidance holding practitioners accountable for AI outputs. The UK Cyber Security and Resilience Bill extends similar obligations to businesses broadly.
What is the principle of least privilege and how does it apply to AI agents?
Least privilege means giving any user or system only the minimum access it needs to perform its specific job. Applied to AI agents, it means not granting an agent access to your entire database when it only needs to read a single table. This limits the blast radius if the agent is compromised or behaves unexpectedly.
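Here is what that looks like when the restriction is enforced by the database rather than by the prompt. This is an added example, not code from the article or from any of the vendors it discusses, and it serves both this answer and the 'treat AI agents as non-human identities' action above. It uses SQLite's authorizer callback as a stand-in for the role grants you would write on a production database; the table names, the placeholder tokens and the sample rows are all constructed for the example.

```python
import sqlite3

# The single table the agent's task needs (assumption for this example).
ALLOWED_TABLE = "product_catalogue"


def build_sample_db() -> sqlite3.Connection:
    """Constructed in-memory database: one table the agent needs, one it must never see."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE product_catalogue (sku TEXT, name TEXT, price_cents INTEGER);
        CREATE TABLE api_credentials (service TEXT, token TEXT);
        INSERT INTO product_catalogue VALUES ('SKU-1', 'Widget', 1999), ('SKU-2', 'Gadget', 4999);
        -- placeholder secrets, not real credentials
        INSERT INTO api_credentials VALUES ('github', 'ghp_PLACEHOLDER'), ('payments', 'sk_PLACEHOLDER');
    """)
    return conn


def least_privilege_authorizer(action, arg1, arg2, db_name, trigger_or_view):
    """SQLite authorizer: allow SELECTs that read only ALLOWED_TABLE; deny everything else.

    The engine consults this callback while compiling every statement, so a query the
    agent was tricked into producing is refused before it runs, whatever it says.
    """
    if action == sqlite3.SQLITE_SELECT:
        return sqlite3.SQLITE_OK
    if action == sqlite3.SQLITE_READ and arg1 == ALLOWED_TABLE:  # arg1 = table, arg2 = column
        return sqlite3.SQLITE_OK
    if action == sqlite3.SQLITE_FUNCTION:  # count(), lower(), ... inside a SELECT
        return sqlite3.SQLITE_OK
    return sqlite3.SQLITE_DENY  # INSERT/UPDATE/DELETE, DDL, PRAGMA, reads of any other table


def run_agent_query(sql: str, least_privilege: bool = True) -> dict:
    """Execute SQL the agent produced and report whether the database allowed it."""
    conn = build_sample_db()
    if least_privilege:
        conn.set_authorizer(least_privilege_authorizer)
    try:
        rows = conn.execute(sql).fetchall()
        return {"allowed": True, "rows": rows, "error": None}
    except sqlite3.DatabaseError as exc:  # raised when the authorizer denies the statement
        return {"allowed": False, "rows": [], "error": str(exc)}
    finally:
        conn.close()


if __name__ == "__main__":
    # The legitimate task query, then two statements an injected prompt might push the agent into.
    for sql in (
        "SELECT name, price_cents FROM product_catalogue ORDER BY sku",
        "SELECT service, token FROM api_credentials",
        "DELETE FROM product_catalogue",
    ):
        for mode in (False, True):
            result = run_agent_query(sql, least_privilege=mode)
            label = "least-privilege" if mode else "over-privileged"
            print(f"{label:16} {sql!r:58} allowed={result['allowed']} rows={result['rows']}")
```

The point of the over-privileged column is that nothing in the agent's prompt changed between the two runs: the credential dump and the delete succeed on the shared connection and fail on the scoped one. On PostgreSQL or MySQL the equivalent is a dedicated role for the agent with SELECT granted on that one table and no other privileges, with the agent's connection string using that role and no other.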
How do I find out what AI tools are running inside my business?
Start with an AI footprint audit. Survey every department, review network traffic logs, and ask your IT or development team to list every third-party AI integration, agent, and API connection in use. Shadow AI (tools staff have connected without formal approval) is the biggest risk and the hardest to find.
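The 'review network traffic logs' step is the one that finds what the survey misses, because it does not depend on anyone remembering to declare a tool. The following is an added example, not code from the article: it parses constructed web-proxy log lines (not taken from any real system), matches destinations against a short, illustrative list of hosted AI API endpoints, and reports every user-to-vendor pair that is not in the sanctioned inventory. The log format, the user names and the approved list are all assumptions; the hostnames are real endpoints but the list is deliberately incomplete and needs extending for your own environment.

```python
import re
from collections import defaultdict
from typing import Optional

# Hosted AI API endpoints to look for. Illustrative list (assumption): extend it with the
# endpoints your own vendors and staff actually use.
AI_API_HOSTS = {
    "api.anthropic.com": "Anthropic",
    "api.openai.com": "OpenAI",
    "generativelanguage.googleapis.com": "Google Gemini",
}

# Sanctioned (user, vendor) pairs from the AI inventory; anything else is shadow AI (assumption).
APPROVED_AI_USE = {("alice", "Anthropic")}

# Constructed web-proxy log lines (not from any real system):
# timestamp  client_ip  user  destination_host  bytes_sent_by_client
SAMPLE_PROXY_LOG = """\
2024-05-01T09:12:04Z 10.20.3.17 alice api.anthropic.com 48211
2024-05-01T09:13:50Z 10.20.3.17 alice github.com 1200
2024-05-01T09:15:22Z 10.20.4.9 bob api.openai.com 910442
2024-05-01T09:16:01Z 10.20.5.31 carol generativelanguage.googleapis.com 7731
2024-05-01T09:17:45Z 10.20.4.9 bob api.openai.com 335001
2024-05-01T09:20:12Z 10.20.6.2 dave intranet.example.internal 5000
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) (?P<user>\S+) (?P<host>\S+) (?P<bytes>\d+)$")


def parse_proxy_log(text: str) -> list:
    """Parse the space-separated format above; malformed lines are skipped, not guessed at."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["bytes"] = int(rec["bytes"])
            records.append(rec)
    return records


def ai_vendor_for(host: str) -> Optional[str]:
    """Return the vendor if host is a known AI API endpoint or a subdomain of one."""
    for api_host, vendor in AI_API_HOSTS.items():
        if host == api_host or host.endswith("." + api_host):
            return vendor
    return None


def find_shadow_ai(records: list, approved: set) -> list:
    """Aggregate AI API traffic per (user, vendor) and return the pairs not in the inventory.

    bytes_out is the volume the client uploaded: a rough indicator of how much internal
    data may already have left through the unsanctioned tool.
    """
    usage = defaultdict(lambda: {"requests": 0, "bytes_out": 0, "clients": set()})
    for rec in records:
        vendor = ai_vendor_for(rec["host"])
        if vendor is None:
            continue
        entry = usage[(rec["user"], vendor)]
        entry["requests"] += 1
        entry["bytes_out"] += rec["bytes"]
        entry["clients"].add(rec["ip"])
    findings = []
    for (user, vendor), entry in sorted(usage.items()):
        if (user, vendor) not in approved:
            findings.append({"user": user, "vendor": vendor, "requests": entry["requests"],
                             "bytes_out": entry["bytes_out"], "clients": sorted(entry["clients"])})
    return findings


if __name__ == "__main__":
    for f in find_shadow_ai(parse_proxy_log(SAMPLE_PROXY_LOG), APPROVED_AI_USE):
        print(f"SHADOW AI  user={f['user']:6} vendor={f['vendor']:14} "
              f"requests={f['requests']} bytes_out={f['bytes_out']} from={','.join(f['clients'])}")
```

On the sample data alice's Anthropic traffic is in the inventory and is ignored, while bob and carol surface as unsanctioned; bob's upload volume is the number to chase first, since it bounds how much data has already gone out. Run the same logic over DNS or firewall logs if your proxy does not record the authenticated user, and feed every finding back into the inventory so the approved set grows as tools are either sanctioned or removed.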
What is a CVE and why does it matter that vendors are not issuing them?
A CVE (Common Vulnerabilities and Exposures) is the standard public record used to track and communicate security flaws in software. When vendors skip the CVE process, your security team cannot patch or monitor for the vulnerability. It is the equivalent of a car manufacturer knowing the brakes are faulty but choosing not to issue a recall.

Brett is a four-time founder (Darra Tyres, Gladfish, EzyTrac, Anaboo) and the operator behind AIOS, Anaboo's AI Operating System. He writes from inside the build, installing AI in his own businesses first and reporting back what actually moves the numbers. Based between Singapore, the UK and Australia.