Professional Security Magazine explored the emerging cybersecurity implications of AI vendor bankruptcies, with an article from NetSPI’s Sam Kirkman warning that insolvency could expose sensitive data, disrupt services, and undermine resilience. Read the preview below or view it online.

+++

When your AI provider fails

Regarding “Growing security risk of AI vendor insolvency” (Professional Security Magazine, 2025): With AI tools now embedded across industries, organisations face a new and overlooked threat: what happens when a third-party AI provider collapses. Sam Kirkman, Director of Services for EMEA at NetSPI, explained that insolvency doesn’t just trigger financial or legal challenges, but also poses serious cybersecurity risks.

Kirkman noted that during bankruptcy proceedings, data may be treated as an asset to be sold, exposing sensitive logs, datasets, and intellectual property to unknown buyers. Past cases such as Cambridge Analytica and CloudMine show how quickly control can vanish once a vendor enters liquidation. He warned that CIOs and CISOs must assume contracts offer limited protection once insolvency begins.

The article highlighted how failing vendors can also become active security liabilities. As operations shut down, patching and monitoring stop, leaving connected APIs, tokens, and integrations vulnerable to hijacking. CISOs should treat an insolvent provider as a compromised one, revoking credentials, isolating links, and activating incident-response plans immediately.

Kirkman also addressed the risks of “orphaned” AI models. When vendors vanish, their unmaintained systems and models can become targets for attackers or even be sold off to competitors. He advised maintaining visibility over where AI data resides and ensuring internal teams can patch, replace, or migrate vendor models if needed.

Legal protections, he warned, are often ineffective once bankruptcy courts prioritise creditors over customers. By the time disputes are resolved, any data exposure may already have occurred. Instead, CISOs should act pre-emptively – recovering data, rotating keys, and preparing for rapid migration.

Finally, Kirkman urged organisations to develop continuity and exit strategies well before instability strikes. That means retaining regular data exports, testing transitions to alternative models, and assessing financial stability as part of third-party risk management. Regulations such as DORA are beginning to require this discipline, but forward-looking organisations should already be implementing it.

AI vendor insolvency is fundamentally a security issue. By treating provider failure as another form of breach, businesses can protect data, customers, and reputation, and build resilience that outlasts the next AI bubble.

You can read the full article here.