
🚨 Every Employee Vibe-Coding an App Is Now a Vendor - Igor and Jasper on Rebuilding TPRM for It

The Netherlands blocked the first foreign acquisition of its national identity system host the same week the EU Tech Sovereignty Package landed. Two actively-exploited zero-days hit CISA's federal deadline. Lazarus Group went fully memory-resident against financial firms. And the two practitioners in this week's conversation — Lovable CISO Igor Andriushchenko and Athira CEO Jasper Mills — make the case that the third-party risk program most enterprises run today cannot see the AI-built apps already deployed inside the perimeter.

This week's Cloud Security Newsletter topic: Third-Party Risk in the AI Era — Why Your Vendor Inventory Is Already Wrong


In case this is your 1st Cloud Security Newsletter: you are in good company!
You are reading this issue along with your friends and colleagues from companies like Netflix, Citi, JP Morgan, LinkedIn, Reddit, GitHub, GitLab, CapitalOne, Robinhood, HSBC, British Airways, Airbnb, Block, Booking Inc & more who subscribe to this newsletter and who, like you, want to learn what’s new with Cloud Security each week from industry peers, like the many others who listen to Cloud Security Podcast & AI Security Podcast every week.

Welcome to this week’s Cloud Security Newsletter

This week, Europe codified digital sovereignty as procurement law the same week the Netherlands used its investment-screening authority to block a US company from buying the host of its national identity system. Two actively-exploited vulnerabilities (Drupal, Microsoft Defender) hit federal patch deadlines. A North Korean Lazarus subgroup went fully memory-resident, neutralizing most filesystem-based forensics in financial-sector intrusions. And Anthropic shipped a free in-IDE security review plugin for Claude Code that moves AppSec scrutiny inside the AI coding loop developers are already using.

This week's conversation is with Igor Andriushchenko, CISO at Lovable (and 4x prior CISO across telco, AI, and medical-device companies), and Jasper Mills, co-founder and CEO of ethira, hosted by Ashish Rajan. The thread running through both the news and the episode: trust assumptions are breaking faster than the programs built to manage them. The vendor list is wrong because half the new vendors are five-person AI companies. The "vendor" category itself is wrong because every employee building with AI is functionally introducing third parties without procurement ever seeing them. [Listen to the episode]

⚡ TL;DR for Busy Readers

- Netherlands blocks Kyndryl–Solvinity acquisition (DigiD host). EU Tech Sovereignty Package follows next day. CLOUD Act is now a procurement gate, not a legal-theory debate.

- Drupal CVE-2026-9082 actively exploited. CISA federal deadline today. PostgreSQL-only; the CVSS score of 6.5 understates the operational risk.

- Microsoft pushed out-of-band patches for two Defender zero-days (RedSun, UnDefend) after six weeks of LPE exploitation. The EDR is the escalation path.

- Lazarus deployed memory-only RemotePE against financial and crypto firms. Filesystem-based EDR triage fails. Memory acquisition belongs in your IR runbook now.

- Igor + Jasper's frame: "second-party risk" — every employee vibe-coding an app with an MCP attached is a vendor your TPRM program does not know about.

📰 THIS WEEK'S TOP SECURITY HEADLINES

Each story includes why it matters and what to do next — no vendor fluff.

1. Netherlands Blocks Kyndryl–Solvinity Acquisition; EU Tech Sovereignty Package Lands the Next Day

Primary source: European Commission Digital Strategy
Reporting: TechCrunch · DutchNews
Analysis: CNBC · TheNextWeb

What happened: On May 26, Dutch State Secretary for the Digital Economy Willemijn Aerdts issued a "complete prohibition" on Kyndryl's acquisition of Solvinity — the Dutch cloud provider that hosts DigiD, the national digital identity system used by millions of citizens to access tax, health, and government services. It is the first acquisition the Dutch Investment Screening Bureau (BTI) has ever fully blocked. The Dutch competition authority cleared the deal on antitrust grounds in February; the separate investment-screening review reached the opposite conclusion on public-interest grounds. The named concern was the US CLOUD Act.

One day later, the European Commission unveiled its long-delayed Tech Sovereignty Package, which includes the Cloud and AI Development Act (CADA) and Chips Act 2.0. The package proposes to restrict EU member-state governments from using US-headquartered cloud platforms for sensitive public-sector data in healthcare, finance, and judicial systems. The CLOUD Act is again the named cause. The package still requires all 27 member-state approvals.

Why it matters: This is the first time the CLOUD Act has been codified as a procurement-disqualifying condition at EU scale rather than litigated through Schrems II–style data-protection rulings. The threat model is no longer hypothetical legal risk — it is a procurement gate. For US-headquartered enterprises with EU operations, the assumption that AWS, Azure, and GCP regions in Frankfurt, Dublin, or Paris are functionally interchangeable with sovereign-EU alternatives for sensitive public-sector contracts is now wrong. For European enterprises in regulated sectors, sovereignty review is moving from a contracts question to an architecture question. This connects to Jasper's point in this week's conversation: contractual accountability under DORA is the closest existing analogue, and the same mechanism — written guardrails that follow the data — is what regulators are now extending across the rest of EU procurement.

2. Drupal CVE-2026-9082 — Actively Exploited, CISA Federal Deadline Today

What happened: Drupal disclosed CVE-2026-9082 on May 19 — an unauthenticated SQL injection in Drupal Core's database abstraction API affecting PostgreSQL-backed deployments. Drupal rated it "highly critical" (23 of 25 on its internal severity scale). It was discovered by Google/Mandiant researcher Michael Maturi. Within 48 hours of patch release, Drupal updated its advisory to confirm exploitation in the wild. CISA added the CVE to KEV on May 22 with a federal civilian remediation deadline of May 27 under BOD 22-01. Imperva reported observing over 15,000 attack attempts against nearly 6,000 sites across 65 countries, with gaming and financial services sites comprising roughly half the attack traffic. MySQL, MariaDB, and SQLite-backed deployments are not affected.

Why it matters: Drupal Core sits behind a long tail of government, education, research, and enterprise public-facing sites. The vulnerability is unauthenticated and the gap between disclosure and in-the-wild exploitation was under 48 hours. Programs that triage by CVSS alone will deprioritize this — the score is 6.5, lower than the operational risk. EPSS and KEV are the better signals. The PostgreSQL specificity is a natural triage gate, but only if asset inventory is current enough to answer "which Drupal sites are on Postgres?" without paging someone.
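As an added example (not from the newsletter, Drupal, or CISA) of the triage ordering this paragraph argues for: the backend gate only counts Drupal sites whose database is in the advisory's affected set, and the ranking key puts KEV membership first, EPSS second, and CVSS last. CVE-2026-9082's CVSS 6.5, PostgreSQL-only scope and KEV listing follow the text; the EPSS figure, the second "CVE-PLACEHOLDER-0001" advisory and the asset names are constructed assumptions, there to show how the two orderings diverge.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    cve: str
    cvss: float
    epss: float                   # estimated 30-day exploitation probability
    in_kev: bool                  # listed in CISA's Known Exploited Vulnerabilities catalog
    affected_backends: frozenset  # database backends the flaw applies to


@dataclass(frozen=True)
class Asset:
    name: str
    product: str
    db_backend: str


ALL_BACKENDS = frozenset({"postgresql", "mysql", "mariadb", "sqlite"})

# CVE-2026-9082 figures follow the newsletter: CVSS 6.5, PostgreSQL-only, in KEV.
# The EPSS value is an assumed illustrative number, not a published score.
DRUPAL_SQLI = Advisory("CVE-2026-9082", 6.5, 0.85, True, frozenset({"postgresql"}))
# A second, entirely constructed advisory: higher CVSS, no exploitation evidence.
PLACEHOLDER = Advisory("CVE-PLACEHOLDER-0001", 7.5, 0.03, False, ALL_BACKENDS)
ADVISORIES = [DRUPAL_SQLI, PLACEHOLDER]

# Constructed asset inventory; names are placeholders, not real sites.
ASSETS = [
    Asset("intranet-portal", "drupal", "postgresql"),
    Asset("research-site", "drupal", "mysql"),
    Asset("grants-portal", "drupal", "postgresql"),
    Asset("wiki", "mediawiki", "mysql"),
]


def is_exposed(asset, advisory):
    """The backend gate: count the asset only if its database is in the affected set."""
    return asset.product == "drupal" and asset.db_backend in advisory.affected_backends


def cvss_only(adv):
    """The ordering a CVSS-only program would produce."""
    return (adv.cvss,)


def kev_aware(adv):
    """KEV membership outranks everything; EPSS breaks ties; CVSS comes last."""
    return (adv.in_kev, adv.epss, adv.cvss)


def rank_for_asset(asset, advisories, key):
    """Ordered list of CVEs this asset is exposed to, most urgent first."""
    exposed = [adv for adv in advisories if is_exposed(asset, adv)]
    return [adv.cve for adv in sorted(exposed, key=key, reverse=True)]


def backlog(assets, advisories, key=kev_aware):
    """Map each asset to its ordered patch list; assets with nothing exposed are omitted."""
    out = {}
    for asset in assets:
        order = rank_for_asset(asset, advisories, key)
        if order:
            out[asset.name] = order
    return out


if __name__ == "__main__":
    for name, order in backlog(ASSETS, ADVISORIES).items():
        print(f"{name}: {' > '.join(order)}")
```

With the CVSS-only key the placeholder advisory tops every Drupal site; with the KEV-aware key the two PostgreSQL sites move CVE-2026-9082 to the front and the MySQL site never sees it at all, which is the inventory question the paragraph says you need to be able to answer without paging anyone.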

3. Microsoft Defender Zero-Days RedSun and UnDefend — Out-of-Band Patches After Six Weeks of Exploitation

What happened: On May 21, Microsoft pushed out-of-band patches for two Windows Defender zero-days — CVE-2026-41091 "RedSun" (CVSS 7.8) and CVE-2026-45498 "UnDefend" (CVSS 4.0) — after six weeks of confirmed in-the-wild exploitation. RedSun is a local privilege escalation in the Microsoft Malware Protection Engine ≤1.1.26030.3008 caused by improper link resolution before file access. A low-privileged user can manipulate a symbolic link or directory junction during a Defender scan to escalate to SYSTEM. UnDefend is a DoS flaw exploited by standard users to block Defender definition updates. Both were originally disclosed publicly without coordination by a researcher operating under the aliases "Chaotic Eclipse" / "Nightmare Eclipse" between April 3 and April 16. The first in the series (BlueHammer, CVE-2026-33825) was patched April 14. RedSun and UnDefend went unpatched for six weeks while Huntress confirmed exploitation in hands-on intrusions. The same engine update (Microsoft Defender Antimalware Platform 4.18.26040.7) also fixes CVE-2026-45584, a heap-based RCE (CVSS 8.1) not yet confirmed exploited. CISA added RedSun and UnDefend to KEV on May 20 with a federal deadline of June 3.

Why it matters: The exploited flaws are in the endpoint agent itself. The defensive control becomes the privilege-escalation vector — compromised low-privilege accounts reach SYSTEM through the AV the SOC trusts. This inverts the trust direction of the control, which makes it the most consequential class of EDR/EPP bug. For Windows cloud workloads (VDI, RDS gateways, jump boxes, Citrix farms on Azure, AWS, or GCP), this is the lateral-movement layer. CVE-2026-45584 — RCE without user interaction — is the one to watch. Exploitation isn't confirmed yet, but the technical bar is the lowest in the bundle.

4. Microsoft SharePoint CVE-2026-45659 — RCE with Only Site Member Permissions

What happened: Microsoft released patches for CVE-2026-45659 (CVSS 8.8), a high-severity RCE in on-premises SharePoint disclosed as part of May 2026 Patch Tuesday (advisory published May 21, broader coverage May 26–27). The flaw is a deserialization-of-untrusted-data issue (CWE-502). An attacker with only Site Member permissions — no admin rights, no elevated privileges — can execute code remotely on a SharePoint Server instance. Network vector, low complexity, no user interaction. Affected: SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016. Microsoft assesses exploitation as "less likely" with no public PoC at disclosure, but the 2025–26 pattern for SharePoint deserialization bugs has consistently been reclassification upward within weeks once PoCs surface — CVE-2026-32201 followed that pattern and was added to CISA KEV in April.

Why it matters: "Authenticated but only Site Member" is almost no bar at all. SharePoint Site Member permissions are routinely granted to contractors, vendors, business-line partners, and broad employee groups. Treat this as one credential-compromise hop from RCE. The conservative move is to patch on Microsoft's original cadence, not the assessed-likelihood cadence. SharePoint Online is patched centrally by Microsoft; the hybrid and on-prem footprint is where the residual risk concentrates.

5. Lazarus Group Deploys RemotePE — Fully Memory-Resident RAT Against Financial and Crypto Firms

Primary source: Fox-IT (NCC Group)
Reporting: SC Media · The Hacker News
Analysis: Cryptopolitan

What happened: On May 22, NCC Group subsidiary Fox-IT published research on a new toolset deployed by a North Korea-linked Lazarus subgroup (overlapping with AppleJeus, Citrine Sleet, UNC4736, and Gleaming Pisces) in IR engagements against financial and crypto organizations. The toolset has three components forming a chain: DPAPILoader decrypts and loads RemotePELoader from disk using the Windows Data Protection API; RemotePELoader beacons to a C2 server and receives RemotePE, a RAT executed entirely in memory with no filesystem artifacts. The chain uses environmental keying via DPAPI (the second-stage loader can only be decrypted on the originally-infected host), Hell's Gate direct syscalls, and ETW patching. Initial access is via Telegram social engineering, with the actor impersonating trading-firm employees using cloned Calendly and Picktime scheduling pages. This toolset replaced the actor's previous ThemeForestRAT and PondRAT.

Why it matters: Memory-only execution plus DPAPI environmental keying defeats most filesystem-based forensics. The standard EDR triage workflow — pull artifacts, find the dropped binary, hash and pivot — collapses. The DPAPI keying is the technically interesting part: even if defenders capture RemotePELoader, they cannot decrypt the next stage on a different machine. That is anti-collaboration design by construction. The targeting (trading firms, DeFi, banks with international operations) is the same population that runs the most sensitive cloud workloads. AWS, Azure, and GCP credentials, BI tool API keys, and trading-platform integrations are the actual prize.

6. Iranian APT Nimbus Manticore — AI-Assisted MiniFast Backdoor, AppDomain Hijacking, SEO Poisoning

Primary source: Check Point Research
Reporting: The Hacker News · SecurityWeek
Analysis: Infosecurity Magazine

What happened: On May 22, Check Point Research published "Fast and Furious — Nimbus Manticore Operations During the Iranian Conflict," documenting three waves of activity between February and April 2026 by the IRGC-affiliated threat actor Nimbus Manticore (also tracked as UNC1549, Screening Serpens). The campaigns coincide with Operation Epic Fury, the joint US–Israeli military operation that began February 28. Targets: aviation, software, defense, and telecommunications organizations across the US, Europe, Saudi Arabia, and Australia. Three tradecraft shifts: AppDomain hijacking replaces DLL sideloading (a trojanized XML .config file placed next to a legitimate .NET application loads an attacker-controlled DLL via the AppDomainManager class); a new backdoor named MiniFast replaces the older MiniJunk family, with hallmarks Check Point attributes to AI-assisted development; and SEO poisoning via a counterfeit Oracle SQL Developer download page. The March wave used a trojanized Zoom installer.

Why it matters: AppDomain hijacking is well-known but underweighted relative to DLL sideloading in most hunt programs. The detection signal — an XML .config file appearing next to a legitimate .NET binary, named after the abused binary with a .config suffix — is concrete and hunt-friendly. AI-assisted malware development is no longer a forecast. Check Point's fingerprints (excessive error handling on trivial functions, verbose repetitive naming, debug-style status strings) are now indicators. State-actor capability ramp times are getting shorter. That aviation, defense, and software-supplier organizations in Australia and Saudi Arabia are in scope is worth flagging for AU/NZ readers — Iranian APT activity is not historically the top concern for that region.
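A hunt for the signal described above, written as an added example (it is not Check Point's code, and the directory fixture it builds is constructed): for every .exe that has a sibling .exe.config, the script parses the config and flags appDomainManagerAssembly / appDomainManagerType entries under <runtime>, the two elements that redirect the AppDomainManager to a different assembly. Malformed configs are reported rather than silently skipped, since an unparseable .config beside a signed binary deserves a look of its own.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# The <runtime> child elements that point the .NET loader at a replacement AppDomainManager.
SUSPICIOUS_ELEMENTS = {"appDomainManagerAssembly", "appDomainManagerType"}


def inspect_config(config_path):
    """Return (element, value) pairs if the config redirects the AppDomainManager.

    A parse failure is returned as a finding too: legitimate configs are well-formed XML.
    xml.etree is fine for files you collected yourself; use defusedxml for untrusted trees.
    """
    try:
        root = ET.parse(config_path).getroot()
    except ET.ParseError as exc:
        return [("parse-error", str(exc))]
    hits = []
    for runtime in root.iter("runtime"):
        for child in runtime:
            if child.tag in SUSPICIOUS_ELEMENTS:
                hits.append((child.tag, child.get("value", "")))
    return hits


def hunt(root_dir):
    """Walk root_dir; for each *.exe with a sibling *.exe.config, inspect that config."""
    findings = []
    for dirpath, _, filenames in os.walk(root_dir):
        present = set(filenames)
        for name in filenames:
            if not name.lower().endswith(".exe"):
                continue
            cfg = name + ".config"            # the hijack names the config after the binary
            if cfg not in present:
                continue
            hits = inspect_config(os.path.join(dirpath, cfg))
            if hits:
                findings.append((os.path.join(dirpath, name), hits))
    return findings


def summarize(findings):
    """Collapse findings to {parent directory name: {element: value}} for reporting."""
    return {os.path.basename(os.path.dirname(path)): dict(hits) for path, hits in findings}


# Constructed fixture configs (not samples from the campaign).
BENIGN = """<configuration><runtime>
  <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1"/>
</runtime></configuration>"""

HIJACK = """<configuration><runtime>
  <appDomainManagerAssembly value="Hijack, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"/>
  <appDomainManagerType value="Hijack.Manager"/>
</runtime></configuration>"""


def build_fixture():
    """Create a temp tree with one clean app, one hijacked app and one broken config."""
    base = tempfile.mkdtemp(prefix="appdomain-hunt-")
    for sub, cfg in (("clean", BENIGN), ("hijacked", HIJACK), ("broken", "<configuration><runtime>")):
        d = os.path.join(base, sub)
        os.makedirs(d)
        open(os.path.join(d, "tool.exe"), "wb").close()   # empty stand-in for the .NET binary
        with open(os.path.join(d, "tool.exe.config"), "w", encoding="utf-8") as fh:
            fh.write(cfg)
    return base


if __name__ == "__main__":
    for app, hits in hunt(build_fixture()):
        print(app, hits)
```

Ordinary .NET applications often ship a .exe.config (binding redirects, startup settings), so the presence of the file alone is noise; the two AppDomainManager elements are what is rare in legitimate software. Run it over a mounted image or a collected directory tree rather than live endpoints.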

7. Anthropic Ships Claude Code Security-Guidance Plugin and Self-Hosted Sandbox

What happened: At the Code w/ Claude event in London the week of May 26, Anthropic announced two security-relevant features for Claude Code, its terminal-based AI coding agent. The security-guidance plugin (free, all plans, launched May 26) is a three-layer reviewer that runs inside the Claude Code session. Layer one is a deterministic regex pass with no model call — it catches around 25 dangerous patterns (eval, os.system, child_process.exec, pickle deserialization, dangerouslySetInnerHTML and similar) at zero usage cost. Layers two and three are deeper agentic reviews triggered on model turns and on commits, reading surrounding callers and sanitizers to minimize false positives. Anthropic's internal rollout reported a 30–40% reduction in security-related PR comments. Anthropic separately announced a public-beta self-hosted sandbox: Claude Managed Agents now run tool execution in customer-controlled environments (the customer's own infrastructure or a managed provider like Cloudflare, Daytona, Modal, or Vercel), while the orchestration loop stays on Anthropic infrastructure. Files, repositories, and runtime images stay inside the customer perimeter.

Why it matters: AppSec embedded in the AI coding loop is the architectural shift the senior reader's developers are already living through. Free, zero-config security review at the point of code creation collapses the developer-friction tax that has been the longstanding gap in shift-left. The self-hosted sandbox addresses the most concrete enterprise objection to agentic AI coding — that agent-executed code, files, and secrets leave the corporate perimeter. Cloud security architects now have an architecture pattern to point to: agent reasoning external, execution internal. This connects directly to Igor's framing in this week's conversation. When employees build with AI agents and connect MCPs to internal data, the company is creating second-party risk on a continuous basis. Tooling that catches issues at the point of creation is the only realistic way to keep up.
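To make the "layer one" idea concrete, here is an added example that mirrors it (it is not Anthropic's plugin; the rule list is an assumption built from the names the story gives, plus subprocess(..., shell=True) as an obvious sibling): a handful of compiled regexes run over every non-comment line of a source file and return line-numbered findings, with no model call at all. The two sample sources are constructed.

```python
import re
from collections import Counter, namedtuple

Finding = namedtuple("Finding", "line rule snippet")

# Rule set (assumption): the patterns named in the story plus subprocess with shell=True.
RULES = [
    ("py-eval",               re.compile(r"(?<![\w.])eval\s*\(")),       # not myeval( or obj.eval(
    ("py-os-system",          re.compile(r"\bos\.system\s*\(")),
    ("py-subprocess-shell",   re.compile(r"\bsubprocess\.\w+\([^)]*shell\s*=\s*True")),
    ("py-pickle-load",        re.compile(r"\bpickle\.loads?\s*\(")),
    ("js-child-process-exec", re.compile(r"\bchild_process\.exec(?:Sync)?\s*\(")),
    ("react-dangerous-html",  re.compile(r"\bdangerouslySetInnerHTML\b")),
]


def scan(source):
    """Return a Finding for every non-comment line that matches a rule.

    Deterministic and cheap: no context, no data-flow, no model call. It flags the
    pattern, and a deeper layer decides whether the argument is actually attacker-reachable.
    """
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        stripped = line.strip()
        if stripped.startswith(("#", "//", "*")):   # crude comment skip keeps noise down
            continue
        for rule, rx in RULES:
            if rx.search(line):
                findings.append(Finding(lineno, rule, stripped))
    return findings


def rules_hit(source):
    """Just the rule names, in file order."""
    return [f.rule for f in scan(source)]


def summary(source):
    """Counts per rule, the shape a reviewer comment would summarise."""
    return dict(Counter(rules_hit(source)))


# Constructed sample sources; they are inputs to the scanner, not code to run.
SAMPLE_PY = '''import os, pickle, subprocess

def load(blob):
    return pickle.loads(blob)            # untrusted bytes -> arbitrary object graph

def run(cmd):
    return subprocess.run(cmd, shell=True)

# os.system("true") appears only in this comment, so it is skipped
print(eval("1+1"))
'''

SAMPLE_JS = '''const child_process = require("child_process");
child_process.exec(userInput);            // shell out with caller-controlled input
return <div dangerouslySetInnerHTML={{ __html: html }} />;
'''

if __name__ == "__main__":
    for name, src in (("sample.py", SAMPLE_PY), ("sample.jsx", SAMPLE_JS)):
        for f in scan(src):
            print(f"{name}:{f.line}: [{f.rule}] {f.snippet}")
```

A pass like this trades precision for cost: it cannot tell whether the argument to eval is a constant or whether a sanitizer sits upstream, which is exactly what the deeper, context-reading layers in the story exist to decide.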

🤖 8. Akamai to Acquire LayerX for $205M — Browser-Layer AI Usage Control Becomes a Platform Feature

Announced May 14 — outside the strict 5-day window but included as the largest cybersecurity M&A of May 2026 and directly relevant to the AI-governance thread running through this week's news.

Primary source: Akamai press release
Reporting: SecurityWeek · Help Net Security
Analysis: BankInfoSecurity

What happened: Akamai announced a definitive agreement to acquire LayerX, a Tel Aviv–based browser-native security firm, for approximately $205 million in cash. LayerX provides AI usage control and secure-enterprise-browser (SEB) technology that runs on top of standard browsers (Chrome, Edge, Safari) rather than requiring users to switch to a proprietary browser. The platform covers shadow AI discovery, gen-AI data loss prevention, access controls for AI tools, and protection for agentic browsers (Atlas, Comet). The deal is expected to close in Q3 2026. This is Akamai's third Israel-based security acquisition after Guardicore (2021, ~$600M) and Noname Security (2024, ~$450M).

Why it matters: Browser-layer telemetry is becoming a category. The deal validates that "AI usage control" — which workforce uses which models with which data — is a platform requirement, not a standalone product. For cloud security architects, this signals a likely shift in vendor roadmaps: browser-based DLP, SaaS access governance, and AI-tool inventory will converge with ZTNA and CASB rather than sit alongside them. Expect Zscaler, Palo Alto, and Netskope to respond with comparable consolidation moves. The agentic-browser detail (Atlas, Comet) is the forward-looking part. If the workforce starts using AI browsers that act on their behalf, the security control point has to live there — network-layer DLP cannot see what a browser-resident agent does inside a session.

🎯 Cloud Security Topic of the Week:

Third-Party Risk in the AI Era - Why Your Vendor Inventory Is Already Wrong

The pre-AI state of third-party risk management was, in Igor's word, "abysmal." A spreadsheet of 200-question vendor checklists, hours filled out by both sides, generating documentation nobody reads until an auditor asks for it. Both sides know it is a paper exercise. Both sides do it anyway.

What Igor and Jasper lay out in this week's conversation is that the program was barely surviving the old model when AI broke three assumptions underneath it at once. The vendor list shrank from a handful of large suppliers to dozens of five-person AI companies whose risk profile a 200-question checklist cannot meaningfully assess. The "vendor" boundary itself stopped holding — when an employee builds an internal app with AI and wires an MCP server into Salesforce, no procurement event has occurred, but a third party has effectively been introduced inside the perimeter. And the pace at which both sides operate started moving toward agent speed. Pactum is already running agent-to-agent procurement negotiations. The same architecture applied to vendor questionnaires is technically obvious. The only thing holding it back is comfort.

That is the framing for this week's conversation. Igor and Jasper are not predicting a distant future. They describe a transition already happening in pieces — and a series of practical decisions cloud security leaders need to make in the next 12–18 months about what to automate, where to keep humans in the loop, and how to inventory a class of "vendors" the existing TPRM program cannot see. [Listen to the full episode →]

Featured Experts This Week 🎀

Definitions and Core Concepts 📚

Before diving into our insights, let's clarify some key terms:

  • Third-Party Risk Management (TPRM): Assessing, monitoring, and governing the security and compliance posture of external suppliers — historically driven by vendor questionnaires (SIG, CAIQ), SOC 2 reports, pen test attestations, and contractual clauses.

  • Second-Party Risk: Igor's term for the risk introduced when internal employees or departments build their own applications with AI — functionally creating new "vendors" the procurement-driven TPRM program never sees.

  • MCP (Model Context Protocol): A protocol that lets AI agents connect to external tools and data sources through standardized connectors. An MCP server bridges a language model to systems like Salesforce, Git, databases, or internal APIs. From a TPRM perspective, every MCP connection is a privileged integration point.

  • Shadow AI: AI tools adopted by employees without security or procurement review. A common pattern: employees bypass enterprise restrictions on a sanctioned tool by creating a personal account and re-enabling the feature there.

  • DORA (Digital Operational Resilience Act): EU financial-sector regulation that requires ongoing, contractual accountability for ICT third-party providers — including subcontractors, exit strategies, and continuous monitoring. The closest existing analogue for how regulators will likely govern AI agents.

  • Agent-to-Agent (A2A): The emerging pattern where one organization's AI agent communicates directly with another organization's AI agent — for procurement negotiation, vendor onboarding, or security questionnaire exchange. Pactum is one of the early production examples.

  • CLOUD Act: US law (2018) that lets American law enforcement compel US-headquartered cloud and technology providers to disclose customer data regardless of where the data is physically stored. The named concern behind both the Dutch Kyndryl–Solvinity block and the EU Tech Sovereignty Package this week.

This week's issue is sponsored by Tamnoon

The Alert Crisis: 14M Cloud Threats Found… But Who's Fixing Them?

Tamnoon's 2026 State of Cloud Remediation Report analyzed over 14 million CNAPP detections across hundreds of enterprise environments and 10 CNAPPs.

With 53% of detections still open across cloud environments, critical alerts taking 150 days to close, and vulnerability management MTTR increasing by 22% since last year, it’s clear more work needs to be done.

Read the 2026 State of Cloud Remediation Report for a full breakdown of what's improving, what's regressing, and the benchmarks your board will ask about next quarter.

💡 Our Insights from this Practitioner 🔍

1. The pre-AI state was a paper exercise. AI doesn't fix it — it raises the stakes.

The opening framing from Igor lands the first point hard:

"If you take a security program, right? There is a whole bunch of security program dedicated, any security program dedicated to third-party risk management. You can fail a lot of audits on it. It requires a lot of documentation, a lot of rigor. And the more, the bigger company becomes, the more impossible it becomes to control your vendors the way you actually bring value. It becomes this kind of paper exercise where you do something for the sake of doing it." β€” Igor Andriushchenko

Jasper's experience implementing DORA at her previous company hit the same wall from a different direction — DORA's accountability requirements collided with the AI-tooling wave at exactly the moment her organization was trying to onboard productivity tools at speed:

"The process of, like, using the tools on the market felt like I'd been catapulted to 1979. It was the worst experience of my professional career." β€” Jasper Mills

The practical implication for senior cloud security leaders: the program does not need optimization. The cadence at which AI-driven vendors arrive, and the rate at which employees create new internal applications that behave like vendors, is fundamentally incompatible with a checklist-driven model. Optimization within the existing frame produces the same paper exercise faster.

2. Second-party risk is the new category — and the existing program cannot see it

The most useful new vocabulary in the conversation is Igor's distinction between third-party and second-party risk:

"Should we treat each of these people or their departments as mini vendors? Because essentially we need to apply to those, whatever they produce, some kind of rules, some kind of governance. And that governance is very similar in its nature to third party risk. You're, like, it's almost like it's a second party risk. It's your employees, it's your builders." β€” Igor Andriushchenko

Jasper's working example crystallizes the operational problem:

"Or maybe John built it themselves... and then he found an MCP that he has spun up and now it's going to Salesforce and, like, fetching whatever it wants." β€” Jasper Mills

There is no procurement event for John. No SOC 2 review. No vendor questionnaire. There is an MCP server reaching into a CRM, configured by someone in a non-technical team, governed by nothing. From a TPRM program's perspective, John's app does not exist. From an actual risk perspective, it is one of the highest-velocity new sources of exposure in the organization.

The practitioner translation: TPRM coverage has to extend to inventory the program does not currently own. Discovery of internal apps, MCP servers, and the data sources they touch needs to live alongside the vendor inventory — and the same risk-tiering language needs to apply to both.

3. The "kindergarten with a nuclear bomb" problem

Jasper's most-quoted line in the episode comes from a customer conversation, and it captures why the AI-productivity push is currently outrunning the controls:

"A CISO called me and he said, like, 'We have just given a kindergarten a nuclear bomb.'" β€” Jasper Mills (recounting a customer conversation)

The CISO had enabled AI tooling for sales and other non-technical teams. The technology worked. The productivity gains were real. Visibility into what those teams were doing with the tooling — where data was going, which integrations had been wired up — was effectively zero. The control plane lagged the adoption plane by months.

Igor frames the dynamic from the other side — what's happening inside the user's head when they make the choice to bypass a sanctioned tool:

"People just create a personal workspace, and they just enable that feature. Everything feels solvable, just, like, one toggle away." β€” Igor Andriushchenko

When the friction between "thing I want to do" and "thing I can do" collapses, the security implication is no longer a calculation most users perform. The ergonomic gap between sanctioned and unsanctioned has to close, or the workforce will close it for the program.

4. What actually gets automated — and what stays human

Both speakers are practical about where the line sits today. Jasper described what ethira automates and what it explicitly does not:

"We can do all of that autonomously. Where we actually pull the humans in is at the end. So we basically aggregate everything that we cannot get, or we'll give an analysis based on your risk tolerance — this is sort of what we would recommend, and these are the mitigating factors if you want to onboard or not." — Jasper Mills

The automation absorbs data gathering, financial and news checks, GitHub-based open-source maintenance signal, pen test request workflows, and the back-and-forth that historically dominated TPRM analyst time. Human judgment stays at the point of risk acceptance, where it belongs.

Igor reinforces the same pattern from the consumer side and recommends an underrated starting point that does not require new procurement:

"I'm very excited about AI doing inventory of everything that's going on in the company, 'cause we already have some solutions. They just look into telemetry from the device. Let's say they take CrowdStrike telemetry, they take any other agent kind of running on your computer telemetry, and then they analyze it, and it was like, 'Oh, I found these 75 vendors here.'" β€” Igor Andriushchenko

Practitioner takeaway: AI-driven inventory is the highest-leverage place to start. Most enterprises already have the telemetry sitting in their EDR. What they don't have is a vendor list reconciled against it. Running AI over existing endpoint telemetry to produce a continuous vendor inventory closes a gap the spreadsheet has never been able to close.
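An added example of the inventory-from-telemetry approach Igor describes (not ethira's or Lovable's code; the telemetry records, vendor register and domains are all constructed): EDR network events are reduced to registrable domains, first-party traffic is dropped, and the result is reconciled against the vendor register in both directions, producing the domains nobody procured (ranked by how many hosts talk to them) and the registered vendors no endpoint has talked to.

```python
import json
from collections import defaultdict

# Constructed EDR network-telemetry records (JSON lines); hosts, users and domains are placeholders.
TELEMETRY_JSONL = """
{"host": "LAPTOP-017", "user": "jdoe",      "process": "Notion.exe", "dst": "api.notion.so"}
{"host": "LAPTOP-042", "user": "asmith",    "process": "Notion.exe", "dst": "api.notion.so"}
{"host": "LAPTOP-017", "user": "jdoe",      "process": "chrome.exe", "dst": "app.salesforce.com"}
{"host": "LAPTOP-042", "user": "asmith",    "process": "Code.exe",   "dst": "mcp.vibecode-tool.example"}
{"host": "LAPTOP-042", "user": "asmith",    "process": "python.exe", "dst": "api.vibecode-tool.example"}
{"host": "LAPTOP-099", "user": "svc-build", "process": "node.exe",   "dst": "registry.npmjs.org"}
{"host": "LAPTOP-017", "user": "jdoe",      "process": "Teams.exe",  "dst": "teams.microsoft.com"}
{"host": "LAPTOP-042", "user": "asmith",    "process": "chrome.exe", "dst": "intranet.example.internal"}
{"host": "LAPTOP-099", "user": "svc-build", "process": "curl.exe",   "dst": "updates.vendor.co.uk"}
"""

# The vendor register procurement actually maintains (constructed).
VENDOR_REGISTER = {"salesforce.com": "Salesforce", "microsoft.com": "Microsoft", "zoom.us": "Zoom"}
FIRST_PARTY = {"example.internal"}           # placeholder corporate domain, excluded from vendor counts
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au"}   # tiny stand-in for a real public-suffix list


def registrable_domain(hostname):
    """Reduce a hostname to the domain an organisation registers (api.x.com -> x.com)."""
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def parse_jsonl(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def observed(events):
    """Aggregate who talks to which external domain: hosts, users and processes per domain."""
    seen = defaultdict(lambda: {"hosts": set(), "users": set(), "processes": set()})
    for e in events:
        domain = registrable_domain(e["dst"])
        if domain in FIRST_PARTY:
            continue
        seen[domain]["hosts"].add(e["host"])
        seen[domain]["users"].add(e["user"])
        seen[domain]["processes"].add(e["process"])
    return seen


def reconcile(events, register):
    """Telemetry vs register, both ways.

    unknown: observed domains absent from the register, widest footprint first.
    dormant: registered vendors no endpoint has contacted (offboarding candidates).
    """
    seen = observed(events)
    unknown = sorted(
        ((d, len(i["hosts"]), sorted(i["processes"])) for d, i in seen.items() if d not in register),
        key=lambda row: (-row[1], row[0]),
    )
    dormant = sorted(d for d in register if d not in seen)
    return {"unknown": unknown, "dormant": dormant}


if __name__ == "__main__":
    report = reconcile(parse_jsonl(TELEMETRY_JSONL), VENDOR_REGISTER)
    for domain, hosts, procs in report["unknown"]:
        print(f"unregistered: {domain:28} hosts={hosts} via {', '.join(procs)}")
    print("dormant:", report["dormant"])
```

The two-label fallback in registrable_domain is a stand-in for a real public-suffix list; in practice feed it the PSL and enrich the unknown domains with a WHOIS or certificate-organisation lookup before handing the list to procurement. The vibecode-tool.example rows are the second-party case from the episode: an internal app on one laptop calling an MCP endpoint nobody onboarded.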

5. Build vs. buy for the TPRM stack — both speakers come down on "buy"

This is one of the rare sections where two AI-native operators arrive at the same conclusion from different angles. Igor's reasoning is operational, not philosophical:

"Imagine you have to build your third party risk management from scratch... how many people are working on that really? Like, is there one engineer who's vibe coding it? Good. But then what happens next? It needs to be maintained. Somebody needs to take a look at logs, at alerts, at telemetry... and you end up with somebody whose full-time job is just maintaining that app." β€” Igor Andriushchenko

He extends the point to audit posture: if the failure is your own, because you decided to take that risk and build the tool yourself, it can become a more serious issue.

Jasper makes the same point from the vendor side — the unique data sources and hallucination-mitigation work that a serious TPRM product invests in are not realistic to replicate as a side project. For cloud security leaders evaluating whether to build internal TPRM tooling on top of foundation-model APIs, the maintenance tail and the audit-defensibility tail are typically larger than the build cost, and neither shows up in the initial estimate.

6. Where this ends up: agent-to-agent procurement, contractual accountability as guardrails

Both speakers point at the same destination. Igor names the year:

"I've heard it many times, 2027 is the year of agent to agent. We are looking at third party management agent, risk management agents talking to company agents, like vendor agents that are just there listening for anyone coming in, asking about pen test results or NDA or something like that... It may sound bad, but there is no place for humans in that loop." β€” Igor Andriushchenko

Jasper draws the architectural line back to the regulatory anchor that the whole conversation circles:

"DORA, one of the key sort of foundations is contractual accountability. And one of the things that we've thought about is if you think about people, if you think about agents, if you think about vendors, historically what you've been able to do, if you look at when something goes wrong, you go back to the contract, you call a person up. But actually what you're able to do with vendors, with third-party agents, even with first-party agents, you can then actually take the contract that you have and create guardrails." β€” Jasper Mills

The contract becomes the guardrail. The guardrail becomes the policy the agent operates under. The audit trail becomes the proof that the policy was followed. That sequence — contract → guardrail → enforceable policy on agent behavior — is the most actionable architectural insight in the episode for senior cloud security leaders thinking about how their TPRM program survives 2027.

7. The "IT becomes HR" frame — managing agents like contracted workforce

Jasper's closing prediction is the one to sit with:

"IT will end up being like HR, in the fact that it will be like your contracted workforce. So you'll have a lot of contracted agents, you'll have a life cycle, you'll have a cost within that. They have their own credentials. But I think you'll manage it very similarly to third party risk, and the vendors will eventually have their own agents that are working in your systems." β€” Jasper Mills

Igor extends the metaphor into something more uncomfortable — and useful for designing controls:

"What defines a person is the agency. We have free will. We decide what to do next. The agents have that too. Not to the same extent, of course. There is a program where there is intention we give them, but still, sometimes they do things we do not expect." — Igor Andriushchenko

"The moment we start thinking, 'Hey, this thing will behave deterministically,' we've failed as security people." — Igor Andriushchenko

The practical implication: the controls that work for non-deterministic actors (humans, contractors, agents) are different from the controls that work for deterministic systems. Audit logging at every action, source-and-destination metadata, scoped credentials, lifecycle management with onboarding and offboarding, and behavioral monitoring against a baseline — these are HR-adjacent controls. They are not the controls most TPRM programs are set up to run.

Practical takeaways for cloud security leaders

A few things senior cloud security leaders can act on in the next 30–60 days:

  • Start inventory with the telemetry you already have. Run AI over existing EDR telemetry to build a continuous vendor and application inventory before paying for a new tool. Most enterprises have the data — they just don't have the reconciled list.

  • Add a "second-party" track to TPRM. Internal apps built with AI and connected to internal data sources (especially via MCP) need a risk-tiering process equivalent to the one used for external vendors. Procurement isn't going to catch these.

  • Treat MCP servers as privileged integrations. Every MCP connection from an internal app to a SaaS data source (Salesforce, Git, internal APIs, CRM) is a privileged integration. Inventory, scope, and audit them with the same rigor applied to service accounts.

  • Pick the autonomy level deliberately. Match the toggle to the risk class. Agent-to-vendor questionnaire negotiation is reversible and low-blast-radius; agent-driven risk acceptance is not.

  • Map contractual accountability to agent policy now. Whether the organization is regulated under DORA or not, the contract → guardrail → policy sequence is the architectural pattern that survives the agent-to-agent transition. The teams that have written this out before 2027 will not have to retrofit it under regulatory pressure.

🧠 Mental Model — The Vendor List Was the Inventory. The Inventory Is Now the Vendor List.

For 20 years, TPRM ran on a procurement-driven vendor list. Procurement onboarded a supplier, security reviewed it, the supplier went on the list, the list got audited. The list was the inventory.

That sequence is now backwards. The inventory — what your EDR sees running, what your network sees connecting, what your developers have wired up — is the source of truth. The vendor list is a downstream projection of it, and an increasingly incomplete one. Procurement no longer sees a meaningful share of the third parties operating inside the perimeter, because employees are creating them with AI faster than procurement can intake them.

The program that survives 2027 starts from inventory and projects out to a vendor list. Not the other way around.

Podcast Episode

Question for you? (Reply to this email)

🤔 Is your TPRM program seeing the apps your own employees built with AI this quarter or just the vendors procurement onboarded?

Next week, we'll explore another critical aspect of cloud security. Stay tuned!

📬 Want weekly expert takes on AI & Cloud Security? [Subscribe here]

We would love to hear from you 📢 for a feature or topic request, or if you would like to sponsor an edition of Cloud Security Newsletter.

Thank you for continuing to subscribe, and welcome to the new members in this newsletter community 💙

Peace!

Was this forwarded to you? You can Sign up here, to join our growing readership.

Want to sponsor the next newsletter edition? Let's make it happen.

Have you joined our FREE Monthly Cloud Security Bootcamp yet?

Check out our sister podcast, AI Security Podcast.