
3VRM: Cyber Briefing

Read on below for Edition 4 of 3VRM’s cyber briefing newsletter.

In Through the Side Door

Identity, developers and AI supply chains

Welcome back to The Cyber Briefing!

Well, it’s been an interesting fortnight, and the pattern we’re seeing is pretty hard to ignore. The cyber stories making the headlines aren’t really about firewalls or networks being breached anymore, but more about something slipping in where you least expect it. A developer login here. An AI integration there. A supplier somewhere in the chain you’d half-forgotten about.

The front doors are – for the most part – well guarded. It’s those pesky side doors people aren’t watching…

What’s striking about this fortnight is how consistent the through-line is. Every story we’re flagging involves cyber risk arriving via a route that traditional TPRM programmes weren’t built to see. Identity rather than infrastructure. Outputs rather than systems. Spillover rather than direct targeting.

It’s a shift in where the risk lives – and where TPRM needs to start looking.

So, let’s get into it:

01 / A single developer account can expose an entire SaaS supply chain

Vercel compromise, April 2026

A recent SaaS breach showed how one compromised privileged developer account can quickly cascade across multiple customers. The issue wasn’t an infrastructure failure. It was access misuse, compounded by personal and non-approved tools on a work device blurring security boundaries.

Once inside, the attackers moved quickly, demonstrating how modern SaaS environments amplify the impact of individual control failures.

“One supplier incident can rapidly become your incident.”

Why this matters for TPRM:

· One supplier incident can rapidly become your incident

· CI/CD pipelines and developer tooling are now part of the third-party attack surface

· Developers should be treated as privileged or high-risk users, with appropriate controls

· Stronger assurance is needed around supplier access management, endpoint controls and acceptable-use practices

TPRM practitioner lens: This reinforces the need for supplier due diligence that goes beyond policies, focusing on how access is actually governed in high-risk supplier roles.

02 / AI suppliers introduce new integrity risks into the third-party ecosystem

AI tools increasingly rely on models, data sources and components that customers didn’t build, and often can’t fully see. Without transparency, the risk isn’t system outages, but decisions being made on data or models you didn’t knowingly accept.

AI “Bills of Materials” (AI-BOMs) have emerged as a way to surface hidden dependencies, such as which models are used, where data comes from, and how systems are trained and updated.
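To make the idea concrete, here is an added example (not 3VRM’s code, and not any vendor’s real inventory) of the kind of check a TPRM reviewer could run over an AI-BOM once a supplier provides one. The inventory below is constructed; it loosely follows the CycloneDX component layout (component types such as “machine-learning-model” and “data”), but the supplier names, model names and property keys are assumptions for illustration. The two functions answer the two questions the paragraph raises: which fourth parties sit behind the AI supplier, and which components you cannot actually trace.

```python
import json

# Constructed sample AI-BOM. The layout loosely follows CycloneDX, but every
# supplier, model and property name here is made up for this example.
SAMPLE_AI_BOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {
        "component": {
            "type": "application",
            "name": "claims-triage-assistant",
            "supplier": {"name": "ExampleAI Ltd"},   # the third party you contract with
        }
    },
    "components": [
        {   # fully documented model: supplier and provenance both recorded
            "type": "machine-learning-model", "name": "triage-llm", "version": "2.3",
            "supplier": {"name": "ModelVendor Inc"},
            "properties": [
                {"name": "training-data-origin", "value": "public-web-crawl"},
                {"name": "last-retrained", "value": "2026-02-01"},
            ],
        },
        {   # in-house dataset: supplier is the AI vendor itself, so not a fourth party
            "type": "data", "name": "claims-history-2024",
            "supplier": {"name": "ExampleAI Ltd"},
        },
        {   # fourth-party model with no record of where its training data came from
            "type": "machine-learning-model", "name": "fraud-scorer", "version": "1.0",
            "supplier": {"name": "ScoreCo"},
            "properties": [{"name": "last-retrained", "value": "2025-11-15"}],
        },
        {   # component with no supplier named at all
            "type": "library", "name": "embedding-service", "version": "0.9",
        },
    ],
})

# Assumed property keys a reviewer expects on every model entry (not a standard).
REQUIRED_MODEL_PROPERTIES = ("training-data-origin", "last-retrained")


def load_ai_bom(text):
    """Parse an AI-BOM document from its JSON text."""
    return json.loads(text)


def fourth_party_suppliers(bom):
    """Return the sorted set of suppliers named on components, excluding the
    AI supplier itself. These are the hidden fourth parties in the chain."""
    primary = bom["metadata"]["component"].get("supplier", {}).get("name")
    found = set()
    for comp in bom.get("components", []):
        name = comp.get("supplier", {}).get("name")
        if name and name != primary:
            found.add(name)
    return sorted(found)


def provenance_gaps(bom):
    """Return (component, reason) pairs for anything a reviewer cannot trace:
    a component with no supplier, or a model missing a required property."""
    gaps = []
    for comp in bom.get("components", []):
        if not comp.get("supplier", {}).get("name"):
            gaps.append((comp["name"], "no supplier recorded"))
        if comp.get("type") == "machine-learning-model":
            props = {p["name"]: p["value"] for p in comp.get("properties", [])}
            for key in REQUIRED_MODEL_PROPERTIES:
                if key not in props:
                    gaps.append((comp["name"], f"missing {key}"))
    return gaps


if __name__ == "__main__":
    bom = load_ai_bom(SAMPLE_AI_BOM)
    print("Fourth parties:", fourth_party_suppliers(bom))
    for component, reason in provenance_gaps(bom):
        print(f"Gap: {component}: {reason}")
```

Run against the constructed inventory, the script surfaces two fourth parties the contract with ExampleAI Ltd never mentions, and flags one model whose training data is unaccounted for plus one component with no supplier at all. Those gaps are the questions to put back to the supplier; the check is only as good as the completeness of the BOM they hand over.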

“The risk isn’t system outages. It’s decisions being made on data or models you didn’t knowingly accept.”

Why this matters for TPRM:

· AI-BOMs help expose hidden third and fourth-party dependencies

· Integrity risk shifts focus from patching systems to trusting outputs and decisions

· Regulators increasingly expect documented AI supply chains: EU AI Act (traceability and risk management); DORA (Articles 28 and 30, ICT supplier and subcontractor risk); NIS2 (Article 21, supply-chain security and SDLC oversight)

TPRM practitioner lens: Existing third-party processes aren’t yet designed for AI risk at scale, creating a clear opportunity to strengthen AI supplier assurance as regulatory pressures increase.

03 / State-linked cyber activity continues, but impact is indirect

Geopolitical tensions remain a feature of the threat landscape, with state-linked and proxy cyber activity continuing globally. For most organisations, the impact is less about direct targeting and more about spillover risk through global suppliers.

“The impact is less about direct targeting and more about spillover through global suppliers.”

Why this matters for TPRM:

· Heightens the importance of understanding where suppliers operate and who they rely on

· Reinforces the value of risk-based supplier segmentation, not blanket threat modelling

· Supports proactive monitoring of suppliers with geopolitical exposure

What does all this mean for organisations RIGHT NOW?

Across identity, developers and AI, the message is consistent: cyber risk increasingly sits with suppliers, and with access, not infrastructure.

For leaders, this isn’t about deeper technical controls. It’s about:

· Knowing which suppliers matter most

· Understanding how access is actually managed

· Ensuring emerging technologies like AI are governed before regulators enforce it for you. Let’s not wait for the headlines…

That’s all for now folks, until next time…

If there’s one thing to take from this edition, it’s that the perimeter mindset is showing its age. The questions that matter now are about who has access to what, where your dependencies actually sit, and whether your assurance processes can keep up with how quickly the supplier ecosystem is shifting.

We’ll be back in a fortnight with the next set of stories on our radar. Until then, take a look across your supplier base – and maybe ask whether your TPRM programme is still standing guard at the front door, while the side gate’s been left swinging.

The Cyber Briefing is compiled by 3VRM’s cyber practice.
