
AI vendor risk becomes a immediate business problem the moment a tool provider tells you they will not fix a security flaw in software you depend on every day. For SMBs adopting generative AI tools, customer relationship management platforms, or productivity software, this is not a theoretical concern. It happens regularly, and when it does, you are left holding the liability.
Independent security researchers routinely discover vulnerabilities in popular business software. They report the flaws to vendors following responsible disclosure practices. And sometimes, the vendor response is a blunt refusal: “won’t fix.” That two-word answer transfers all the risk from the vendor’s balance sheet to yours.
What does AI vendor risk mean for your business operations?
When you adopt an AI tool to draft client proposals, analyze financial data, or automate customer service, you create a dependency. That tool touches sensitive information: client lists, pricing strategies, health records, proprietary processes. If the tool contains a known security vulnerability and the vendor refuses to patch it, you face a decision tree with no good branches.
You can continue using the tool and accept the exposure. You can try to mitigate the flaw with network controls or access restrictions, adding cost and complexity. Or you can rip out the tool and find a replacement, disrupting operations and losing the productivity gains that justified the adoption in the first place.
None of these options appear in the vendor’s glossy sales deck. But one of them will land on your desk when a researcher publishes a proof-of-concept exploit and your vendor’s support ticket closes with “working as designed.”
The business consequences are concrete. If the vulnerability enables unauthorized access to customer data, you face breach notification requirements under laws in all 50 states. If you serve healthcare clients, a HIPAA (Health Insurance Portability and Accountability Act) violation investigation may follow. Financial services firms operating under the Gramm-Leach-Bliley Act or state regulations face similar exposure. And every client whose data you handle will ask the same question: why were you using software with a known, unfixed security flaw?
Why do vendors refuse to fix reported vulnerabilities?
The reasons vary, but the pattern is consistent. Some vendors classify the flaw as low severity, even when independent researchers disagree. Others claim the vulnerability requires user error to exploit, shifting blame to customers. Some cite architectural limitations, essentially admitting the software was not built with security as a foundational requirement. And some vendors simply calculate that the cost of engineering a fix exceeds the cost of losing a few customers.
For enterprise buyers with million-dollar contracts and legal teams, this calculus may shift. For a 50-person professional services firm or a 120-employee manufacturing company, you have no negotiating leverage. You accepted the vendor’s terms of service, which almost certainly disclaim liability for security flaws and limit damages to the amount you paid in the last 12 months.
This power imbalance makes pre-adoption evaluation your only protection. Once you have operationalized a tool, migrating away is expensive and disruptive. Prevention costs less than remediation.
How can SMBs evaluate AI vendor risk before adoption?
Start with public vulnerability databases. The Common Vulnerabilities and Exposures (CVE) system, maintained by MITRE, catalogs disclosed flaws. Search for the vendor name and product. If you find entries marked “disputed” or “won’t fix,” that is a red flag. It tells you the vendor has a history of refusing to address reported issues.
Review the vendor’s security page and look for evidence of a coordinated disclosure program. Reputable vendors publish a security contact, response timeline commitments, and a track record of patching. If the vendor has no public security policy or has not issued a security update in over a year, proceed with caution.
Ask specific questions before signing. Request a copy of their vulnerability management policy. Ask how quickly they commit to patching critical and high-severity flaws. Request references from customers in regulated industries. If the vendor cannot or will not answer these questions, you have learned something important about how they will treat you when a flaw surfaces.
Contract language matters, even in adhesion agreements. Some vendors will negotiate a side letter for business customers. Specify that the vendor must notify you of any reported vulnerabilities within a defined timeframe. Require a committed patch timeline for high and critical flaws. Include termination rights if the vendor refuses to remediate a flaw that creates regulatory or client contract risk. These clauses will not prevent vulnerabilities, but they give you options when one appears.
What should you do when a vendor refuses to fix a flaw?
First, document everything. Save the vulnerability report, the vendor’s response, and your internal assessment of the business risk. If you later face a regulatory investigation or a client lawsuit, this documentation demonstrates you acted on available information.
Second, assess whether you can mitigate the flaw through configuration, access controls, or network segmentation. This is not ideal, but it may buy time while you evaluate alternatives. Consult with someone who understands both the technical vulnerability and your regulatory obligations. A generic “we’ll monitor it” response does not satisfy due diligence requirements under most compliance frameworks.
Third, begin evaluating replacement tools immediately. Do not wait until the vulnerability is actively exploited. The time to find a lifeboat is before the ship takes on water. Identify two or three alternatives, test them with a subset of users, and understand the migration path. This preparation gives you the ability to move quickly if the risk escalates.
Fourth, notify affected stakeholders if the vulnerability creates a material risk. If you process client data under a contract that requires specific security controls, and a vendor’s refusal to patch undermines those controls, your client needs to know. Delayed disclosure compounds the trust damage when the issue eventually surfaces.
How does this apply to generative AI tools specifically?
Generative AI platforms introduce additional dimensions of AI vendor risk. These tools often process unstructured data: emails, meeting transcripts, strategic plans, source code. A vulnerability that exposes this data can leak information you did not even realize the tool had captured.
Many generative AI vendors also use your input data to train or improve their models unless you specifically opt out. If a security flaw allows unauthorized access to the training pipeline, your proprietary information could end up in responses served to other users. Some vendors have already faced this exact scenario.
The rapid pace of AI feature releases creates more surface area for vulnerabilities. Vendors prioritize speed to market over security testing. Independent researchers have found prompt injection flaws, data exfiltration bugs, and access control failures in popular AI tools. When notified, some vendors have responded within days. Others have marked the reports “won’t fix” and closed the ticket.
For SMBs, this means your AI adoption policy must include vendor security criteria that match or exceed your standards for traditional software. If you would not accept an unfixed vulnerability in your accounting system, do not accept it in your AI writing assistant. The data is equally sensitive, and the regulatory standards are the same.
Can independent research help SMBs manage vendor risk?
Independent security researchers provide early warning. They discover vulnerabilities before widespread exploitation, giving organizations time to react. By monitoring researcher disclosures on platforms like GitHub Security Advisories, the Full Disclosure mailing list, or security researcher blogs, you can learn about flaws in your tools before your vendor mentions them.
This information asymmetry can work in your favor. If a researcher publishes a vulnerability and proof of concept, you can immediately ask your vendor for their remediation plan. If they respond with “won’t fix,” you know the risk is real and documented, and you can make an informed decision about continued use.
Some SMBs formalize this monitoring. They designate someone to subscribe to security feeds relevant to their technology stack, scan for mentions of their vendors, and escalate findings to leadership. This does not require a security operations center. It requires one person, 30 minutes a week, and a documented process for evaluating findings.
The alternative is learning about vulnerabilities from a breach notification letter or a regulatory inquiry. By then, your options have narrowed to damage control and customer apologies.
What policies protect SMBs from AI vendor risk?
An effective AI and software vendor policy starts with security requirements. Define minimum standards: vulnerability disclosure program, patch timeline commitments, security audit frequency, and incident notification obligations. Make these requirements part of your vendor evaluation scorecard. Tools that do not meet the standard do not get adopted, regardless of features or price.
Second, establish a regular vendor review cadence. Every quarter, review the vendors processing sensitive data. Check for new vulnerability disclosures. Verify they are still meeting contractual security obligations. Look for signs of financial instability or acquisition rumors that might affect support commitments. Vendors change, and a company that had strong security practices two years ago may have cut its security team after a private equity acquisition.
Third, maintain an exit plan for every critical vendor. Document what data lives in the system, how to export it, which business processes depend on it, and what replacement options exist. This exit plan is not a contingency for unlikely disasters. It is a forcing function that prevents you from becoming so dependent on a single vendor that you cannot afford to leave when they refuse to address a security issue.
Finally, train your team to recognize and report concerning vendor behavior. If a support ticket about a potential security issue gets closed without explanation, escalate it. If a vendor pressures you to accept a new terms-of-service agreement that expands their liability disclaimers, read it carefully before clicking agree. AI adoption security risks often arrive through small changes in vendor behavior that nobody noticed until after the breach.
Do you need outside help to manage vendor risk?
Most SMBs do not have in-house security expertise to evaluate vulnerability reports, assess mitigation options, or negotiate vendor security terms. This does not mean you cannot adopt AI tools safely. It means you need access to expertise when decisions carry regulatory or operational risk.
A fractional chief information security officer (CISO) or a security-focused MSP can provide vendor evaluation frameworks, review vulnerability reports, recommend mitigation strategies, and help you write contract language that protects your interests. This guidance costs far less than responding to a breach caused by a vendor’s unfixed vulnerability.
The return on investment appears in the tools you do not adopt, the vendors you exit before a vulnerability becomes a breach, and the client relationships you preserve by demonstrating consistent security diligence. You cannot eliminate AI vendor risk, but you can manage it to a level your business can sustain.
Frequently asked questions about AI vendor risk
What is AI vendor risk and why does it matter?
AI vendor risk is the security, operational, and compliance exposure created when third-party AI tool providers fail to maintain adequate security controls or refuse to fix known vulnerabilities. It matters because you remain liable for data breaches and regulatory violations even when the flaw exists in vendor software you do not control.
How can I tell if an AI vendor has a history of ignoring security issues?
Search the CVE database for the vendor name and product, review their security page for a coordinated disclosure program, check security researcher blogs for mentions, and ask the vendor directly for their vulnerability response policy and recent patch history. Absence of public security information is itself a warning sign.
What should I do if my current AI vendor refuses to fix a reported vulnerability?
Document the vulnerability and vendor response, assess whether you can mitigate through configuration or access controls, begin evaluating replacement tools immediately, notify clients or partners if required by contract or regulation, and consult with legal or compliance advisors about your ongoing liability exposure.
Are SMBs legally responsible for security flaws in vendor software?
Yes, in most cases. Data breach notification laws, industry regulations like HIPAA and GLBA, and client contracts typically hold you responsible for protecting data regardless of whether the vulnerability exists in your infrastructure or a vendor’s platform. Vendor terms of service generally disclaim their liability for security flaws.
How often should I review the security posture of my AI vendors?
Conduct formal vendor security reviews quarterly for any tool processing sensitive data. Monitor security disclosure channels continuously if possible, or at minimum monthly. Trigger an immediate review whenever you learn of a vulnerability report, vendor acquisition, significant service outage, or change in vendor terms of service.
Keep reading
Sources
Source: When a vendor says ‘Won’t Fix’: the case for independent security research