Vercel and Figma are the same story at different doors. One door says security. The other says governance.
Sunday's Vercel piece said a third-party AI OAuth grant had become an enterprise identity risk. Sunday's Figma piece said AI partners can become product competitors. Monday's frame is counterparty risk.
SpecterOps describes the Vercel incident as a lesson in identity attack paths, with third-party access sitting outside the places security teams usually watch. [1] VentureBeat's account makes the OAuth gap explicit: the problem was not only breach response but the inability to detect, scope, and contain delegated AI-tool access. [3]
TechCrunch reported that Anthropic CPO Mike Krieger left Figma's board after reports that Anthropic would offer a competing design product. [2] That is not a breach. It is the product-strategy version of the same mistake: treating an AI lab as a vendor when it may be a future adversary, platform, or acquirer.
Procurement used to ask whether the tool worked. Now it must ask what the tool can see, what it can become, and when partnership turns into leverage.
That is not paranoia. It is ordinary vendor diligence catching up to companies that can copy, compete, and authenticate all at once.
-- MAYA CALLOWAY, New York