An open letter from JP Morgan CIO Pat Opet has warned that, when it comes to AI procurement, security vulnerabilities are growing faster than companies can contain them. The letter, which outlines new requirements for software as a service (SaaS) delivery models at the finance giant, represents a very real speed bump in an enterprise landscape where the attitude to generative AI procurement has, so far, been “more, more, more.”
“At JPMorganChase, we’ve seen the warning signs firsthand,” writes Opet, who notes that, since 2022, JP Morgan’s third-party providers have “experienced a number of incidents within their environments.”
A “critical juncture”
Global spending on generative AI will likely reach $644 billion in 2025, a 76.4% increase over 2024, according to Gartner’s latest forecast. However, according to Opet’s letter, the relentless drive to launch new generative AI products and procure new tools is leaving security on the back burner.
“We stand at a critical juncture,” he writes. “Providers must urgently reprioritise security, placing it equal to or above launching new products.” Opet calls for large enterprises in the financial sector and beyond to “reject these integration models without better solutions,” demanding “continuous, demonstrable evidence that controls are working effectively, not simply relying on annual compliance checks.”
Customers, he argues, should have the right to products that are secure by default, transparent about the risks involved, and safe to operate. At a time when AI products are being pushed constantly and forcefully as the solution to any and all enterprise problems, Opet’s letter offers a skeptical counterpoint.
Security on the back burner puts the ecosystem at risk
Opet recognises that intense market competition among software vendors has pushed them to prioritise quick rollouts of new features over security. That pressure, he argues, “often results in rushed product releases without comprehensive security built in or enabled by default,” which makes it all the easier for hackers to find and exploit weaknesses.
What’s more, hackers are well aware that supplier ecosystems are more deeply intertwined than ever. “Most critically, SaaS models are fundamentally reshaping how companies integrate services and data—a subtle yet profound shift eroding decades of carefully architected security boundaries,” notes Opet. Whereas, under the traditional model, security teams enforced strict segmentation between a firm’s trusted internal resources and untrusted external interactions, “modern integration patterns … dismantle these essential boundaries.”
Compromising a single SaaS provider can mean gaining access to a whole ecosystem comprising hundreds, if not thousands, of organisations. And the problem is getting worse, not better.
Opet warns: “Critically, the explosive growth of new value-bearing services in data management, automation, artificial intelligence, and AI agents amplifies and rapidly distributes these risks, bringing them directly to the forefront of every organisation.”