Technology

The AI Employee You Didn't Hire Is Running On The Data You Never Secured

Vishal Chawla July 7, 2026

The AI Employee You Didn't Hire Is Running On The Data You Never Secured

An executive perspective on the unmonitored layer in wealth management and family office cybersecurity.

The following article comes from Vishal Chawla is Founder and CEO of BluOcean Cyber, and a former Big 4 Cybersecurity National and Global Practice Leader at PwC, Deloitte, and Grant Thornton. He spoke at this publication’s family office forum on cybersecurity in Manhattan, held in June. (More about the author below.)

A few facts:

700+ organizations breached via one connected app (Salesforce Drift, August 2025); 80 per cent of risk surface sits in unmonitored SasS platforms (BlueOcean field analysis); three active client lawsuits against wealth management firms (Mercer, Hightower and EP Wealth).
 

My take
Here is what 30 years in financial services cybersecurity - including leading breach responses at Fortune 100 institutions and sitting in the room after the damage is done - has taught me: the firms that get breached are not the ones with bad security. They are the ones with security that stops at the wrong layer.

Your organization has invested in protecting its endpoints and its network. That investment is real and it matters. But your client data - estate documents, portfolio records, wire transfer workflows, investor PII - does not live on your network. It lives in Salesforce, Microsoft 365, Orion, Addepar, DocuSign. Applications on the public internet, accessible through a single credential, an OAuth token, a session that nobody is watching. You have invested in a bank-grade vault for your crown jewels. You have placed that vault in a room with no alarm, no CCTV, no monitoring, and a door that anyone with the right key can walk through - completely undetected.

The adversaries who target financial services know this. APT38 - the Lazarus Group, backed by the North Korean state - has stolen billions from financial institutions not by breaking through firewalls, but by targeting the application layer: OAuth hijacking, SaaS platform abuse, API token theft. FIN7 and Scattered Spider operate the same playbook. They do not want your laptop. They want what is in Salesforce. They want your deal flow data, your investor records, your wire transfer credentials. These are not opportunistic criminals running generic attacks. They are specialists who have learned that the SaaS application layer in financial services is where firms are most exposed and least defended.

The second gap is connectivity. Your business applications do not sit in isolation. Salesforce connects to DocuSign connects to Box connects to your email system connects to your AI tools. Data flows across this ecosystem continuously and largely invisibly. An OAuth token compromised in one application is a key to others. A misconfigured permission in one platform exposes data across the chain. Most firms have no complete map of this connectivity and no alert when something unexpected traverses it.

The third gap is the one that concerns me most: visibility. If someone logged into your Salesforce environment right now with a stolen credential and downloaded one million client records, would you know? Not in six months when a regulator asks. Right now, tonight, while it is happening. In most wealth management firms, the honest answer is no. There are no real-time alerts. In many cases there are no logs. You would not know if it was a valid access or an intrusion. You would not know what was taken or when. You would find out from a press release - or from a letter from a plaintiff's attorney.

That is not a security programme. That is the appearance of one.

The debrief
I led the breach response for a Fortune 100 financial institution. The entry point was not a sophisticated perimeter attack. It was a misconfigured cloud environment — an identity with access to cloud-stored data that nobody had audited, sitting exposed, with no monitoring layer to detect the intrusion. The network was secure. Nobody was watching the floor above it.

In August 2025, attackers compromised Drift - an AI chatbot owned by Salesloft, integrated with Salesforce across thousands of organizations. They did not attack a single firm directly. They stole the OAuth tokens Drift used to authenticate into customer Salesforce environments and used them to walk through the front door of over 700 organizations simultaneously.

TD Bank. Virgin Money. Allianz Life. TransUnion. Farmers Insurance
Contact records, account data, support cases, pipelines - exfiltrated. Credentials embedded in support cases - API keys, plaintext passwords - used to reach further into connected systems. FINRA issued a cybersecurity alert. Not one of those organisations was directly attacked. Everyone had granted Drift an identity inside their Salesforce environment, and nobody was watching what that identity could access.

This is the architecture of the modern breach in financial services: find an identity with access, use it, stay quiet. A real credential - stolen, phished, or never deactivated after an employee left - logs in as a valid user. There is no malware. No alert triggers. As far as your systems are concerned, John from finance is downloading records. By the time anyone notices, the data is gone. You cannot investigate what you did not log. You cannot stop what you cannot see.

Then consider what AI adds to this. Every workflow your firm has deployed - Copilot, Salesforce Einstein, any integrated automation - operates as an identity. It inherits the access of the credential provisioned to it and runs continuously across every connected system. It does not badge in. It does not appear in a log anyone is reviewing. In an unmonitored environment, AI tools quietly traverse client estate documents, portfolio positions, and private correspondence - feeding data into outputs your compliance team never reviewed, and your clients never anticipated. The exposure is not always hostile. It is often your own tools doing exactly what they were built to do, with access nobody constrained and no one watching where it flows.

Your clients have entrusted you with their most private financial information, in many cases across generations. That fiduciary responsibility extends to every identity - human and machine - that touches their data. When something goes wrong at this layer, the call comes to you.

Clients will not distinguish between a hostile intrusion and a misconfiguration. Both are a failure of stewardship, and in this industry, that conversation is not recoverable.

The close
Mercer. Hightower. EP Wealth. The suits against these firms were not filed by regulators. They were filed by clients - the same clients who entrusted them with generational wealth and private financial records. The argument is simple and devastating: you held my most sensitive data, you told me it was safe, and no one was watching. That case does not require a sophisticated legal theory. It requires a client who is angry enough to make the call. That call is coming for every firm in this industry. The only variable is whether you have the answer ready before it arrives.

Monitoring identity and activity at the business application layer - knowing which accounts are active, which integrations have access, what your AI tools are doing - is achievable today. The firms that build this capability now will answer that call confidently.

Ask your technology lead or CISO one question: can you confirm that our business applications - Salesforce, Microsoft 365, our portfolio systems - are being actively monitored for unauthorised access right now?

If the answer is immediate and specific - here is how, here is who reviews it, here is what triggers an alert - you are ahead of most firms in this industry.

If the answer takes time, or arrives with qualifications, you are in the same position as the 700 organizations that learned about the Drift breach from a press release.

About the author
Vishal Chawla founded BluOcean after three decades advising and defending financial institutions - from Capital One and Citi to Freddie Mac and Legg Mason - and leading breach responses that taught him one consistent lesson: the most damaging attacks exploit the gaps nobody is watching. He previously led national cybersecurity practices at PwC, Deloitte, and Grant Thornton, and has presented at Black Hat, ISC2 Congress, ISACA National, and the Wall Street Journal. Today he works exclusively on the security of wealth management and financial services firms.

About BluOcean
BluOcean stops breaches at wealth management firms, family offices, hedge funds, FinTech companies, and private equity firms. It specializes in securing AI chatbots (Claude, ChatGPT and others), AI workflows (MCP agents), and the business application layer in the cloud - Salesforce, Microsoft 365, Addepar, Archway, Allvue, Box, and many more - where client data actually lives. 

Register for FamilyWealthReport today

Gain access to regular and exclusive research on the global wealth management sector along with the opportunity to attend industry events such as exclusive invites to Breakfast Briefings and Summits in the major wealth management centres and industry leading awards programmes