I’ve been in bad relationships. You probably have, too. You ignore the warning signs because the person looks good on paper—smart, successful, says all the right things. But then you move in, and the cracks show fast.
Dirty dishes pile up. The bathroom situation gets dire. And you realize: this is unsustainable.
That’s what it feels like working with AI vendors who have bad security hygiene. And unfortunately, there’s a lot of them.
What Does “Bad Hygiene” Actually Mean in AI?
Let me get specific.
I recently inspected a vendor that powers customer-facing chatbots for major retail brands. And by “inspected,” I mean that I right-clicked on the website, opened DevTools, and immediately found plaintext API keys, encryption credentials, and access to proprietary model payloads.
No code obfuscation. No protection. No gatekeeping.
It was all just… there. Public. In production.
With those credentials, I could’ve copied their source code, pointed it at their customers’ systems, and had full access to proprietary pricing algorithms, customer data, the works. I could’ve flooded the system with thousands of prompts, melted their infrastructure, and racked up a $5 million cloud bill by lunch.
And this wasn’t just one vendor. I found the same thing across multiple deployments. It’s standard.
Why Are Enterprises Still Saying “Yes”?
Because the packaging looks clean.
These vendors speak well on stage. Their founders have polished resumes. Their pitch decks are slick. So we assume: if it looks that good, it must be safe.
But open the hood, and it’s a different story.
I’ve seen platforms used by Fortune 500s that wouldn’t pass a basic high school security audit. No access controls (aka “locks on the doors”). No model isolation (aka “separate rooms for different clients”). No runtime monitoring (aka “watching what’s happening in real-time”). It’s like someone sprayed cologne over a month of dirty laundry and called it enterprise-ready.
And I get it…CIOs are under pressure. Everyone’s being told to “do something with AI.” But in any other domain, this level of hygiene wouldn’t make it past procurement. AI just gets a pass it hasn’t earned.
The Lie Everyone’s Buying: “We’re SOC 2 Compliant”
Every vendor throws this one out. SOC 2. HIPAA. GDPR. All the acronyms.
Here’s what that really means: They passed an audit. Once.
Audits are snapshots. AI Hygiene is behavior. One doesn’t guarantee the other.
You can be “compliant” and still push source code with live API keys to production (similar to publishing your passcodes and security credentials on a live website)! You can be “secure” on paper and leave your customers wide open to attacks that steal data, manipulate the AI, or expose customer information.
If your idea of security is a badge in the pitch deck, you’re already compromised.
If You’re About to Sign a Contract, Ask These First
I don’t care how many case studies they send you. Before you go live with any AI platform, especially one that touches your customers, here’s your 3-question test:
- Can I open a browser, inspect the code, and see something I shouldn’t?
If yes, walk away.
- What happens if someone tries to flood this with prompts or spam?
If they don’t have rate limits or abuse controls, you’ll find out the hard way.
- How do you handle personal or sensitive data in the model?
If the answer is “we’re GDPR-compliant,” that’s not an answer. Ask what gets retained, redacted, stored, and by whom.
If they can’t answer clearly, they don’t deserve your trust. Full stop.
Relationships, AI, and the Mess We Make
I got engaged recently. And yeah, I’ve had my share of relationships where I ignored red flags because I liked the person’s potential. I told myself: they’ll figure it out. It’ll get better once we’re committed.
It never did.
When I met the right person, I realized the difference. She’s consistent. She shows up the same way with friends, family, and strangers. There’s no guessing. No switch-up once the papers are signed.
That’s what good hygiene looks like.
AI vendors should be held to the same standard. Consistency. Transparency. A willingness to be inspected without falling apart. Because once you bring them into your stack, into your workflows, into your customer-facing product, it’s too late to realize they’re not who they appeared to be.
