One Breach Could Cripple Wall Street—JPMorgan’s CISO Just Torched SaaS & AI Vendors in a Scathing Open Letter 🔥

Wall Street’s CISO Calls SaaS a “Quiet Time Bomb”—How to Defuse It Before AI Lights the Fuse

The security boss of the world’s largest bank just issued a rare public rebuke to the software industry. In an open letter to suppliers, JPMorgan Chase CISO Patrick Opet warns that today’s cloud-first, plug-and-play model is “quietly enabling cyber-attackers and weakening the global economic system.” (An Open Letter to Third-Party Suppliers - J.P. Morgan) He urges vendors to ship controls “built in or enabled by default,” not bolted on later. (An Open Letter to Third-Party Suppliers - J.P. Morgan) Coming from a firm that moves $10 trillion a day, the message lands like cold water on the boardroom table. Below is what Opet is worried about, the evidence that proves he’s right, and the fixes leaders can start today.

🔥 Five alarms JPMorgan just pulled

1. Domino risk: One breach at a major SaaS provider can hit thousands of downstream companies at once. Opet calls this the hidden “single point of failure.” (An Open Letter to Third-Party Suppliers - J.P. Morgan)

2. Speed over safety: Features ship fast; security “should be built in … by default” but too often isn’t. (An Open Letter to Third-Party Suppliers - J.P. Morgan)

3. Tokens become tunnels: OAuth keys and API tokens now replace old firewalls, giving intruders direct access to crown-jewel data when those keys are stolen. (Department of Commerce Announces New Guidance, Tools 270 ...)

4. AI pours gasoline: Explosive growth in AI and automation “amplifies and rapidly distributes” existing weaknesses; one hijacked agent moves at machine speed. (Department of Commerce Announces New Guidance, Tools 270 ...)

5. Annual audits are obsolete: Real assurance demands “continuous, demonstrable evidence” that controls work, not once-a-year PDFs. (Department of Commerce Announces New Guidance, Tools 270 ...)

Proof the threat is real

Regulators are already moving

Five fixes any board can mandate now

  1. See every connection: Inventory every SaaS and AI token that can touch sensitive data.

  2. Shrink the blast radius: Replace wide-open OAuth scopes with short-lived keys limited to one task.

  3. Add a safety switch: Use a real-time policy layer that can block risky calls in under 100 ms.

  4. Demand live proof: Ask vendors for API feeds that show block rates and control uptime, not marketing PDFs.

  5. Adopt zero-trust for APIs: Treat every integration as untrusted until it proves otherwise; Traceable’s blueprint is a practical starting point. (Secure by Design Pledge - CISA)
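To make the five fixes concrete, here is an added example (it is not from the article, from JPMorgan, or from any vendor) that walks through them in one small Python script: it inventories a constructed set of SaaS and AI integration tokens, flags wildcard scopes, long lifetimes, expired keys and write access to crown-jewel data (fixes 1 and 2), puts every call through an in-line policy gate that denies anything not explicitly granted and times each decision (fixes 3 and 5), and emits the block-rate and latency counters a live evidence feed would carry (fix 4). The scope naming (`resource:action`), the `SENSITIVE` resource list, the one-hour lifetime limit and all token records are assumptions made up for the example.

```python
"""Added example: token inventory plus an in-line policy gate for SaaS/AI
integrations. All tokens below are constructed sample data; scope names,
the sensitive-resource list and the lifetime limit are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import time

NOW = datetime(2025, 5, 1, tzinfo=timezone.utc)   # fixed clock so results are reproducible
SENSITIVE = {"customer_records", "payments", "model_weights"}  # assumed crown jewels
MAX_LIFETIME = timedelta(hours=1)                  # fix 2: keys should be short-lived


@dataclass
class Token:
    owner: str        # integration or AI agent holding the token
    scopes: set       # "resource:action" entries, or "*" for a wildcard grant
    expires: datetime


def blast_radius(token):
    """Fix 1: which sensitive resources this one token can reach."""
    if "*" in token.scopes:
        return set(SENSITIVE)
    return {s.split(":")[0] for s in token.scopes} & SENSITIVE


def inventory_findings(tokens):
    """Fixes 1-2: map owner -> reasons the token violates least privilege.
    Tokens with no findings are omitted."""
    findings = {}
    for t in tokens:
        reasons = []
        if "*" in t.scopes:
            reasons.append("wildcard scope")
        if t.expires <= NOW:
            reasons.append("expired, revoke it")
        elif t.expires - NOW > MAX_LIFETIME:
            reasons.append("lifetime exceeds 1h")
        writable = {s.split(":")[0] for s in t.scopes if s.endswith(":write")}
        for res in sorted(writable & SENSITIVE):
            reasons.append(f"write access to sensitive resource: {res}")
        if reasons:
            findings[t.owner] = reasons
    return findings


class PolicyGate:
    """Fix 3 + 5: allow a call only when its exact scope was granted; a
    wildcard token is tolerated outside the crown jewels but never on them.
    Counters supply the fix-4 evidence (block rate, worst decision latency)."""

    def __init__(self, tokens):
        self.tokens = {t.owner: t for t in tokens}
        self.allowed = 0
        self.blocked = 0
        self.worst_ms = 0.0

    def check(self, owner, resource, action):
        start = time.perf_counter()
        t = self.tokens.get(owner)
        if t is None or t.expires <= NOW:
            verdict = "deny: unknown or expired token"
        elif f"{resource}:{action}" in t.scopes:
            verdict = "allow"
        elif "*" in t.scopes and resource not in SENSITIVE:
            verdict = "allow"
        else:
            verdict = "deny: scope not granted for this resource/action"
        self.worst_ms = max(self.worst_ms, (time.perf_counter() - start) * 1000)
        if verdict == "allow":
            self.allowed += 1
        else:
            self.blocked += 1
        return verdict

    def evidence(self):
        """Fix 4: the numbers a vendor's live control feed should expose."""
        total = self.allowed + self.blocked
        return {"calls": total, "blocked": self.blocked,
                "block_rate": round(self.blocked / total, 3) if total else 0.0,
                "worst_decision_ms": round(self.worst_ms, 3)}


# Constructed inventory: four integrations, none real.
SAMPLE_TOKENS = [
    Token("crm-sync", {"customer_records:read"}, NOW + timedelta(minutes=30)),
    Token("legacy-bi", {"*"}, NOW + timedelta(days=365)),           # wildcard, year-long
    Token("billing-agent", {"payments:read", "payments:write"}, NOW + timedelta(days=7)),
    Token("old-webhook", {"payments:read"}, NOW - timedelta(days=1)),  # already expired
]

if __name__ == "__main__":
    for owner, reasons in inventory_findings(SAMPLE_TOKENS).items():
        print(f"{owner}: {'; '.join(reasons)}")
    gate = PolicyGate(SAMPLE_TOKENS)
    for call in [("crm-sync", "customer_records", "read"),
                 ("legacy-bi", "customer_records", "read"),
                 ("legacy-bi", "public_docs", "read"),
                 ("unknown-bot", "payments", "read")]:
        print(call, "->", gate.check(*call))
    print(gate.evidence())
```

The gate's refusal to honour a wildcard grant on a sensitive resource is the zero-trust point of fix 5 in code: a broad token is not proof of authorisation, so the integration must carry the exact `resource:action` scope before it touches crown-jewel data.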

Perspective from the trenches

“When the biggest bank on earth has to beg its vendors for basic security, that’s a flashing red light for every industry,” says Mike May, CEO & CISO of Mountain Theory. “Trust can’t be a checkbox, it has to live in every API call, every token, every prompt.”

Board-room checklist

  • Do we know every SaaS key that can reach customer data?

  • Could a single compromised integration read or change that data?

  • How fast would we spot an AI agent gone rogue?

  • Are we still betting on annual compliance reports?

Bottom line

We’re erecting AI skyscrapers on digital quicksand. Opet’s letter is the structural-integrity report. Fix the foundation: visibility, least-privilege tokens, instant brakes, and live evidence. Or brace for the collapse.

Mike May leads model-layer security research at Mountain Theory. Views are his own.
