Safeguarding Data in AI Deployments for the Private Capital Markets

By: Frank Vesce

Head of Information Security • Legal & Technology Risk Department

October 9, 2025

Incorporating AI tools into private capital market operations can streamline processes, improve analytics, and enhance investor communications. However, critical concerns remain over sensitive customer data, particularly when choosing third-party AI providers. In The Pragmatic CISO, I highlight essential considerations and controls required to securely manage third-party relationships and safeguard sensitive information.

When evaluating AI vendors, private capital market firms must rigorously apply Third-Party Risk Management (TPRM) practices, assessing providers on operational transparency, governance, and adherence to data protection standards. Essential questions include whether vendors train their AI models on customer data and how they handle data encryption.

The recent Base44 vulnerability, discovered by Wiz Research, demonstrates how exposed API endpoints can become a critical attack vector. Two unauthenticated APIs allowed attackers to bypass Single Sign-On (SSO) and create verified accounts on any app built with the platform by exploiting publicly available app id values from manifest files, potentially granting unauthorized access across environments. Although Wix, Base44’s parent company, patched the flaw within 24 hours and it was not exploited in the wild, the incident highlights the need for firms to continuously monitor authentication activity, perform API discovery, and assess third-party platforms to detect and remediate similar risks before they can be leveraged by attackers

Implementing strict Identity Access Management (IAM) and Privileged Access Management (PAM) controls ensures that only authorized individuals and systems access sensitive information. Firms should mandate Multi-Factor Authentication (MFA) to bolster security further, preventing unauthorized data access through compromised credentials.

Data encryption using robust standards like AES-256 for data at rest and TLS for data in transit offers additional layers of protection against data leaks and breaches. CISOs in private capital markets should verify that their chosen AI providers enforce these encryption standards across all customer data interactions.

Ultimately, selecting AI partners with transparent, secure practices and enforcing stringent security controls will enable private capital market firms to leverage AI capabilities confidently and responsibly, maintaining investor trust and regulatory compliance.

Ready to streamline workflows, and unlock greater efficiency with secure AI solutions? Allvue Fund Accounting and Investment Accounting customers can download our agentic AI solution Andi for free here: