By: Frank Vesce
Chief Information Security Officer • Legal & Technology Risk Department
October 9, 2025
Incorporating AI tools into private capital market operations can streamline processes, improve analytics, and enhance investor communications. However, critical concerns remain over sensitive customer data, particularly when choosing third-party AI providers. In The Pragmatic CISO, I highlight essential considerations and controls required to securely manage third-party relationships and safeguard sensitive information.
When evaluating AI vendors, private capital market firms must rigorously apply Third-Party Risk Management (TPRM) practices, assessing providers on operational transparency, governance, and adherence to data protection standards. Essential questions include whether vendors train their AI models on customer data and how they handle data encryption.
The recent Base44 vulnerability, discovered by Wiz Research, demonstrates how exposed API endpoints can become a critical attack vector. Two unauthenticated APIs allowed attackers to bypass Single Sign-On (SSO) and create verified accounts on any app built with the platform by exploiting publicly available app id values from manifest files, potentially granting unauthorized access across environments. Although Wix, Base44’s parent company, patched the flaw within 24 hours and it was not exploited in the wild, the incident highlights the need for firms to continuously monitor authentication activity, perform API discovery, and assess third-party platforms to detect and remediate similar risks before they can be leveraged by attackers
Implementing strict Identity Access Management (IAM) and Privileged Access Management (PAM) controls ensures that only authorized individuals and systems access sensitive information. Firms should mandate Multi-Factor Authentication (MFA) to bolster security further, preventing unauthorized data access through compromised credentials.
Data encryption using robust standards like AES-256 for data at rest and TLS for data in transit offers additional layers of protection against data leaks and breaches. CISOs in private capital markets should verify that their chosen AI providers enforce these encryption standards across all customer data interactions.
Ultimately, selecting AI partners with transparent, secure practices and enforcing stringent security controls will enable private capital market firms to leverage AI capabilities confidently and responsibly, maintaining investor trust and regulatory compliance.
Ready to streamline workflows, and unlock greater efficiency with secure AI solutions? Allvue Fund Accounting and Investment Accounting customers can download our agentic AI solution Andi for free here:
Andi for Credit Front Office Suite:
Andi for Equity and Fund Administration:
More About The Author
Frank Vesce
Chief Information Security Officer • Legal & Technology Risk Department
Frank has over 25 years of technology experience across several sectors including Financial, Insurance, and a Technology start-up from funding through IPO. Frank has a global perspective on driving growth and value creation. Prior to joining Allvue Systems as their CISO, Frank spent a combined 20 years at Goldman Sachs holding several senior global positions.
Frank is a Cyber Security Advisor to the Captain of the New York/ New Jersey Coast Guard and holds a Government Clearance. Frank has presented Cyber Security and Technology Risk at several Universities including Harvard, MIT, and NJ Institute of Technology. He has also presented at a few closed-door sessions at the NY Counter Terrorism Bureau and the FBI.
On a personal note, Frank is an advocate for Foster Care and other non-profits such as Year-Up. Representing Goldman Sachs, and on behalf of Casey Foster Care, Frank was asked to testify before Congress on the benefits of private sector firms working with non-profits such as Casey.
