Safeguarding Data in AI Deployments for the Private Capital Markets

By: Frank Vesce

Chief Information Security Officer • Legal & Technology Risk Department
October 9, 2025

Incorporating AI tools into private capital market operations can streamline processes, improve analytics, and enhance investor communications. However, critical concerns remain over sensitive customer data, particularly when choosing third-party AI providers. In The Pragmatic CISO, I highlight essential considerations and controls required to securely manage third-party relationships and safeguard sensitive information. 

When evaluating AI vendors, private capital market firms must rigorously apply Third-Party Risk Management (TPRM) practices, assessing providers on operational transparency, governance, and adherence to data protection standards. Essential questions include whether vendors train their AI models on customer data and how they handle data encryption. 

The recent Base44 vulnerability, discovered by Wiz Research, demonstrates how exposed API endpoints can become a critical attack vector. Two unauthenticated APIs allowed attackers to bypass Single Sign-On (SSO) and create verified accounts on any app built with the platform by exploiting publicly available app ID values from manifest files, potentially granting unauthorized access across environments. Although Wix, Base44's parent company, patched the flaw within 24 hours and it was not exploited in the wild, the incident highlights the need for firms to continuously monitor authentication activity, perform API discovery, and assess third-party platforms so that similar risks are detected and remediated before attackers can leverage them.
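One way to turn the "monitor authentication activity" advice into a concrete check: the Python below flags account verifications for which no SSO assertion for the same app and user arrived shortly beforehand, which is the pattern an SSO bypass of the kind described above would leave in an audit log. This is an added example, not code from the original post or from Base44 or Wix; the log field names, the event names and the five-minute window are assumptions.

```python
"""Flag account verifications that no SSO assertion precedes.

Constructed example, not code from the original post or from Base44/Wix.
The event schema (timestamp, event=, app_id=, user=) is assumed; adapt
parse_events() to the real audit-log format of the platform in use.
"""
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample audit events: alice signs up behind SSO as expected,
# mallory's account is created and verified with no SSO assertion at all.
SAMPLE_LOG = """\
2025-10-01T09:00:00Z event=sso_assertion app_id=app-123 user=alice
2025-10-01T09:00:04Z event=account_created app_id=app-123 user=alice
2025-10-01T09:00:05Z event=account_verified app_id=app-123 user=alice
2025-10-01T09:30:00Z event=account_created app_id=app-123 user=mallory
2025-10-01T09:30:01Z event=account_verified app_id=app-123 user=mallory
"""

# Assumed policy: an SSO assertion must precede verification within this window.
SSO_WINDOW = timedelta(minutes=5)


def parse_events(text: str) -> List[Dict[str, object]]:
    """Parse 'timestamp key=value ...' lines into dicts with a datetime 'ts'."""
    events: List[Dict[str, object]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        rec: Dict[str, object] = dict(f.split("=", 1) for f in fields)
        rec["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append(rec)
    return events


def find_sso_bypass(events: List[Dict[str, object]]) -> List[Tuple[str, str]]:
    """Return (app_id, user) pairs verified without a recent SSO assertion."""
    last_sso: Dict[Tuple[str, str], datetime] = {}
    suspicious: List[Tuple[str, str]] = []
    for e in sorted(events, key=lambda r: r["ts"]):
        key = (str(e["app_id"]), str(e["user"]))
        if e["event"] == "sso_assertion":
            last_sso[key] = e["ts"]  # remember the most recent SSO login
        elif e["event"] == "account_verified":
            sso_ts = last_sso.get(key)
            if sso_ts is None or e["ts"] - sso_ts > SSO_WINDOW:
                suspicious.append(key)
    return suspicious
```

Run over the constructed log, only mallory's account is reported; in production the same logic would be fed from the platform's audit export and the hits routed to the SOC as SSO-bypass candidates.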

Implementing strict Identity and Access Management (IAM) and Privileged Access Management (PAM) controls ensures that only authorized individuals and systems access sensitive information. Firms should mandate Multi-Factor Authentication (MFA) to bolster security further, preventing unauthorized data access through compromised credentials.

Data encryption using robust standards like AES-256 for data at rest and TLS for data in transit offers additional layers of protection against data leaks and breaches. CISOs in private capital markets should verify that their chosen AI providers enforce these encryption standards across all customer data interactions. 

Ultimately, selecting AI partners with transparent, secure practices and enforcing stringent security controls will enable private capital market firms to leverage AI capabilities confidently and responsibly, maintaining investor trust and regulatory compliance. 

Ready to streamline workflows and unlock greater efficiency with secure AI solutions? Allvue Fund Accounting and Investment Accounting customers can download our agentic AI solution Andi for free here:

Andi for Credit Front Office Suite:  

Andi for Equity and Fund Administration:  

More About The Author

Frank Vesce

Chief Information Security Officer • Legal & Technology Risk Department

Frank Vesce is a veteran cybersecurity leader with over 25 years of experience driving value across the financial, insurance, and tech-startup sectors including helping to scale a firm from funding through IPO. Currently the CISO at Allvue Systems, Frank previously spent a combined 20 years at Goldman Sachs in senior global leadership roles. An authoritative voice in the field, Frank is the author of The Pragmatic CISO, a guide designed to help businesses of all sizes navigate complex security landscapes and eliminate technology bloat. He serves as a Cybersecurity Advisor to the U.S. Coast Guard (NY/NJ), holds a Government Clearance, and has presented at Harvard, MIT, the FBI, and the NY Counter Terrorism Bureau. Beyond technology, Frank is a dedicated advocate for foster care and non-profits like Year-Up, having testified before Congress on the power of private-sector partnerships with organizations like Casey Foster Care. 
