JP Morgan’s Warning: Ignoring Security Could End Your SaaS Startup
The AI-driven SaaS boom, powered by code generation, agentic workflows and rapid orchestration layers, is producing 5-person teams with £10M+ in ARR. This breakneck scale and productivity is impressive, but it’s also hiding a dangerous truth: many of these startups are operating without a secure software supply chain. In most cases, these teams either lack the in-house expertise to truly understand the risks they are inheriting — or they have the intent, but not the tools, time, or resources to properly analyse, let alone mitigate, those threats. Security, while acknowledged in principle, becomes an afterthought in practice.
This is exactly the concern raised by Pat Opet, CISO of JP Morgan Chase, in an open letter addressed to their entire supplier ecosystem. He warned that most third-party vendors lack sufficient visibility into how their AI models function, how dependencies are managed, and how security is verified at the build level. In his words, organisations are deploying systems they “fundamentally don’t understand” — a sobering assessment from one of the world’s most systemically important financial institutions.
To paraphrase the message: enterprise buyers can no longer rely on assumed trust. Instead, they are demanding demonstrable assurance that:
- Dependencies are known and continuously monitored
- Model behaviours are documented and explainable
- Security controls exist beyond the UI and extend into the build pipeline
- Vendors can detect and respond to supply chain attacks in real time
In June 2025, JP Morgan’s CISO, Pat Opet, issued a public open letter warning third-party suppliers and technology vendors about their growing negligence in security. The message was clear — financial institutions are now treating supply chain risk as systemic. And if your SaaS startup sells to enterprise, you’re on notice.
The Enterprise View: Supply Chain Security Is Not Optional
JP Morgan’s letter wasn’t vague. It cited the following concerns:
- 78% of AI systems lack basic security protocols
- Most vendors cannot explain how their AI models behave
- Software vulnerabilities have tripled since 2023
The problem? Speed has consistently outpaced security.
This echoes warnings from security publications like Cybersecurity Dive and CSO Online, which describe SaaS tools as the soft underbelly of the enterprise stack — often over-permissioned, under-reviewed, and embedded deep in operational workflows.
How Did We Get Here?

The SaaS delivery model rewards speed and customer acquisition, not resilience. With low capital requirements, modern teams outsource infrastructure, embed GPT agents, and build workflows that abstract away complexity and visibility.
But abstraction is not control.
Most AI-native startups:
- Pull dependencies from unvetted registries (npm, PyPI)
- Push unscanned artefacts into CI/CD pipelines
- Lack documented SBOMs or any provenance trace
- Treat compliance as a checkbox, not a design constraint
Reco.ai’s analysis of this trend calls it out directly: “The industry is failing itself.”
JP Morgan’s Position Is a Signal, Not an Exception
When one of the world’s most risk-averse financial institutions spends $2B on AI security, slows its own deployments, and still goes public with a warning — it’s not posturing. It’s drawing a line.
The implication is that future vendor evaluations won’t just look for SOC 2 reports or ISO logos. Enterprises will want to know:
- Can you explain your model decisions?
- Do you have a verifiable SBOM?
- Can you respond to a supply chain CVE within 24 hours?
This is not just for unicorns. It will affect every AI-integrated SaaS vendor in every enterprise buying cycle.
What Founders Need to Do — Today
If you’re a startup founder, here’s your checklist:
- Inventory your dependencies — use SBOM tools like Syft or Trace-AI
- Scan for vulnerabilities — Grype, Snyk, or GitHub Actions
- Document AI model behaviours and data flows
- Define incident response workflows for AI-specific attacks
This isn’t about slowing down. It’s about building a foundation that scales.
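As an added example (not from the article, nor code from Syft or Grype), here is a small CI gate that reads a Grype JSON report produced from a Syft SBOM and fails the build on any unremediated High or Critical finding, separating findings with an upstream fix from those that need a documented, time-boxed exception. The report shape is approximated from Grype's JSON output, the CVE ids are placeholders, and the tool invocations in the comments are the ones assumed to produce the input.

```python
import json
from collections import Counter

# Constructed sample shaped like a Grype JSON report (assumed from
# `syft dir:. -o cyclonedx-json > sbom.json` then `grype sbom:sbom.json -o json`).
# Only the fields this gate reads are included; CVE ids are placeholders.
SAMPLE_GRYPE_REPORT = json.dumps({"matches": [
    {"vulnerability": {"id": "CVE-EXAMPLE-0001", "severity": "Critical",
                       "fix": {"state": "fixed", "versions": ["4.17.21"]}},
     "artifact": {"name": "lodash", "version": "4.17.15", "type": "npm"}},
    {"vulnerability": {"id": "CVE-EXAMPLE-0002", "severity": "High",
                       "fix": {"state": "not-fixed", "versions": []}},
     "artifact": {"name": "requests", "version": "2.25.0", "type": "python"}},
    {"vulnerability": {"id": "CVE-EXAMPLE-0003", "severity": "Low",
                       "fix": {"state": "fixed", "versions": ["1.2.4"]}},
     "artifact": {"name": "minimist", "version": "1.2.0", "type": "npm"}},
]})

# Unknown severity is treated as Low rather than ignored, so it still shows in counts.
SEVERITY_RANK = {"Negligible": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}


def evaluate_report(report_json, fail_on="High", allowlist=frozenset()):
    """Gate verdict: findings at or above `fail_on` block the build unless their
    id is in `allowlist` (a reviewed, time-boxed exception list kept in the repo).
    Findings with a published fix are listed with the upgrade target; the rest
    need an exception or a mitigation before the build may pass."""
    threshold = SEVERITY_RANK[fail_on]
    blocking, no_fix, counts = [], [], Counter()
    for match in json.loads(report_json).get("matches", []):
        vuln, art = match["vulnerability"], match["artifact"]
        sev = vuln.get("severity", "Unknown")
        counts[sev] += 1
        if SEVERITY_RANK.get(sev, 1) < threshold or vuln["id"] in allowlist:
            continue
        entry = f'{art["name"]}@{art["version"]} ({art["type"]}): {vuln["id"]} [{sev}]'
        fix = vuln.get("fix", {})
        if fix.get("state") == "fixed" and fix.get("versions"):
            blocking.append(entry + " -> upgrade to " + ", ".join(fix["versions"]))
        else:
            no_fix.append(entry + " -> no upstream fix; needs a documented exception")
    return {"passed": not blocking and not no_fix, "blocking": blocking,
            "no_fix": no_fix, "counts": dict(counts)}


if __name__ == "__main__":
    verdict = evaluate_report(SAMPLE_GRYPE_REPORT, fail_on="High")
    for line in verdict["blocking"] + verdict["no_fix"]:
        print("BLOCK", line)
    print("severity counts:", verdict["counts"])
    raise SystemExit(0 if verdict["passed"] else 1)
```

Running it on the sample exits non-zero because the Critical lodash finding has an upgrade available and the High requests finding has no fix and no recorded exception; the exit code is what a CI step would key on.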
Final Thoughts: The Debt Is Real, and It’s Compounding
Security debt behaves like technical debt, except when it comes due, it can take down your company.
JP Morgan’s open letter has changed the conversation. Compliance is no longer a secondary concern for SaaS startups. It’s now a prerequisite for trust.
The startups that recognise this early and act on it will win the trust of regulators, customers, and partners. The rest may never make it past procurement.