Six weeks after a compromised third-party AI tool opened a path straight into its internal systems, Vercel — the deployment platform serving more than 6 million developers worldwide — rewrote its legal framework from the ground up. The revised Terms of Service, published June 4 by VP of Legal Wendra Liang, introduce the first explicit liability structure for AI agents acting inside a customer's Vercel account, and the structure places every consequence, including runaway billing costs, squarely on the customer who granted access.

The timing is not coincidental. On April 19, 2026, Vercel disclosed that attackers had used a compromised third-party AI tool called Context.ai to breach its internal systems, accessing employee accounts and, from there, environment variables belonging to a limited subset of customers. The breach required no novel technique, no zero-day exploit, and no credential phishing. It required one employee who had connected a SaaS AI tool to a corporate Google Workspace account with broad OAuth permissions — and one attacker willing to work the chain. The new terms are Vercel's contractual answer to the question that breach raised: when the agent acts, who owns the outcome?

Under the revised framework, the answer is unambiguous. "Vercel is not responsible for any loss, damage, liability or other consequence arising from actions taken on your behalf by any Third Party Tools or AI Functionality," the updated Terms state. That sentence covers two distinct categories Vercel has newly defined. AI Functionality refers to Vercel's own AI-powered services — v0, Vercel Agent, WAF natural language rules, and AI Gateway. Third-Party Tools refers to any non-Vercel automation, script, or service a customer connects to their account, whether AI-powered or not — including CI/CD pipelines, GitHub bots, and autonomous coding agents.

OAuth Supply Chain Attacks Turn Third-Party AI Tools Into Liability

The April breach illustrates precisely why Vercel needed contractual language for this scenario. The attack chain began months earlier, when infostealer malware — specifically Lumma Stealer — infected an employee at Context.ai, a third-party AI tool connected by at least one Vercel employee. The malware harvested OAuth tokens that Context.ai's application held for its users' external accounts. One of those tokens was tied to a Vercel employee's enterprise Google Workspace account, to which the employee had granted Context.ai broad OAuth permissions.

Trend Micro's analysis of the breach explains the mechanism: OAuth 2.0 is a delegation protocol. When a user authorizes a third-party application to access their accounts, that application receives a token it can use on the user's behalf. Crucially, the token does not require the user's password and is not blocked by multi-factor authentication. Once the attacker held the stolen token, they authenticated as the Vercel employee without triggering any login alert. From the employee's Google Workspace, they moved laterally into Vercel's internal environment, where they found and exfiltrated environment variables that had not been marked as "sensitive" in Vercel's dashboard — a designation that controls whether variables are encrypted at rest. Credentials below the sensitive threshold were stored in a readable format accessible to anyone with internal project-level permissions.

Vercel's CEO Guillermo Rauch described the adversary as highly sophisticated, and the company brought in incident response experts and notified law enforcement. Multiple security firms noted afterward that the attack pattern — infostealer infection at a vendor, OAuth token theft from that vendor's user base, lateral movement into a downstream cloud platform — followed the same structural path as the 2024 Snowflake campaign, in which infostealer-sourced credentials enabled breaches at dozens of downstream organizations.

Vercel AI Agent Liability: What Developers Now Accept

The June 4 terms update formalizes the liability lesson of the April breach into binding contractual language. If a customer enables a third-party AI tool and grants it access to their Vercel account — by providing an API key, credentials, or access to a code repository — the customer "authorize[s] and agree[s] to be legally bound by the actions taken on your behalf by those Third-Party Tools." The customer is also "responsible for any costs incurred through such tools' use of the Services."

The terms go a step further by invoking a doctrine from electronic commerce. They designate any connected third-party tool as an "electronic agent" as defined in the Uniform Electronic Transactions Act (UETA), a model law adopted by 49 of 50 U.S. states. Under UETA, conduct by an electronic agent is attributed to the person who deployed it. Proskauer Rose LLP, analyzing UETA's application to agentic AI, noted that the law's own commentary states "the employer of a tool is responsible for the results obtained by the use of that tool since the tool has no independent volition of its own." Vercel has effectively written that doctrine into its customer agreements before a court had to impose it.

For Vercel's own AI Functionality, the terms are equally explicit: customers control its scope through their account settings, are responsible for reviewing and authorizing its actions, and bear responsibility for evaluating its outputs against their own requirements.

Cloud Platform AI Billing: Vercel Acceleration Clause

The billing update may be the most operationally significant change for engineering teams managing AI workloads. Fees are no longer exclusively tied to subscription plans — services such as AI Gateway credits can now be purchased and charged independently. The clause that enterprise procurement teams are most likely to flag reads as follows: "If your account shows unusually high or suspicious usage, Vercel may charge accrued fees ahead of your regular billing cycle."

In a market where agentic tools are already generating severe cost overruns, TechCrunch reported on June 5 that Uber burned its entire 2026 AI budget by April, and that one unnamed enterprise accumulated a $500 million Claude billing in a single month. The FinOps Foundation, quoted in the same report, described companies discovering they were three times over their annual AI budget before the end of April. Vercel's ability to collect early on high-usage accounts means a runaway deployment loop, an infinite-iterating agent, or a compromised integration generating phantom compute could trigger an invoice before a customer's security team has finished investigating.

Third-Party Tool Developer Responsibility Expands to Marketplace Vendors

The revised Marketplace terms add a requirement that directly affects developers distributing integrations on the Vercel Marketplace. The concept of Authorized Users — the parties whose actions bind the customer — now explicitly includes Third-Party Tools. Actions taken by Authorized Users are bound to the customer, who is also responsible for reporting any unauthorized Authorized User activity.

The practical implication is that customers can no longer treat a Marketplace integration as a passive component whose actions are the vendor's concern. Every tool connected to a Vercel account — including integrations listed and maintained by third-party vendors — is treated as acting on the customer's behalf. This puts direct pressure on marketplace vendors to document and disclose what their integrations do autonomously, and puts pressure on customers to read those disclosures before connecting any tool with production access.

What Developers Should Do Now About AI Agent Access on Vercel

The ToS update arrives in a regulatory environment that is also accelerating. The FTC issued its first comprehensive AI enforcement policy statement in March 2026, applying Section 5 of the FTC Act to AI systems across their entire lifecycle. Colorado's AI Act takes effect June 30. Against that backdrop, Vercel's decision to preemptively codify the UETA electronic-agent doctrine gives both customers and courts a clear allocation of responsibility that predates any specific enforcement action.

For developers with active AI integrations on Vercel, the terms are already live. Anyone who has connected a CI/CD agent, an autonomous coding tool, a GitHub bot, or any third-party automation with API key or credential access has, under the new terms, authorized and legally bound themselves to that tool's actions. Given the attack chain that exposed the April breach — an OAuth grant, a compromised upstream vendor, a lateral move that bypassed all perimeter controls — the most urgent review is not of the terms themselves but of which tools currently hold OAuth access to corporate accounts connected to Vercel deployments.

Vercel is almost certainly not the last deployment platform to adopt this framework. As agentic tools become production infrastructure across the cloud industry, the question of who owns the damage when an agent acts is one every platform-as-a-service provider must answer contractually. Vercel answered it after a breach demonstrated exactly what happens when that question is left open — and its answer is: the customer who granted the access owns every consequence that follows.

Frequently Asked Questions

If a third-party AI tool runs up a large bill on my Vercel account without my explicit instruction, am I responsible?

Yes, under the revised terms. By connecting any third-party tool and granting it access to your Vercel account — including providing an API key or credentials — you authorize and accept legal responsibility for all costs it incurs. Vercel's terms now also permit early billing if usage appears unusually high or suspicious, which means a runaway agent could trigger an invoice before the billing cycle ends.

What counts as a third-party tool under Vercel's updated terms?

Any non-Vercel automation, script, service, or agent that you grant access to your Vercel account. This explicitly includes CI/CD pipelines, third-party AI agents, GitHub Actions bots, integration scripts, and any other tool you connect by providing API keys, secrets, or code repository access — whether it is AI-powered or not.

How did the April 2026 Vercel breach happen through a third-party AI tool?

Attackers compromised Context.ai, an AI SaaS tool used internally by a Vercel employee. Via infostealer malware, they harvested OAuth tokens that Context.ai's application held for its users' Google accounts. Using a stolen token tied to a Vercel employee's grant, they authenticated into that employee's Google Workspace without a password or multi-factor authentication bypass, then moved laterally into Vercel's internal systems and accessed unencrypted environment variables.

What steps should I take to protect my Vercel account from AI agent risks under the new terms?

Audit which third-party tools currently hold OAuth access or API credentials for accounts connected to your Vercel deployments. Rotate any credentials that may have been accessible during the February through April 2026 window. Mark all sensitive environment variables as "sensitive" in Vercel's dashboard so they are encrypted at rest. Treat every OAuth grant to a third-party AI tool as a high-risk vendor integration requiring the same scrutiny you would apply to a cloud service provider.