SAN FRANCISCO — In the span of about eighteen months, OpenAI and Anthropic have gone from research labs shipping chat interfaces to the center of a rapidly consolidating enterprise technology stack. Anthropic's Claude models now ship inside AWS Bedrock, Google Cloud Vertex AI, Microsoft Foundry, GitHub Copilot, Snowflake Cortex, and IBM's watsonx. OpenAI's models sit inside Microsoft's Azure OpenAI Service, Apple's on-device intelligence features, and a growing GPT Store of third-party applications. Both companies have signed formal testing arrangements with the U.S. AI Safety Institute at NIST, both co-founded the Frontier Model Forum alongside Google and Microsoft, and both now route pre-release models through independent evaluators such as METR and Apollo Research before publishing model cards.
None of this is a footnote to the AI story — it is the story. The competitive frontier in generative AI has quietly shifted from "whose model scores highest on a benchmark" to "whose model is embedded in the most systems of record." And that shift carries a direct, underappreciated implication for application security teams: every partnership announcement is also a new integration point, a new set of credentials, a new piece of third-party code, and a new node in the software supply chain that AppSec is expected to defend.
The partnership wave, in facts
The pattern is easiest to see by lining up what has actually happened rather than what vendors say about it.
Anthropic open-sourced the Model Context Protocol (MCP) in November 2024 as a standard way for AI models to connect to external tools, databases, and APIs. What began as an Anthropic-only specification became a cross-industry standard within months: OpenAI announced support for MCP across its Agents SDK and ChatGPT desktop app in March 2025, and Google DeepMind confirmed MCP support for Gemini shortly after. A protocol that started as one vendor's plumbing is now the de facto interface layer connecting frontier models from competing labs to the same universe of third-party tools and connectors.
At the infrastructure layer, Anthropic's model distribution now runs through all three major hyperscalers — AWS, Google Cloud, and Microsoft Azure — each of which is also a strategic investor in the company. Anthropic has separately partnered with Palantir and AWS to bring Claude models to U.S. government and defense customers, with IBM to integrate Claude into watsonx, and with GitHub to make Claude models selectable inside Copilot. OpenAI's distribution runs primarily through its deep alignment with Microsoft Azure, its integration into Apple's operating systems, and a marketplace of GPTs built by outside developers, plus newer partnerships extending into defense and hardware, including a publicly announced collaboration with Anduril Industries.
Layered on top of the commercial partnerships is a parallel track of safety and standards partnerships: both labs signed memoranda with the U.S. AI Safety Institute in August 2024 granting early model access for government-led safety testing; both are founding members of the Frontier Model Forum; and both routinely disclose in their model cards that dangerous-capability evaluations were run by outside groups like METR and Apollo Research before a model shipped.
Taken together, this is not a story about two chatbots. It is a story about two model vendors that have each become deeply embedded — commercially, technically, and procedurally — in the infrastructure other companies build on.
What the trend signals for AppSec
Three things follow from this pattern, and none of them are hypothetical.
First, the AI vendor relationship is now a supply chain relationship. When a company adopts Claude via Bedrock, or GPT-class models via Azure OpenAI, or plugs either into its stack through MCP, it is not adopting a single API — it is inheriting the security posture, dependency graph, and incident history of every layer underneath: the model provider, the cloud intermediary, the connector or MCP server code, and any third-party plugin the integration touches. That is the same trust chain AppSec teams already manage for open-source packages and container base images. The difference is that most organizations do not yet have an inventory process for "which AI vendor partnerships touch our environment" the way they do for software dependencies.
Second, the interoperability push is expanding the attack surface faster than governance is catching up. MCP's rapid, multi-vendor adoption is a genuine engineering win — a shared protocol means AI agents can reach tools without bespoke integration work for each model. But security researchers have already documented concrete risk in that same ecosystem: in April 2025, researchers at Invariant Labs published findings on "MCP tool poisoning," showing that malicious or compromised MCP servers can smuggle hidden instructions to an AI agent through tool descriptions the end user never sees. That is a textbook software supply chain problem — untrusted third-party code (a community-built MCP server) executing with the trust level of a first-party integration — wearing an AI costume. The GPT Store has faced its own version of this since launch in January 2024: third-party GPTs built and distributed by outside developers, with the platform vendor responsible for the trust boundary between user, model, and plugin.
Third, the vendors are visibly trying to substitute process for certainty, and AppSec teams should read that signal correctly. Independent red-teaming by METR and Apollo Research, participation in the Frontier Model Forum, and voluntary testing agreements with NIST's AI Safety Institute are real, verifiable governance commitments — but they are evaluations of model behavior, not security audits of the surrounding integration layer. A model that passes dangerous-capability evaluations can still be deployed behind an insecure MCP server, an over-permissioned API key, or a connector with no code provenance. The safety story and the security story are adjacent, not identical, and enterprise buyers who conflate the two are the ones most likely to be surprised later.
Why this matters beyond the AI headlines
For AppSec and platform security teams, the practical takeaway is that "AI vendor" now belongs in the same risk register as any other critical third-party dependency — and it needs to be tracked with the same rigor. That means treating cloud-hosted model access (Bedrock, Vertex AI, Azure OpenAI, Foundry) as a vendor relationship with its own data flow diagram; treating every MCP server, plugin, or GPT the organization installs as third-party code subject to review, not a magic capability that arrived for free; and recognizing that a vendor's safety commitments — however genuine — do not substitute for the organization's own visibility into what code, credentials, and data actually cross that integration boundary.
The signal from the OpenAI and Anthropic ecosystem buildout is not "AI is now safe because major vendors are cooperating on safety." It is "AI is now infrastructure, and infrastructure needs a supply chain security program." Every new hyperscaler deal, every MCP connector, every plugin store submission is another edge in a graph that already looks a lot like the open-source dependency trees AppSec teams have spent a decade learning to secure — except this graph is younger, moving faster, and mostly undocumented inside the average enterprise.
How Safeguard Helps
Safeguard was built for exactly this kind of expanding, fast-moving dependency graph. As organizations plug AI models, MCP servers, and third-party connectors into production systems, Safeguard extends the same supply chain security discipline that AppSec teams already apply to open-source packages and container images:
- Dependency and connector visibility — Safeguard inventories the third-party code, packages, and integration points (including emerging categories like MCP servers and AI plugins) that flow into an application, so security teams have an accurate, current picture of what is actually connected to their environment instead of relying on vendor documentation alone.
- Provenance and integrity verification — by validating where code and components actually come from, Safeguard helps teams distinguish a vetted, first-party integration from an unvetted third-party MCP server or plugin before it is trusted with production data or credentials.
- Continuous risk monitoring — as AI vendor ecosystems evolve weekly with new connectors and partnerships, Safeguard continuously rescans the dependency and integration surface rather than treating vendor risk as a one-time procurement checkbox.
- SOC 2-aligned reporting — for compliance and security teams that need to show auditors and customers how third-party AI integrations are governed, Safeguard maps supply chain findings to the control evidence those audits require.
The OpenAI-Anthropic ecosystem race will keep producing headlines about new partnerships, new protocols, and new safety commitments. Safeguard's role is to make sure that every one of those integrations is visible, verified, and monitored — so the next AI vendor security partnership signal your organization needs to react to comes from your own security tooling, not from a headline.