AI tooling SaaS (multi-tenant credential aggregation, US)

A new sector pattern surfaced this week: AI tooling SaaS as a multi-tenant credential aggregation surface. Two parallel incidents make the architecture explicit. Braintrust (AI evaluation / observability) — confirmed 2026-05-04 AWS account compromise; the compromised account held organisation-level API keys customers use to connect upstream LLM providers (OpenAI, Anthropic, Azure OpenAI); Braintrust instructed every customer to rotate organisation-level provider credentials regardless of confirmed exposure; one customer confirmed compromised, three reported anomalous AI usage spikes consistent with credential abuse (TechCrunch, 2026-05-06 · SecurityWeek, 2026-05-08 · daily 2026-05-10). LiteLLM Proxy CVE-2026-42208 — the database holds every virtual key, upstream-provider credential, and team binding configured into the proxy; pre-auth SQLi exposes them all; CISA KEV deadline Monday 2026-05-11. Cross-finding pattern: AI-evaluation, AI-observability, AI-gateway, prompt-management, and agent-evaluation platforms all aggregate organisation-level upstream-provider credentials for many tenants per vendor, so a single SaaS-tier compromise propagates into a multi-provider credential event for every downstream tenant. European public-sector AI pilots in 2026-W20 should inventory which AI-tooling SaaS vendors hold organisation-level upstream-provider keys, require per-environment scoping, and require provider-side anomaly alerts.