Aaron Rice, CIO at Vorboss

In today’s Sage Spotlight, Aaron Rice, CIO at Vorboss, explores the hidden risks of the shadow AI loophole and how the rapid shift toward agentic tools is changing the SaaS landscape. Aaron shares how Sagetap helps him navigate the “Wild West” of AI to find hungry, engineering-led startups, including a key partnership with Thoras that solved a complex Kubernetes optimization challenge where legacy FinOps tools fell short.

Key Takeaways

• Overseeing Technical Infrastructure at Vorboss: As CIO of a London fiber provider, Aaron leads technical strategy for software engineering and IT. He manages the internal systems and managed services that power Vorboss’s high-performance connectivity and cybersecurity.
• The Stealth Risk of Shadow AI: Aaron warns that shadow AI often hides inside sanctioned tools. This creates a loophole where teams unknowingly leak personal data to models like OpenAI through vendors the organization has already vetted and approved.
• Opportunities in Guardrails as a Service: With non-technical teams building products using AI, Aaron sees a massive opportunity for “guardrails as a service.” These solutions bridge the gap for creators who lack deep knowledge of security and compliance.
• Prioritizing Product Quality Over Sales Pitch: Before Sagetap, Aaron found that discovery skewed toward vendors with the best sales processes rather than products. He uses the platform to bypass cold outreach and find “diamonds in the rough” solving problems early.
• Optimizing Kubernetes with Thoras: While many vendors claim to automate cloud spend, Aaron found Thoras a standout for Kubernetes. By working with engineers over FinOps specialists, Vorboss guaranteed workload resilience while significantly reducing AWS spend.

Full Transcript

Aaron Rice: I'm the CIO at Vorboss. Vorboss is a B2B fiber internet connectivity provider based in London in the United Kingdom. We also offer IT managed services and cybersecurity services. 

I look after all technical decisions other than those that relate to our operational network. So I look after our software engineering function, I look after our IT function, and any of the other little random technical bits that pop up.

Meghan Lafferty: In all of your work, do you wish that the industry were talking about something more than it is?

Aaron: The industry is moving so fast at the moment, and by the industry, in this case, I actually mean a software and tooling industry rather than a telecommunications industry. Things that we weren't talking about weeks or months ago, we are talking about now. And my favorite thing that is popping up is shadow AI. 

So we have spoken a lot about shadow IT over the years in technical groups, where someone in the business who is not part of a technical team is bottlenecked. And so rather than wait for their technical team to have availability for them, they'll just go solve the problem themselves using their corp card. 

Shadow AI is actually more interesting to me, because shadow AI pops up in the tools that you have already sanctioned and that you have already approved. So, for example, Copilot is popping up in Word in our Microsoft suite of tooling. Or other popular SaaS products like Airtable, or monday, or Notion, they all have their own AI, their "something something" AI offering. And an employee could have access to that in a sanctioned, approved tool, but they could be then sending personal data into that, and you could leak information to one of their underlying models, whether that's AWS Bedrock or one of the OpenAI products.

Where that really interests me, actually, is for a business that hasn't approved, say, OpenAI in their business, for whatever reason, whether that's data sovereignty, whether that's just security and compliance, or whatever, but one of your vendors has and is using OpenAI as the model underneath their AI feature set in their product, suddenly, you're using OpenAI, and your team could be sending data to that. 

We're starting to talk about that a lot more, but I don't think we've had a big breach from it yet. We haven't had case law of, here's what goes wrong, and then we will start talking about it.

Meghan: So where does that leave vendors? Are there major opportunities for them?

Aaron: Oh, absolutely. We're in the Wild West right now for AI. It's massively changing our technical industry. And that’s not exactly a hot take. Everyone's talking about it at every possible opportunity. 

We also are getting indications that SaaS is changing. If you look at even just from a pricing perspective, SaaS product A that has existed for many years is charging twenty dollars per user per month, and we previously were happy paying that. But now also the alternative is you can get access to every piece of knowledge that has ever existed in the universe for twenty dollars a month. So even from just the pricing perspective, SaaS is changing. 

Separately, it's now a lot easier to go build competing SaaS apps. And businesses are starting to think about, well, do I go and buy something, or do I just go have the robot build it for me? So the world is changing significantly in that space, particularly for businesses that are now using nontechnical teams to build products in these agentic tools. They aren't aware of the security, compliance, the risks that come with building, shipping, and maintaining software. So I think there are opportunities for vendors in providing guardrails as a service.

Meghan: Before Sagetap, how did you use to identify the right vendors to evaluate and the right vendors for Vorboss?

Aaron: You know what? I hadn't realized how much being on the Sagetap platform has changed the way that I do this until only recently. 

Previously, I would be using word of mouth, whether that's on forums, whether that's on, literally searching Google for how my peers have solved the problem. I often ended up on Reddit, Product Hunt, ChatGPT, and speaking with peers, whether that's at conferences, whether that's at talks, whether that's on LinkedIn. 

I tried to steer away from cold outreach. In reality, I did lose good pitches in those because there's just so much of it. There's so many of them. And for every one good vendor, there are five that just happen to have a better sales process, but a worse product.

Meghan: You've been on Sagetap for a couple years now. Tell me about your journey with it.

Aaron: I thought it was a really interesting angle. The worst-case scenario is you are providing completely anonymous feedback to a vendor on their pitch, so they get huge value out of it either way. Best-case scenario is you actually find the diamond in the rough, right? 

I really like working with startups. I really like speaking with hungry founders. They want to go solve a problem. They've got maybe some seed cash. They've got a small team that are super engaged and want to go build cool things. Those are my favorite people ever to work with. And Sagetap has those in abundance. 

I had a lot of early success on Sagetap, just learning about the startups that are on the platform. And often I find that in learning about startups that are trying to solve a particular problem, I'm about to have that problem. They might just be a little bit further ahead than me in even experiencing that. 

Sagetap has definitely made the vendor search process a lot easier. Even in the ones that don't hit, the amount that I learn from what is out in the market is always beneficial to me.

Meghan: I know you have had success with the platform, officially. Can you tell me about your relationship with Thoras?

Aaron: It was fantastic, really from the beginning. The pitch felt organic. I was sort of ready to say, okay, but then what happens with our PII, or what happens with financials? And they were just on it every single time. 

Thoras helps us optimize the workloads that are running on our Kubernetes clusters in our public cloud provider. Ultimately, that saves us a fair amount of cash on our AWS spend, but the thing that excites me about Thoras is that they are all engineers and they really know their stuff. They are not just coming at it from a FinOps perspective. They're coming at it from a, we need to guarantee resilience and reliability of the workloads that are running in your Kubernetes cluster, and because you also need that as a customer, you have probably overprovisioned a little bit for safety's sake. 

So Thoras comes in and ensures that we maintain that resilience and that security and that safety, but also optimize the spend. And I've worked with a few vendors over the years that claim to do this, and Thoras are the only ones that have been able to pull it off. They're the only ones that I trusted from basically day one in knowing their technology inside and out. And then they provided a team of software engineers to work with my team to ensure that implementation and onboarding went fantastically. 

Meghan: So, if there is somebody in your shoes, picture yourself a couple years ago, they are not on Sagetap yet. Is there any advice that you would give them?

‍Aaron: I think you have to come at it from the angle of mutual value. If you come on to the platform from the perspective of: I am here to learn about these vendors, and if there is some mutual opportunity, great, and if not, I'm going to do my very best to ensure that I provide them enough feedback and value that for the next person that might be a slightly better fit, they nail it first time, then everyone's happy.