text

Small Companies, Big Risks

text

OpenAI’s $6.6 billion deal and resulting $157 billion valuation grabbed headlines and, as the largest venture deal ever, rightly so. Hiring nearly 3000 people in the last year – growing headcount 7x in that time – OpenAI is expanding across all functions, including small but mighty corporate security and risk management teams. However, many more venture capital billions are invested with ultra lean companies with no comparative investment in headcount of any kind, much less in risk management.

Take French AI startup Mistral. Valued at €5.8 billion with only 55 employees, Mistral is worth €105 million per employee. Wall Street darling and chipmaking giant Nvidia, by comparison, is worth around €100 million per employee. And it can get even more extreme. Safe Superintelligence (SSI), newly co-founded by OpenAI’s former chief scientist Ilya Sutskever, has a similar valuation but with just 10 employees, meaning over $500 million in value per employee. Companies with values of $10m+ per employee, but far less name recognition, abound: Poolside, Typeface, Cohere, Adept and many many others.

With so few employees, even if these startups have a philosophical commitment to risk management, are there sufficient resources dedicated to protecting these venture capital billions – and game-changing IP – from insider risk, fraud and misconduct?

This lag between growth and risk management is nothing new. Studies found that more than 30% of high growth companies don’t have HR structures or a Code of Conduct – much less a security organization – after five years of existence. What is new, however, is the scale of the investment and the intensity of competition. The race for access to human capital and technical infrastructure has created a kind of wild west of AI – few protections and enormous bounties awaiting the winners.

The risks are not theoretical. AI startups have been targeted by competitors using fake identities to steal IP. Investors have lost millions to criminal fraud (and billions to negligence). And the US Government’s Disruptive Technology Strike Force brought criminal charges in 20+ trade secret theft cases since its inception in 2023.

Investors and startups fear the “bureaucracy” of risk management systems. But in this environment, with so much money at stake, having no systems is as damaging as having too many. When done right, investing in risk management doesn’t stifle growth, it sustains it. That’s our approach: right-sized security, for every stage of growth.