Executive Summary
Cohere is a Canadian AI company providing enterprise LLM infrastructure, claiming SOC2 Type II, GDPR, and CCPA compliance with "Privacy-by-Design" principles. However, BLACKOUT runtime scans of cohere.com reveal 47 third-party vendors firing, with 17 loading PRE-CONSENT including B2B deanonymization platforms (6sense, Demandbase, ZoomInfo, RB2B) that identify anonymous visitors. Only 14 vendors appear in their Trust Center subprocessor list. This represents a fundamental gap between Cohere's enterprise security posture and their actual website practices - the AI vendor selling privacy-first solutions deploys aggressive visitor identification before consent.
Revenue Threat Profile
4 COLLAPSE VECTORSHow this vendor creates financial exposure. Each score (0-100) reflects observed runtime behavior and documented business practices.
CAC Subsidization
Cohere's deployment of 6sense, Demandbase, and HockeyStack creates attribution pollution where visitor intent signals are captured and potentially shared before consent, corrupting the measurement integrity that enterprise AI buyers expect from a privacy-first vendor.
Signal Corruption
B2B deanonymization vendors (6sense, Demandbase, ZoomInfo) receive visitor identity and behavioral signals that can be used to identify which companies are evaluating AI solutions, creating competitive intelligence leakage for prospects visiting cohere.com.
Legal Tail Risk
47 third-party JavaScript libraries create a substantial attack surface. MetaPixel, GoogleAds, DoubleClick, and multiple advertising networks increase exposure to supply-chain attacks while expanding the blast radius of any vendor compromise.
GTM Attack Surface
Claims to honor GPC and comply with GDPR/CCPA, but 100% of detected vendors fire pre-consent. The gap between Trust Center claims and runtime behavior creates regulatory exposure under GDPR Articles 7 and 28, plus CCPA opt-out requirements.