AI Marketplace Apps Change Jira Trust Surface
How to evaluate AI-augmented Atlassian Marketplace apps safely before install

AI-augmented Marketplace apps introduce new security and trust considerations for Jira admins beyond traditional scope reviews. Learn what data flows to external models and how to verify vendor practices before installation.
Tempo's AI push on the Atlassian Marketplace is making headlines this week. But the more interesting question — especially for Jira admins evaluating any AI-augmented Marketplace app — isn't what Tempo announced. It's what a vendor's AI integration actually touches inside your Jira instance, and whether you can verify that before you install.
AI Features in Marketplace Apps Are a New Trust Surface
For years, evaluating a Marketplace app was a tractable problem. You reviewed the app's requested scopes, checked whether it held a Cloud Fortified badge, glanced at the security tab, and made a judgment call. The data model was mostly read-write on issues, projects, and custom fields. Bounded, auditable, familiar.
AI-augmented apps change that calculus in ways that aren't yet fully reflected in how admins evaluate installs.
When a Marketplace app embeds an AI layer, it typically needs to do at least one of the following:
- Send Jira data to an external model — issue summaries, comments, custom field values, potentially attachment content — to generate predictions, suggestions, or automated actions.
- Store embeddings or processed representations of your Jira content on vendor-operated infrastructure.
- Take write actions informed by model output — updating fields, transitioning issues, posting comments — at a cadence and with a logic that isn't transparently encoded in a Jira workflow.
None of this is inherently wrong. But it's a materially different risk profile than a field renderer or a panel extension. And the Marketplace's current security disclosure norms weren't designed with it in mind.
What the Scopes Screen Doesn't Tell You
The scopes an app declares in its manifest (a Connect descriptor or a Forge manifest) give you a coarse view of what data a vendor can reach. Forge and OAuth 2.0 apps request granular scopes such as read:jira-work; Connect apps request the older READ, WRITE and ADMIN scopes. Either way the grant is site-wide: read:jira-work covers issue content in every project on the site, not just the projects in which a user happens to open the app. For a pure UI app that breadth is largely theoretical, because in practice the app only reads the issue the user is currently viewing.
For an AI-augmented app that runs background jobs to build embeddings or generate suggestions, that same scope becomes a continuous pipeline. The distinction isn't visible in the scopes declaration. Forge apps do have to declare the external domains they call, and those egress domains are shown among the app's permissions at install time, so a model provider's domain there is a useful tell; but nothing in the declaration says whether those calls happen when a user clicks or on a timer against your whole backlog. You can't tell, from the Marketplace listing alone, whether an app reads issues reactively or vacuums your backlog on a schedule.
A few things worth asking before approving an AI-augmented app for your instance:
- Does the vendor publish a data processing agreement that covers AI model inputs — not just general data storage?
- Is the AI processing performed on vendor infrastructure, or does it delegate to a third-party model provider (OpenAI, Anthropic, Google)? If the latter, your Jira data traverses a second vendor's systems.
- What is the retention policy for model inputs and outputs? Embeddings can encode sensitive content; a standard "we delete data when you uninstall" policy may not cover cached embeddings.
- Can you exclude specific projects or issue types from AI processing? For regulated content — legal holds, HR issues, financial data — selective exclusion is often a compliance requirement, not a preference.
- What write actions can the AI take, and are they logged? An AI that can transition issues or post comments autonomously needs an audit trail. Check whether that log is accessible to you, the admin, or only to the vendor.
Cloud Fortified Remains the Right Floor — But the Ceiling Has Moved
Cloud Fortified is still the most meaningful security signal on the Marketplace. The Cloud Fortified program requires vendors to meet Atlassian's security requirements, maintain SLAs, and participate in the Marketplace Bug Bounty Program. For conventional apps, that's a strong baseline.
For AI-augmented apps, Cloud Fortified remains necessary but is no longer sufficient on its own. The certification predates the current wave of LLM-integrated Marketplace tooling. It doesn't currently evaluate how vendors handle third-party model delegation, embedding storage, or AI-specific data retention.
This isn't a criticism of Atlassian — it's an observation about the speed at which AI capabilities are being bolted onto Marketplace apps versus the pace at which trust frameworks evolve. Atlassian will likely tighten requirements over time, as they have done repeatedly with Connect scopes and data residency. But that's a future state; admins evaluating apps today need to ask the questions themselves.
A Practical Checklist Before Approving Any AI-Augmented App
This applies whether you're evaluating a time-tracking tool with AI forecasting, a project intelligence dashboard, or a workflow automation app with natural-language rule creation.
Before trial:
- Locate the vendor's privacy policy and confirm it addresses AI/ML processing, not just general data handling.
- Check whether the vendor discloses which AI infrastructure provider(s) they use.
- Ask your vendor contact (or the support desk, before you install) whether a DPA covering AI inputs is available.
During trial:
- Limit the trial to a sandbox project with non-sensitive data, and prefer a separate sandbox site if you have one: app scopes are granted site-wide, so a sandbox project on your production site does not stop a background job from reading every other project.
- Monitor what the app writes back — comments, field updates, transitions — and verify it's consistent with documented behaviour.
- If your organisation has a security team, loop them in before moving from sandbox to production.
Before organisation-wide rollout:
- Confirm whether the app respects Jira's project-level permissions for its AI processing, or whether it treats the instance as a flat namespace. The app's own account can typically see every project, so the concrete test is whether a suggestion or summary derived from project A can surface to a user who lacks Browse Projects permission on A.
- Verify that write actions by the AI are distinguishable in the audit log from human actions. In Jira Cloud, changes made through an app are recorded in the issue history under the app's account rather than a person's, which is what makes them filterable; confirm the vendor has not routed writes through a human user's credentials instead.
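The trial-monitoring step (what the app writes back) and the audit-log step (can you tell the AI's writes from a person's) are easier to do mechanically than by eye. The script below is an added example, not part of this article and not any vendor's code. It takes a sandbox issue's changelog and comments, separates app-account writes from human ones using the accountType field that Jira Cloud puts on every author object, and flags the fields the AI touched that the vendor's documentation does not mention. The JSON payloads are constructed to match the shape of Jira Cloud's GET /rest/api/3/issue/{key}/changelog and GET /rest/api/3/issue/{key}/comment responses; the Forecast Bot app, its account and its documented write set are hypothetical.

```python
"""Attribute sandbox-issue writes to app vs human accounts and diff the app's
writes against its documented behaviour.

Added example; not the article's or any vendor's code. The payloads below are
constructed in the shape Jira Cloud returns from
GET /rest/api/3/issue/{key}/changelog and GET /rest/api/3/issue/{key}/comment.
Jira marks Marketplace app accounts with accountType "app"; "Forecast Bot" and
its documented write set are hypothetical.
"""
import json
from collections import Counter

# Constructed changelog page: one human edit, then two entries by the app account.
CHANGELOG_JSON = """
{"values": [
  {"id": "10001", "created": "2024-05-02T09:12:04.000+0000",
   "author": {"accountId": "user-001", "displayName": "Priya Nair", "accountType": "atlassian"},
   "items": [{"field": "summary", "fieldtype": "jira", "fieldId": "summary",
              "fromString": "Fix login", "toString": "Fix login timeout"}]},
  {"id": "10002", "created": "2024-05-02T09:30:00.000+0000",
   "author": {"accountId": "app-forecast", "displayName": "Forecast Bot", "accountType": "app"},
   "items": [{"field": "timeoriginalestimate", "fieldtype": "jira", "fieldId": "timeoriginalestimate",
              "fromString": null, "toString": "2h"}]},
  {"id": "10003", "created": "2024-05-02T09:30:01.000+0000",
   "author": {"accountId": "app-forecast", "displayName": "Forecast Bot", "accountType": "app"},
   "items": [{"field": "status", "fieldtype": "jira", "fieldId": "status",
              "fromString": "To Do", "toString": "In Progress"},
             {"field": "assignee", "fieldtype": "jira", "fieldId": "assignee",
              "fromString": null, "toString": "Priya Nair"}]}
]}
"""

# Constructed comments page; bodies are Atlassian Document Format (ADF).
COMMENTS_JSON = """
{"comments": [
  {"id": "20001", "created": "2024-05-02T09:15:00.000+0000",
   "author": {"accountId": "user-001", "displayName": "Priya Nair", "accountType": "atlassian"},
   "body": {"type": "doc", "version": 1, "content": [{"type": "paragraph",
            "content": [{"type": "text", "text": "Repro steps attached."}]}]}},
  {"id": "20002", "created": "2024-05-02T09:30:02.000+0000",
   "author": {"accountId": "app-forecast", "displayName": "Forecast Bot", "accountType": "app"},
   "body": {"type": "doc", "version": 1, "content": [{"type": "paragraph",
            "content": [{"type": "text", "text": "Forecast: 2h based on similar issues."}]}]}}
]}
"""

# Hypothetical: the fields the vendor's documentation says the AI will write.
DOCUMENTED_APP_FIELDS = {"timeoriginalestimate", "comment"}


def adf_text(node) -> str:
    """Collect the plain text of an ADF body by walking its content tree."""
    if isinstance(node, dict):
        if node.get("type") == "text":
            return node.get("text", "")
        return "".join(adf_text(child) for child in node.get("content", []))
    return ""


def parse_writes(changelog_json: str, comments_json: str) -> list[dict]:
    """Flatten changelog items and comments into one time-ordered list of writes."""
    writes = []
    for entry in json.loads(changelog_json)["values"]:
        author = entry["author"]
        for item in entry["items"]:
            writes.append({
                "when": entry["created"],
                "actor": author["displayName"],
                "account_type": author.get("accountType", "unknown"),
                "field": item["field"],
                "change": f"{item.get('fromString')} -> {item.get('toString')}",
            })
    for comment in json.loads(comments_json)["comments"]:
        author = comment["author"]
        writes.append({
            "when": comment["created"],
            "actor": author["displayName"],
            "account_type": author.get("accountType", "unknown"),
            "field": "comment",
            "change": adf_text(comment["body"]),
        })
    # Timestamps share one format, so a string sort is chronological; the sort
    # is stable, so items from the same changelog entry keep their order.
    return sorted(writes, key=lambda w: w["when"])


def app_writes(writes: list[dict]) -> list[dict]:
    """Writes performed by any app account (accountType "app"), not by a person."""
    return [w for w in writes if w["account_type"] == "app"]


def undocumented_app_writes(writes: list[dict], documented: set[str]) -> list[dict]:
    """App writes touching fields the vendor's documentation does not mention."""
    return [w for w in app_writes(writes) if w["field"] not in documented]


def by_actor(writes: list[dict]) -> Counter:
    """Count writes per (display name, account type) for the trial report."""
    return Counter((w["actor"], w["account_type"]) for w in writes)


if __name__ == "__main__":
    writes = parse_writes(CHANGELOG_JSON, COMMENTS_JSON)
    for (actor, kind), n in by_actor(writes).items():
        print(f"{actor} ({kind}): {n} writes")
    for w in undocumented_app_writes(writes, DOCUMENTED_APP_FIELDS):
        print(f"UNDOCUMENTED {w['when']} {w['actor']} set {w['field']}: {w['change']}")
```

On the constructed data the report attributes four writes to the app account and two to the human, and flags the status transition and the assignee change as undocumented. To run it against a real sandbox issue, replace the two constants with the responses from the changelog and comment endpoints (both are paginated, so fetch every page), fill in the documented set from the vendor's own documentation, and run it over each issue in the sandbox project. If an app's writes show up with accountType "atlassian" rather than "app", the vendor is acting under a person's credentials, and the audit trail will not separate the AI's actions from that person's.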
The Broader Point
The Atlassian Marketplace is becoming an AI distribution channel, not just a workflow extension channel. That's commercially logical — AI features accelerate user value and justify premium pricing. But it shifts significant responsibility onto admins who were never asked to become AI risk evaluators.
The right response isn't to block AI-augmented apps categorically. It's to hold them to a higher disclosure standard than conventional apps, ask pointed questions before approving installs, and not let a Cloud Fortified badge — or a polished listing — substitute for due diligence on how the AI layer actually handles your data.
The badge tells you the vendor clears a bar. The AI questions tell you whether that bar was set for the right event.