DEV Community

Cover image for Shadow AI and OAuth: Why the OAuth Token Is Now Your Biggest Blind Spot
Ali-Funk
Ali-Funk

Posted on

Shadow AI and OAuth: Why the OAuth Token Is Now Your Biggest Blind Spot

#oauth #security #identity #ai

For decades, Shadow IT lived on the network: the rogue server under a desk, the unauthorized SaaS subscription bought with a corporate card, or the wireless access point plugged in without approval. Security teams knew how to respond.Scan networks, block IPs, disable ports, and tighten firewall rules.

Today, Shadow IT has evolved. It no longer lives on the network.

It lives inside delegated identity permissions granted through OAuth. These non-human identities (NHIs) are rapidly becoming one of the fastest-growing attack surfaces in enterprise environments.

Most organizations still aren’t monitoring them.

The Perimeter Has Moved

The explosion of AI productivity tools has changed how enterprise data leaves the organization. Employees no longer need to install software or provision infrastructure. They simply click “Sign in with Microsoft” or “Sign in with Google.”

Within seconds, a third-party application receives broad delegated access to corporate resources. The firewall sees nothing. Endpoint detection reports no anomalies. No malware runs. No suspicious connections appear.

Yet that application may now hold persistent access to email, OneDrive, SharePoint, calendars, Teams, Google Drive, and other critical systems.

The traditional perimeter hasn’t shifted — it has been quietly bypassed.

Figure 1: Modern AI SaaS integrations bypass traditional network controls by establishing persistent OAuth trust relationships. The refresh token — not the firewall — is now the critical security boundary.

The Core Problem: Delegated Trust and Non-Human Identities

OAuth was designed to solve a legitimate problem: users shouldn’t share passwords with every app. Instead, identity providers issue scoped tokens.

This model works well — until modern AI platforms demand deep access to deliver value. An AI assistant cannot summarize emails it cannot read, organize documents it cannot access, or automate workflows it cannot see.

As a result, many AI tools request broad permissions such as:

  • Mail.ReadWrite
  • Files.Read.All
  • Calendars.ReadWrite
  • offline_access (often the most dangerous)

The offline_access scope grants long-lived refresh tokens that survive password resets, MFA changes, and even delayed offboarding. These become persistent non-human identities — alongside service principals, workload identities, API keys, and automation accounts.

As AI adoption accelerates, the number of these identities is growing far faster than the number of employees.

What the employee sees: a helpful productivity tool.

What security teams should see: a persistent trust relationship with an external entity operating outside traditional governance.

The Anatomy of an AI OAuth Exploit

An operations manager discovers an AI platform promising automated meeting summaries, document classification, and customer sentiment analysis. The website looks professional, reviews are strong, and the company appears legitimate.

She signs in with her corporate Microsoft account and grants the requested permissions.

Nothing malicious happens that day. The tool works as advertised.

But from that moment, part of the organization’s security posture now depends on the vendor’s security maturity. If the vendor is breached, leaks refresh tokens, or falls victim to a supply-chain attack, the blast radius can be severe.

No phishing. No endpoint compromise. No stolen credentials.

The attacker simply inherits already-granted trust.

Real-World Precedent: The Drift/Salesloft Attack

This is not theoretical.

In 2025, UNC6395 threat actors compromised OAuth tokens tied to Drift (later acquired by Salesloft). Using legitimate access, they reached Salesforce environments across hundreds of organizations. The integrations were trusted. The tokens were valid. Traditional controls missed the abuse.

Recent data underscores the scale: ~87% of applications in the average enterprise are unmanaged, only ~21% sit behind SSO, and AI tool adoption surged 181% in 2025.

Why Traditional IAM Breaks Here

Most IAM strategies focus on human-to-system interactions with Conditional Access evaluating location, device compliance, and risk signals.

OAuth flips the model. After initial consent, interactions become system-to-system. An AI platform can make thousands of API calls at 3 AM from a foreign cloud IP and still appear legitimate.

This creates a dangerous blind spot: strong human identity controls paired with minimal visibility into delegated applications.

Hardening the Identity Perimeter

Security teams must treat delegated permissions and non-human identities as core parts of the attack surface.

1. Restrict End-User Consent

Require administrative approval for apps requesting sensitive scopes (Files.Read.All, Mail.ReadWrite, offline_access, etc.). Evaluate vendor reputation, business need, and permissions before granting.

2. Enforce Least Privilege

Challenge broad permissions. Push vendors for granular scopes, resource-specific access, and time-limited tokens.

3. Continuously Audit Active Tokens and Applications

Maintain ongoing visibility into:

  • Active OAuth apps and non-human identities
  • Refresh token usage
  • API call patterns and volumes
  • Permission changes
  • Abnormal data access behavior

Monitor long-lived apps with the same rigor as privileged accounts.

4. Automate Revocation and Response

Build playbooks for rapid token revocation, app disabling, and investigation. Manual processes don’t scale against fast-moving threats.

The New Perimeter Is Identity

Enterprise security has evolved: networks → endpoints → identity.

The next frontier is delegated identity and non-human identities.

Organizations should embrace AI tools — they deliver real value. But innovation without visibility creates unmanaged risk.

  • The firewall is no longer the perimeter.
  • The endpoint is no longer the perimeter.
  • The OAuth token is the new perimeter.

In the age of AI, trust is no longer granted only to people.

It is granted to software.

References

  • Cyera — The Stealthy Rise of OAuth Application Risk: Why Non-Human Identities Are the New Security Frontier

https://www.cyera.com/blog/the-stealthy-rise-of-oauth-application-risk-why-non-human-identities-are-the-new-security-frontier

  • Zylo — What Are Unmanaged SaaS Apps? Risks, Examples, and How to Manage Them

https://zylo.com/blog/what-are-unmanaged-saas-apps-risks-examples-and-how-to-manage-them

  • IETF RFC 9700 — OAuth 2.0 Security Best Current Practice

https://datatracker.ietf.org/doc/html/rfc9700

  • Microsoft Entra ID — Manage Application Consent and Permissions

https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/configure-user-consent

  • Google Workspace Admin — Control Third-Party App Access

https://support.google.com/a

  • Google Threat Intelligence — Widespread Data Theft via Salesloft Drift

https://cloud.google.com/blog/topics/threat-intelligence/data-theft-salesforce-instances-via-salesloft-drift

  • Palo Alto Networks Unit 42 — OAuth Abuse and Compromised Salesforce Instances

https://unit42.paloaltonetworks.com

  • OWASP Top 10 for LLM Applications

https://genai.owasp.org

Top comments (0)