The rapid adoption of AI productivity tools is exposing a dangerous blind spot in enterprise security architecture. Organizations invest heavily in firewalls, SSO, and MFA, yet leave one of the most effective back doors wide open: persistent, unmanaged OAuth tokens.
The disconnect between technical execution and strategic risk management has never been clearer. We are building massive walls while leaving the vault unlocked.
The Core Problem
Every time an employee connects an AI tool, automation, or SaaS application to Google Workspace or Microsoft 365, they approve an OAuth grant and the application receives a long-lived refresh token. These tokens:
- Are not revoked just because an employee leaves; they stay valid until someone disables the account or revokes the grant, and a tenant-wide (admin-consented) grant outlives any single user
- Typically survive password changes, which reset the user's own sessions but not the application's refresh token
- Never trigger MFA again: the user passed MFA once at consent time, and every later token refresh rides on that one approval
- Often remain active for years with broad permissions
This is not a misconfiguration. This is how OAuth is designed to work — and most security programs were never built to handle it at the scale of Shadow AI.
Material Security’s 2026 research highlights the gap: 80% of security leaders consider unmanaged OAuth grants a critical or significant risk. Yet 45% of organizations still do nothing to monitor them at scale, while many others rely on manual spreadsheets and ad-hoc reviews.
Spreadsheets are not a security control. They are documentation of risk you don’t fully understand.
Real-World Proof: The Drift Incident
In August 2025, threat actors (UNC6395) stole OAuth refresh tokens from the Salesloft Drift integration. Using these legitimate tokens, they accessed Salesforce environments of over 700 organizations, including Cloudflare, PagerDuty, and others.
No passwords were cracked. No MFA was triggered. The attackers simply used already-approved, trusted integrations.
This incident demonstrates the new reality: a legitimate application today can become a serious weapon tomorrow.
What Effective OAuth Security Must Look Like
We need to move from point-in-time approval to continuous oversight with three key capabilities:
- Behavioral Monitoring: track what the application actually does (which API endpoints it calls, how much data it pulls, from where and at what hours) against its own baseline.
- Blast Radius Assessment: understand which scopes the grant holds, who approved it and whether that person is still around, and how much sensitive data those scopes can reach.
- Intelligent Response: revoke high-risk grants automatically and route ambiguous cases to a human for review.
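The three capabilities above run together over sample data, as an added example that is not code from this article or from any vendor it cites. It assumes the tenant can export per-grant records (client ID, approving user, scopes, grant date, whether the approver is still employed) and hourly API egress per application; the scope weights, thresholds, grants and events are all constructed for the example. The revoke helper calls the Google Admin SDK Directory API `tokens.delete` method and is not exercised by the sample run.

```python
"""Continuous triage of persistent OAuth grants.
Added example for this article, not the author's code nor any vendor's product.
Grants, API events, scope weights and thresholds are constructed assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from statistics import mean

# Assumed sensitivity weight per scope; the scope strings are real Google
# Workspace / Microsoft Graph scopes, the numbers are this example's own.
SCOPE_WEIGHT = {
    "https://www.googleapis.com/auth/drive": 5,
    "https://mail.google.com/": 5,
    "https://www.googleapis.com/auth/calendar.readonly": 1,
    "https://www.googleapis.com/auth/userinfo.email": 0,
    "openid": 0,
    "Files.ReadWrite.All": 5,
}
HIGH_RADIUS = 4         # at or above this, one strong signal means revoke
STALE_DAYS = 365        # broad grants older than this get a human review
SPIKE_FACTOR = 5.0      # hourly egress this many times the baseline is a spike
MIN_BASELINE = 1 << 20  # 1 MiB floor so a near-idle app cannot "spike" on noise

@dataclass
class Grant:
    client_id: str
    app_name: str
    approved_by: str         # the user who clicked "Allow"
    scopes: list
    granted_at: datetime
    approver_employed: bool  # False once HR marks that user as departed

@dataclass
class ApiEvent:
    client_id: str
    ts: datetime
    bytes_out: int           # data the app pulled through the API in that hour

def blast_radius(grant):
    """Sum of scope weights; scopes without a weight count as moderate (3)."""
    return sum(SCOPE_WEIGHT.get(s, 3) for s in grant.scopes)

def egress_ratio(events, client_id):
    """Latest hour's egress over the mean of earlier hours; None if no baseline."""
    mine = sorted((e for e in events if e.client_id == client_id), key=lambda e: e.ts)
    if len(mine) < 2:
        return None
    baseline = max(mean(e.bytes_out for e in mine[:-1]), MIN_BASELINE)
    return mine[-1].bytes_out / baseline

def triage(grant, events, now):
    """(action, blast_radius, reasons): strong signal + wide radius -> revoke."""
    radius = blast_radius(grant)
    ratio = egress_ratio(events, grant.client_id)
    strong, weak = [], []
    if not grant.approver_employed:
        strong.append("approver has left the company but the grant is still live")
    if ratio is not None and ratio >= SPIKE_FACTOR:
        strong.append(f"egress is {ratio:.0f}x the hourly baseline")
    if radius >= HIGH_RADIUS and (now - grant.granted_at).days > STALE_DAYS:
        weak.append("broad scopes, granted more than a year ago")
    if strong and radius >= HIGH_RADIUS:
        return "revoke", radius, strong + weak
    if strong or weak:
        return "escalate", radius, strong + weak
    return "ok", radius, []

def revoke_google_grant(directory, grant):
    """Revoke a per-user grant via Admin SDK Directory API tokens.delete; `directory`
    is a built admin/directory_v1 client (Graph: DELETE /oauth2PermissionGrants/{id})."""
    directory.tokens().delete(userKey=grant.approved_by,
                              clientId=grant.client_id).execute()

# Constructed sample tenant: four grants and 24 hours of per-app API egress.
NOW = datetime(2025, 9, 1, 12, tzinfo=timezone.utc)
GRANTS = [
    Grant("1001.apps", "Notes AI", "alice@example.com",
          ["https://www.googleapis.com/auth/drive", "https://mail.google.com/"],
          NOW - timedelta(days=500), True),
    Grant("1002.apps", "Calendar Sync", "bob@example.com",
          ["https://www.googleapis.com/auth/calendar.readonly", "openid"],
          NOW - timedelta(days=30), False),
    Grant("1003.apps", "Chat Login", "carol@example.com",
          ["openid", "https://www.googleapis.com/auth/userinfo.email"],
          NOW - timedelta(days=10), True),
    Grant("abcd-ef", "BI Connector", "dave@example.com",
          ["Files.ReadWrite.All"], NOW - timedelta(days=800), True),
]

def hourly(client_id, sizes):
    # One ApiEvent per hour ending at NOW, with the given egress sizes in bytes.
    return [ApiEvent(client_id, NOW - timedelta(hours=len(sizes) - i), s)
            for i, s in enumerate(sizes)]

EVENTS = (hourly("1001.apps", [2 << 20] * 23 + [400 << 20])  # 2 MiB/h, then a 400 MiB burst
          + hourly("1002.apps", [100 << 10] * 24) + hourly("1003.apps", [10 << 10] * 24)
          + hourly("abcd-ef", [5 << 20] * 24))

def triage_all(grants=GRANTS, events=EVENTS, now=NOW):
    return {g.app_name: triage(g, events, now) for g in grants}

if __name__ == "__main__":
    for app, (action, radius, reasons) in triage_all().items():
        print(f"{action:8} radius={radius:2d} {app}: {'; '.join(reasons) or 'no findings'}")
```

On the sample tenant the Drive-plus-Gmail app that suddenly pulls 200 times its usual hourly volume is revoked outright, the departed employee's read-only calendar grant and the three-year-old file-access connector are escalated for a human decision, and the sign-in-only grant is left alone. The point of the split between strong and weak signals is that revocation is automated only where both the evidence and the blast radius justify it; everything else becomes a ticket rather than a silent outage.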
The Leadership Gap
The market no longer needs only people who can configure firewalls or write code. It needs leaders who can securely integrate powerful AI tools into enterprise architectures — without creating massive hidden risks.
True security leadership today means combining technical excellence with strategic governance: systems that continuously audit, assess, and respond to OAuth risk in real time.
Sources and Further Reading:
Material Security: research on the OAuth grant management gap
https://material.security/resources/automating-oauth-grant-management-materials-research-shows-the-growing-gap-between-awareness-and-action
Palo Alto Networks Unit 42: threat brief on the Salesloft Drift OAuth compromise
https://unit42.paloaltonetworks.com/threat-brief-compromised-salesforce-instances/
Google Threat Intelligence: widespread data theft via Salesloft Drift
https://cloud.google.com/blog/topics/threat-intelligence/data-theft-salesforce-instances-via-salesloft-drift
IETF RFC 9700: OAuth 2.0 Security Best Current Practice
https://datatracker.ietf.org/doc/html/rfc9700
NIST SP 800-63B (Rev. 4): Digital Identity Guidelines
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63B-4.pdf