The SaaS and AI execution layer is outpacing IAM controls

At a glance

What this is: Vorlon argues that the enterprise attack surface has moved into the SaaS and AI execution layer, where AI agents and integrations move data faster than legacy visibility and governance controls can follow.

Why it matters: IAM, NHI, and human identity teams need a shared view of runtime access because hidden SaaS integrations, OAuth tokens, and agent activity can bypass the controls built for static access models.

By the numbers:

• 99.4% of organizations experienced a SaaS or AI ecosystem incident in 2025.
• 86.8% still cannot see what data AI tools are exchanging with their SaaS applications.
• The average organization runs 13 security tools just to cover SaaS and AI.
• 1 in 3 encountered suspicious AI agent activity.

👉 Read Vorlon's session replay on securing the SaaS and AI execution layer

Context

The core issue is not that enterprises lack security tools. It is that most of those tools were designed for a perimeter, a login, or a static workload, while SaaS integrations and AI agents now move sensitive data through the execution layer in ways that are harder to see and govern. In practice, that means identity control has to follow the transaction, not just the account.

For NHI and IAM teams, the key question is how OAuth grants, service accounts, tokens, and AI-driven automations are being allowed to touch business data without a clean governance boundary. The article frames this as a visibility and accountability problem across the converged SaaS and AI ecosystem, which is why categories like SSPM and ITDR alone are no longer enough. The starting point is typical, not unusual: most enterprises have already grown into this model without redesigning controls for it.

The strongest internal reference point here is the Ultimate Guide to NHIs, which remains useful for mapping non-human access patterns across provisioning, rotation, and offboarding. This topic extends that baseline into the execution layer, where runtime data movement and hidden integrations become the real governance gap.

Key questions

Q: What breaks when SaaS and AI integrations are not governed as part of identity management?

A: Security teams lose sight of who can move data across systems, which means delegated access becomes a hidden privilege layer. The failure is not just weak inventory, it is weak accountability for OAuth grants, tokens, and agent activity that continue to operate after the original approval context is forgotten.

Q: Why do service accounts, tokens, and AI agents complicate zero trust in SaaS environments?

A: Because zero trust depends on continuous verification, but SaaS and AI integrations often inherit access through delegated trust rather than fresh authentication. That makes the real risk the downstream chain of authority, where one approved connection can expose multiple systems and datasets without a new decision point.

Q: How do security teams know if their SaaS and AI governance is actually working?

A: They should be able to trace every sensitive data flow to a named identity, a named owner, and a current business purpose. If the team cannot explain which integrations exist, what data they exchange, and how revocation propagates, governance is incomplete even if the control stack looks mature.

Q: What should organisations do first when AI agents and shadow integrations are spreading?

A: Start with discovery, then rank connections by data sensitivity and delegated authority. The immediate goal is to identify which non-human identities can access regulated or confidential data, because those paths define the highest containment priority when an incident occurs.

Technical breakdown

Why the execution layer breaks perimeter-era controls

The execution layer is where software actually performs actions, exchanges data, and chains authority across systems. In a SaaS and AI environment, that layer includes OAuth-connected apps, service accounts, copilots, and agents that can move data without a human sitting in the loop. Traditional controls such as CASB, SSPM, and point-in-time reviews were built to inventory assets and permissions, but they do not fully explain what happened between systems at runtime. That gap matters because abuse often shows up as legitimate-looking traffic, not obvious intrusion. Practical implication: security teams need runtime visibility into data flow, not just configuration state.

Practical implication: Map who can act, what data they can touch, and which connections exist at runtime, then compare that against what the control stack actually observes.

OAuth governance and hidden trust chains

OAuth turns delegated access into a durable trust chain, which is useful until the grant is overbroad, unreviewed, or extended into downstream apps. In the scenario described here, a single approved integration can create a much larger web of connected systems than the original reviewers understood. That is why “approval” is not the same as governance. Once tokens and consent grants propagate, the real attack surface becomes the downstream ecosystem, not the primary application. Practical implication: treat OAuth consents as living identity objects with ownership, scope, and revocation requirements.

Practical implication: Review downstream OAuth connections, not just the first-party app, and tie each grant to a named owner and revocation path.

AI agents as masked identities inside enterprise traffic

AI agents can look like ordinary users in logs while operating with machine speed and machine-to-machine access. That creates a detection problem because behaviour analytics built around human session rhythms miss the fact that the actor is neither stable nor predictable in the same way. The more important issue is that identity classification becomes ambiguous when agents share access paths with people, bots, and integrations. That makes policy enforcement harder and audit trails less reliable. Practical implication: classify AI-connected access separately from human identity and monitor for data access patterns that exceed human-like behaviour baselines.

Practical implication: Build separate controls for agent-mediated access so human behaviour analytics do not become your only detection layer.

Threat narrative

Attacker objective: The objective is to use trusted SaaS and AI identity paths to reach sensitive data and operational access without triggering perimeter-style detection.

1. Entry begins with a legitimate SaaS integration, OAuth grant, or exposed credential that gives an attacker or abusive actor access to the execution layer rather than the network perimeter.
2. Credential abuse follows when the compromised token, API key, or delegated grant is used to query connected SaaS systems and move laterally through downstream apps.
3. Impact occurs when sensitive data, credentials, or business records are accessed, exfiltrated, or modified through trusted-looking automation paths that security teams failed to monitor in real time.

Breaches seen in the wild

• Moltbook AI agent keys breach — Moltbook breach exposed 1.5M AI agent keys.
• DeepSeek breach — DeepSeek breach exposed 1M+ log lines and sensitive secret keys.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.

NHI Mgmt Group analysis

Execution-layer governance is now the control plane that matters. Legacy categories like SSPM and ITDR are still useful, but they do not fully describe how SaaS, AI, and NHI authority actually moves across systems. Once AI agents and integrations can browse, query, and transfer sensitive data inside the enterprise, the security boundary is no longer the application owner. Practitioners need to treat runtime data movement as the governance object, not an after-the-fact log artifact.

OAuth consent has become a hidden privilege layer. The article’s breach data points to a control problem that many programmes still understate: a delegated grant can create broad access without appearing like classic privileged access. That is not just an implementation gap, it is a governance gap in how identity authority is inherited across connected systems. Teams should read every consent as a standing trust relationship until it is bounded, owned, and reviewed.

Shadow AI and shadow SaaS collapse the assumption that the attack surface is knowable at onboarding. When employees can spin up integrations without IT approval, the enterprise no longer has a stable inventory of who can move data where. That breaks the old assumption that authorization decisions are made inside a managed change process. The implication is that identity governance must start with discovery and runtime correlation, or it will certify a surface that no longer exists.

AI agents need separate governance because human identity controls do not fit machine-speed execution. Human IAM relies on behavior patterns, review cadences, and operator accountability that assume a person is behind the session. Once AI agents are acting with delegated authority across SaaS systems, the same assumptions produce blind spots in audit, review, and containment. Practitioners should stop treating agent activity as a human proxy and start governing it as a distinct non-human control domain.

Data-in-motion is now the most useful named concept for this category. The important shift is not simply that data moves, but that it moves across identities, tools, and applications faster than static inventories can keep up. That means the programme question is no longer how many tools exist, but whether the control stack can see the transfer itself. The practical conclusion is to govern the movement path, not just the source and destination.

From our research:

• 92% agree governing AI agents is critical to enterprise security, yet only 44% have implemented any policies to do so, according to AI Agents: The New Attack Surface report.
• 96% of technology professionals identify AI agents as a growing security threat, and 66% believe this risk is immediate.
• That governance gap is why practitioners should also review Ultimate Guide to NHIs for a lifecycle view of non-human access control.

What this signals

Data-in-motion will become the clearest programme signal for SaaS and AI risk. If teams cannot explain where sensitive records flow after an OAuth grant or agent action, then inventory-based governance is already behind operational reality. The next maturity step is not more tool count, but stronger correlation between identity, connection, and data sensitivity across the execution layer.

With 80% of organisations reporting AI agents acting beyond intended scope in NHIMG research, the category is moving from theoretical exposure to routine governance failure. That means IAM and security architecture teams should expect agent-mediated access to appear alongside conventional NHI sprawl, not as a separate problem. The operational response is to make runtime visibility and revocation part of the same control conversation.

Shadow SaaS and shadow AI will keep expanding unless discovery is tied to ownership. The useful question is no longer whether an integration exists, but whether any named team can defend its purpose, data access, and revocation path. For practitioner programmes, that shifts the focus toward continuous discovery and evidence-backed accountability rather than periodic approval rituals.

For practitioners

• Map the converged SaaS and AI execution layer Inventory every sanctioned and shadow integration, then identify which identities, tokens, and agents can move sensitive data between systems without human approval. Prioritise downstream connections as the real trust boundary.
• Reclassify OAuth grants as governed identity objects Assign an owner, scope, and revocation process to each consent grant and API token. Review whether the actual downstream access matches the approved business purpose, not just the initial app registration.
• Separate AI agent monitoring from human behaviour analytics Create a distinct monitoring path for agent-mediated activity so human-like baselines do not hide machine-speed data movement. Watch for unusual app-to-app transfers, full-permission app creation, and unexpected data-access chains.
• Link revocation to downstream propagation Make sure token revocation and access removal propagate across connected SaaS apps, not just the originating platform. If downstream systems keep the grant alive, the compromise is only partially contained.

Key takeaways

• The article shows that the enterprise attack surface has shifted into SaaS and AI execution, where legacy perimeter-era tools do not fully see how data and authority move.
• The evidence is stark: 99.4% of organisations saw a SaaS or AI ecosystem incident in 2025, and 86.8% still lack visibility into AI data exchange with SaaS apps.
• The practical response is to govern OAuth grants, tokens, agents, and downstream connections as living identity paths, not static configuration items.

Key terms

• Execution Layer: The execution layer is the part of the enterprise where software actually performs actions, exchanges data, and chains authority across systems. In SaaS and AI environments, it includes integrations, tokens, agents, and automations that can move sensitive information beyond the original application boundary.
• OAuth Governance: OAuth governance is the discipline of controlling delegated app access after consent is granted. It covers ownership, scope, review, revocation, and downstream propagation, because the real risk often emerges after the initial approval when connected systems inherit trust.
• Shadow AI: Shadow AI is AI tooling or agent activity that exists outside formal security governance. It can be sanctioned by individuals but not by the security programme, which means it often creates hidden data flows, weak accountability, and incomplete auditability across connected systems.
• Data-in-Motion: Data-in-motion is sensitive information while it is being transferred between systems, identities, or applications. For SaaS and AI programmes, the main concern is not only where data is stored, but which identities can move it, transform it, or expose it during transit.

Deepen your knowledge

SaaS and AI execution-layer governance is a core topic in our NHI Foundation Level course, the industry's only accredited NHI security programme. If your programme is still treating integrations as static assets, this is the place to close that gap.

This post draws on content published by Vorlon: The Front Door Is Locked. The Engine Room Is Wide Open. CSA Agentic AI Security Summit 2026 session replay. Read the original.