TL;DR: SaaS and AI risk converged in 2025 as third-party AI tools, OAuth integrations, and browser-based adoption expanded the attack surface, while high-impact SaaS breaches showed how trusted identities can propagate compromise across hundreds of organisations, according to Valence Security. The control gap is now about delegated access, browser context, and remediation speed, not perimeter defence.
At a glance
What this is: This analysis argues that SaaS and AI security are converging around identity, integrations, and browser-level context, with 2025 breaches showing how trusted access can spread across connected systems.
Why it matters: For IAM and NHI practitioners, the lesson is that OAuth grants, sessions, and agentic access now need governance that is continuous, contextual, and tied to blast-radius reduction.
👉 Read Valence Security's analysis of why SaaS and AI security will diverge in 2026
Context
SaaS and AI security now sit inside the same identity problem space. The practical issue is not only how applications are discovered, but how access is delegated through OAuth, browser sessions, and connected workflows that can spread compromise beyond a single application. For IAM and NHI teams, this shifts the control question from who logged in to what that access can silently trigger across SaaS and AI systems.
Valence Security's December 29, 2025 analysis uses 2025 breach patterns and adoption trends to argue that traditional point controls no longer map cleanly to modern SaaS ecosystems. That starting position is increasingly typical, not exceptional, because third-party AI tools are entering through the same identity pathways as SaaS, while the underlying trust model remains fragmented.
The result is an expanding governance gap. Security leaders now need to account for machine-speed changes, delegated authorization, and downstream access propagation, which means browser context and lifecycle controls matter as much as posture scoring.
Key questions
Q: How should security teams govern AI agents that use SaaS integrations?
A: Security teams should govern AI agents as non-human identities with explicit owners, bounded scopes, and revocation paths. Each agent should have a documented purpose, approved OAuth grants, and monitoring for unexpected tool use. If an agent can change data or trigger workflows, it needs lifecycle controls, not just application-level permissions.
Q: Why do SaaS and AI environments increase identity risk?
A: SaaS and AI environments increase identity risk because access is delegated through OAuth, sessions, and integrations that can propagate beyond the original user or app. A single granted permission can expose multiple systems if it is reused across workflows. The result is larger blast radius and slower detection of misuse.
Q: What is the difference between posture management and identity governance in SaaS security?
A: Posture management shows whether a configuration looks safe at a point in time. Identity governance controls who or what can actually act, for how long, and under what conditions. In SaaS and AI environments, posture without governance leaves trusted access paths open even when settings appear compliant.
Q: When does browser context matter more than API monitoring?
A: Browser context matters more when user sessions, interactive approvals, and AI-assisted actions determine what happens next. API monitoring can show a request, but browser data can reveal intent, session reuse, and real-time misuse. For modern SaaS risk, both are needed, but browser context often closes the visibility gap.
Technical breakdown
Why OAuth grants and browser sessions create hidden SaaS trust chains
Modern SaaS risk is often defined by delegated access rather than direct account compromise. OAuth grants let one application act on behalf of a user, while browser sessions preserve access without forcing repeated authentication. When AI tools are added through the same pathways, the trust chain becomes longer and harder to inspect. The security problem is not merely authentication. It is authorization persistence across services that were never designed to be evaluated as a single control plane. That is why a narrow app-by-app review misses the real blast radius.
Practical implication: Map and review delegated access paths as identity assets, not just application settings.
How AI agents change SaaS and NHI governance
AI agents are not just another integration. They can execute actions, chain tool calls, and operate across SaaS platforms with permissions that resemble service accounts but behave more dynamically. That creates a governance mismatch. Traditional periodic access reviews assume a stable human user or a static service identity. Agentic systems can expand scope through workflows, plugin calls, and ambient trust in browser sessions or OAuth scopes. In effect, the identity is active, but the decision-making is distributed across tools and prompts.
Practical implication: Treat AI agents as governed non-human identities with explicit scope, review, and revocation controls.
Why remediation now matters more than visibility in SaaS security
Visibility remains necessary, but it does not reduce risk on its own. SaaS environments change too quickly for dashboards to be the end state. The harder problem is translating discovery into policy-driven action, such as revoking risky grants, limiting session scope, and shortening time-to-remediate after exposure is identified. In environments where one compromise can cascade across connected customers or systems, delayed response creates residual trust debt. Governance is therefore measured by how quickly the organisation can change access, not by how much it can observe.
Practical implication: Build remediation workflows that can revoke, constrain, and re-evaluate access continuously.
Threat narrative
Attacker objective: The objective is to turn a limited foothold into broad downstream access by exploiting trust relationships inside the SaaS and AI ecosystem.
- Entry begins through browser-based adoption, OAuth grants, or trusted integrations rather than a conventional exploit path.
- Escalation occurs when the attacker uses delegated access or stolen session context to move through connected SaaS workflows and associated identities.
- Impact is reached when compromise propagates across downstream systems, customers, or linked applications through trusted authorization chains.
Breaches seen in the wild
- Salesloft OAuth token breach — hackers stole OAuth tokens to access Salesforce data via Salesloft.
- Dropbox Sign breach — compromised Dropbox Sign service account exposed API keys and OAuth tokens.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
SaaS and AI security has become an identity governance problem, not a tooling category problem. The article is right to treat SaaS, AI, browser context, and integrations as one ecosystem because attackers already do. Separate control silos will keep missing the propagation path that matters most. Practitioners should reorganise around delegated access, reviewable trust, and rapid revocation.
Browser context is emerging as the missing layer in SaaS governance. Access logs and posture data tell only part of the story when sessions and user actions drive risk in real time. Without session context, teams cannot tell whether access was benign, automated, or abused. The practical conclusion is that browser-level telemetry belongs in the NHI and IAM control model.
Ephemeral access without lifecycle control creates a new form of trust debt. AI tools may appear temporary, but their OAuth grants, sessions, and shared credentials can persist longer than intended. That makes cleanup and offboarding as important as initial approval. Teams should design for revocation speed, not just onboarding speed.
The market is moving toward continuous governance for machine actors. Static review cycles are misaligned with the pace of SaaS change and agentic automation. That does not mean every workload needs the same control, but it does mean organisations need policy-based guardrails that can follow the access wherever it moves. The field should expect more convergence between NHI governance, SaaS security, and agentic AI controls.
Identity blast radius should become a core operating metric. Once trusted integrations can propagate compromise across customers, the question is no longer whether a system is exposed but how far a single identity failure can travel. That is the metric boards and security leaders should pressure-test. Practitioners should measure containment by blast radius, not by incident count alone.
From our research:
- 70% of organisations grant AI systems more access than they would give a human employee performing the exact same job, according to The 2026 Infrastructure Identity Survey.
- Only 44% of organisations have implemented any policies to manage their AI agents, even though 92% agree governing AI agents is critical to enterprise security.
- That gap makes Ultimate Guide to NHIs , Lifecycle Processes for Managing NHIs a useful next step for teams formalising ownership and offboarding.
What this signals
Identity blast radius: the practical unit of SaaS and AI risk is no longer a single app, but the chain of delegated access that app can trigger. As organisations add more browser-mediated automation, they will need controls that measure how far a compromised session can travel. That is a governance problem, not just a detection problem.
With 70% of organisations already granting AI systems more access than they would give a human employee performing the exact same job, per the 2026 Infrastructure Identity Survey, the access model is already out of sync with traditional least-privilege assumptions. Security teams should expect more pressure to inventory agent permissions, not just human entitlements.
The response pattern should shift from static review cycles to continuous revocation and re-approval. That is where IAM, NHI, and SaaS security converge in practice, because the control objective is to shorten the time a risky grant remains valid. Teams that cannot do that will continue to see visibility without containment.
For practitioners
- Define delegated-access inventory Catalog OAuth grants, browser sessions, service accounts, and AI tool connections as governed identities with owners, purpose, and revocation paths.
- Add browser context to access reviews Incorporate session activity, high-risk app interactions, and real-time usage signals into periodic entitlement reviews so approvals reflect actual behaviour.
- Automate revocation workflows for risky grants Tie detection of unusual SaaS or AI access to immediate revocation, step-up verification, or scoped re-approval rather than waiting for manual remediation windows.
- Treat AI agents as non-human identities Assign each agent a bounded identity, explicit tool scope, and documented offboarding process so automation cannot outlive its business purpose.
Key takeaways
- SaaS and AI now share the same trust pathways, so identity governance must cover OAuth grants, sessions, and integrations together.
- The scale problem is already visible: 70% of organisations give AI systems more access than a human would receive for the same job.
- Practitioners should prioritise continuous revocation, browser context, and blast-radius reduction over isolated posture checks.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | AI agents expanding access scopes match agentic AI identity risk concerns. | |
| NIST CSF 2.0 | PR.AC-4 | Delegated SaaS access and session control align with least-privilege access management. |
| NIST Zero Trust (SP 800-207) | ID | The article centres on continuous verification across dynamic SaaS trust chains. |
Treat delegated sessions and OAuth paths as identities that require continuous verification.
Key terms
- Delegated Access: Delegated access is permission that lets one application or service act on behalf of a user or another identity. In SaaS and AI environments, it often travels through OAuth grants, sessions, or integrations, which means the real security question is how far that delegated power can spread.
- Identity Blast Radius: Identity blast radius is the amount of damage that can result when one identity is compromised. In modern SaaS and AI ecosystems, it describes how quickly a single grant, token, or session can propagate into connected applications, customers, or workflows.
- Browser Context: Browser context is the session and interaction data generated while users work in SaaS and AI tools. It helps security teams understand intent, automation, and misuse more accurately than configuration data alone, especially when identity, approvals, and workflows all happen in the browser.
- Non-Human Identity: A non-human identity is any digital identity used by software rather than a person. It includes service accounts, API keys, tokens, certificates, bots, workloads, and AI agents. These identities need lifecycle controls because they can act, inherit trust, and accumulate privilege just like users.
Deepen your knowledge
SaaS and AI identity governance is a core topic in our NHI Foundation Level course, the industry's only accredited NHI security programme. If your team is trying to connect delegated access, lifecycle controls, and AI oversight, it is worth exploring.
This post draws on content published by Valence Security: Why SaaS and AI Security Will Look Very Different in 2026. Read the original.
Published by the NHIMG editorial team on 2026-01-15.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
