Notifications
Clear all
Topic starter
12/05/2026 2:33 pm
TL;DR: Attackers compromised Drift, harvested Salesforce OAuth tokens, and then used scripted tools to exfiltrate customer records across finance, HR, and SaaS environments, according to Salesloft and Google Threat Intelligence. The breach shows that OAuth-connected AI chat integrations can become shared non-human identity blast radii unless access, ownership, and revocation are tightly governed.
NHIMG editorial — based on research published by Entro Security.
Questions worth separating out
Q: How should security teams govern OAuth-connected AI integrations?
A: Treat them as non-human identities with owners, scopes, and a lifecycle.
Q: Why are OAuth tokens risky in SaaS integrations?
A: OAuth tokens are risky because they can preserve delegated access after the original user action is long gone.
Q: What is the difference between a SaaS app permission and a human user session?
A: A human session is usually short-lived, interactive, and constrained by user context.
Practitioner guidance
- Map every OAuth-connected AI integration Inventory each integration, record the business owner, the data it can access, and the exact scopes granted.
- Reduce standing privilege in token scopes Remove broad scopes that are not required for daily operation and prefer narrower delegated permissions where the platform supports them.
- Build API exfiltration detections Alert on unusual query volume, bulk record export behaviour, and token use from atypical automation patterns.
With 85% of organisations lacking full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security, the programme-level response has to be continuous discovery, not annual review?
👉 Read Salesloft's analysis of the Drift OAuth token breach and Salesforce exposure →
Explore further
View Full Forum → | NHI Foundation Course → | Our Services →
12/05/2026 2:33 pm
A few things worth adding from our research at NHI Mgmt Group.
OAuth-connected AI tools should now be treated as first-class NHIs, not helper apps. They hold delegated authority, persistent scopes, and revocation risk just like service accounts and API keys. The governance mistake is assuming that a user-installed integration is lower risk than a backend identity. Practitioners should place these apps inside the same ownership, review, and monitoring model used for other non-human identities.
A few things that frame the scale:
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
- Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared with nearly 1 in 4 for securing human identities.
A question worth separating out:
Q: How can organisations detect token abuse before data loss becomes large?
A: Baseline normal API behaviour for each integration, then alert on bulk exports, unusual query volume, unusual timing, and repeated access across many records. Pair that monitoring with fast token revocation and owner notification. The goal is to spot machine-speed extraction while it still looks abnormal enough to stop.
👉 Read our full editorial: OAuth token abuse shows how AI chat integrations widen NHI risk
