
Credential stores for delegated access: what IAM teams are missing


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 6713
Topic starter  

TL;DR: Platforms that store customer OAuth tokens and API keys are now governing delegated production access, not just their own credentials, according to Hush Security’s analysis of the Composio incident. The governance problem is architectural: once a platform holds live customer secrets, blast-radius control and revocation speed become the critical security variables.

NHIMG editorial — based on content published by Hush Security: customer-held OAuth tokens and the credential-store threat model

By the numbers:

Questions worth separating out

Q: How should security teams govern customer OAuth tokens held by a platform?

A: Treat them as managed non-human identities with explicit ownership, scope, lifecycle state, and revocation responsibility.

Q: Why does a breach of an integration platform create downstream risk for customers?

A: Because the attacker can use valid customer-authorised tokens to access third-party systems without breaking normal authentication patterns.

Q: How do organisations know whether delegated credential governance is working?

A: Look for a complete, queryable inventory, short-lived exposure windows, low scope drift, and automated revocation that does not depend on manual triage.

Practitioner guidance

  • Inventory every delegated credential: Maintain a live register of every OAuth token, API key, certificate, and connected tool, including owner, tenant, scope, creation date, and last-use timestamp.
  • Downscope what the integration actually uses: Compare granted scopes to observed runtime access and remove excess permissions through re-authorization or per-tool scope redesign.
  • Make revocation a single auditable action: Support immediate revocation by customer, by tool, and across the full store, with automation that removes the manual steps from incident response.

With 28.65 million new hardcoded secrets detected in public GitHub commits in 2025 alone, per The State of Secrets Sprawl 2026, the broader signal is that secret sprawl is already large enough to make inventory quality a business issue.

👉 Read Hush Security's analysis of customer-held OAuth tokens and credential-store risk →
