TL;DR: Attackers are increasingly weaponizing trust links such as OAuth tokens, service accounts, and consent flows to persist across SaaS and cloud environments, while Delinea Labs notes 524 identity-related CVEs in October, including 43 in identity products. The real failure is that identity programmes still assume trust boundaries remain stable long enough for review, rotation, and detection to catch up.
NHIMG editorial — based on content published by Delinea: Trust eroding, Delinea Labs November 2025 Threat Outlook
By the numbers:
- Across the ecosystem, 524 identity-related CVEs were recorded in October, including 43 within identity products themselves.
- When AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes and as quickly as 9 minutes in some cases.
Questions worth separating out
Q: How should security teams govern OAuth tokens and service accounts in cloud environments?
A: Treat OAuth tokens and service accounts as governable identities, not just technical artefacts.
Q: Why do machine identities increase blast radius when trust is reused across tenants?
A: Machine identities increase blast radius because they often carry reusable trust into multiple systems without human-style friction such as MFA prompts or step-up checks.
Q: What do security teams get wrong about app consent and low-code integrations?
A: Teams often treat consent as a one-time user action instead of a lifecycle-managed access grant.
Practitioner guidance
- Map every trust-bearing credential: inventory OAuth tokens, service accounts, API keys, and connector grants together so the team can see where trust is delegated outside interactive authentication.
- Review third-party consent and connector sprawl: re-certify app consents, low-code connectors, and delegated permissions on a fixed schedule and revoke anything that no longer has an owner or business purpose.
- Treat machine identity ownership as mandatory: assign a named owner for every non-human credential, define the expected use case, and alert when it is used outside that pattern.
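The three guidance items above, combined into one inventory review pass, as an added example (not code from the NHIMG post or from Delinea). The credential records, the usage events, and the 90-day re-certification interval are constructed assumptions; the article gives no such values.

```python
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, List, Optional, Tuple

RECERT_DAYS = 90  # assumed re-certification interval; the article gives no number


@dataclass(frozen=True)
class Credential:
    """One trust-bearing, non-interactive credential from the inventory."""
    name: str
    kind: str                      # oauth_token | service_account | api_key | connector_grant
    owner: Optional[str]           # named human owner, None if nobody claims it
    purpose: Optional[str]         # documented business purpose, None if unknown
    last_certified: Optional[date]  # last consent / access re-certification
    allowed_sources: FrozenSet[str]  # systems expected to present this credential


def review_inventory(creds: List[Credential], usage: List[Tuple[str, str]],
                     today: date) -> List[Tuple[str, str]]:
    """Apply the three checks from the guidance and return (credential, finding) pairs:
    missing owner/purpose, overdue re-certification, and use outside the expected pattern."""
    findings = set()
    by_name = {c.name: c for c in creds}
    for c in creds:
        if not c.owner or not c.purpose:
            findings.add((c.name, "no_owner_or_purpose"))        # candidate for revocation
        if c.last_certified is None or (today - c.last_certified).days > RECERT_DAYS:
            findings.add((c.name, "recertification_overdue"))
    for cred_name, source in usage:                              # usage = (credential, caller)
        c = by_name.get(cred_name)
        if c is None:
            findings.add((cred_name, "unknown_credential_in_use"))  # trust nobody inventoried
        elif source not in c.allowed_sources:
            findings.add((cred_name, "use_outside_expected_pattern"))
    return sorted(findings)


# Constructed sample inventory and usage log (hypothetical names, not from the article)
TODAY = date(2025, 11, 15)
INVENTORY = [
    Credential("crm-sync-token", "oauth_token", "alice", "CRM to warehouse sync",
               date(2025, 10, 1), frozenset({"etl-worker"})),
    Credential("legacy-build-sa", "service_account", None, None,
               date(2025, 3, 1), frozenset({"ci-runner"})),
    Credential("slack-connector", "connector_grant", "bob", "Ticket notifications",
               None, frozenset({"lowcode-platform"})),
]
USAGE = [("crm-sync-token", "etl-worker"), ("crm-sync-token", "laptop-bob"),
         ("legacy-build-sa", "ci-runner"), ("orphan-key", "unknown-host")]

if __name__ == "__main__":
    for name, finding in review_inventory(INVENTORY, USAGE, TODAY):
        print(f"{name}: {finding}")
```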
What's in the full article
Delinea's full blog covers the operational detail this post intentionally leaves for the source:
- Monthly breach and vulnerability examples behind the trust-eroding theme, including how Delinea Labs grouped the evidence.
- Specific examples of token abuse, machine identity exposure, and low-code consent misuse that informed the outlook.
- The four priorities Delinea recommends for enterprises preparing for the next phase of identity attacks.
- The article's framing of identity-focused ransomware and cross-tenant trust abuse in more detail.
👉 Read Delinea's November 2025 threat outlook on trust erosion and identity abuse →