Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

OAuth token abuse and machine identities: what IAM teams must address


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 12212
Topic starter  

TL;DR: Attackers are increasingly weaponizing trust links such as OAuth tokens, service accounts, and consent flows to persist across SaaS and cloud environments, while Delinea Labs notes 524 identity-related CVEs in October, including 43 in identity products. The real failure is that identity programmes still assume trust boundaries remain stable long enough for review, rotation, and detection to catch up.

NHIMG editorial — based on content published by Delinea: Trust eroding, Delinea Labs November 2025 Threat Outlook

By the numbers:

Questions worth separating out

Q: How should security teams govern OAuth tokens and service accounts in cloud environments?

A: Treat OAuth tokens and service accounts as governable identities, not just technical artefacts.

Q: Why do machine identities increase blast radius when trust is reused across tenants?

A: Machine identities increase blast radius because they often carry reusable trust into multiple systems without human-style friction such as MFA prompts or step-up checks.

Q: What do security teams get wrong about app consent and low-code integrations?

A: Teams often treat consent as a one-time user action instead of a lifecycle-managed access grant.

Practitioner guidance

  • Map every trust-bearing credential Inventory OAuth tokens, service accounts, API keys, and connector grants together so the team can see where trust is delegated outside interactive authentication.
  • Review third-party consent and connector sprawl Re-certify app consents, low-code connectors, and delegated permissions on a fixed schedule and revoke anything that no longer has an owner or business purpose.
  • Treat machine identity ownership as mandatory Assign a named owner for every non-human credential, define the expected use case, and alert when it is used outside that pattern.

What's in the full article

Delinea's full blog covers the operational detail this post intentionally leaves for the source:

  • Monthly breach and vulnerability examples behind the trust-eroding theme, including how Delinea Labs grouped the evidence.
  • Specific examples of token abuse, machine identity exposure, and low-code consent misuse that informed the outlook.
  • The four priorities Delinea recommends for enterprises preparing for the next phase of identity attacks.
  • The article's framing of identity-focused ransomware and cross-tenant trust abuse in more detail.

👉 Read Delinea's November 2025 threat outlook on trust erosion and identity abuse →

OAuth token abuse and machine identities: what IAM teams must address?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11787
 

Trust chains have become the new perimeter failure. This outlook is not really about passwords disappearing, it is about permissions and delegated trust replacing the login screen as the attacker’s preferred entry point. OAuth grants, SaaS connectors, and service accounts can all preserve legitimacy while transferring risk across systems. The practical conclusion is that identity governance now has to follow trust relationships end to end, not just user authentication events.

A few things that frame the scale:

  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, which means most teams are still trying to govern machine identity with partial inventories.

A question worth separating out:

Q: Who is accountable when a third-party connector expands the identity attack surface?

A: Accountability should sit with the business owner of the integration and the identity team that approved the trust relationship. If a connector can expose data or extend access, it needs a named owner, an approval record, and a revocation path when the relationship changes.

👉 Read our full editorial: Trust erosion is the new identity risk in cloud environments



   
ReplyQuote
Share: