What breaks is the assumption that a marketplace badge means the app is safe, proportionate, or still accountable. OAuth consent creates standing delegated access, so a listed app can still carry excessive scopes, outlive its publisher, or continue operating after the original risk decision has changed. Governance has to follow the grant, not the badge.
Why This Matters for Security Teams
Marketplace approval is often treated as a proxy for trust, but OAuth apps do not inherit safety from a directory badge. The real risk sits in the delegated grant: scopes can be broader than intended, access can persist after the original review, and the app can continue acting even when ownership, code quality, or business need has changed. This is why NHI governance has to track the token grant lifecycle, not just the app listing.
In practice, teams that rely on marketplace status usually discover the problem through a breach or a post-incident review, not through a proactive access decision. NHIMG research shows that 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, which makes default approval especially dangerous when grants are hard to inventory or explain. That pattern has appeared in incidents such as the Salesloft OAuth token breach and the Dropbox Sign breach.
NIST Cybersecurity Framework 2.0 reinforces the basic point: asset and access governance must remain continuous, not one-time. Marketplace approval without ongoing review is a control gap, not a control.
How It Works in Practice
Approved-by-default marketplace apps usually fail in three places. First, the app request is judged before the actual data paths are known, so consent is granted for broad scopes that exceed the business use case. Second, once the grant exists, it behaves like standing delegated access until someone actively removes it. Third, many organisations do not have reliable ownership data, so no one notices when the app publisher changes, the integration is abandoned, or the app starts accessing more data than intended.
The practical response is to treat OAuth apps as governed NHIs with their own lifecycle. Security teams should review the requested scopes, confirm the business owner, map the data sources reached by the token, and set time-bound review intervals. Where possible, use conditional approval workflows that require risk review for high-impact scopes, rather than whitelisting everything from a marketplace. This aligns with the wider NHI discipline described in the Ultimate Guide to NHIs — The NHI Market, especially around visibility, offboarding, and secrets governance.
- Approve based on requested scopes, not app popularity or vendor branding.
- Record the business justification and named owner for every grant.
- Review dormant, unused, or over-scoped apps on a fixed cadence.
- Revoke grants when the use case, publisher, or risk posture changes.
- Log token use so access can be traced after the approval decision.
For control mapping, NIST guidance on continuous monitoring and least privilege is the right baseline, but current guidance suggests organisations still need explicit OAuth-specific review steps because marketplace ecosystems move faster than traditional access review cycles. These controls tend to break down in large SaaS estates with hundreds of low-friction integrations because ownership, scope sprawl, and shadow app discovery become operationally hard to keep aligned.
Common Variations and Edge Cases
Tighter OAuth governance often increases admin overhead, so organisations have to balance user friction against exposure from unnecessary standing access. That tradeoff becomes sharper in environments that rely on SaaS automation, data pipelines, or third-party workflow tools, where legitimate integrations are frequent and revocation mistakes can interrupt business processes.
Best practice is evolving for marketplace-listed apps that request sensitive scopes such as mail access, file read/write, offline refresh tokens, or admin-level APIs. There is no universal standard for this yet, but the emerging pattern is to require stronger assurance for high-risk scopes, separate low-risk convenience apps from production integrations, and force periodic re-approval when an app can persist without human interaction.
Edge cases include vendor-maintained apps that are technically legitimate but still over-privileged, apps that survive a publisher acquisition or sunset, and apps installed by a single department that later become enterprise-wide data conduits. In those situations, the badge remains irrelevant if the grant is broad, long-lived, or no longer aligned to business need. The approval decision must follow the actual access path, not the marketplace label.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | Marketplace OAuth apps are NHI grants that need inventory and ownership. |
| NIST CSF 2.0 | PR.AC-4 | Standing delegated access must be limited and reviewed continuously. |
| NIST AI RMF | Governance should assess risk continuously as access and context change. |
Use AI RMF-style ongoing risk evaluation to keep delegated access aligned to current business purpose.
Related resources from NHI Mgmt Group
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on June 10, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
