An integration becomes too risky when it has broad scopes, no clear owner, no recent use, or access to sensitive data that exceeds its purpose. If the token cannot be justified, monitored, and revoked quickly, the cost of keeping it usually exceeds the business value.
Why This Matters for Security Teams
The risk question is not whether an integration is still “useful.” It is whether the integration still has a defensible security purpose, with an owner who can explain its scope, approve its access, and revoke it fast enough to matter. That decision becomes more urgent when the integration sits on customer data, admin APIs, or production systems. NHI governance guidance from Top 10 NHI Issues and the NIST Cybersecurity Framework 2.0 both point to the same practical reality: asset visibility, ownership, and access review are baseline controls, not optional extras.
What teams often underestimate is the difference between “an integration exists” and “an integration is still justified.” A token with broad scopes can be harmless for months and then become the easiest path to data exfiltration once the vendor relationship, business process, or ownership changes. NHIMG research shows that 97% of NHIs carry excessive privileges, which is a strong signal that many integrations are left with more access than their actual use requires. In practice, many security teams encounter overprivileged, unowned integrations only after an incident forces a cleanup, rather than through intentional lifecycle management.
How It Works in Practice
A practical risk test starts with four questions: who owns it, what does it access, when was it last used, and how quickly can it be revoked? If the answers are vague, the integration is drifting toward unacceptable risk. The strongest pattern is to treat each SaaS integration like any other non-human identity: assign an accountable owner, define the exact business purpose, scope the token to the minimum permissions, and set a review date that forces a decision before the token becomes permanent.
When teams can, they should prefer short-lived secrets, JIT credential provisioning, and explicit approval paths over standing tokens. That aligns with NIST guidance on least privilege and continuous monitoring, and it fits the operational lessons in Salesloft OAuth token breach, where long-lived access became a direct route to sensitive systems. It also mirrors the broader NHI pattern highlighted in Ultimate Guide to NHIs — Key Challenges and Risks: secrets that are hard to discover, rotate, or revoke tend to become dormant attack paths.
- Reduce scopes to the exact SaaS objects and actions the integration needs.
- Set a hard TTL for secrets and renew only after business validation.
- Log use, owner, and last-verified date so stale tokens are obvious.
- Revoke immediately when the workflow changes, the vendor changes, or the owner leaves.
These controls tend to break down in legacy SaaS ecosystems where token rotation is manual, service ownership is split across teams, and revocation can silently break critical workflows.
Common Variations and Edge Cases
Tighter revocation rules often increase operational overhead, requiring organisations to balance reduced exposure against workflow stability and support load. That tradeoff is why current guidance suggests a risk-based threshold rather than a single universal expiry date for every integration. A low-risk reporting connector is not the same as a token that can modify payroll, delete records, or pull regulated customer data.
The hardest edge cases are “shadow” integrations, inherited tokens from departing employees, and vendor-managed connections where internal teams do not control the credential lifecycle. In those situations, the key question is not whether the integration still works, but whether it can be proven safe under OWASP NHI Top 10-style controls and monitored through a recognised security framework such as the NIST Cybersecurity Framework 2.0. If ownership is unclear, the scope is broad, and revocation would require a cross-team fire drill, the integration is already operating beyond a reasonable security posture. That is especially true when the integration touches high-value SaaS platforms similar to the BeyondTrust API key breach pattern, where a single credential can unlock much larger trust chains.
There is no universal standard for when every integration must be retired, but the practical line is clear: if the access cannot be justified, monitored, and quickly removed, keeping it is a business convenience, not a security decision.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Focuses on credential lifecycle and revocation for non-human identities. |
| NIST CSF 2.0 | PR.AC-4 | Least-privilege access and access review map directly to risky SaaS integrations. |
| NIST AI RMF | Governance and accountability principles support decisions on whether integrations remain justified. |
Review each SaaS integration for scope, ownership, and rotation, then retire tokens that cannot be promptly revoked.
Related resources from NHI Mgmt Group
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on May 27, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
