Accountability sits with the organisation that owns the delegated access path, even if the token originated from a third-party service. Security, application, and SaaS owners all need a defined revocation process and an incident playbook. If the integration can reach customer data, it must be governed like any other privileged identity.
Why This Matters for Security Teams
When a saas integration exposes customer data, the failure is rarely just “a bad token.” It is usually a governance gap across delegation, revocation, and ownership of the access path. The organisation that approved the integration must treat it like any other privileged identity, because the blast radius follows the data path, not the vendor brand. NHIMG research shows that 92% of organisations expose NHIs to third parties, which makes delegated access a common and repeatable exposure point. The same pattern appears in incidents such as the Salesloft OAuth token breach and the BeyondTrust API key breach, where the integration path became the attack path.
Security teams often assume that a third-party SaaS provider “owns” the risk once an OAuth grant or API key is issued. Current guidance suggests the opposite: the business that uses the integration remains accountable for the data it can reach, the scopes it has, and the speed of revocation when something goes wrong. That is why integration review, secrets handling, and incident response must be owned jointly by security, application owners, and the SaaS product owner. In practice, many organisations only discover the weakness after an unexpected data access event, rather than through intentional integration governance.
How It Works in Practice
Accountability should follow a simple operating rule: whoever can approve, renew, or revoke the delegated access path is accountable for its security. That means the integration owner needs documented approval for scopes, a named revocation contact, and a tested process for disabling access without waiting for the vendor. For OAuth-based integrations, the important control is not just token issuance but token lifecycle management, including short expiry, refresh-token protection, and revocation on employee offboarding, app decommissioning, or abnormal behaviour.
For API-key and service-account based integrations, the same logic applies with even more urgency because long-lived secrets often outlive the system they were created for. NHIMG’s Ultimate Guide to NHIs — Why NHI Security Matters Now notes that 96% of organisations store secrets outside secrets managers in vulnerable locations, which turns a delegated integration into a durable exposure if revocation is weak. NIST guidance on least privilege and continuous authorization supports the same model, while OWASP’s NHI guidance and the CISA Zero Trust Maturity Model reinforce the need to verify access continuously rather than trusting the initial grant.
- Map each integration to a named business owner, technical owner, and security reviewer.
- Record the exact scopes, data classes, and systems reachable by the token or key.
- Use short-lived credentials where possible and rotate or revoke on a fixed schedule.
- Test revocation in production-like conditions before an incident forces the first attempt.
- Log token use, unusual geographies, and data access volume for rapid response.
This guidance tends to break down in environments where SaaS applications share a single service account across many workflows, because revocation becomes operationally disruptive and ownership is diluted across teams.
Common Variations and Edge Cases
Tighter delegation controls often increase operational overhead, requiring organisations to balance faster integration delivery against stronger accountability and revocation discipline. There is no universal standard for shared SaaS integrations yet, so current guidance suggests treating edge cases explicitly rather than relying on informal “it is just a vendor app” assumptions.
One common exception is multi-tenant SaaS where the provider controls the underlying platform but the customer controls configuration, scopes, and connected apps. In that case, accountability is split, but customer-side exposure is still owned by the organisation that enabled the connection. Another edge case is a marketplace app that can only read limited metadata. Even then, metadata can become sensitive when combined with customer records, so access review should be based on effective reach, not vendor marketing descriptions.
For organisations handling high-value customer data, the safest pattern is to govern integrations like privileged NHIs and to align response playbooks with lessons from incidents such as the 52 NHI Breaches Analysis. When an integration is mission-critical, best practice is evolving toward runtime policy checks, scoped tokens, and immediate disablement paths that do not depend on vendor support. The real-world failure mode is usually not a missing policy, but a policy that exists on paper and cannot be executed quickly enough when customer data is already exposed.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Revocation and rotation gaps drive SaaS integration exposure. |
| NIST CSF 2.0 | PR.AC-4 | Delegated SaaS access must be managed as least privilege. |
| NIST Zero Trust (SP 800-207) | AC-4 | Zero Trust requires continuous verification of integration access. |
Assign owners, rotate secrets, and revoke delegated access immediately when scope or risk changes.
Related resources from NHI Mgmt Group
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on June 7, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
