Accountability usually sits across the app owner, the identity team, and the business approver because the risk is created by delegated trust and then sustained by governance gaps. The organisation remains responsible for how grants are approved, monitored, and revoked. Regulators and auditors will usually ask whether the access was necessary, monitored, and removed in time.
Why This Matters for Security Teams
A third-party OAuth breach is rarely a single-team failure. It sits at the intersection of app governance, identity controls, and business approval, which is why accountability is shared even when the technical trigger is external. The organisation still owns the grant lifecycle, the scope of delegated access, and the conditions for revocation. The practical problem is visibility: according to The State of Non-Human Identity Security, 85% of organisations lack full visibility into third-party vendors connected via OAuth apps. That gap makes it hard to prove necessity, enforce least privilege, or detect abuse before data moves out.
Security teams should also treat OAuth apps as NHIs, not just “applications.” They act with delegated authority, often long after the original approval, and that authority can survive staff changes, vendor changes, or a weak offboarding process. Current guidance suggests the accountable parties are the app owner, the identity team, and the business approver, but auditors will expect evidence that each did its part. In practice, many security teams discover over-broad OAuth grants only after data exposure has already occurred, rather than through intentional governance.
How It Works in Practice
Accountability becomes clearer when the organisation maps the full lifecycle of the OAuth grant. The business approver should justify why the app needs access, the identity team should enforce policy and logging, and the app owner should confirm that the integration is still in use. If a breach occurs, the question is not only who clicked “approve,” but who allowed the grant to remain active, who monitored token use, and who failed to revoke it when conditions changed.
A workable operating model usually includes:
- Inventorying all OAuth apps and tying each one to an owner and a business purpose.
- Reviewing scopes against actual need, then removing excess permissions.
- Using short-lived tokens and rapid revocation paths for dormant or risky apps.
- Logging consent, token issuance, and admin changes so investigators can reconstruct responsibility.
- Requiring re-approval for high-risk scopes or vendor changes.
This is consistent with the risk patterns seen in real incidents such as the Salesloft OAuth token breach and the Dropbox Sign breach, where delegated access turned into an enterprise exposure path. It also aligns with the OWASP Non-Human Identity Top 10, which treats unmanaged machine identities and over-privileged credentials as recurring failure points. These controls tend to break down when SaaS sprawl and shadow IT make it impossible to maintain a trustworthy app inventory.
Common Variations and Edge Cases
Tighter OAuth governance often increases operational friction, requiring organisations to balance speed for the business against stronger approval and review controls. That tradeoff matters most in fast-moving environments where teams add SaaS tools quickly, because a rigid process can push users toward unsanctioned apps.
There is no universal standard for this yet, but current guidance suggests three common edge cases. First, if the app was approved by a business leader but not reviewed by security, accountability still extends to the approval chain because the risk was accepted without technical validation. Second, if the token was issued through a vendor platform, the vendor may be a causal factor but not the accountable owner of the enterprise grant. Third, if the breach involved a compromised third-party integration rather than malicious intent by the app owner, the organisation still owns its monitoring, scope limitation, and revocation duties.
Practitioners should also distinguish between blame and control ownership. The external vendor may have caused the initial exposure, but the enterprise controls the trust boundary. That is why post-incident reviews should reference both the The 52 NHI breaches Report and the Shai Hulud npm malware campaign: third-party trust often fails at the seams between approval, monitoring, and offboarding.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-02 | OAuth apps are delegated machine identities that need least-privilege control. |
| NIST CSF 2.0 | PR.AC-4 | Covers access approvals and ongoing authorization of third-party app access. |
| NIST AI RMF | Governance is needed to assign accountability across autonomous delegated access. |
Define ownership, oversight, and escalation for any third-party integration with enterprise data.
Related resources from NHI Mgmt Group
- Who is accountable when a third-party NHI causes PCI scope exposure?
- Who is accountable when a user grants a risky third-party app access?
- Who is accountable for third-party access after a campaign or project ends?
- Who is accountable when a third-party integration keeps an NHI active after the business need ends?
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on June 6, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
