OAuth grants can outlive the original login and keep working through refresh tokens even after a password changes. That means the security problem is delegated persistence, not just authentication failure. If users can approve broad scopes without review, the organisation inherits long-lived access that is hard to see and harder to unwind.
Why This Matters for Security Teams
OAuth grants are often treated like ordinary login events, but the real risk is delegated access that persists after the original user context changes. Refresh tokens, broad scopes, and third-party app approvals can keep a pathway open long after a password reset, MFA challenge, or account suspension. That turns a single approval into an ongoing control problem across identity, logging, revocation, and vendor exposure. The gap is especially visible in third-party integrations, where Astrix Security & CSA found that 85% of organisations lack full visibility into OAuth-connected vendors. NIST’s NIST Cybersecurity Framework 2.0 reinforces the point: access governance is not secure if the organisation cannot inventory, review, and revoke what it cannot see. In practice, many security teams encounter OAuth abuse only after data has already been exported or a connected app has already been weaponised, rather than through intentional review.How It Works in Practice
OAuth grants create risk because they separate authentication from authorisation and then extend that authorisation over time. A user may consent once, but the app can continue using refresh tokens to obtain new access tokens without re-prompting the user. If the app requested broad scopes, it may inherit the ability to read mail, files, CRM data, or messaging history even when the original need was narrow. That is why incidents such as the Salesloft OAuth token breach and the Dropbox Sign breach matter: they show how trusted integrations can become durable access paths into core systems.Operationally, good control means more than password resets. Teams should pair consent review with token inventory, app allowlisting, scope minimisation, conditional access, and revocation workflows that actually reach third-party integrations. A practical approach is to classify grants by sensitivity, then require periodic re-authorisation for high-risk scopes and remove stale apps automatically. Where possible, align the process with identity governance and logging so that an inherited grant is treated like any other privileged entitlement. OWASP’s OWASP NHI Top 10 and NIST CSF both support this direction, but current guidance suggests the exact review cadence should be risk-based rather than fixed across every app.
These controls tend to break down when OAuth is embedded in business workflows with dozens of shadow integrations, because ownership and revocation authority are unclear.
Common Variations and Edge Cases
Tighter OAuth governance often increases friction for users and administrators, so organisations have to balance consent speed against access durability. Some teams try to solve the problem with blanket denial, but that can push users toward unmanaged alternatives and create even less visibility. The more common edge case is a legitimate workflow that depends on long-lived access, such as background sync, support tooling, or automation accounts. In those environments, best practice is evolving toward time-bounded approval, scoped service principals, and explicit re-certification rather than indefinite user consent. There is no universal standard for this yet, so policy should reflect the sensitivity of the target system and the blast radius of the integration.OAuth grants also become harder to govern when they are tied to external vendors, because revocation inside the enterprise does not always stop the vendor-side process that already copied or cached data. That is why NHI visibility matters as much as login security. The Top 10 NHI Issues and Ultimate Guide to NHIs — Key Challenges and Risks are useful reminders that granted access, not just authenticated sessions, is what must be governed. In practice, the hardest cases are the ones that look like normal productivity tooling until a compromised token turns them into a quiet data-exfiltration path.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | OAuth grants behave like long-lived NHI credentials and need rotation/revocation. |
| NIST CSF 2.0 | PR.AC-4 | Access management must cover delegated OAuth entitlements, not just logins. |
| NIST AI RMF | Persistent delegated access is a governance risk that needs oversight and accountability. |
Assign ownership for delegated access, monitor it continuously, and require documented approval.
Related resources from NHI Mgmt Group
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on June 6, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
