thehackernews.com 5/5/2026, 12:58:02 PM · via preferred

Persistent OAuth Tokens Pose Rising Threat as AI Apps Multiply

CyberSIXT Evidence Panel
Primary Source: material.security
Threat Actor: UNC6395

OAuth tokens granted to third-party apps in Google Workspace or Microsoft 365 are described as persistent: the grant has no expiration and gives security teams little if any centralised visibility, a pattern the article says leaves organisations exposed as employees connect AI tools, workflows and productivity apps to their corporate accounts. The short-lived access token is not the problem; the refresh token behind the grant keeps minting new access tokens until the grant is explicitly revoked, and revocation only happens if someone knows the grant exists.

According to Material Security, new research shows a growing gap between awareness and action: 80% of security leaders deem unmanaged OAuth grants a critical or significant risk, yet many organisations fail to monitor grants at scale, with 45% doing nothing and 33% relying on manual spreadsheets.
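The visibility gap described in the two paragraphs above starts with not having a single list of grants at all. The following is an added example (not Material Security's code, and not the article's) of the first step a practitioner would take: pull grants from both identity providers into one shape and rank them by blast radius, so the review queue is not a spreadsheet. The records are constructed; their field names follow the Microsoft Graph oauth2PermissionGrant resource and the Google Workspace Directory API tokens resource, but every value, the scope weights and the scoring formula are assumptions chosen for illustration.

```python
"""Inventory third-party OAuth grants and rank them by blast radius.

Added example, not Material Security's code. The records below are
constructed: their field names follow the Microsoft Graph
oauth2PermissionGrant resource and the Google Workspace Directory API
tokens resource, but every value is invented. Scope weights and the
scoring formula are assumptions chosen for illustration.
"""
from dataclasses import dataclass

# Scopes that expose mail or file contents; the weight is an assumed severity.
SCOPE_WEIGHT = {
    # Microsoft Graph delegated permissions
    "Mail.ReadWrite": 5, "Mail.Read": 4,
    "Files.ReadWrite.All": 5, "Files.Read.All": 4,
    "Sites.Read.All": 3, "Directory.Read.All": 3,
    # Google OAuth scopes
    "https://mail.google.com/": 5,
    "https://www.googleapis.com/auth/gmail.modify": 5,
    "https://www.googleapis.com/auth/gmail.readonly": 4,
    "https://www.googleapis.com/auth/drive": 5,
    "https://www.googleapis.com/auth/drive.readonly": 4,
}


@dataclass(frozen=True)
class Grant:
    provider: str
    app: str
    subject: str          # user id/email, or "ALL USERS" for tenant-wide consent
    scopes: tuple
    persistent: bool      # a refresh token exists, so access outlives the session
    tenant_wide: bool     # admin consent covers every principal in the tenant

    def risk_score(self) -> int:
        score = sum(SCOPE_WEIGHT.get(s, 0) for s in self.scopes)
        if self.tenant_wide:
            score *= 3    # assumption: every mailbox/drive in the tenant is reachable
        if self.persistent:
            score += 2    # assumption: survives password reset and MFA until revoked
        return score


def from_graph_grant(grant: dict, sp_names: dict) -> Grant:
    """Normalise one Microsoft Graph oauth2PermissionGrant record."""
    scopes = tuple(grant["scope"].split())
    tenant_wide = grant["consentType"] == "AllPrincipals"
    return Grant(
        provider="microsoft",
        app=sp_names.get(grant["clientId"], grant["clientId"]),
        subject="ALL USERS" if tenant_wide else grant["principalId"],
        scopes=scopes,
        # Microsoft only issues a refresh token when offline_access was granted.
        persistent="offline_access" in scopes,
        tenant_wide=tenant_wide,
    )


def from_google_token(token: dict) -> Grant:
    """Normalise one Google Workspace Directory API tokens record."""
    return Grant(
        provider="google",
        app=token["displayText"],
        subject=token["userKey"],
        scopes=tuple(token["scopes"]),
        # The tokens API does not say whether a refresh token exists, so every
        # listed grant is treated as persistent (conservative assumption).
        persistent=True,
        tenant_wide=False,   # per-user grants; domain-wide delegation is separate
    )


# Constructed sample data (invented ids, names and scopes).
SERVICE_PRINCIPALS = {"sp-0001": "Meeting Summarizer AI", "sp-0002": "Expense Tracker"}
GRAPH_GRANTS = [
    {"clientId": "sp-0001", "consentType": "AllPrincipals", "principalId": None,
     "scope": "Mail.ReadWrite Files.Read.All offline_access User.Read"},
    {"clientId": "sp-0002", "consentType": "Principal", "principalId": "user-42",
     "scope": "User.Read"},
]
GOOGLE_TOKENS = [
    {"clientId": "1234.apps.googleusercontent.com", "displayText": "Inbox Assistant",
     "userKey": "alice@example.com", "anonymous": False, "nativeApp": False,
     "scopes": ["https://mail.google.com/",
                "https://www.googleapis.com/auth/drive.readonly"]},
]


def ranked_grants() -> list:
    """All grants from both providers, highest blast radius first."""
    grants = [from_graph_grant(g, SERVICE_PRINCIPALS) for g in GRAPH_GRANTS]
    grants += [from_google_token(t) for t in GOOGLE_TOKENS]
    return sorted(grants, key=lambda g: g.risk_score(), reverse=True)


def review_queue(threshold: int = 8) -> list:
    """Grants that should be reviewed or revoked, not left in a spreadsheet."""
    return [g for g in ranked_grants() if g.risk_score() >= threshold]


if __name__ == "__main__":
    for g in ranked_grants():
        print(f"{g.risk_score():3d} {g.provider:9s} {g.app:22s} {g.subject:18s} "
              f"persistent={g.persistent} tenant_wide={g.tenant_wide}")
```

The ordering is the point: a tenant-wide admin consent with mail and file scopes outranks any single user's grant, and an app with only User.Read scores zero even though it is still a grant. In a real deployment the two constructed lists would be replaced by paged calls to the respective APIs; the normalisation and ranking stay the same.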

The Salesloft Drift incident illustrated the threat in practice: a threat actor tracked by Google Threat Intelligence Group (Mandiant) as UNC6395 obtained valid OAuth refresh tokens issued to the Drift integration and used them to access Salesforce environments at more than 700 organisations. MFA was never challenged, because MFA is enforced at interactive login and the actor never logged in; it simply presented tokens the victims had already authorised. The article argues that monitoring must therefore focus on continuous behavioural analysis of the API calls made with each token and on the blast radius of the account behind it, not only on the permissions granted at installation: the scopes look identical before and after the token is stolen.
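Because a stolen token carries exactly the scopes the legitimate app was granted, the detection the paragraph above calls for has to compare what the token is doing now with what that app normally does. The following is an added example (not Material Security's product logic and not from the article) of that comparison run over constructed API events: a baseline of normal use per connected app, then alerts on calls that break volume, object or origin patterns, with a per-app blast-radius summary of what the suspicious calls touched. Field names are modelled on the Salesforce Event Log File "API" event type (CLIENT_NAME, USER_ID, ENTITY_NAME, ROWS_PROCESSED, CLIENT_IP are assumed to match that format); all values, app names and thresholds are invented.

```python
"""Behavioural monitoring of API calls made with an OAuth-connected app.

Added example, not Material Security's product logic. Events are
constructed; field names are modelled on the Salesforce Event Log File
"API" event type (CLIENT_NAME, USER_ID, ENTITY_NAME, ROWS_PROCESSED,
CLIENT_IP are assumed to match that format) and all values are invented.
"""
from collections import defaultdict
import ipaddress


def client_network(ip: str) -> str:
    """Coarsen a source address to its /24 so a NAT pool counts as one origin."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))


class AppBaseline:
    """What an app normally does: peak rows per call, objects read, source nets."""
    def __init__(self):
        self.max_rows = 0
        self.entities = set()
        self.networks = set()


def build_baselines(events):
    baselines = defaultdict(AppBaseline)
    for e in events:
        b = baselines[e["CLIENT_NAME"]]
        b.max_rows = max(b.max_rows, e["ROWS_PROCESSED"])
        b.entities.add(e["ENTITY_NAME"])
        b.networks.add(client_network(e["CLIENT_IP"]))
    return dict(baselines)


def detect(events, baselines, volume_factor=10):
    """Flag calls that deviate from the app's baseline. The granted scopes are
    identical before and after token theft, so only behaviour can tell."""
    alerts = []
    for e in events:
        reasons = []
        b = baselines.get(e["CLIENT_NAME"])
        if b is None:
            reasons.append("no baseline: connected app never seen before")
        else:
            if e["ROWS_PROCESSED"] > volume_factor * b.max_rows:
                reasons.append(f"bulk read: {e['ROWS_PROCESSED']} rows vs peak {b.max_rows}")
            if e["ENTITY_NAME"] not in b.entities:
                reasons.append(f"new object: {e['ENTITY_NAME']} not in {sorted(b.entities)}")
            if client_network(e["CLIENT_IP"]) not in b.networks:
                reasons.append(f"new origin: {e['CLIENT_IP']}")
        if reasons:
            alerts.append({"app": e["CLIENT_NAME"], "user": e["USER_ID"],
                           "entity": e["ENTITY_NAME"], "rows": e["ROWS_PROCESSED"],
                           "ip": e["CLIENT_IP"], "reasons": reasons})
    return alerts


def blast_radius(alerts):
    """Per app: which objects, how many rows and which users the suspicious
    calls touched, i.e. what is exposed if the token behind the app is stolen."""
    summary = defaultdict(lambda: {"entities": set(), "rows": 0, "users": set()})
    for a in alerts:
        s = summary[a["app"]]
        s["entities"].add(a["entity"])
        s["rows"] += a["rows"]
        s["users"].add(a["user"])
    return dict(summary)


# Constructed sample: normal use of a chat-sync integration (small Contact/Lead reads) ...
BASELINE_EVENTS = [
    {"CLIENT_NAME": "Chat Sync Connector", "USER_ID": "005A1", "ENTITY_NAME": "Contact",
     "ROWS_PROCESSED": 40, "CLIENT_IP": "198.51.100.10"},
    {"CLIENT_NAME": "Chat Sync Connector", "USER_ID": "005A1", "ENTITY_NAME": "Lead",
     "ROWS_PROCESSED": 25, "CLIENT_IP": "198.51.100.11"},
]
# ... and the current window, in which the same token is used very differently.
CURRENT_EVENTS = [
    {"CLIENT_NAME": "Chat Sync Connector", "USER_ID": "005A1", "ENTITY_NAME": "Contact",
     "ROWS_PROCESSED": 30, "CLIENT_IP": "198.51.100.12"},
    {"CLIENT_NAME": "Chat Sync Connector", "USER_ID": "005A1", "ENTITY_NAME": "Case",
     "ROWS_PROCESSED": 250000, "CLIENT_IP": "203.0.113.7"},
    {"CLIENT_NAME": "Chat Sync Connector", "USER_ID": "005A1", "ENTITY_NAME": "Account",
     "ROWS_PROCESSED": 120000, "CLIENT_IP": "203.0.113.7"},
    {"CLIENT_NAME": "Unlisted Tool", "USER_ID": "005B2", "ENTITY_NAME": "Opportunity",
     "ROWS_PROCESSED": 10, "CLIENT_IP": "192.0.2.5"},
]


def run_detection():
    return detect(CURRENT_EVENTS, build_baselines(BASELINE_EVENTS))


if __name__ == "__main__":
    alerts = run_detection()
    for a in alerts:
        print(a["app"], a["entity"], a["rows"], a["ip"], "; ".join(a["reasons"]))
    print(blast_radius(alerts))
```

The first current event passes silently because it looks like the baseline; the next two trip all three checks at once (bulk volume, an object the app never read, a source network it never used), which is the combination a responder would want escalated immediately rather than queued. The unknown app produces a lower-certainty alert with full context, which matches the notify-rather-than-revoke path described later on the page.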

It promotes Material Security’s OAuth Threat Remediation Agent, which continuously monitors OAuth-connected apps and can revoke high-risk tokens immediately or notify security teams with full context for lower-certainty cases. Finally, it stresses that OAuth visibility and active monitoring are essential as the number of OAuth grants will continue to grow with AI adoption.


Article by CyberSIXT