
Netskope Threat Labs details OAuth authorization risk in AI agents

Netskope Threat Labs says OAuth token authorization patterns are creating persistent, hard-to-audit access paths that attackers can abuse, and that AI agents add further exposure as token counts and autonomy grow. The research matters to enterprise IAM and security leaders working to govern agent access and reduce breach dwell time.

Research Overview

The post reports on Netskope Threat Labs research presented at Infosecurity Europe 2026, focusing on how OAuth authorization abuse shifts from third-party compromise scenarios into a systemic issue for agent-based systems. It frames the central problem as authentication checks (such as MFA) failing to address the ongoing authorization carried by OAuth tokens after consent is given.

The vendor also describes how agent design and common authorization defaults can extend token validity and broaden scopes without recurring human review. It connects these properties to credential theft incidents and to risks that emerge when agents act on data they ingest.

Key Findings

The post cites breaches in which OAuth tokens enabled continued access after initial authentication, including a Salesloft/Drift AI chat agent breach in which a stolen OAuth token affected more than 700 Salesforce customers. It also cites an incident involving Gainsight tokens stolen in August 2023 that went undetected for three months before discovery.

For broader context, the post references Verizon DBIR 2025, stating that third-party involvement appeared in 30% of breaches, compared with 15% the prior year. It also references Proofpoint research that 59% of taken-over accounts had MFA enabled, with attackers operating past the MFA layer after obtaining access through OAuth.

Technical Breakdown

The post describes an authorization model in which MFA occurs once when a user consents to an OAuth grant, while the token continues to function without additional human checkpoints. It states that, in this design, OAuth tokens govern what can be done and can continue indefinitely depending on platform behavior.

Netskope estimates that an agent launched by a user can hold about 10 OAuth grants, and that scaling to 1,000 employees with five agents each can create exposure of about 50,000 active tokens. It says many platforms retain credentials until revoked, and that where expiry exists it is frequently opt-in or based on inactivity, leading to tokens remaining active for long periods without review or rotation.

Operational Impact

The post links agent execution to four structural properties that it says worsen the authorization risk compared with conventional third-party apps: persistent tokens, broad scopes granted at deployment, lack of human-in-the-loop approval, and opaque runtime visibility. It also describes the arbitrary execution enabled by open-ended agent workflows as creating a risk pattern similar to remote code execution.

It further argues that typical IAM assumptions built around a single human identity do not map cleanly to autonomous agents, since agents can act continuously with broad permissions granted to their owner identity. The post then describes a confused-deputy style attack pattern in which malicious instructions planted in data are followed by the agent, which uses its own valid token to carry out attacker intent.

Token Placement and Governance Approach

The post proposes an architectural approach guided by isolation, short-lived tokens, strict scoping, and segmentation to reduce blast radius from stolen credentials. It lists design choices such as MCP-mediated access where credentials are issued per tool call with MCP enforcing boundaries, agent segmentation with separate task-specific credentials, and the use of gateways for access control and token or data exfiltration prevention.

It also presents a governance model comparing “today” agent configurations with a “with governance” state that includes narrower scope, shorter lifetimes (example given: 60-second JIT tokens with auto-reaping), binding of tokens to a specific agent and device, and an additional control requiring re-approval for destructive actions. For monitoring and response, it describes establishing behavioral baselines, enabling anomaly detection with actions such as blocking a session and revoking OAuth grants in real time, and using audit trails to increase visibility into agent interactions with tools and third-party applications.
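As an added illustration (not code from the Netskope post), the checker below audits a constructed OAuth grant inventory against the “with governance” criteria summarized above: a JIT lifetime bound, idle-token review, binding to agent and device, and re-approval for destructive scopes. It also reproduces the post's exposure arithmetic (employees × agents × grants). The 60-second lifetime is from the brief; the 30-day idle threshold, scope names, and sample records are assumptions for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Set, List, Dict

# Policy thresholds for the "with governance" state. Only the 60-second JIT
# lifetime comes from the brief; the idle window and scope names are constructed.
MAX_TOKEN_LIFETIME = timedelta(seconds=60)
MAX_IDLE_BEFORE_REVIEW = timedelta(days=30)
DESTRUCTIVE_SCOPES = {"files.delete", "mail.send", "calendar.write"}

@dataclass
class Grant:
    grant_id: str
    agent_id: str
    scopes: Set[str]
    issued_at: datetime
    expires_at: Optional[datetime]   # None models "valid until revoked"
    last_used_at: datetime
    bound_agent: Optional[str] = None   # agent the token is bound to, if any
    bound_device: Optional[str] = None
    reapproval_required: bool = False   # human re-approval gate for destructive use

def evaluate_grant(g: Grant, now: datetime) -> List[str]:
    """Return governance findings for one grant; an empty list means compliant."""
    findings = []
    if g.expires_at is None:
        findings.append("no expiry: token is valid until revoked")
    elif g.expires_at - g.issued_at > MAX_TOKEN_LIFETIME:
        findings.append("lifetime exceeds JIT limit")
    if now - g.last_used_at > MAX_IDLE_BEFORE_REVIEW:
        findings.append("idle token has not been reviewed or reaped")
    if g.bound_agent != g.agent_id or g.bound_device is None:
        findings.append("token not bound to its agent and device")
    destructive = g.scopes & DESTRUCTIVE_SCOPES
    if destructive and not g.reapproval_required:
        findings.append("destructive scope without re-approval: " + ",".join(sorted(destructive)))
    return findings

def exposure_estimate(employees: int, agents_per_employee: int, grants_per_agent: int) -> int:
    """Active-token exposure using the scaling model from the brief."""
    return employees * agents_per_employee * grants_per_agent

# Constructed sample inventory: g-1 is a "today"-style grant, g-2 a governed one.
NOW = datetime(2026, 6, 1, tzinfo=timezone.utc)
SAMPLE_GRANTS = [
    Grant("g-1", "agent-a", {"files.read", "files.delete"}, NOW - timedelta(days=120),
          None, NOW - timedelta(days=90)),
    Grant("g-2", "agent-b", {"files.read"}, NOW - timedelta(seconds=30),
          NOW + timedelta(seconds=30), NOW - timedelta(seconds=5),
          bound_agent="agent-b", bound_device="laptop-42"),
]

def audit(grants: List[Grant], now: datetime = NOW) -> Dict[str, List[str]]:
    """Map each grant id to its findings, for use in inventory review or alerting."""
    return {g.grant_id: evaluate_grant(g, now) for g in grants}
```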

Overall, the post argues that OAuth authorization patterns enable long-lived access paths that MFA does not address and that agent behavior increases the number and persistence of tokens and reduces review points. It emphasizes inventory, scope reduction, token lifecycle controls, and observable, revocable access as the governance steps for enterprise decision-makers. This “Blog Signals brief” is a fact-based summary of the vendor blog.