COMMENTARY: Invisible connections drive the modern enterprise. Today, beneath every automated workflow lies a complex web of API keys, OAuth tokens, and service accounts that let sensitive data move across apps and services.

Many organizations are dangerously exposed. Recent high-profile breaches reveal a disturbing pattern: attackers target app-to-app access to move laterally and remain undetected. With third-party breaches surging to 30% of all incidents, recent events at GitHub and Snowflake confirm that non-human credentials are cybercriminals' new frontier. There are now thousands of these credentials spread across many SaaS and AI ecosystems.

AI agents amplify the risk

The rise of AI usage amplifies the challenge. AI tools and agents often inherit the same API access as humans, but they operate at machine speed and scale. They process vast data and trigger complex, multi-service workflows, all while flying under the radar of legacy security monitoring.

Consider an AI productivity tool connected to Google Workspace, Salesforce, and Slack. The AI agent holds tokens granting it access to emails, customer data, and communications. If these tokens are compromised, the attacker gains a rapid, cross-application foothold across the entire SaaS and AI ecosystem, often without triggering the human-focused behavioral analytics designed to spot suspicious activity.

The growing attack vector

The security community has invested heavily in monitoring and enforcing constraints around activities based on human identities. Now it's time we increase visibility and control over the more prevalent and insidious non-human identities (NHIs), including AI agents, which are now powering the business.

NHIs are fundamentally different from user accounts in that they:

- Don't log in through traditional portals.
- Bypass typical authentication flows.
- Often hold broader, more persistent access than any individual.

Recent events demonstrate the consequences of neglecting non-human access controls:

The ShinyHunters campaign, which targeted Salesforce environments in 2024-2025, demonstrated a critical shift toward NHI exploitation. This sophisticated attack began with threat actors socially engineering employees into unknowingly authorizing a malicious third-party OAuth application. By tricking the victim into granting this authorization, the attackers obtained valid, persistent OAuth access tokens, which are non-human identities that represent the user's access rights.

This API-based token access allowed the threat actors to bypass human controls like multi-factor authentication (MFA) and operate silently via the Salesforce API to exfiltrate vast quantities of customer data, effectively turning a simple social engineering trick into a strategic, long-term data breach. Initial estimates suggest more than 700 organizations may have been affected.

In August 2025, threat actors breached Salesloft's infrastructure and stole valid OAuth and refresh tokens from the Drift chatbot integration. Using tokens that grant trusted, persistent access, the attackers bypassed MFA and API controls to infiltrate hundreds of customer Salesforce environments, including those of Google and Cloudflare.

The attackers then systematically exfiltrated massive amounts of sensitive data, focusing specifically on harvesting high-value secrets such as AWS access keys, Snowflake credentials, and plaintext passwords. This data was too often mistakenly stored in support case notes, turning the compromise of a single third-party app into a cascading breach across multiple enterprises.

Incidents like these share critical characteristics: attackers target machine credentials, exploit inadequate monitoring of non-human access, and leverage API connections for rapid lateral movement. In each case, the breach might have been prevented or contained with better visibility into API usage and automated credential management.

Given these challenges, organizations require a systematic, machine-focused strategy to manage non-human access:

- Discovery and inventory: Map and catalog all AI agents, API connections, tokens, and service accounts, and learn what data the NHIs touch.
- Risk assessment: Prioritize credentials based on the sensitivity of the data they reach and the scope of permissions they hold.
- Lifecycle management: Ensure security from creation to retirement by implementing automated processes for provisioning, rotating, and revoking tokens, and by conducting regular audits to clean up dormant or over-privileged access.
- Behavioral monitoring: Deploy AI-powered monitoring tools to spot anomalous usage patterns, data volume spikes, or unusual cross-application flows, all of which are indicators of possible compromise.
- Signal stacking with data-layer context: This becomes especially valuable in enterprise environments where teams perform Identity Threat Detection and Response (ITDR) across thousands of NHIs. For example, identities that exhibit anomalous behavior are worth investigating, but when those same identities touch or begin exfiltrating your most sensitive data, that's a break-glass moment.
- Automated response: When serious threats are detected, trigger full token revocation (rotation) across the SaaS and AI ecosystem, isolate affected services, and alert security teams, integrating with existing SIEM/SOAR/ITSM platforms as appropriate.
- Detailed activity logs: Essential for compliance and audit requirements; they also support forensic investigations and demonstrate control effectiveness.

Security must move beyond human identity alone to secure the app-to-app attack surface and keep pace with machine-driven data. Organizations that fail to treat API keys and OAuth tokens as first-class security concerns are fighting yesterday's war. Mastering AI agent and NHI security management has become essential for preventing the next attack and for securely adopting the AI and automation technologies that drive competitive advantage.

Amir Khayat, co-founder and CEO, Vorlon

SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.
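The strategy the column lists (inventory, risk assessment, behavioral monitoring, signal stacking against the data layer, automated response) as one added, end-to-end example. This is illustrative code written for this page, not the author's or Vorlon's software. It builds a constructed NHI inventory, ranks it by risk (scope breadth, data sensitivity, dormancy, orphaned ownership), baselines each identity's daily API volume and the set of apps it calls, then stacks any anomaly against the data classes that identity has been seen touching and maps the outcome to a response. Every identifier, scope, app name and log line is constructed, and the action names are placeholders rather than any platform's API.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean
from typing import Optional

# Ranking of the data classes an NHI has been observed touching (learned during discovery).
SENSITIVITY = {"public": 1, "internal": 2, "confidential": 3, "restricted": 4}


@dataclass(frozen=True)
class NHI:
    nhi_id: str
    kind: str                 # "oauth_token" | "api_key" | "service_account"
    scopes: tuple             # permissions the credential holds
    data_classes: tuple       # data classes it has been seen touching
    days_idle: int            # days since last observed use
    owner: Optional[str]      # accountable team; None means orphaned


# Constructed inventory: ids, scopes and apps are made up for this example.
INVENTORY = [
    NHI("oauth-chatbot-01", "oauth_token", ("crm.read", "crm.cases.read", "crm.export"),
        ("restricted",), days_idle=0, owner="vendor-integrations"),
    NHI("svc-backup-07", "service_account", ("warehouse.read", "warehouse.write"),
        ("confidential",), days_idle=120, owner=None),
    NHI("key-ci-03", "api_key", ("repo.read",), ("internal",), days_idle=2, owner="platform-team"),
]

# Constructed activity log, one record per line: "day,nhi_id,app,records".
# Days 1-7 form the baseline; day 8 is "today".
LOG_LINES = (
    [f"{d},oauth-chatbot-01,crm,200" for d in range(1, 8)]
    + [f"{d},svc-backup-07,warehouse,1000" for d in range(1, 8)]
    + [f"{d},key-ci-03,repo,50" for d in range(1, 8)]
    + ["8,oauth-chatbot-01,crm,5000", "8,oauth-chatbot-01,warehouse,50",
       "8,svc-backup-07,warehouse,1100", "8,key-ci-03,repo,400"]
)


def risk_score(nhi: NHI) -> int:
    """Risk assessment: scope breadth times data sensitivity, plus dormancy and orphan penalties."""
    sensitivity = max((SENSITIVITY[c] for c in nhi.data_classes), default=1)
    score = len(nhi.scopes) * sensitivity
    if nhi.days_idle > 90:
        score += 5          # dormant: nobody would notice it being abused
    if nhi.owner is None:
        score += 3          # orphaned: nobody to confirm the access is still needed
    return score


def parse_events(lines):
    """Parse the constructed log format; blank lines and '#' comments are skipped."""
    events = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        day, nhi_id, app, records = line.split(",")
        events.append({"day": int(day), "nhi_id": nhi_id, "app": app, "records": int(records)})
    return events


def detect_signals(events, today, spike_factor=3.0):
    """Behavioral monitoring: per NHI, flag a volume spike against the baseline mean and
    any app the identity has never called before (an unusual cross-application flow)."""
    baseline_days = sorted({e["day"] for e in events if e["day"] < today})
    totals = defaultdict(lambda: defaultdict(int))   # nhi_id -> day -> records moved
    apps = defaultdict(lambda: defaultdict(set))     # nhi_id -> day -> apps called
    for e in events:
        totals[e["nhi_id"]][e["day"]] += e["records"]
        apps[e["nhi_id"]][e["day"]].add(e["app"])
    signals = {}
    for nhi_id in totals:
        history = [totals[nhi_id].get(d, 0) for d in baseline_days]
        known_apps = set().union(*(apps[nhi_id].get(d, set()) for d in baseline_days))
        found = []
        if history and totals[nhi_id].get(today, 0) > spike_factor * mean(history):
            found.append("volume_spike")
        if apps[nhi_id].get(today, set()) - known_apps:
            found.append("new_app")
        signals[nhi_id] = found
    return signals


def triage(nhi: NHI, signals) -> str:
    """Signal stacking: an anomaly alone is worth a look; an anomaly on restricted data is break-glass."""
    if not signals:
        return "none"
    sensitivity = max((SENSITIVITY[c] for c in nhi.data_classes), default=1)
    return "break_glass" if sensitivity >= SENSITIVITY["restricted"] else "investigate"


# Automated response keyed by triage decision (placeholder action names, not a real API).
RESPONSE = {
    "none": [],
    "investigate": ["open_ticket"],
    "break_glass": ["revoke_and_rotate_token", "isolate_integration", "alert_siem"],
}


def run(inventory=INVENTORY, log_lines=LOG_LINES, today=8):
    """Inventory -> risk ranking -> behavioral signals -> triage -> response, highest risk first."""
    signals = detect_signals(parse_events(log_lines), today)
    report = {}
    for nhi in sorted(inventory, key=risk_score, reverse=True):
        decision = triage(nhi, signals.get(nhi.nhi_id, []))
        report[nhi.nhi_id] = {"risk": risk_score(nhi), "signals": signals.get(nhi.nhi_id, []),
                              "decision": decision, "actions": RESPONSE[decision]}
    return report


if __name__ == "__main__":
    for nhi_id, row in run().items():
        print(f"{nhi_id:18} risk={row['risk']:2} signals={row['signals']} -> {row['decision']}")
```

Two points the output makes that the list alone does not: the dormant, orphaned service account outranks the live chatbot token on static risk even though it shows no anomaly today, so inventory hygiene and runtime monitoring answer different questions; and the same volume spike produces only a ticket for the CI key but full revocation for the token that reaches restricted data, which is the data-layer context the column calls a break-glass moment.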





