Plenty of companies worry — and rightfully so — about staff using AI tools that haven’t been cleared by the organization. The rise of “shadow AI,” where workers feed confidential information into tools like ChatGPT, Claude, or various other AI chatbots, is a real and pressing issue. But honestly, it’s not even the most dangerous threat out there.
When someone at your company hooks an AI application into Google Workspace, Microsoft 365, Salesforce, or any other critical business platform, they’re essentially building a constant, automated link between your internal systems and an outside party.
That link doesn’t disappear just because the person stops actively using the tool. And if that outside vendor suffers a breach, the connection turns into an open door straight into your infrastructure.
This exact situation recently unfolded with the Vercel incident. Context.ai’s AI product was tested by someone on Vercel’s team, who had given it permission (through OAuth) to access their Google Workspace account. When Context.ai was compromised, Vercel was dragged into the mess as collateral damage.
The AI gold rush is supercharging shadow SaaS risks
Shadow IT isn’t exactly a new headache. The vast majority of businesses now rely heavily — if not entirely — on SaaS tools accessed through browsers, with hundreds of applications in play across a single enterprise. Unmanaged, employee-initiated app adoption has been frustrating security professionals for years. But the AI boom is acting like a turbocharger on this problem.
There are several distinct categories of shadow IT to watch out for when it comes to AI tools:
- Hidden apps: These are applications employees have registered for and are actively using for work tasks without any formal sign-off from the company. This covers scenarios where people sign up using either their corporate credentials or a personal account.
- Ghost tenants: Cases where employees log into approved services with personal accounts, essentially building invisible instances of that app outside the organization’s oversight — even when the app itself has official approval.
- Stealthy extensions: A large number of AI tools ship alongside browser add-ons, and there’s an enormous ecosystem of third-party extensions that range from questionable to outright harmful. Browser extensions introduce yet another dimension to the threat landscape by gaining visibility not just within the app itself but across broader browsing behavior.
- Unseen integrations: OAuth links between applications that nobody in your security team has vetted or authorized. Even when a particular app gets the green light, connecting that app directly into your core enterprise platforms — along with all their sensitive data and capabilities — isn’t automatically approved too.
The Vercel situation falls squarely into the unseen integrations category. That said, every single one of these poses a serious danger to your organization.

The Vercel breach: a textbook case of OAuth permissions spiraling out of control
The Vercel incident perfectly demonstrates how unmonitored AI integrations can blow up.
A staff member at Vercel had linked an AI tool — specifically an outdated consumer-level “AI Office Suite” from Context.ai — to their Google Workspace. Vercel wasn’t even an official paying customer of Context.ai.
This was probably a quick self-service trial that someone set up, used briefly, and then ignored — quietly adding a hidden node to the company’s attack surface.
By installing the Context.ai tool, that Vercel employee unknowingly introduced Context.ai’s own staff and infrastructure as a new security dependency for Vercel.
When Context.ai was later breached (reportedly because an employee picked up an info-stealer infection while searching for Roblox cheat codes — believe it or not), the attacker used OAuth tokens stored within Context.ai’s systems to jump into customers’ downstream accounts.
That included the Vercel employee’s Google Workspace account, which turned out to be heavily permissioned — granting access to internal dashboards, staff records, API keys, NPM tokens, and GitHub credentials.
Vercel is far from the only one: OAuth attacks are surging
This tangled web of OAuth connections isn’t limited to just AI tools. Threat actors have been exploiting these links for a while now, and the pace is rapidly picking up:
- In 2025, a group called Scattered Lapsus$ Hunters pulled off OAuth-driven supply chain assaults targeting Salesforce and Google Workspace customers after infiltrating Salesloft (specifically the Salesloft Drift component) and Gainsight. More than 1,000 organizations were hit — names like Google, Cloudflare, Rubrik, Elastic, Proofpoint, JFrog, Zscaler, Tenable, Palo Alto Networks, CyberArk, BeyondTrust, Qualys, and plenty of others — with north of 1.5 billion records exfiltrated.
- Several Snowflake customers were affected following a breach at Anodot, a company specializing in data anomaly detection, where the attacker tried to use stolen authentication tokens to break into Salesforce data. Rockstar Games was one of the more notable victims caught up in that incident.
Since then, device code phishing attacks have skyrocketed by a factor of 37 this year alone, with over a dozen criminal phishing-as-a-service kits actively circulating.
The message couldn’t be clearer: OAuth integrations have become one of the most consistently abused attack vectors in modern enterprise settings, and every new AI tool an employee connects widens that attack surface a little more.
The tangled web of OAuth goes well beyond Google and Microsoft
The Vercel incident is eye-opening, but it really only hints at how deep this problem runs.
Keeping OAuth in check within your primary cloud workspace (say, M365 or Google Workspace) is relatively manageable — both platforms give administrators tools to audit and govern OAuth connections. The Vercel breach could have been entirely prevented if employees had been restricted from adding new OAuth integrations without admin authorization — there’s a simple toggle in the Google admin console for that. It could also have been prevented if a routine audit had caught the connection and someone had revoked it.
But trying to enforce the same level of control across every SaaS application is significantly more challenging. You don’t just need a thorough, current inventory of every app in use — you also need admin privileges for each one (which you might not have for employee-adopted tools), and the app itself needs to give administrators the power to limit or revoke OAuth grants on behalf of users in your tenant.
Consider how a typical AI tool works. If you want it to genuinely automate processes — grab data from one app, pull it together and analyze it somewhere else, display the results in a report, dashboard, or presentation, and then send it out — that’s quite a few integration points just in a single workflow. MCP connections rely on OAuth to create these same kinds of cross-app links, just like any other SaaS product.
We used to say that automation platforms like Zapier were a jackpot for attackers. Well, AI applications are rapidly becoming more deeply entangled with each other, widely adopted in daily workflows, and increasingly vulnerable to exploitation by malicious actors.

AI-focused apps are highlighted in orange.
Recommended actions for security teams
Restrict OAuth permissions by default. Implement a deny-first policy that prevents employees from authorizing new app integrations into your core enterprise systems without formal approval. This mirrors guidance we’ve recently shared regarding browser extension governance—individuals shouldn’t be able to create new trusted connections to external services on their own.
Review existing integrations regularly. Conduct recurring reviews of all OAuth connections already active in your environment to verify they remain genuinely necessary. Every unnecessary integration widens your potential attack surface and may inadvertently give threat actors broad access to sensitive resources.
Expand your focus past Google and Microsoft. While managing OAuth within your main enterprise cloud environment is essential, it doesn’t cover the full picture. Inter-service SaaS connections tend to be far less transparent and generally come with weaker safeguards. You need comprehensive visibility into all OAuth authorizations occurring across every application in your stack.
Keep in mind, this isn’t solely an issue with ungoverned AI use, even though AI adoption is a major driver of this expanding complexity.
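A recurring review of existing OAuth grants, as recommended above, can be scripted once the grants are in one inventory. The following is an added example, not code from Push Security or any vendor: the record fields, the approved-app list, the 30-day staleness threshold and the risk weights are all assumptions, and the sample inventory is constructed.

```python
from datetime import datetime, timedelta, timezone

# Policy values below are constructed assumptions; tune them to your tenant.
APPROVED_CLIENT_IDS = {"1111-approved.apps.example"}
BROAD_SCOPES = {  # scopes that expose mail, files or directory data
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/admin.directory.user",
}
STALE_AFTER = timedelta(days=30)
WEIGHTS = {"broad-scopes": 3, "unapproved-app": 2, "stale": 1}

def review_grant(grant, now):
    """Return the reasons one OAuth grant needs review (empty list = fine)."""
    reasons = []
    if grant["client_id"] not in APPROVED_CLIENT_IDS:
        reasons.append("unapproved-app")
    if BROAD_SCOPES & set(grant["scopes"]):
        reasons.append("broad-scopes")
    # The grant persists after the user stops using the tool, so a grant
    # that was never used or not used recently is flagged as stale.
    last = grant["last_used"]
    if last is None or now - datetime.fromisoformat(last) > STALE_AFTER:
        reasons.append("stale")
    return reasons

def audit(grants, now):
    """List flagged grants, highest risk score first."""
    findings = []
    for g in grants:
        reasons = review_grant(g, now)
        if reasons:
            findings.append({"user": g["user"], "app": g["app"], "reasons": reasons,
                             "score": sum(WEIGHTS[r] for r in reasons)})
    return sorted(findings, key=lambda f: f["score"], reverse=True)

# Constructed inventory (hypothetical field names, not a real export format).
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
GRANTS = [
    {"user": "ops@corp.example", "app": "Approved calendar sync", "client_id": "1111-approved.apps.example",
     "scopes": ["https://www.googleapis.com/auth/calendar.readonly"], "last_used": "2025-05-30T12:00:00+00:00"},
    {"user": "pm@corp.example", "app": "Notes summarizer", "client_id": "2222-notes.apps.example",
     "scopes": ["openid", "email"], "last_used": None},
    {"user": "dev@corp.example", "app": "Example AI assistant (trial)", "client_id": "9999-trial.apps.example",
     "scopes": ["openid", "https://www.googleapis.com/auth/drive", "https://mail.google.com/"],
     "last_used": "2025-01-10T09:00:00+00:00"},
]

if __name__ == "__main__":
    for f in audit(GRANTS, NOW):
        print(f["score"], f["user"], f["app"], ",".join(f["reasons"]))
```

The forgotten trial with mail and file scopes ranks first, which is the pattern the Vercel incident illustrates.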
How Push Security delivers value
As described above, the challenge is multifaceted. Push Security addresses every aspect of it.
Push monitors every application login your employees perform within their browsers, creating a complete map of how SaaS and AI tools are used throughout the organization. This covers the authentication methods they choose and how resilient those methods are: was MFA enforced, what type of MFA was used, whether the login relied on a vulnerable or leaked password, did they authenticate through SSO, and more.
Push also monitors OAuth integrations across your environment and empowers you to govern and revoke them, delivering one unified platform to monitor, manage, and protect application usage across the enterprise.


This simplifies the process of uncovering security weaknesses and identifying governance gaps—and taking immediate corrective action.
However, Push’s most powerful differentiator is its capability to monitor and intercept OAuth authorization requests even beyond your core enterprise applications. With Push, you can identify and prevent OAuth integration attempts at the browser level as they occur.
This application-independent control capability is essential for containing the spread of unmanaged OAuth integrations.
Push’s browser-native security platform also identifies and thwarts browser-based attacks in real time—such as adversary-in-the-middle phishing, credential stuffing campaigns, rogue browser extensions, device code phishing, ClickFix techniques, and session hijacking—covering the primary infostealer delivery channels (responsible for the Context.ai breach).
Push examines every webpage across all browser sessions and tabs instantaneously, with zero impact on user experience.
Explore how Push can help secure your Shadow AI environment, and schedule a live demonstration with our team.
Sponsored and written by Push Security.



