On January 31, 2026, researchers disclosed that Moltbook, a social network built for AI agents, had left its database wide open, exposing 35,000 email addresses and 1.5 million agent API tokens across 770,000 active agents.
The more worrying part sat inside the private messages. Some of those conversations held plaintext third-party credentials, including OpenAI API keys shared between agents, stored in the same unencrypted table as the tokens needed to hijack the agent itself.
That is the shape of a toxic combination: a permission breakdown between two or more applications, bridged by an AI agent, integration, or OAuth grant, that no single application owner ever authorized as its own risk surface.
Moltbook’s agents sat at that bridge, carrying credentials for their host platform and for the outside services their users had wired them into, in a place that neither platform owner had line of sight into. Most SaaS access reviews still examine one application at a time, which is the blind spot attackers are learning to target.
How Toxic Combinations Form
Toxic combinations are rarely the product of a single bad decision. They appear when an AI agent, an integration, or an MCP server bridges two or more applications through OAuth grants, API scopes, or tool-use chains, and each side of the bridge looks fine on its own because the bridge itself is what no one reviewed.
For example, imagine a developer installs an MCP connector so their IDE can post code snippets into a Slack channel on request. The Slack admin signs off on the bot; the IDE admin signs off on the outbound connection; neither signs off on the trust relationship between source editing and business messaging that exists the moment both sides are live. It runs in both directions: prompt injections inside the IDE push confidential code into Slack, and instructions planted in Slack flow back into the IDE’s context on the next session.
The same shape appears wherever an AI agent bridges Drive and Salesforce, a bot wires a source repository into a team channel, or any intermediary makes two apps trust each other through a grant that looks normal in each.
Why Single-App Reviews Miss Them
Conventional access review rarely catches this shape. It strains in the territory modern SaaS has opened up: non-human identities like service accounts, bots, and AI agents with no human behind them, trust relationships that form at runtime rather than at provisioning time, and OAuth and MCP bridges wired between apps without the governance catalog knowing.
Answering “who holds this scope plus those two other scopes, and what can those scopes accomplish together” becomes much harder once the scopes in question live on a token nobody provisioned through any identity system in the first place.
The telemetry gap is widening fairly fast.
AI agents, MCP servers, and third-party connectors now sit across two or three adjacent apps by default, and non-human identities outnumber human ones in most SaaS environments. The Cloud Security Alliance’s State of SaaS Security 2025 report found that 56% of organizations are already concerned about over-privileged API access across their SaaS-to-SaaS integrations.
Things Worth Thinking About
Closing the gap is largely a matter of shifting where review happens, from inside each app to between them. Here are a handful of things worth thinking about to address this type of issue:
| Area to review | What it looks like in practice |
|---|---|
| Non-human identity inventory | Every AI agent, bot, MCP server, and OAuth integration sits in the same register as a user account, with an owner and a review date. |
| Cross-app scope grants | A new write scope on an identity that already holds read scopes in a different app is flagged before approval, not after. |
| Bridge review on creation | Every connector that links two systems has a review trail naming both sides and the trust relationship between them. |
| Long-lived token hygiene | Tokens whose activity has drifted from the scopes they were originally granted are candidates for revocation, not renewal. |
| Runtime drift monitoring | Cross-app scope anomalies and identities operating across a new app combination are the tells a toxic combination is forming. |
These are procedural disciplines more than product choices, and they work with whatever access review tooling is in place. The reality is that seeing these connections at scale is hard without a platform built to watch the runtime graph continuously. Manual review doesn’t scale past the first few dozen integrations.
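As an added illustration (not code from the article or from any vendor), the "cross-app scope grants" row can be expressed as a check over a grant inventory: find identities that read in one app and write in another, and evaluate a requested grant before approval. The identity names, field names, and `<resource>:<verb>` scope strings are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample inventory: one row per grant held by a non-human identity.
# Identity names, field names and scope strings are assumptions for illustration.
GRANTS = [
    {"identity": "mcp-ide-connector", "owner": "dev-tools", "app": "ide", "scope": "code:read"},
    {"identity": "mcp-ide-connector", "owner": "dev-tools", "app": "slack", "scope": "chat:write"},
    {"identity": "crm-sync-agent", "owner": None, "app": "drive", "scope": "files:read"},
    {"identity": "crm-sync-agent", "owner": None, "app": "salesforce", "scope": "records:write"},
    {"identity": "notes-agent", "owner": "it-ops", "app": "drive", "scope": "files:read"},
]

WRITE_VERBS = {"write", "admin", "delete"}  # assumed "<resource>:<verb>" scope naming


def access(scope):
    """Classify a scope as 'write' or 'read' from its verb suffix."""
    return "write" if scope.rsplit(":", 1)[-1] in WRITE_VERBS else "read"


def find_bridges(grants):
    """Flag identities that can read in one app and write in a different one."""
    by_identity = defaultdict(list)
    for g in grants:
        by_identity[g["identity"]].append(g)
    findings = []
    for identity, held in sorted(by_identity.items()):
        reads = {g["app"] for g in held if access(g["scope"]) == "read"}
        writes = {g["app"] for g in held if access(g["scope"]) == "write"}
        paths = sorted((src, dst) for src in reads for dst in writes if src != dst)
        if paths:
            unowned = any(g["owner"] is None for g in held)
            findings.append({"identity": identity, "paths": paths, "unowned": unowned})
    return findings


def review_new_grant(existing, requested):
    """Pre-approval check: cross-app paths that exist only once `requested` is added."""
    def paths(grants):
        return {(f["identity"], p) for f in find_bridges(grants) for p in f["paths"]}
    return sorted(paths(existing + [requested]) - paths(existing))


if __name__ == "__main__":
    for finding in find_bridges(GRANTS):
        print(finding)
    request = {"identity": "notes-agent", "owner": "it-ops", "app": "slack", "scope": "chat:write"}
    print("new bridges if approved:", review_new_grant(GRANTS, request))
```

The `unowned` flag ties back to the inventory row of the table: a cross-app path on an identity with no recorded owner has nobody to sign off on the bridge.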
Where Dynamic SaaS Security Platforms Fit In
Dynamic SaaS security platforms automate the cross-app view that procedural review sets up. Where IGA inventories roles for onboarded systems, dynamic SaaS security watches the runtime graph continuously: which identities exist, which apps they touch, what scopes live on which tokens, and which trust relationships have been wired in after the last provisioning review.
The monitoring has to run continuously, because the bridges these platforms need to catch are created at the speed of an MCP install or an OAuth consent click.
Reco is one example of this category. Its platform connects identities, permissions, and data flows across the whole SaaS environment, so a combination of scopes in Slack, Drive, and Salesforce is evaluated as one exposure rather than three separate approvals.
The first step is discovering every AI agent, integration, and OAuth identity operating across the environment, so the inventory any cross-app review depends on actually exists. Agents that security teams did not know were there, or agents that quietly gained new connections after initial onboarding, surface alongside the sanctioned ones.
Figure: Reco’s AI Agents Inventory, showing discovered agents connected to GitHub.
Once the agents are inventoried, Reco’s Knowledge Graph maps every human and non-human identity to the apps it reaches and the bridges between them. When an MCP server connects an IDE to a messaging channel, or an AI agent wires a document store into a CRM, the graph surfaces the combination automatically and flags it as a permission breakdown no single app owner authorized.
Figure: Reco’s Knowledge Graph, showing a toxic combination between Slack and Cursor.
From there, Reco catches the moment an integration starts behaving outside what it was approved for, and revokes risky access before anyone gets a chance to use it. The chain, rather than the app, becomes the thing you review, and that shift is what makes toxic combinations visible in the first place.
The next breach at most organizations won’t announce itself with a new zero-day. It will look like an agent doing exactly what it was authorized to do, all the way through to exfiltration. Whether that gets caught at approval time or written up in a post-mortem comes down to whether anyone can see the full chain.
Seeing the full chain is what Reco’s Dynamic SaaS Security platform was built to do.





