
Daily Cyber Insight: Shadow permissions are a material risk

CybersecurityHQ Report - Daily Cyber Insight

Welcome reader, here’s today’s Daily Cyber Insight.

Brought to you by:

👣 Smallstep – Secures Wi-Fi, VPNs, ZTNA, SaaS and APIs with hardware-bound credentials powered by ACME Device Attestation

📊 LockThreat – AI-powered GRC that replaces legacy tools and unifies compliance, risk, audit and vendor management in one platform


Most enterprises still treat SaaS sprawl as an inventory problem. At Fortune 100 scale, the real danger isn’t the number of apps — it’s the delegated permissions those apps quietly accumulate. The Gainsight/Salesforce issue isn’t an outlier; it’s a structural weakness in OAuth itself. A single third-party app can inherit “read/write all data” or “offline access” and silently bypass your entire IAM program, no matter how mature your controls are.

The second-order risk: OAuth tokens survive password resets, session revocations, conditional access policies, and even incident response playbooks. They persist across reorganizations, mergers, and offboarding cycles — which means your board-level exposure is growing in places no one is accountable for.

If you haven’t mapped delegated permissions to business-critical workflows, assume you’re already carrying unmodeled blast radius.

Action: Block “offline access” and “full data” scopes by default. Treat delegated permissions as material risk, not IT hygiene.
