Executive Summary
Credential abuse remains a leading driver of breaches, and basic web application attacks are still heavily credential-driven.
Third-party involvement has doubled to 30% in Verizon's 2025 DBIR reporting, which changes the governance problem from "our controls" to "our inherited access."
The fastest-growing risk is tokenized trust: OAuth apps, refresh tokens, session cookies, API keys, and service accounts that act like durable access passes.
Recent casework shows attackers do not need to break the platform if they can impersonate a trusted integration or hijack an authenticated session.
The practical governance move is to measure and improve revocation speed, token inventory completeness, and non-human identity lifecycle. MFA coverage is necessary but not sufficient.
What Changed, in Measurable Terms
1. Third-party risk is now a first-order breach driver.
Verizon's 2025 DBIR reports third-party involvement in breaches has doubled to 30%. That is not a niche concern. It implies nearly one-third of environments can inherit breach conditions through a partner, vendor, or integration.
2. Credentials and access are still the point of failure.
DBIR's executive materials repeatedly highlight credential exposure as a meaningful breach category, with credentials appearing in approximately 22% of breach patterns. Separately, in "Basic Web Application Attacks," about 88% of breaches in that pattern involve stolen credentials.
3. Initial access is shifting, but identity remains central.
Mandiant reports exploits remained the most common initial infection vector at 33% in 2024, with stolen credentials rising to 16% and surpassing email phishing at 14%.
This is not a "passwords vs. patches" question. The failure point is the access path, wherever it sits, and those access paths increasingly persist as tokens.
Two Incidents That Define Tokenized Trust
Case 1: A Trusted Integration Becomes the Intrusion Path
Google Threat Intelligence Group documented a widespread data theft campaign targeting Salesforce instances through compromised OAuth tokens associated with the Salesloft Drift third-party application, with activity observed across an August 2025 window.
Why executives should care:
This was not a case of "Salesforce was broken." The attacker rode the trust chain of a third-party app and the OAuth token permissions granted to it.
Board-level translation:
If you cannot answer "Which OAuth apps have privileged scopes, who approved them, and how quickly can we revoke them?" you do not control your identity perimeter.
Case 2: Vendor Compromise in the Support Plane Exposes Sensitive Artifacts
Discord publicly disclosed an incident in which an unauthorized party compromised a third-party vendor (5CA) used for customer support operations. Discord itself was not breached, but a third party was.
Why executives should care:
Support systems and outsourced workflows often contain the most sensitive identity artifacts: verification documents, account recovery data, internal case notes, and investigative context.
Board-level translation:
You must treat support and trust-and-safety tooling as identity-critical systems, with controls equivalent to privileged administrative functions.

The "MFA Is On" Trap
Post-authentication is where many breaches live now.
Attackers are increasingly targeting proof of authentication rather than authentication itself. HP's threat research describes the growing trend of session cookie theft: the cookie is accepted as evidence of a valid logged-in session, so no password or MFA code is needed.
Okta's threat intelligence has also tracked phishing kits evolving to support voice-based social engineering (vishing) campaigns that bypass MFA entirely.
What this means operationally:
MFA is required. But the board metric should shift from "MFA adoption" to "How fast can we revoke sessions, tokens, and trusted app grants?"
Non-Human Identity Governance Is the Quiet Priority
Every automation, integration, and AI workflow tends to introduce one or more of:
- Service accounts
- API keys
- OAuth grants
- Long-lived refresh tokens
- Secrets stored in repositories, pipelines, or configuration files
Non-human identity governance is the practice of owning, limiting, and controlling those access paths. Most organizations do not have a complete inventory of them.
GitGuardian's reporting on secrets sprawl highlights continued growth of exposed credentials and persistent remediation challenges in public code ecosystems, with 2025 reporting emphasizing large-scale exposure and year-over-year growth patterns.
Verizon's DBIR public sector snapshot also calls out slow remediation timelines, including a cited median time to remediate leaked secrets in a GitHub repository.
Board-level translation:
Non-human identity governance is not a tooling preference. It is risk containment. Ownerless, non-expiring credentials are standing access.
Secure by Design: The Procurement Lever That Scales
CISA's Secure by Design materials push the market toward security as a default property of products and services, not an optional configuration burden pushed downstream to buyers.
CISA and partners have also published "Product Security Bad Practices" guidance discouraging high-risk patterns including lack of vulnerability disclosure practices, insecure defaults, and similar behaviors.
CISA's Zero Trust Maturity Model places Identity as a core pillar alongside Devices, Networks, Apps and Workloads, and Data.
Procurement question that actually works:
"Is this secure by default, and can you show evidence?" Not: "Can we harden it if we have time?"
The Operating Model: What to Measure and How to Run It
1. Inventory Completeness
Minimum expectation:
- OAuth apps inventory (who approved, scopes, last used)
- Service accounts inventory (owner, purpose, expiry)
- Secrets inventory (where stored, rotation schedule)
Metric: Percentage of tokens and non-human identities mapped to an owner and expiry date.
2. Revocation Speed
Minimum expectation:
- Ability to revoke refresh tokens
- Ability to terminate sessions globally
- Ability to disable OAuth app grants quickly
Metric: Median time to revoke sessions and tokens after suspected compromise.
3. Vendor Access Inheritance
Minimum expectation:
- Vendor access list for support, CRM, and security tooling
- Privileged actions monitoring (vendor admin actions logged and reviewed)
- Vendor access constrained by least privilege and conditional access
Metric: Number of vendors with privileged access, and number of privileged paths without logging or alerts.
4. Governance Cadence
| Frequency | Activity |
| ---------- | -------------------------------------------------------------------- |
| Weekly | Review new OAuth app approvals and privileged scope grants |
| Monthly | Review vendor access and support-plane privileges |
| Quarterly | Non-human identity lifecycle audit (owner, expiry, permissions) |
| Semiannual | Token and session revocation exercise (tabletop and technical drill) |
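To make the inventory-completeness and revocation-speed metrics above concrete, here is an added example (not code from the original article or from any vendor tool) that scores a constructed token inventory for owner and expiry coverage, lists ownerless or non-expiring identities and privileged OAuth grants with no recorded approver, and computes median time to revoke from a constructed compromise/revocation event log. All identity names, scopes, and timestamps are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import median
from typing import Optional
PRIVILEGED_SCOPES = {"admin", "full_access"}
@dataclass
class NonHumanIdentity:
    name: str
    kind: str                    # "oauth_app", "service_account" or "api_key"
    owner: Optional[str]         # None means ownerless
    expires: Optional[datetime]  # None means the credential never expires
    scopes: tuple = ()
    approved_by: Optional[str] = None

def inventory_completeness(items):
    """Metric 1: share of identities mapped to both an owner and an expiry date."""
    return sum(1 for i in items if i.owner and i.expires) / len(items) if items else 0.0

def standing_access(items):
    """Ownerless or non-expiring identities, i.e. standing access."""
    return sorted(i.name for i in items if not i.owner or i.expires is None)

def unapproved_privileged_apps(items):
    """OAuth apps holding privileged scopes with no recorded approver."""
    return sorted(i.name for i in items if i.kind == "oauth_app"
                  and set(i.scopes) & PRIVILEGED_SCOPES and not i.approved_by)

def median_time_to_revoke(events):
    """Metric 2: median minutes from 'suspected_compromise' to 'revoked', plus names still unrevoked."""
    flagged, minutes = {}, []
    for name, action, ts in sorted(events, key=lambda e: e[2]):
        if action == "suspected_compromise":
            flagged.setdefault(name, ts)   # keep the earliest flag per identity
        elif action == "revoked" and name in flagged:
            minutes.append((ts - flagged.pop(name)).total_seconds() / 60)
    return (median(minutes) if minutes else None), sorted(flagged)
# Constructed sample data: hypothetical names and timestamps, not from any real environment.
INVENTORY = [
    NonHumanIdentity("crm-sync-app", "oauth_app", "sales-ops", datetime(2026, 1, 1), ("full_access",), "ciso"),
    NonHumanIdentity("legacy-connector", "oauth_app", None, None, ("admin", "read")),
    NonHumanIdentity("build-bot", "service_account", "platform", datetime(2025, 12, 31)),
    NonHumanIdentity("metrics-key", "api_key", "data-eng", None),
]
EVENTS = [
    ("legacy-connector", "suspected_compromise", datetime(2025, 9, 1, 9, 0)),
    ("legacy-connector", "revoked", datetime(2025, 9, 1, 9, 42)),
    ("crm-sync-app", "suspected_compromise", datetime(2025, 9, 1, 10, 0)),
    ("crm-sync-app", "revoked", datetime(2025, 9, 1, 10, 18)),
    ("metrics-key", "suspected_compromise", datetime(2025, 9, 1, 11, 0)),  # never revoked
]
```

An identity that is flagged but never revoked is reported separately rather than folded into the median, since that live access is the number the board should see first.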
Five Board Questions for Next Week's Meeting
- Which OAuth apps have privileged scopes, and who approved each one?
- What is our median time to revoke sessions and refresh tokens enterprise-wide?
- Which third parties can access our support plane, CRM, or identity admin functions?
- How many non-human identities exist, how many are ownerless, and how many never expire?
- Which Secure by Design requirements are we enforcing in procurement, and how do we verify defaults?
Closing
Tokenized trust is not a new category of risk. It is the modern shape of access.
The organizations that reduce risk fastest will not be the ones with the longest policy documents. They will be the ones that can inventory trust, limit it, monitor it, and revoke it quickly.
If you want help assessing your exposure, start with the free AI SMB Risk Index Survey. Five minutes. Immediate baseline score.
For the field guide version of what I publish here each week, pick up a copy of Exposed: Inside Risks and The New Architecture of AI Defense on Amazon.
NightFortress works with executives, founders, and mid-market organizations in Northern Virginia and the DC metro area to assess exposure, govern risk, and build security programs that match the actual threat landscape. Contact us to start a conversation.
The information in this article is for educational and informational purposes only. It is not intended as legal, compliance, or professional cybersecurity advice for any specific organization. Consult qualified professionals before making security or compliance decisions.