Hidden OAuth Grants Draw New AI Agents: Nudge Security Targets A Cyber Insurance Blind Spot

Estimated reading time: 4 minutes

Two breaches rode trusted app connections into hundreds of Salesforce environments. Nudge Security says AI agents can police those connections. Its CEO says insurers should start asking about them.

Nudge Security has announced two AI agents aimed at OAuth grants and browser extensions. The Austin-based vendor calls these two of the fastest-growing attack surfaces in the enterprise. We put a few questions to Co-founder and CEO Russell Spitler about the launch. One answer should interest underwriters most. He believes OAuth governance belongs on cyber insurance applications.

Broken connection between user and cloud icons illustrating OAuth grant risk, with Nudge Security CEO Russell Spitler quote that the exposure existed the day the grant was approved.

What Nudge Announced

The OAuth Grant Risk Analyst reviews app-to-app access grants, flags anomalies, and recommends revocations. The Browser Extension Risk Analyst surfaces risky extensions on employee devices. Both join an existing Vendor Risk Analyst agent. The agents automate analysis while keeping humans in the approval loop.

“These new agents help teams immediately surface what’s hidden, prioritize what matters, and take action at machine speed,” said Jaime Blasco, CTO at Nudge Security.

The Breaches That Made OAuth An Insurance Problem

The Salesloft Drift breach of August 2025 compromised data at more than 700 organizations. Attackers stole OAuth tokens and rode trusted integrations into customer Salesforce environments. Spitler says the more recent Klue incident followed the same shape.

“The attacker never touched Salesforce directly,” Spitler said. “They compromised the vendor instead.”

His agent works at two points in that chain. It evaluates scopes when a grant is created. It also re-evaluates every grant tied to a vendor the moment that vendor discloses a compromise. The core argument is about timing. “The exposure existed the day that grant was approved, not the day it was abused,” Spitler said.

See also  GoSecure to Provide Incident Response Services for Northbridge Insurance Policyholders

Accountability Stays Human

Agentic AI security tools raise the same liability question as agentic underwriting. Who owns the mistake? Spitler’s answer keeps the human on the hook.

“The ultimate decision-making remains in the control of the security team,” he said. Consequential actions require approval. A bad revocation that breaks a business-critical integration follows the same accountability model as a manual call. “It sits with whoever approved it,” Spitler said.

The distinction matters. Research from MIT and Carnegie Mellon documented AI agents executing tasks correctly by their own logic while producing unintended outcomes. Spitler says his agent correlates signals a human reviewer would pull, “at a speed no person can match.” He also says it knows its limits. “For anything ambiguous, it still routes to a person, rather than claiming certainty it doesn’t have,” he said.

The Underwriting Question

Should insurers ask about OAuth governance on applications? “Yes, and it’s overdue,” Spitler said. Insurers already ask about MFA, EDR, and patching. By his company’s count, the average enterprise carries 88 OAuth grants per employee, 31 of which touch data directly.

“‘We ran a point-in-time audit’ isn’t a strong enough answer anymore,” Spitler said. “The exposure changes daily, and the review has to keep pace with it.”

A CISO should know how many active grants exist, which touch sensitive data, and whether review is continuous. That framing echoes what AI risk expert Erin Kenneally told the Cyber Insurance News podcast. The market adopts AI faster than it governs AI.

Availability And Pricing Remain Open

The agents are available to select customers via waitlist. “We will be broadening access to the OAuth Grant Risk Analyst and Browser Extension Risk Analyst throughout the summer,” Spitler said. No general availability date has been set. Pricing and packaging are still being worked out.

See also  AIG Cyber Insurance on Hook for Hack of Norsk Hydro

Why It Matters

OAuth grants are standing access paths that survive password resets and bypass MFA. The Salesloft Drift attackers proved that at scale. Underwriters who ask about endpoint controls but not connected apps are rating half the attack surface. Whether the answer is Nudge’s agents or a manual process, the question is coming. Kroll’s 2026 data already ties AI incident rates to governance maturity. OAuth governance is the next proxy fight.

FAQ – OAuth Grant Risk

What did Nudge Security announce?

Nudge Security launched two AI agents. One analyzes OAuth grants and recommends revocations. The other surfaces risky browser extensions on employee devices. Both are in limited availability via waitlist.

What is an OAuth grant?

An OAuth grant gives one application standing access to another without sharing passwords. Attackers who steal the underlying tokens inherit that access. Stolen tokens bypass MFA until revoked.

Why do OAuth grants matter for cyber insurance?

The Salesloft Drift breach used stolen OAuth tokens to reach data at more than 700 organizations. Nudge Security CEO Russell Spitler argues insurers should ask about OAuth governance on applications, alongside MFA and EDR.

When will the Nudge Security agents be generally available?

No date has been announced. Access broadens through summer 2026. Pricing and packaging remain undetermined.

Leave a Comment

×