Your Agent's Access Is the Perimeter Now
Nobody in a heist movie attacks the vault. They steal the badge. In August 2025 somebody ran that movie against 700+ companies at once — and the badge belonged to a chatbot.

Every good heist movie teaches the same lesson, and it is never the lesson you think you are there for. You show up for the vault. You stay for the cons. And by the end you realize nobody in the movie ever actually attacked the vault.
Watch Ocean's Eleven again with this in mind and it becomes almost a training film. The crew does not drill the safe. They do not crack the door. Their entire labor, the thing the film is actually about, is becoming people the building already trusts: the maintenance tech with the right badge, the delivery crew nobody questions, the high-roller the pit boss wants to keep happy, the SWAT team that walks out with the money because who stops a SWAT team. The vault is engineering. The badge is the heist. Hollywood understood, decades before the security industry re-learned it at enormous expense, that you do not go through the wall. You go through the thing the wall was built to trust.

In August 2025, somebody ran that movie against more than seven hundred companies at the same time. And the badge they stole belonged to a chatbot.
The badge was an OAuth token
Here is the incident, and if you remember only one from all of 2025, I would make it this one, because it is the clearest illustration I know of where the perimeter actually is now.
Drift is an AI chat agent that thousands of companies embedded on their websites and wired into their Salesforce instances, so the bot could log conversations, create leads, and update records. Perfectly ordinary. Useful. To make that connection work, each company minted Drift an OAuth token. If that phrase means nothing to you, here is the only thing you need: an OAuth token is a durable digital badge, issued once, that tells a system "the holder of this is trusted to read and write our data," and unlike a password it is designed to keep working in the background forever, without anyone logging in, so the integration never breaks.
A threat group that Google's Mandiant tracks as UNC6395 stole those tokens from the Drift integration. And then they did the single smartest thing available to them, which was nothing dramatic at all. No malware. No zero-day. No alarm-tripping exploit. They simply used the badges. They ran ordinary database queries through legitimate, sanctioned interfaces, with custom labels to blend into normal traffic, and they bulk-exported Salesforce data from more than 700 organizations. The victim roster reads like the sponsor wall at a security conference: Cloudflare, Google, Palo Alto Networks, Proofpoint, Zscaler.
Read that list one more time, slowly. These are the companies that write the best practices the rest of us follow. Their walls were fine. Their walls were, in fact, excellent. The perimeter that failed was the badge, and the badge belonged to a bot, and a bot's badge has properties no human credential has. It never sleeps. It never travels to a suspicious location. It never fails a phishing simulation, because you cannot phish a token. And it is trusted by design, because the entire reason it exists is to let an integration act without a human in the loop. The attackers did not defeat the trust. They inherited it.
What were they actually after, underneath the CRM records? Mandiant's assessment: credentials. API keys, cloud passwords, data-warehouse tokens that customers had, over the years, pasted into support tickets and case notes. One AI agent's access had quietly become a master key to a warehouse of other keys. The heist crew did not crack a single vault at any of those 700 companies. They walked in wearing the bot's badge, because the whole point of the badge was that the building had agreed, in advance, not to ask questions of anyone holding it.
123456
Two months earlier, the same lesson had played out in a dumber key, and I tell the dumb version too because the contrast proves it is not about sophistication.
McDonald's runs its hiring through a platform called McHire, fronted by an AI chatbot named Olivia that screens applicants and collects their information. Two researchers, Ian Carroll and Sam Curry, went looking, found the login for a test administrator account, and tried a password. The password was 123456. It worked on the second guess. There was no second factor, no additional check, nothing. And from inside that account, using a flaw called an insecure direct object reference, which is a fancy name for "the applicant ID was just a number in the web address, and you could change the number," they were able to walk through the records of up to 64 million job applicants. Names. Emails. Phone numbers. And the full transcripts of every conversation those tens of millions of people had had with Olivia.
I do not tell this story to dunk on a vendor, whose response, to their credit, was fast. I tell it because of what the AI was and was not responsible for. Nothing about this breach required artificial intelligence to exist. Weak password, missing MFA, an ID you could increment: this is a 2013 breach wearing a 2025 outfit. The AI did not cause the hole. The AI's role was quieter, and worse. The chatbot was the reason 64 million people's most personal job-seeking conversations were concentrated in one place behind that one laughable credential in the first place. And that is the general law, the thing I want you to carry out of this essay: bolting an autonomous agent onto a system does not raise the system's security floor. It multiplies the blast radius of the system's weakest credential. The agent is a gravity well. Data pools around it because that is what makes it useful. Tokens accrue to it because it needs them to act. And whatever was flimsy in the vicinity, a test account, a stale password, a forgotten permission, is now flimsy at the scale of everything the agent touches.
If you want the pattern in its most naked form, look at what researchers found in January 2026 when they scanned the open internet for self-hosted instances of the viral OpenClaw agent: tens of thousands of them, a great many running with no authentication at all. One researcher demonstrated that a single exposed instance handed over the agent's model API keys, its messaging tokens, its chat access, and months of full conversation history, along with the ability to send messages as the owner and run commands with administrator rights. Think for a moment about what an agent fundamentally is: a process that accumulates every credential it has ever been handed, so that it can act on your behalf across all of them. Now put that process on the public internet with no password. Each exposed box was not a vulnerability waiting to be chained into an attack. It was a completed heist kit, pre-assembled, laid out neatly, with the badge sitting on top.

Issued scope is a promise. Realized access is a fact.
Now come inside the enterprise, where there is no attacker in the story yet, because the most important version of this problem is the one that is already sitting quietly in every company running agents, doing nothing wrong, waiting.
In our conversations with governance and security teams over the past year, two examples come up so often they have become furniture. The first: an agent holding standing read access to a customer PII database that its actual job has never, not once, required it to query. The access was granted at creation, "just in case," and has sat there ever since like a loaded weapon in an unlocked drawer nobody remembers loading. The second: an agent with full administrative rights on a storage bucket, because eight months ago, during a sprint, someone needed it to read a single folder, and admin was the fastest way to unblock the ticket, and access granted in a hurry has no natural expiry date. It just persists, forever, until someone goes looking, and nobody goes looking.
Ask how this survives a security review, and you arrive at the mechanism this whole essay has been circling. Access reviews audit what was granted. A reviewer pulls the list of permissions, compares each against a policy, confirms that each grant had a justification at some point, checks the box, and the review passes, cleanly, honestly. And the entire time, nobody asks the other question, the only question an attacker will ever care about: what has this agent actually touched?
Issued scope is a promise about the future, a statement of what the agent is permitted to do. Realized access is a fact about the past, a statement of what it actually did. And nearly every security process in existence audits the promise and ignores the fact. The distance between the two is what I have started calling scope debt, and like every kind of debt it compounds silently and invisibly. Every quarter that agent holds PII access it never uses is another quarter of pure downside carried on nobody's balance sheet, generating no benefit, accumulating only risk, costing exactly nothing right up until the single day it costs everything.
And that day, when it comes, will be quiet. Straiker, a security vendor that sells agent detection and therefore has a real commercial dog in this fight, published a number this summer that is worth sitting with even after you discount it for the source. Among the attacks that succeeded against productivity agents in their testing, 91 percent ended in silent data exfiltration. Silent, meaning nothing crashed and no alarm fired and no dashboard turned red. The agents did things they were permitted to do, using access they had been granted, on behalf of the wrong principal, and every one of those actions sailed straight through a permission model that only ever checked whether the access was allowed, never whether it was appropriate in the moment. You cannot catch that by reviewing grants. You can only catch it by knowing what an agent's normal realized access looks like, and then noticing when the shape of it changes. Almost nobody measures the normal, which means almost nobody can see the abnormal.
And before anyone reaches for it: yes, agent identity helps, and the industry's recent push to give every agent a strong, verifiable identity is genuine progress that I am glad to see. But identity answers who the agent is. It does not answer what it has touched, and it does not answer who answers for it. The Drift tokens were perfectly valid identities, cryptographically sound, correctly issued. That was the entire problem. Identity told those 700 companies exactly who was exfiltrating their data, in real time, with a valid badge, and it did not help at all, because knowing the name on the badge is not the same as knowing whether the badge-holder should be in the building at 3am.
One agent. One week. Try it.
I am going to leave you with an exercise instead of a conclusion, because unlike most things a vendor tells you, this one is checkable, tonight, for free, and it will tell you more about your real exposure than any report I could write.
Pick one production agent in your company. Just one. Ideally the one everybody likes and trusts, the reliable workhorse nobody worries about. Now try to write down, from the systems and tools you already have, three things. Every credential that agent currently holds. Every data source those credentials can reach. And then the hard one, the one that separates a promise from a fact: every data source that agent actually reached in the last seven days, with reads separated from writes.
If you can produce all three in under an hour, you are genuinely ahead of nearly every enterprise we have ever scanned, and I mean that without a trace of irony. Go tell your team they did something right.
If you cannot, then sit with the arithmetic for a second, because it is the whole essay compressed into one uncomfortable fact. You are defending a vault. You have spent real money on the vault door, and the door is probably excellent. And you cannot currently produce a list of who holds badges, or a record of where the badge-holders have actually been walking around at night.
The vault door is fine. It is always fine. That was never where the movie ended.
Go count the badges.
Counting the badges, and mapping what they have actually touched, is the first thing Guard0 does when it connects. It takes about fifteen minutes, which is less time than Danny Ocean's crew spent on wardrobe.
References
- Google Cloud / Mandiant: data theft from Salesforce instances via Salesloft Drift
- Unit 42 threat brief on the compromised Salesforce instances
- FINRA alert on the Salesloft Drift supply chain attack
- McHire breach writeup, AI Incident Database #1179
- INCIBE-CERT on the McDonald's AI recruitment exposure
- Infosecurity Magazine: researchers find tens of thousands of exposed OpenClaw instances
- Kaspersky advisory on OpenClaw exposure
- Straiker STAR Labs research
Get Started
Start free on Cloud
Dashboards, AI triage, compliance tracking. Free for up to 5 projects.
Start free →Accountability at scale
SSO, RBAC, CI/CD gates, self-hosted deployment, SOC2 compliance.