Five OAuth Controls Your Enterprise Needs Before the Next Vercel-Style AI Tool Breach
A quick look inside the Google Workspace admin console may tell security teams more about their AI risk than another policy review. The third-party app list under Security, then API Controls, then App Access Control, shows everything employees have authorized with corporate accounts. Some are expected SaaS tools. Some are probably AI tools. The uncomfortable question is how many of them have broad OAuth access, including "Allow All" permissions.
That is what every security team should have done in the week following the Vercel breach. Most companies find the picture uncomfortable.
Vercel was in the news in April 2026, reporting an attacker using a third-party AI tool, Context.ai, to gain access to their internal systems. The attack vector was not a CVE, not phishing, and definitely not a cloud misconfiguration. A Vercel employee used a corporate Google Workspace account to sign up for Context.ai and authorized "Allow All" OAuth permissions. In February, Context.ai was breached by Lumma Stealer malware. The attacker used the stolen OAuth tokens to pivot from Context.ai to Vercel's Google Workspace, and from there into Vercel's internal systems. A threat actor claimed to offer the stolen data for sale on BreachForums for $2 million.
In this case, many controls behaved exactly as configured. The control gap was a missing decision about who controls what AI tools can access in the enterprise. This can be fixed by applying five controls.
The breach has been disclosed and reported already. These five controls are what every enterprise should run this week to avoid the same chain.
1. OAuth consent should move out of employee hands
The first place to tighten control is OAuth consent. Employees should not be able to grant broad third-party application access to corporate Google Workspace or Microsoft 365 accounts without a security review.
In Google Workspace, that means moving App Access Control toward an allowlist model under Admin Console, then Security, then API Controls. In Microsoft 365, Entra ID should require admin consent for new enterprise applications. Any AI tool requesting sensitive scopes, such as Gmail, Calendar, Drive, or Admin Directory access, should be reviewed before approval, not discovered after the fact.
This is not optional hygiene. This is a fix for entry points.
2. The AI tool inventory has to start with OAuth grants
Perform an extensive OAuth audit on Google Workspace and Microsoft 365. Look specifically for the Context.ai OAuth app ID published by Vercel (110671459871-30f1spbu0hptbs60cb4vsmv79i7bbvqj.apps.googleusercontent.com) and investigate if you find this within your environment.
And continue your search for any linked AI tools. Most environments discover more AI tool integrations than the security team was aware of. Each one is an OAuth scope that becomes a breach path if the AI vendor is compromised.
Build a living inventory. Document and classify each tool based on the OAuth scopes it possesses, the type of data it is permitted to access, and whether it was approved by security or self-provisioned by an employee.
3. Broad scopes should be the exception, not the default
The Vercel employee granted Context.ai "Allow All" permissions. That is about as bad as giving a master key to a contractor to do a job that only requires access to one room.
Review the OAuth scopes given to each AI tool in your inventory and cut them down to the bare minimum the tool needs to work. For example, an AI writing tool that needs to access Google Docs should not be granted scopes for Gmail, Calendar, or Admin Directory. An AI coding tool that only needs access to one repo should not have an org-wide GitHub token.
The same least-privilege discipline that applies to service accounts and API keys applies to AI tools. They are no different. They are service accounts with natural language interfaces.
4. AI vendors need a different third-party risk review
Most third-party risk management programs review SaaS vendors for SOC 2 compliance, data handling, and SLAs. AI tools require additional criteria.
Ask the AI tool provider how they handle employee endpoint security. Context.ai's breach started with an employee downloading malware. Ask how they store and rotate OAuth tokens. Ask about their incident notification SLA if their systems are compromised. Ask whether they support scoped OAuth grants or just "Allow All" permissions.
If the AI tool vendor cannot answer these questions, that is a risk decision the security team needs to make explicitly, not one employees implicitly accept by clicking "Allow."
5. Detection has to include the behavior of approved AI tools
The Vercel breach had a dwell time of two months. Context.ai was breached in February, and Vercel became aware of the breach in April. The attacker used OAuth tokens to enumerate Vercel's internal systems with what Vercel described as "surprising velocity".
SIEM and CASB detections should account for AI tool OAuth grants with broad scopes, unusual API call patterns from authorized AI tools, AI tool access from unexpected IP ranges, and bulk data access by AI tool service accounts outside normal patterns. These indicators may reduce dwell time from months to hours.
The accountability decision most enterprises have not made
The five controls are technical. The more complex issue is organizational: who is accountable for the security of the AI tools?
In the case of the Vercel breach, the employee who gave the OAuth permissions was not breaking a policy. There wasn't a policy to begin with. The security team was not monitoring AI tool integrations. The IT team was not reviewing OAuth grants. Nobody was wrong because nobody was assigned.
This is the gap I keep running into. AI tools cross into security, IT, data governance, and application development. When something spans all of these, it becomes no one's responsibility until the breach.
The Coalition for Secure AI's AI Shared Responsibility Framework, on which I am a reviewer, formalizes the answer: exactly one accountable party per component. You don't require formal frameworks to be proactive. You only need one answer: who owns this?
Go to the admin console. Count the AI tools. Review the scopes. Make the assignment. The next Context.ai is already integrated with your enterprise.