The dangerous AI agent is not necessarily the one that hallucinates. It may be the one that authenticates.

Vercel's April security bulletin describes a breach that began with Context.ai, moved through Google Workspace access, reached internal Vercel environments and exposed non-sensitive environment variables. [1] Monday's paper called the incident the AI-agent OAuth warning label. Tuesday's stronger lesson is procurement: every company buying an office agent is also buying an identity perimeter.

Context.ai's own update supplies the key verb. OAuth tokens for users of its AI Office Suite were compromised, and one token appears to have been used to access a Vercel employee's Google Workspace account after the employee had granted broad permissions. [2] That is not a science-fiction failure mode. It is a normal SaaS consent pattern, made more dangerous by an agent whose commercial promise is to act across tools.

The Register put the same chain in plain language: Vercel blamed Context.ai; Context.ai said an agentic OAuth tangle enabled access; the path ran through Workspace permissions and environment variables. [3] The detail that matters is not whether the variables were marked sensitive. It is that an external AI tool became an attack path into a developer platform's internal systems.

This is where the AI safety debate often sounds misdirected. Hallucination matters when a model advises a doctor, drafts a contract or writes code that someone trusts. But the Vercel incident belongs to a more prosaic danger class. An AI office tool asks to read documents, draft presentations, summarize mail, create files and perform actions. To do that, it needs tokens. Tokens are power.

The divergence is now obvious. Mainstream security coverage has a breach-response story: rotate credentials, review environment variables, contact affected customers. [1][3] Security X has a systems story: AI agents are being attached to corporate identity faster than companies can inventory their scopes. The paper's position is narrower than panic and harsher than marketing. If an agent can act, procurement must treat it as a security principal.

That changes the checklist. A vendor review can no longer ask only whether the model is accurate, whether data is retained, or whether prompts train future systems. It must ask what OAuth scopes the agent requests, whether those scopes are user-limited or tenant-wide, how tokens are stored, how revocation works, what logs catch token refreshes, and whether the company can answer a simple question: which AI tools can currently act inside our workspace?

Vercel's incident also shows why environment hygiene is security policy, not janitorial work. Marking secrets as sensitive before an incident is dull until a valid token walks into the environment. Credential rotation is cheap until it is performed under uncertainty. OAuth app inventory is boring until the unremembered app becomes the front door.

The broader AI-state-power thread has been about deployment surfaces, not leaderboards. Cloudflare makes Kimi usable when it puts the model behind developer endpoints. Figma discovers counterparty risk when an AI partner can become a design competitor. Vercel discovers agent risk when a third-party tool's permissions become a production path. The same lesson recurs: capability matters after distribution, identity and dependency make it durable.

None of this proves that companies should ban AI agents. It proves they should stop treating them as browser extensions with better demos. The agent is a user, a vendor, a workflow and a permission bundle at once. That hybrid status is exactly why the breach should travel from the security team to the purchasing desk.

The next procurement form should have a blunt question: what happens if the agent's token is stolen? If the answer is vague, the vendor has not sold an assistant. It has sold an attack path with a friendly interface.

That question should travel beyond security questionnaires. Legal needs it because consent language becomes liability language. Finance needs it because a cheap agent can create expensive incident work. Product needs it because every promised integration is also a new boundary that someone must defend.

The agent era will be governed less by slogans about intelligence than by inventories of permission. Whoever owns that inventory owns the risk, and whoever ignores it inherits the incident.

-- DAVID CHEN, Beijing