The New Grok Times


Vercel Made OAuth Policy a Board-Level AI Security Story

The Vercel breach is now an OAuth policy story, not merely a Vercel story.

Sunday’s paper said Vercel was the breach that explained why Daybreak and Glasswing matter. Push Security’s post gives the boardroom version: Vercel was compromised through an OAuth app integrated into its Google Workspace tenant after a third-party AI SaaS provider was compromised. [1]

The mechanism is more important than the brand names. Push Security wrote that a Vercel employee had connected an AI app, Context.ai, into the company’s Google Workspace tenant. When Context.ai was compromised, attackers allegedly used OAuth tokens stored in Context.ai’s Supabase platform to access downstream customer accounts, including a Vercel employee’s Google Workspace account. [1]

That user, Push Security wrote, had significant access to internal dashboards, employee records, API keys, NPM tokens, and GitHub tokens, which attackers were able to exfiltrate while holding Vercel to ransom for $2 million. [1] The board-risk sentence is not “AI app bad.” It is “one forgotten OAuth grant can carry a developer’s permissions into the crown jewels.”

Push Security’s control lesson is blunt. From Vercel’s perspective, the attack could have been avoided if employees had been blocked from adding new OAuth integrations without admin approval, or if the integration had been found in a routine audit and removed. [1] That is not futuristic AI governance. It is identity hygiene.

The divergence is useful. Mainstream cyber coverage often treats breaches as incidents with victims, attackers, timelines, and patches. X treats them as proof that every AI vendor is a supply-chain liability. Both frames miss the management question if they stop there. The board must ask who can consent to OAuth apps, who audits stale integrations, which scopes are too broad, and which users carry dangerous permissions.

Push Security’s post explains why the blast radius is larger than many executives assume. A regular user’s OAuth grant is technically scoped to what that user can access, but in practice that can include shared drives, shared calendars, shared documents, dashboards, secrets, and internal tooling. [1] A normal user with broad access can be enough.
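The routine audit described above can be expressed as a few checks per grant: was the app approved, are its scopes broad, has it gone unused, and does the consenting user carry sensitive access. The following is an added example, not code from Push Security or Vercel; the inventory format, field names, scope list and 90-day threshold are assumptions, and the sample records are constructed.

```python
from datetime import date

# Assumption: scopes this example treats as broad; set your own policy list.
BROAD_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/calendar",
}
STALE_AFTER_DAYS = 90          # assumption: audit threshold, not from the article
AUDIT_DATE = date(2025, 6, 1)  # constructed, fixed so the result is reproducible

# Constructed inventory; field names are hypothetical, not a vendor export format.
GRANTS = [
    {"user": "dev1@example.com", "app": "trial-ai-suite", "approved": False,
     "scopes": ["openid", "https://www.googleapis.com/auth/drive"],
     "last_used": date(2025, 1, 10), "privileged_user": True},
    {"user": "ops2@example.com", "app": "calendar-sync", "approved": True,
     "scopes": ["https://www.googleapis.com/auth/calendar"],
     "last_used": date(2025, 5, 28), "privileged_user": False},
    {"user": "hr3@example.com", "app": "sso-profile", "approved": True,
     "scopes": ["openid"],
     "last_used": date(2025, 5, 30), "privileged_user": True},
]

def audit_grant(grant, today):
    """Return the policy findings for one user-to-app OAuth grant."""
    findings = []
    if not grant["approved"]:
        findings.append("unapproved-app")   # user consented without admin review
    if BROAD_SCOPES.intersection(grant["scopes"]):
        findings.append("broad-scope")      # reaches shared mail, files or calendars
    if (today - grant["last_used"]).days > STALE_AFTER_DAYS:
        findings.append("stale")            # forgotten trial that was never revoked
    if findings and grant["privileged_user"]:
        findings.append("privileged-user")  # grant inherits that user's reach
    return findings

def audit(grants, today):
    """Return (user, app, findings) for flagged grants, most findings first."""
    flagged = [(g["user"], g["app"], audit_grant(g, today)) for g in grants]
    flagged = [row for row in flagged if row[2]]
    return sorted(flagged, key=lambda row: (-len(row[2]), row[0], row[1]))

if __name__ == "__main__":
    for user, app, findings in audit(GRANTS, AUDIT_DATE):
        print(f"{user:20} {app:16} {', '.join(findings)}")
```

The approved, narrowly scoped grant held by a privileged user is not flagged, which keeps the report focused on grants that need an owner or a revocation.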

This is why AI security access programs like Daybreak become more than product marketing. If AI tools are entering enterprises through browser apps, SaaS trials, extensions, agents, and OAuth connections, then the security question is not simply whether a frontier model behaves safely. It is whether the organization knows which apps have durable access to which accounts.

Push Security names four shadow-IT categories around AI apps: shadow apps, shadow tenants, shadow extensions, and shadow integrations. [1] Vercel sits in the last category. An app connected directly into core enterprise systems can become a bridge from a third-party compromise into first-party secrets.

The word “shadow” can sound like consultant theater. The Vercel case makes it concrete. Push Security said Context.ai’s relevant product was a deprecated consumer-oriented “AI Office Suite,” that Context.ai said Vercel was not a registered customer, and that the access probably came from a self-service trial that had not been revoked. [1] That is how experiments become infrastructure by neglect.

Boards understand neglected infrastructure when it is a factory roof or an unpatched server. OAuth grants are harder because they look like consent screens, not capital assets. But an OAuth grant is a capital asset if it opens source code, dashboards, secrets, and employee records to a third party. It is also a liability if no one owns its retirement.

The next artifact should be a customer-facing control change. Did Vercel change OAuth approval policy? Did it audit all grants? Did it publish a customer-base exposure map? Did Context.ai document token storage and separation changes? Did large customers ask for attestations? Without that second layer, the incident remains a cautionary tale instead of a governance repair.

The paper’s position is not that every AI app is unsafe. It is that AI adoption makes old identity failures faster, broader, and easier to forget. Daybreak sells trusted access from the vendor side. Vercel shows why customers need trusted denial from their own side.

OAuth policy has become board-level because it is where enthusiasm meets authority. If anyone can connect a trial AI app to a core tenant, then the company has delegated risk acceptance to the busiest person in the browser. That is not innovation. It is an unmanaged vote.

-- THEO KAPLAN, San Francisco

Sources & X Posts

News Sources
[1] https://pushsecurity.com/blog/unpacking-the-vercel-breach
