The Vercel Breach Started with an Ungoverned AI Agent

Vercel Breach
Adam Cheriki
Co-founder & CTO

On April 19, Vercel disclosed a security incident that traces back to Context.ai, a third-party AI tool used by an employee. The attacker compromised Context.ai’s Google Workspace OAuth app, hijacked a Vercel employee’s Google Workspace account, and from there accessed Vercel’s internal environments and environment variables that were not marked as sensitive. 

Vercel stores all customer environment variables encrypted at rest, but variables not designated as “sensitive” could still be read. Those variables contained API keys, tokens, and database credentials that the attacker used to escalate access further.

Vercel’s response has been transparent. They engaged Mandiant, notified law enforcement, published IOCs, and are advising customers to rotate secrets. Credit where it’s due.

But here’s what should keep every security leader up at night: the breach path started with a compromised AI agent and an OAuth token, but those weren’t what triggered the alarm. The compromise was identified through activity in a governed system, the employee’s Google Workspace account. Not the AI agent. Not the OAuth token. Not the environment variable access.

The actual entry point, a compromised third-party AI agent with OAuth access to Vercel’s infrastructure, operated undetected because of three major flaws:

  • No inventory 
  • No ownership 
  • No visibility 

The lack of insight into the agent’s connections and the identities fueling its permissions meant that by the time a Google Workspace alert was finally triggered, the threat actor had already successfully moved laterally across Vercel’s infrastructure.


The Gap Is Not Detection, It’s Governance

Most security teams have invested heavily in governing human identities. SSO, MFA, session monitoring, and access reviews. That’s table stakes.

But the AI agents and tools powering services like Context.ai don’t operate the way humans do. They authenticate through OAuth tokens, API keys, and service accounts. They connect in seconds, operate continuously, and drift quickly as adoption spreads across teams. In most organizations, they sit completely outside the scope of traditional IAM and IGA tools.

No one is tracking which AI agents are connected, what permissions they hold, which systems they can reach, or which identities power their access.

That hypothetical risk has very much become a reality.

Governing AI Agents the Way You Govern Human Identities

This is the problem Entro’s Agentic Governance and Administration (AGA) was built to solve. AGA extends the proven IGA playbook (inventory, ownership, least privilege, auditability, enforcement) to the new access surface created by AI agents and the non-human identities that power them.

Here’s what changes when that governance is in place:

Shadow AI Discovery

Every third-party AI agent, OAuth app, and AI client connected to your environment is automatically discovered and inventoried, across endpoints, agent platforms, and cloud environments. Context.ai’s OAuth token would have been visible from day one, not surfaced retroactively during incident response.

AGA builds a structured profile for each AI agent across three layers: the sources where it runs (endpoints, agent foundries, cloud environments), the targets it touches (enterprise apps and systems), and the identities it uses to access them (OAuth apps, service accounts, API keys, secrets). 

That’s the difference between “we didn’t know this agent existed” and “we know exactly what it’s connected to, what it can reach, and who owns it.”
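As an added example (not Entro’s or Vercel’s code), here is a small Python sketch of the three-layer profile described above, built from OAuth grant records shaped like the Google Workspace Directory API `tokens` resource; the records, app names, client IDs, owner register and high-risk scope list are all constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set
# Constructed sample grants shaped like the Google Workspace Directory API `tokens`
# resource (userKey, clientId, displayText, scopes); app names and IDs are invented.
G = "https://www.googleapis.com/auth/"
SAMPLE_TOKENS = [
    {"userKey": "alice@example.com", "clientId": "111.apps.googleusercontent.com",
     "displayText": "Sample AI assistant", "scopes": [G + "gmail.readonly", G + "drive"]},
    {"userKey": "carol@example.com", "clientId": "111.apps.googleusercontent.com",
     "displayText": "Sample AI assistant", "scopes": [G + "drive"]},
    {"userKey": "bob@example.com", "clientId": "222.apps.googleusercontent.com",
     "displayText": "Sample calendar sync", "scopes": [G + "calendar.readonly"]},
]
# Ownership register (hypothetical): OAuth client ID -> accountable team.
OWNERS = {"222.apps.googleusercontent.com": "it-ops@example.com"}
# Scopes that hand an app broad read or write access to enterprise data.
HIGH_RISK_SCOPES = {G + "drive", G + "gmail.readonly", G + "admin.directory.user"}

@dataclass
class AgentProfile:
    client_id: str
    name: str
    owner: Optional[str]
    sources: Set[str] = field(default_factory=set)  # accounts whose grants it rides on
    targets: Set[str] = field(default_factory=set)  # services reachable via its scopes
    scopes: Set[str] = field(default_factory=set)   # permissions the identity holds

def service_of(scope: str) -> str:
    return scope.rsplit("/", 1)[-1].split(".")[0]  # ".../auth/gmail.readonly" -> "gmail"
def build_inventory(tokens: List[dict], owners: Dict[str, str]) -> Dict[str, AgentProfile]:
    """Fold per-user grants into one source/target/identity profile per OAuth client."""
    profiles: Dict[str, AgentProfile] = {}
    for t in tokens:
        cid = t["clientId"]
        p = profiles.setdefault(cid, AgentProfile(cid, t["displayText"], owners.get(cid)))
        p.sources.add(t["userKey"])
        p.scopes.update(t["scopes"])
        p.targets.update(service_of(s) for s in t["scopes"])
    return profiles

def ungoverned(profiles: Dict[str, AgentProfile]) -> Dict[str, List[str]]:
    """Flag agents with no registered owner or with high-risk scopes for review."""
    out: Dict[str, List[str]] = {}
    for p in profiles.values():
        reasons = ["no owner"] if p.owner is None else []
        risky = sorted(p.scopes & HIGH_RISK_SCOPES)
        reasons += ["high-risk scopes: " + ", ".join(risky)] if risky else []
        if reasons:
            out[p.client_id] = reasons
    return out
```

In a real deployment the grant records would come from the tenant’s token listing rather than an inline list, and the owner register would be the system of record for who has accepted responsibility for each app.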

Monitoring and enforcement

Discovery tells you what exists. Monitoring and enforcement tell you what’s happening and what’s allowed. AGA provides visibility into agent activity, policy controls for sanctioned behaviors and targets, and audit trails of allowed and blocked actions. 

When a third-party AI agent’s behavior deviates from policy, such as accessing environments or invoking tools it was never sanctioned to touch, security teams see it and can act on it. You don’t wait for a downstream alert from a completely different system.

Secrets exposure reduction

The Vercel breach exposed environment variables that weren’t marked as sensitive, leaving API keys, tokens, and database credentials readable despite being encrypted at rest. AGA includes controls specifically designed to reduce sensitive data and secret exposure across AI access paths, addressing exactly the kind of credential sprawl that turned a single compromised OAuth app into lateral movement across Vercel’s infrastructure.

The Question Every Security Leader Should Ask Right Now

How many third-party AI agents have OAuth access to your environment today? Do you know what they’re connected to? Which identities power them? Who owns them? Could you detect a policy violation in real time, or would you only find out after the attacker trips a human identity alert?

If you can’t answer those questions, you have the same gap Vercel had. Don’t let this vulnerability go unchecked; make sure you’re covered. If you’re not sure where to start, talk to us.

Govern every AI Agent. Secure every action.
