One Forgotten OAuth Grant. One Compromised Tool. One Client Wiped Out.
April 19, 2026. Vercel — a publicly-listed dev-tools company with a real security team — got breached. Not because someone broke in. Because one employee had connected a third-party AI tool that later got compromised, and the OAuth grant did exactly what it was designed to do: walk the attacker into the employee's Google Workspace, then into Vercel, then into customer systems.
Your clients are running the same architecture, with no security team, no IT review of installed tools, no quarterly OAuth audit. The first time most of them think about this is the morning after.





