#1745920: Protecting AI Agents in O365 and Google Workspace
| Description: |
AI agents need data to be useful, but do we have the right tools to get them access? OAuth seems like the way forward, but it was never a security protocol. Just handing it over to agents is a recipe for disaster. Pre-existing conditions The governance failures AI agents will exploit are not new. "I don't think this is really an AI-specific problem," said Nate Lee of TrustMind. "It's more about the concentration of data, the lack of granularity in the controls, and the lack of oversight into how that data is being accessed." AI is accelerating how much data organizations want to share and how quickly, he added, compounded by the fact that the business value of sharing is often high enough that companies are willing to "overlook (and/or understate) the risk." Tim Shelton of HAWK Network Defense described the inventory most environments are already carrying: "too many stale permissions, shared mailboxes, overprivileged accounts, old files nobody remembers, and OAuth relationships that were approved once and never looked at again. The AI itself is not really the problem... It's the fact that organizations are about to give automated systems access to data environments they barely govern today." Architecture over rollout The fix isn't slowing down deployment. "What has to change is the architecture, not the rollout pace," said Ashish P. of Defendermate. He outlined two paths: constrain the agent with narrow scope, fixed logic, and a predictable surface, which is safe today but "gives up most of the productivity story," or build agents their own identity layer and treat them as "a new principal class, not a user, not a deterministic service." Daniel Gorecki, CISO at NGC Risk, pushed in the same direction from the infrastructure side. "OAuth is a connection protocol, not an authorization framework," he said. "The control surface has to move to the data layer — classification, tagging, scoped data products — not the access layer anymore. We're going to need to redesign ACLs for how agents actually consume data, not bolt them onto legacy permission models." Access isn't legitimacy Having access to data shouldn't mean an agent can automatically use it. "Employers have access to this data, but access is not legitimacy," said Steve Tout of Identient. The question he posed is practical: will employees trust agents crawling through years of inboxes in the name of productivity? His answer centers on digital twins, not as another agent rummaging through the enterprise but as "a proxy for humans — a governed representation of interests, context, permissions, and boundaries. Something that stands between people and enterprise data to determine what gets shared or withheld." Tony Gonzalez, CRISC, CDPSE, QTE of Innervision Services LLC framed the companion problem as "the hoard vs. purge equation." AI may push organizations to keep as much data as possible, but "the perils of keeping too much are clear," he said. When you have too much, you create a bigger surface area for attack, and that heightens the risk of a breach. Not to mention the problem of higher storage costs and greater complexity in data privacy administration. Data has a half-life The tension between data hoarding and exposure risk predates AI. "It's a problem, but not a new one," said Aaron Stanley of dbt Labs. "Security and legal teams have spent years balancing data hoarding against the risk of discovery and exposure." What AI may finally deliver, he said, is both the incentive and the tool. His hope is "that we can finally use AI to continuously interrogate our data to find latent risk, identify what no longer has business value, and drive aggressive data minimization strategies." Daniel Gorecki, CISO at NGC Risk, made the prerequisite explicit. "Data has a half-life, but we have typically failed at enforcing it properly," he said. "AI creates the forcing function we've been deferring around properly executed data retention." For Tony Gonzalez of Innervision Services, AI may push organizations toward hoarding as much data as possible on the theory that it might become useful. While we have all the aforementioned problems, the real underlying problem, he said, is authorization. Having data doesn't mean it should be shared with every model and agent that asks for it. Please listen to the full episode on your favorite podcast app, or over on our blog, where you can read the full transcript. If you're not already subscribed to the Defense in Depth podcast, please go ahead and subscribe now. Listen to the full episode here. Thanks Material Security for sponsoring. And thanks to Malanta for providing this week's security tip on threat intelligence. |
|---|---|
| More info: | https://www.linkedin.com/pulse/protecting-ai-agents-o365-google-workspace-cisoseries-57xvc/ |
| Date added | July 17, 2026, 12:35 a.m. |
|---|---|
| Source | |
| Subjects |
|
