Material Security Study Reveals OAuth Risk Growing With the Rise of AI, Creating New Concerns for Organizations

Analysis of 22,332 OAuth-connected apps finds that 91% of AI and automation apps in the dataset appeared in just the last 16 months, while nearly half have been dormant for 90 days or more

SAN FRANCISCO, CA / ACCESS Newswire / June 24, 2026 / Material Security, the leading provider of cloud workspace security, today released findings from a study showing the stark reality of unmanaged OAuth exposure across Google Workspace environments. The report, "OAuth & Google Workspace Risk Report," analyzed 22,332 OAuth-connected applications across 21 enterprise Google Workspace environments. The findings show that OAuth has become a persistent and poorly governed access layer connecting AI tools, productivity applications, internal automations and third-party services to sensitive workspace data.

Notably, the report found that 91% of AI and automation apps in the dataset appeared in just the last 16 months, a pace of adoption that reflects individual employees connecting tools on their own rather than any coordinated IT rollout. At the same time, 47.2% of all applications analyzed had recorded no active usage in 90 days or more, with their OAuth authorizations still fully intact. While the applications analyzed are not necessarily malicious or being abused, together these findings reveal a rapidly widening gap between the access organizations have authorized and their ability to monitor and manage it.

As attackers turn their attention to exploiting over-permissioned access and long-lived OAuth tokens, many organizations lack a practical way to identify, assess, and remediate their exposure. OAuth authorizations are persistent by design, but governance processes often remain manual, fragmented, or incomplete. As a result, once-legitimate grants can remain in place long after an app falls out of use, an employee leaves the company, or a new application is adopted outside formal IT processes. The rapid spread of new AI tools makes this risk more urgent.

"OAuth has become one of the main ways modern work gets connected, but it is also one of the hardest parts of the workspace to monitor," said Abhishek Agrawal, CEO of Material Security. "The risk is the accumulation of perfectly reasonable authorizations that have fallen by the wayside. Security teams need a way to identify dormant access, connect OAuth revocation to offboarding, and govern AI adoption without slowing the business down."

Key findings from the report include:

AI App Adoption Is Surging: 91% of AI and automation apps in the dataset appeared in the last 16 months (325 of 356 first observed since January 2024). The average AI-connected app has been running for 9 months, 42% have been connected for over a year, and more than half hold sensitive or restricted scopes. 149 have been connected for 12+ months with no review on record.

One in Four Apps Holds Restricted Google Scopes: 24.5% of all 22,332 applications (5,461) hold at least one active restricted scope type, based on Google's own classification rather than a third-party risk model. Among public, governable apps, 53.4% hold sensitive or restricted scopes, with Gmail and Drive the most common and often appearing together.

Nearly Half of All Apps Are Dormant: 47.2% of applications (10,545) recorded no active usage in the past 90 days, and 25.8% (5,752) have not been used in 180 days or more. In every case, the OAuth authorization remains intact, and the app retains the permissions it was originally granted.

Zombie Tokens Outlive the Users Who Created Them: 1,064 applications show zero active users but still hold live tokens, issued by employees who left, changed roles, or stopped using the tool. 463 of those (43.5%) hold sensitive or restricted scopes, including full Gmail and full Drive access on accounts no active employee is monitoring.

"OAuth has quietly become an important control plane in the enterprise, especially as AI tools connect deeper into email, files, and workflows," said Gabe Bello, Staff Security Engineer. "This research makes clear that OAuth grants cannot be treated as one-time approvals. Security teams need continuous visibility, clear ownership, and automated revocation when access is no longer needed."

To close the visibility gap, the report recommends connecting OAuth revocation to employee offboarding, creating a governed pathway for application adoption, and setting a dormancy threshold, starting with apps unused for 90 days or those with no current users and sensitive or restricted scopes.

Secure Material's OAuth Remediation Agent helps security teams operationalize this process by continuously discovering OAuth-connected apps, evaluating their permissions and behavior, and revoking risky, dormant, malicious or over-privileged access before it becomes a persistent backdoor into the cloud workspace.

The full report is available at material.security/oauth-risk-report.

About Material Security

Material Security Inc. is the leading provider of cloud workspace security solutions. Material's platform helps lean security teams wrap their arms around workspace security, providing a unified platform to address email security, file protection, and identity threat mitigation. Material is backed by Andreessen Horowitz and protects the world's fastest-growing and most agile companies, including Figma, Mars, DoorDash, Lyft, and more.

Media Contact:

Carmen Mantalas
Verdis on behalf of Material Security
carmen@verdis.xyz

SOURCE: Material Security


