Meet Nudge Security's new OAuth Grant and Browser Extension Risk Analyst agents, built to catch SaaS risk sprawl no security team can review manually.
Today we're introducing two new AI agents in Nudge Security: an OAuth Grant Risk Analyst and a Browser Extension Risk Analyst, built to catch and act on risk that no security team could feasibly manage by hand.
Here's what that actually looks like. A few months ago, I reviewed a single high-risk OAuth grant in our own Nudge Security environment the way I always do. Pulled the app's profile: has our security team vetted it? Does the provider have the basics of a security and compliance program? Have they disclosed a breach in the last 12 months? Next, I checked the grantor's role to see if admin rights had been delegated to the app. I looked at the actual scopes requested against what's typical for that kind of integration and against our own data-sharing policy. I reached out to the grantor directly to understand the business need, and checked their MFA status to round out the picture. 45 minutes in, I had a verdict: too much risk for too little business value. Revoke it.
Last month, I ran the same data through the AI agent we built to do exactly this. 15 seconds later: Same verdict.
No amount of security expertise will make this manual analysis faster. Nudge Security gives you the most complete context possible, the best-case scenario for this kind of decision, and even then, someone still has to make that call. Multiply that across the tens, sometimes hundreds orthousands of OAuth grants in a typical enterprise, and no security team has the headcount to keep up. We're past the point where more manual effort helps. This makes AI agents a necessity, not a nice-to-have. It scales a rare skillset past what any one person or team can carry, and it frees security teams to spend their time on judgment instead of busywork.
This is why I’m very excited to share the new AI agents we’ve introduced to close some of the biggest risks enterprises face:
What makes OAuth grants and browser extension risk particularly challenging is the scale. Employees reach for browser extensions and OAuth grants daily to improve productivity, most often without any real change management process: connecting a scheduling tool to an inbox, installing a Chrome extension that promises to summarize meetings, granting a new app access to a calendar. Each of those is simple, common, and made without waiting on a review built to keep pace with it. That's what makes both attack surfaces decentralized by design, and it's exactly the gap attackers are counting on.
Ten years ago that behavior added up to a few dozen integrations per company. Today, we see on average a few thousand apps per org and 88 OAuth grants per employee, 31 of which have data-level permissions. At a 1,000-person company, that's 88,000 access paths, 31,000 with a real line to sensitive data. No security team is reviewing that manually, and realistically, no team would.
The recent Vercel breach is a clean example of what happens when that gap goes unaddressed, detailed in our breakdown. The root cause: a compromised OAuth token from Context.ai, a third-party AI tool that one Vercel employee had connected to their enterprise Google Workspace account. That single point of consent, granted months earlier, was enough for the attacker to get in.
The OAuth Grant Risk Analyst pulls context from the browser, inbox, identity provider, and connected apps to evaluate every new grant: who requested it, their role and user metadata, vendor posture, grant scopes, what the app can actually touch, and how that compares to what we already know about the vendor. It's built to catch what a simple risk score misses, like a brand-new hire who created a high-risk developer grant, because it looks at who created the grant, not just what the grant can do. Every analysis comes back with a clear verdict, a plain-language explanation, and a specific next step: review it with the person who created it, monitor it, or revoke it. From there, the agent will take lead on orchestrating the revocation process or other decisions. A person on the security team may make the actual call, the same one I made in my 45 minutes, just without the 45 minutes of manual effort.
The Browser Extension Risk Analyst pulls an extension's artifacts, in addition to the marketplace listing, and checks whether what it does matches what it claims to do. When it finds a mismatch, like an extension quietly sending data to a server it never disclosed, it rates the severity of what it found. If malicious or compromised, the agent may automatically disable the extension and nudge the right stakeholders to complete uninstallation or update policies.
These agents are built with the same guiding principle: analyze what's discovered, communicate the verdict to the security team, and take action to remediate or otherwise mitigate the risk with thoughtful human-in-the-loop approvals in familiar channels like Slack and Teams.
Your workforce will keep making daily technology decisions that carry risk. That's not going away. Attackers are already using AI to exploit OAuth grants and browser extensions given these surfaces have little to no security oversight, making them easy targets. Legacy, manual approaches can’t keep pace. Defenders need real agentic capabilities now, not just to reduce detection and response time, but to surface, analyze, and act on the risk they aren't managing today at all.
That's exactly the challenge these AI agents are built to address. Context is what makes an AI agent's judgment worth trusting: who has access to what, which vendors are already approved, what's normal for this specific company. We've spent years building that layer: over 200,000 vendor security profiles, discovery across the browser, inbox, identity provider, and connected apps. These two AI agents are the first place all of it comes together to act, not just report.
We shipped our first agent, the Vendor Risk Analyst, before "agentic" was the label everyone reached for, because we saw the value of this approach early. It's already cut manual vendor review by up to 90 percent for the teams using it. These two new agents point that same approach at the surfaces piling up fastest with the least attention. That's the whole bet.
Our new AI agents are currently available to select customers. Join the waitlist here.