Introduction: The Invisible Attack Surface

Your enterprise runs on SaaS. Salesforce manages your revenue. Workday manages your people. ServiceNow manages your operations. And increasingly, AI agents and co-pilots are doing the work, moving data between these systems, executing multi-step workflows, and making decisions at machine speed without a human in the loop.

Here is the critical insight most security teams are still catching up to: the vast majority of AI tools and agents are delivered as SaaS applications, or embedded within them. When your sales team activates an AI copilot inside Salesforce, when your engineering team connects a coding agent to GitHub and Jira, when your revenue operations team deploys an AI-powered data enrichment tool, these are all SaaS-to-SaaS integrations, authenticated via OAuth tokens and API keys, exchanging data through backend channels that your existing security stack was never designed to see.

This creates a vast, dynamic, and largely invisible attack surface. Gartner estimates that non-human identities (service accounts, OAuth tokens, API keys, and AI agents) already outnumber human identities by as much as 80 to 1.¹ The consequences are not theoretical. In late 2025, the Gainsight breach showed exactly what happens when backend "East-West" traffic goes unmonitored: attackers used compromised OAuth tokens to access Salesforce tenants for over three months, bypassing MFA entirely, before Mandiant and CrowdStrike were called in to scope the damage.² The Salesloft Drift breach demonstrated the same dynamic at supply chain scale, with a single set of compromised tokens cascading across Salesforce, AWS, Google Workspace, Snowflake, and Slack.³

The scale of the problem is now documented. Vorlon surveyed 500 U.S. CISOs for The Agentic Ecosystem Security Gap: 2026 CISO Report and found that 99.4% experienced at least one SaaS or AI ecosystem security incident in 2025, despite organizations deploying an average of 13 dedicated security tools across their SaaS and AI environments. Only three of the 500 CISOs surveyed reported zero incidents.

According to Gartner, "by 2027, over 50% of major SaaS-related breaches will exploit overprivileged OAuth tokens used by M2M integrations."⁴ The Vorlon survey shows that milestone is already arriving: 30% of CISOs experienced a supply chain attack involving a SaaS vendor or integration partner in 2025, and 30.4% experienced suspicious activity involving AI agents, in the first year of serious enterprise AI agent deployment.⁵


The gap between the speed of AI adoption and the maturity of AI security is the defining risk of this era.

 

"Understanding the risk and having the right architecture to address it are two different things. The SaaS and AI ecosystem has become the largest and fastest-growing attack surface in the enterprise, and it is the one most organizations are running without adequate supervision."

Amir Khayat, Co-founder and CEO, Vorlon

 

The Four Critical Questions

Question #1

"Can you show me a complete, living map of every integration, agent, and data flow across my entire SaaS and AI ecosystem, including the ones my team doesn't know about?"

 

Why This Question Matters

The most dangerous threats in your SaaS ecosystem are the ones you cannot see.

Traditional security tools focus on "North-South" traffic: the user-to-application path. They see a human logging into Salesforce. They can enforce policy on that browser session. But when an AI agent queries your data warehouse, enriches a record from a third-party tool, and pushes an update to your marketing platform, that is "East-West" traffic, flowing entirely through backend APIs. No browser is opened. No proxy is traversed. To your existing security stack, this activity simply does not exist.

This is exactly how the Gainsight attack worked. OAuth refresh tokens became an attack vector, and because no traditional tool monitored machine-to-machine connections, the attack went undetected for months. The Vorlon survey puts a number on this blind spot: 86.8% of CISOs say the inability to see what data AI tools are exchanging with SaaS applications is a limitation of their current tools, yet 78.6% of those same CISOs claim they have comprehensive real-time data flow mapping.⁵ That gap between perceived and actual coverage is precisely where breaches live.

Shadow AI compounds the problem. Gartner research shows 69% of organizations suspect employees are using prohibited public GenAI, and 52% suspect custom GenAI integrations being built without security review.⁶ Every unauthorized tool creates new OAuth connections, new data flows, and new identities outside the security team's field of vision.

Gartner is clear on what is required: "comprehensive visibility and mapping of agent activities" is the foundational first step to mitigating AI agent risks.⁷ Without a complete map, every other security control is built on incomplete information.

What a Strong Answer Looks Like

A vendor with genuine capability will demonstrate automatic discovery of all integrations and agents, including sanctioned, shadow, and embedded AI, without relying on manual inventories or pre-built catalogs. They will show near-real-time relationship mapping across applications, identities, data stores, and AI agents, with AI agents like Salesforce Agentforce and Microsoft Copilot appearing in a unified identity inventory alongside human users, and with full visibility into each agent's connectors, MCP server configurations, and what data it is accessing versus what it is authorized to access.

Critically, the solution should provide Blast Radius Analytics: the ability to scope, within minutes, exactly which data was exposed, which identities were involved, and which downstream systems are at risk when a vendor or token is compromised. In the Gainsight breach, that forensic process took weeks and required two external firms. The right solution cuts that to hours.
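The scoping step described above can be pictured as a graph walk over an integration inventory. The following is an added example, not Vorlon's code or any vendor's API: the inventory, the token and app names, and the idea of a "stored secrets" map (credentials readable as data inside an app once it is reached) are all constructed assumptions.

```python
from collections import deque

# Constructed inventory, not real data. One entry per OAuth token or API key:
# who holds it, which app it reaches, and which data classes are in scope.
GRANTS = {
    "tok-1": {"holder": "cs-vendor", "app": "crm", "data": {"PII", "opportunities"}},
    "tok-2": {"holder": "cs-vendor", "app": "helpdesk", "data": {"PII"}},
    "tok-3": {"holder": "crm", "app": "warehouse", "data": {"PII", "PCI"}},
    "tok-4": {"holder": "warehouse", "app": "bi", "data": {"revenue"}},
    "tok-5": {"holder": "hr-suite", "app": "payroll", "data": {"PII", "bank-details"}},
}

# Assumption: credentials that sit as readable data inside an app, so reaching
# the app also exposes them. The warehouse entry creates a cycle on purpose.
STORED_SECRETS = {"crm": ["tok-3"], "warehouse": ["tok-1"]}


def blast_radius(compromised_holder, grants=GRANTS, stored=STORED_SECRETS):
    """Scope what a compromised vendor or integration can reach.

    Hop 1 is every token the holder owns. Hop n+1 is every token found stored
    in an app reached at hop n. Returns tokens and apps with their hop count,
    plus the union of exposed data classes.
    """
    queue = deque(
        (tok, 1) for tok, g in sorted(grants.items())
        if g["holder"] == compromised_holder
    )
    tokens, apps, data = {}, {}, set()
    while queue:
        tok, hop = queue.popleft()
        if tok in tokens:  # already scoped; also breaks cycles
            continue
        tokens[tok] = hop
        grant = grants[tok]
        apps.setdefault(grant["app"], hop)  # breadth-first, so first hop is lowest
        data |= grant["data"]
        for nxt in stored.get(grant["app"], []):
            if nxt in grants and nxt not in tokens:  # ignore tokens not inventoried
                queue.append((nxt, hop + 1))
    return {"tokens": tokens, "apps": apps, "data": data}


def revocation_order(compromised_holder):
    """Tokens to revoke, directly held ones first, then downstream ones."""
    tokens = blast_radius(compromised_holder)["tokens"]
    return sorted(tokens, key=lambda t: (tokens[t], t))


if __name__ == "__main__":
    scope = blast_radius("cs-vendor")
    print("tokens:", scope["tokens"])
    print("apps:  ", scope["apps"])
    print("data:  ", sorted(scope["data"]))
    print("revoke:", revocation_order("cs-vendor"))
```

Note that tok-4 is not in scope for cs-vendor: the warehouse is reached, but its own outbound token is not recorded as readable from inside it, which is the kind of distinction an inventory has to capture for the result to be trusted.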


Look also for Stitch ID capability: the ability to reconstruct full agent conversation timelines across application boundaries. When an employee prompts Copilot to pull Salesforce opportunity data, ask follow-up questions, and schedule calendar meetings, traditional tools log these as three disconnected events across three applications. A strong solution correlates them into a single, reconstructable timeline. That is not log aggregation. It is true session-level observability.  

 

Watch out for:

"We discover integrations from our pre-built catalog." "We monitor network traffic at the proxy layer." "We provide per-app posture management." Any of these answers means your East-West traffic is invisible to them.

 

| Indicator | Strong | Weak |
| --- | --- | --- |
| Discovery scope | Entire ecosystem, including shadow AI/agents | Per-app configuration or catalog-based |
| Identity coverage | Human + non-human with connectors, MCP servers, traffic visible | Human identities only, or NHI inventory without behavioral context |
| Blast radius | Automated, scoped in minutes | Manual log correlation, days or weeks |
| Agent session reconstruction | Full cross-app conversation timelines with correlation IDs | Per-app session logs, no cross-application stitching |

 

Question #2

"How does your solution detect when an authorized agent or integration starts behaving maliciously, not just when an unauthorized one appears?"

 

Why This Question Matters

The most sophisticated SaaS and AI attacks do not involve unauthorized access. They involve the unauthorized use of authorized credentials.

In the Gainsight breach, the OAuth tokens were valid. The application was legitimate. From a posture-management perspective, everything was "configured correctly." The behavior (bulk data exports from anomalous IPs, unusual API call patterns, queries against sensitive entities at irregular times) was the tell, and no tool was watching for it.

The Vorlon survey makes the scale of this gap concrete: 89.2% of CISOs claim strong or comprehensive OAuth token governance, yet 27.4% were still breached through compromised OAuth tokens in 2025, meaning roughly one in three organizations claiming strong governance were breached through the very mechanism they believed they had under control.⁵ Meanwhile, 83.4% report that the inability to distinguish between human and non-human behaviors is a limitation of their current tools.⁵

This challenge is amplified by AI agents. Agents operate at machine speed, execute multi-step workflows autonomously, and hold static, overprivileged permissions that rarely change. Gartner projects that "through 2029, over 50% of successful cybersecurity attacks against AI agents will exploit access control issues, using direct or indirect prompt injection as an attack vector."⁸ When an agent is compromised, it continues operating with its full permission set, using the same credentials for malicious actions as for legitimate work.

The right question is not whether this identity has access. Rather, it is: Is this identity behaving the way it should, given its history, the sensitivity of the data it is touching, and the trustworthiness of the systems it is connected to?

What a Strong Answer Looks Like

A vendor with genuine detection capability will contextualize activity across three planes simultaneously:

  • Identity behavior: Privilege escalation, credential misuse, dormant identity reactivation, access from anomalous networks, all tracked across applications, not just within one.
  • Data movement: Sensitive data classified at the API endpoint level (PII, PCI, PHI, IP, credentials), with anomalous movement patterns, bulk exports, and transfers to previously unconnected systems surfaced in the context of that data's sensitivity.
  • Supply chain connections: Every connector and MCP server attached to each AI agent inventoried and monitored. When a new connector is added to an Agentforce or Copilot deployment, the solution detects it immediately and assesses the risk.

Detection should be powered by ML-based behavioral baselines per entity, not static thresholds. And detection should lead directly to action: not a raw alert in a SIEM queue, but contextual, step-by-step remediation delivered to the right owner through the tools they already use. The platform should also enforce continuous least-privilege optimization based on observed behavior, not periodic manual access reviews.
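To make the contrast between per-entity baselines and static thresholds concrete, here is an added example (not Vorlon's detection logic). A simple median/MAD score stands in for the ML baseline the text describes; the identity names, export counts, threshold, and cut-off values are constructed assumptions.

```python
from statistics import median

# Constructed hourly record-export counts per non-human identity (not real data).
HISTORY = {
    "etl-sync":      [48000, 51000, 50500, 49500, 52000, 50000, 49000, 51500],
    "crm-enrich":    [40, 55, 60, 45, 50, 52, 48, 58],
    "copilot-sales": [300, 280, 320, 310, 290, 305, 295, 315],
}
# Constructed counts for the hour under review. "new-connector" has no history.
CURRENT = {"etl-sync": 50800, "crm-enrich": 2400,
           "copilot-sales": 330, "new-connector": 120}

STATIC_THRESHOLD = 10000  # one rule applied to every identity


def static_alerts(current, threshold=STATIC_THRESHOLD):
    """Identities that trip the single global threshold."""
    return sorted(i for i, v in current.items() if v > threshold)


def robust_z(history, value):
    """Deviation of value from this identity's own median, in MAD units."""
    med = median(history)
    mad = median(abs(x - med) for x in history)
    scale = max(1.4826 * mad, 1.0)  # floor avoids divide-by-zero on flat history
    return (value - med) / scale


def evaluate(history, current, z_cut=3.5, min_samples=5):
    """Per-identity verdict: normal, anomalous, or no-baseline."""
    verdicts = {}
    for ident, value in current.items():
        past = history.get(ident, [])
        if len(past) < min_samples:
            # A new token or connector cannot be scored yet; surface it
            # for review instead of silently treating it as normal.
            verdicts[ident] = "no-baseline"
        elif robust_z(past, value) > z_cut:
            verdicts[ident] = "anomalous"
        else:
            verdicts[ident] = "normal"
    return verdicts


if __name__ == "__main__":
    print("static rule flags:", static_alerts(CURRENT))
    for ident, verdict in evaluate(HISTORY, CURRENT).items():
        print(f"{ident:14s} {verdict}")
```

The static rule flags only the high-volume ETL job, which is behaving normally, and misses the low-volume enrichment token whose exports jumped from about 50 to 2,400 records per hour.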

 

Watch out for:

Detection limited to login or MFA anomalies. Anomaly detection that works only within a single application. Static rules without behavioral baselines. Alerts with no clear path to remediation.

 

| Indicator | Strong | Weak |
| --- | --- | --- |
| Detection scope | Post-authentication behavior across the ecosystem | Authentication events and per-app rule matching |
| Context dimensions | Identity + data sensitivity + supply chain signals | Single dimension |
| NHI coverage | Full behavioral monitoring of agents, tokens, API keys | Token inventory without behavioral analysis |
| Remediation path | Prescriptive, contextual, role-based | Raw alerts requiring manual triage |

 

Question #3

"What latency does your solution add to my agent and integration workflows, and how does your architecture scale for machine-to-machine traffic volumes?"

 

Why This Question Matters

This is the most important architectural question you can ask, and it is the one most vendors hope you will not.

AI agents execute multi-step workflows in milliseconds. SaaS-to-SaaS integrations process thousands of API calls per minute. This traffic is orders of magnitude larger than human-generated traffic, and it flows directly between application backends, bypassing network enforcement points.

Traditional inline security tools (proxies, gateways, CASBs) have three compounding problems in this environment:

  1. Latency kills agent workflows. When agents are chained, one agent's output feeding another's input, even small per-hop delays compound into broken workflows and timeouts.
  2. Inline tools cannot see backend traffic. As Gartner notes, SASE/SSE platforms "were not built to secure" this class of AI agent traffic.¹ Most agent-to-agent communication never touches a network enforcement point.
  3. Scale becomes a bottleneck. With non-human identities outnumbering humans 80:1, each generating far more API calls than any user, inline inspection architectures degrade, drop traffic, or cover only a fraction of activity.

The Vorlon survey reflects the architectural consequences: 85.8% of CISOs report that too many siloed tools with no unified view is a limitation of their current stack, and 85.4% say their tools cannot coordinate response across multiple SaaS applications.⁵ These are not workflow complaints. They are symptoms of an architecture designed for a world that no longer exists.

The question is not whether your security tool can inspect agent traffic. It is whether it can inspect agent traffic without becoming the bottleneck that prevents your agents from delivering business value.

What a Strong Answer Looks Like

The right architecture monitors in parallel, not in line, adding zero latency to any agent operation or integration workflow. It covers 100% of backend API-to-API and machine-to-machine traffic, including the traffic that never touches a proxy. It deploys without endpoint agents, browser plugins, or network configuration changes. And it intervenes surgically, like a circuit breaker, only when risk is confirmed, rather than making a binary block-or-allow decision on every transaction.

Strong solutions operate at three dimensions of scale: horizontal (hundreds of apps and regions, no network projects required), vertical (tens of thousands of identities and billions of events), and deployment (full operational capability within weeks, not months).

 

Watch out for:

"We add minimal latency." "We inspect traffic at our cloud enforcement point." Deployment timelines are measured in months.

 

| Indicator | Strong | Weak |
| --- | --- | --- |
| Architecture | API-based, parallel monitoring | Inline proxy, gateway, or MITM interception |
| Latency | Zero | Adds milliseconds per transaction (compounds at scale) |
| Backend traffic coverage | 100% of API-to-API and M2M traffic | Limited to traffic at proxy or enforcement point |
| Deployment | Agentless, no proxies, full coverage in weeks | Requires endpoint agents or network changes, months to deploy |

 

Question #4

"When you detect a threat, how does the response actually work? Who gets told what, how fast can we contain it, and does it plug into the tools my team already uses?"

 

Why This Question Matters

Detection without coordinated response is expensive surveillance.

When an AI agent is compromised, the blast radius crosses application boundaries, identity systems, and data stores at once. The Salesforce admin is not the same person as the AI agent owner, who is not the same person who can revoke the OAuth token. The Vorlon survey found that when a SaaS vendor announces a breach, there is no industry consensus on who owns the impact assessment, with no single team (out of nine options) cited by more than 21.8% of respondents.⁵ Only 51.2% of CISOs have an automated incident response playbook for an active SaaS exfiltration event; 39.4% still rely on manual SOC routing.⁵

This is not a people problem. It is an architecture problem. Most security tools were built to govern access within individual applications, not to orchestrate response across an interconnected ecosystem.

 

"The AI agent security incident is the new SaaS breach, and enterprises are discovering that the tools they have were designed to govern access, not to explain what happened after access was used."

– Justin Lam, Senior Research Analyst at 451 Research (S&P Global Market Intelligence)

 

Gartner's third pillar for AI agent risk mitigation is "automated real-time remediation"⁹ for good reason: human-speed coordination cannot keep pace with machine-speed attacks. The real test of any vendor is not whether they detect the problem. It is whether they can drive the response to completion across your existing workflows.

What a Strong Answer Looks Like

The right solution automatically routes role-specific, actionable guidance to the right owner through the tools they already use. The Salesforce admin gets Salesforce-specific steps via ServiceNow or Jira. The SOC gets the full investigative timeline in Splunk or Microsoft Sentinel, enriched with data-layer context ("This token can access 50,000 customer records in Salesforce and 200,000 transactions in Stripe"). The identity team gets revocation instructions in Okta or Entra ID. Nobody has to forward context or manually figure out who owns what.

Containment should be executable in seconds, directly from the platform: token revocation, integration suspension, identity quarantine, scope reduction, all through two-click actions that do not require opening a separate admin console or submitting a support ticket. And the solution should verify that remediation actually happened. When a task is marked complete, the platform should confirm the change and automatically reopen the task if the change was not made. Self-reported closure is not enough.

Integration depth matters enormously here. A solution that only pushes one-way webhook data to a SIEM is not a response platform. Look for bi-directional integration with your existing SIEM, SOAR, ITSM, and identity tools (the leading solutions support Splunk, Sentinel, ServiceNow, Jira, Okta, Entra, Tines, Torq, and XSOAR natively), and ask directly about their process for adding new integrations. Security stacks evolve fast. A vendor who takes months to support a new tool will create a gap in your response chain.

Bi-directional enforcement matters too. The right solution can revoke a compromised token at the identity layer while simultaneously signaling your network security layer to block associated traffic, total containment across both planes in seconds. Every action, every data flow, and every decision should be captured in a persistent, forensic-ready audit trail, built for compliance review and board-level reporting without manual reconstruction.

 

Watch out for:

"We send alerts to your SIEM, and your team takes it from there." "We offer customizable playbooks." Remediation that requires action in each application's native console. No mechanism to verify that fixes were actually applied. 

 

| Indicator | Strong | Weak |
| --- | --- | --- |
| Remediation routing | Automatic, role-based, through existing tools | Manual alert triage, team forwards context by hand |
| Containment speed | Seconds, two clicks from the platform | Days; always requires a ticket to the app owner |
| SIEM/SOAR integration | Bi-directional, enriched with data-layer context | One-way log export or webhook |
| Remediation verification | Platform verifies completion, reopens if not done | Self-reported closure |
| Integration velocity | Named integrations shipping, clear roadmap, fast add cycle | Long lead times, no stated roadmap |

 

 

Conclusion

The Vorlon survey found that 99.4% of CISOs experienced a SaaS or AI ecosystem security incident in 2025, despite deploying an average of 13 dedicated security tools. The problem is not the budget. It is not awareness. It is architecture.

 

"What this data reveals is not that CISOs are complacent. It reveals that the market has given them tools that create the appearance of coverage without delivering its substance. Configuration audits look like monitoring. Permission reviews look like governance. Single-application detection looks like ecosystem visibility. The gap between what those tools report and what they actually see is where breaches live."

Amir Khayat, Co-founder and CEO, Vorlon

 

The four questions in this guide are designed to close that gap by exposing it:
  • Can you map my entire ecosystem in near real time, including what I don't know about? Per-app snapshots and catalog-based discovery leave your East-West traffic blind. 
  • Can you detect authorized-but-malicious behavior, not just unauthorized access? Authentication-layer detection misses the attacks that matter most. 
  • Does your architecture work at machine speed and scale without becoming a bottleneck? Inline tools cannot see the traffic they need to inspect and slow down the workflows they need to protect. 
  • Does your response actually work across my tools and my teams? Detection that generates alerts without driving coordinated containment is not security. It is noise. 

 

The organizations that ask these questions today will be the ones prepared for the agentic security challenges of tomorrow. The ones that do not will be reading about their own breaches in the next round of industry reports.


 

Vorlon. Built for the engine room.

Most security was built for the front door. The threat has moved to the engine room. AI agents move freely across systems. OAuth tokens transfer sensitive data between applications at machine speed. One compromised integration cascades across your SaaS supply chain.

Vorlon is the Agentic Ecosystem Security Platform. Its patented DataMatrix™ technology builds a live model of how sensitive data, identities, and integrations interact across your agentic ecosystem, giving security teams the visibility, forensics, and remediation to manage sensitive data exposure and deploy AI at scale. More at: vorlon.io

 

References

All statements in this document referencing Gartner represent Vorlon's interpretation of data or viewpoints published as part of a syndicated subscription service by Gartner, Inc., and have not been reviewed by Gartner. Each Gartner publication speaks as of its original publication date (and not as of the date of this white paper). The opinions expressed in Gartner publications are not representations of fact and are subject to change without notice.

GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.

  1. Gartner, SASE/SSE Platforms Must Adapt to Secure the Rise of Agentic AI and (NHI) Non-Human Identity Access, Charanpal Bhogal, Charlie Winckless, Neil MacDonald, John Watts, 4 December 2025.
  2. Vorlon Security Research, Attack Paths from Major SaaS Breaches: The Gainsight Breach, 2025. Based on Salesforce Advisory and CrowdStrike/Mandiant investigation findings. 
  3. Gartner, Mitigate Risks in SaaS-to-SaaS and Machine-to-Machine Connections, Craig Lawson, 4 December 2025. 
  4. Ibid. 
  5. Vorlon, The Agentic Ecosystem Security Gap: 2026 CISO Report, February 2026. Survey of 500 U.S. CISOs at organizations with 500 or more employees, conducted January 27 to February 9, 2026, by an independent research firm. 
  6. Gartner, CISOs Must Bring Shadow AI Into the Light, Andrew Walls, Jeremy D'Hoinne, John Watts, 4 July 2025. 
  7. Gartner, Quick Answer: Mitigate New Risks and Security Threats From AI Agents, Avivah Litan, Tom Coshow, Jeremy D'Hoinne, 9 August 2024. 
  8. Gartner, Cybersecurity Trend: Agentic AI Demands Program Oversight, Jeremy D'Hoinne, Craig Porter, 14 January 2026. 
  9. Gartner, Quick Answer: Mitigate New Risks and Security Threats From AI Agents, Avivah Litan, Tom Coshow, Jeremy D'Hoinne, 9 August 2024.