In 2025, a threat actor obtained a single OAuth token from a Drift chat integration. That one credential, already trusted inside hundreds of Salesforce environments, became the skeleton key to AWS credentials, Snowflake tokens, and whatever else was lying around. Nobody hacked anything. The access was already there, sitting in a marketing tool nobody remembered provisioning.
That token was a non-human identity. It's the same type of identity your marketing team creates every time they connect an AI agent to your CRM, ad platform, or analytics dashboard. And unlike the Drift token, which at least had a vendor behind it, most marketing AI agents are running with permissions nobody documented, access nobody reviewed, and an owner who may have already left the company.
Machine identities now outnumber human users by as much as 50 to one in enterprise environments, according to the Non-Human Identity Management Group. Marketing created a big chunk of those. Every chatbot, every ad optimizer, every content generator, every CRM connector gets an API key, a set of scopes, and a permanent seat at the table. Most of them are still active long after the campaign that justified them ended.
Here's what that costs you: organizations where AI significantly expanded the number of identities in their environment reported a 43% breach rate over the previous year. Organizations where AI didn't change the identity footprint? 11%. That gap isn't a coincidence. It's the difference between knowing what has access to your data and hoping nothing does.
Your Marketing Stack Is the New Attack Surface
Marketing teams are the worst offenders here, and it's not really their fault. The job demands speed. Launch the campaign, connect the tool, deploy the chatbot, integrate the agent. Security review is a bottleneck nobody has time for, especially when the tool looks harmless on paper. It's just a chatbot. It just writes emails. It just optimizes bids.
But each one of those "justs" comes with credentials.
The Drift incident proved how this works in practice. A single OAuth token, trusted by default, became the bridge between a marketing chat widget and enterprise infrastructure. The attacker didn't need to exploit a vulnerability. The trust was already there. They just walked through the door someone else left open.
This is the pattern. Marketing deploys an AI agent. The agent gets credentials. The credentials get scopes. The scopes touch data. The data connects to other systems. Nobody maps the chain because nobody owns the chain. When you don't have an authorization framework for AI agents, every new deployment quietly extends the attack surface in a direction nobody is watching.

The Permission Problem
The Hacker News reported that enterprise AI agents frequently run with broad permissions that allow actions beyond what the deploying user can do themselves. That's not a bug. It's how agents are designed. They need wide access to be useful.
Your marketing AI agent that optimizes ad spend probably has read access to your entire customer database. The one that generates content might have write access to your CMS. The chatbot on your site is connected to your CRM with full contact export permissions. Each of these is a non-human identity with standing access to sensitive data, and each one is a potential entry point.
The problem compounds because AI agents can create their own downstream identities. An agent spinning up a sub-agent to handle a specific task generates a new credential, inherits permissions from the parent, and starts operating. That sub-agent might exist for ten minutes or ten months. Nobody's tracking which is which.
Security teams don't see this because it lives in marketing's tool stack. Marketing teams don't see it because they don't think in terms of identity governance. The result is a control gap where nobody is responsible for managing the credentials that matter most.

The Numbers Don't Lie
The Netwrix 2026 Data and Identity Security Report found something unsettling. Organizations where AI rapidly expanded identity counts reported a 43% breach rate. Even organizations with strong governance practices got breached. They invested in monitoring. They tracked shadow AI. They governed non-human identities. They still got hit.
That means the problem isn't just awareness. It's structural. The volume of identities is outpacing the speed of governance, and even organizations doing the right things can't keep up.
Consider what a typical mid-size marketing operation looks like right now. A chatbot platform with API access to the CRM. An ad optimization agent with spend authority connected to Google Ads and Meta. A content generation tool with CMS write access. A social listening agent pulling from platform APIs. An email personalization engine connected to the ESP and the customer database. An analytics agent reading from Snowflake.
That's six AI agents, each with its own credentials, each touching different systems, each created by a different team member at a different time. How many of those credentials have been reviewed in the last 90 days? How many have scopes beyond what they actually need? How many would you even know to revoke if one were compromised?
Most marketing leaders can't answer these questions. Most CISOs can't either, because they don't know the marketing agents exist.
When It Breaks
Here's what happens when one of these identities gets compromised, because that's not a hypothetical at this point. The attacker gets a valid credential. They don't need to exploit a vulnerability or social-engineer an employee. They just use the access that's already been granted.
From there, it's lateral movement. The marketing agent's CRM access becomes a path to customer data. The ad platform credentials become a way to read campaign performance data and competitor intelligence. The analytics connection becomes a bridge to the data warehouse. One trusted identity becomes the path to several more, exactly like what happened with the Drift token.

By the time anyone notices, the damage isn't just a marketing problem. It's a data breach that touches customer PII, proprietary strategy, and potentially the entire enterprise data environment. The CMO gets called into the incident response room. The CISO asks who authorized this agent. The marketing team points to the vendor. The vendor points to their terms of service. Nobody has a clean answer.
Who Owns the Problem
The accountability gap is the hardest part. When a human employee leaves, IT disables their accounts. When a vendor contract ends, procurement flags the renewal. When an AI agent outlives its usefulness, nobody does anything, because nobody knows it still exists.
The Non-Human Identity Management Group found that some machine identities remain active for years after the application that created them has been forgotten. These are ghost credentials. They have access to your systems. Nobody owns them. Nobody reviews them. Nobody knows they're there.
Marketing teams need to own this because marketing teams created it. Every tool connection, every API integration, every agent deployment added a new identity to the environment. Security teams can't govern what they can't see, and right now, most of marketing's AI infrastructure is invisible to them.
This means marketing leaders need to start asking four questions about every AI agent in their stack:
What identities does this agent have?
Who owns each one?
What can they access?
When should they stop existing?
If you can't answer those four questions for every AI tool in your marketing stack, you have an identity problem. The breach data says you're likely to find out about it the hard way.
What Actually Helps
You don't need to rip out your marketing AI stack. You need to know what's in it.
Start with an inventory. Every AI tool, every agent, every integration your marketing team has deployed needs to be documented with its credentials, scopes, and owner. Not a spreadsheet that someone updates once and forgets. A living inventory that gets reviewed quarterly.
Then tighten scopes. Most marketing AI agents have permissions far beyond what they need. The content generator doesn't need write access to your entire CMS. It needs write access to a drafts folder. The analytics agent doesn't need full database access. It needs read access to specific tables. Tighten everything.
Finally, set expiration dates on credentials. Every API key, every OAuth token, every service account should have a defined lifespan. When it expires, someone has to consciously decide to renew it. That single step eliminates the ghost identity problem.
None of this is complicated. It's just identity hygiene applied to a category of identities that most organizations forgot they had. The prompt injection risks get the headlines, but the boring credential problem is the one actually getting people breached.
The Question That Should Keep You Up
The marketing teams that get breached in the next 12 months won't be the ones running the most sophisticated AI. They'll be the ones running the most AI agents they forgot they had.
