Patrick Opet’s open letter to software providers makes one thing clear: SaaS is eating the enterprise, and attackers are eating SaaS.

As companies increasingly plug into SaaS-based workflows, the attack surface shifts. It's no longer just about people; it's about the machines acting on a human's behalf. The service accounts. The scripts. The tokens. The OAuth apps. The API keys.

These Non-Human Identities (NHIs) are the pipes that make third-party SaaS integrations work.

But unfortunately, most providers treat them as invisible.

The Basics First: AAA (Authentication, Authorization, Accounting)

You’d expect mature vendors to get this right. But here’s what the reality looks like:

  • Authentication: Many SaaS apps rely on long-lived credentials like API tokens, which often lack fine-grained controls, device awareness, or geographic restrictions.
  • Authorization: Tokens frequently carry broader access than needed; "read-only" often means read everything.
  • Accounting: Logging for NHIs is spotty at best. GitHub doesn’t log reads of Personal Access Tokens. Okta doesn’t log read operations for API tokens. Slack charges extra for logging, only available in their Enterprise Grid plan.
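To make the three gaps concrete, here is an added example (not from the original post or from any vendor's code) of what a provider-side token check looks like when it does cover all three: an expiring, scope-limited, network-bound token, with every decision recorded in an audit log, reads included. The `NhiToken`, `authorize` and `AUDIT_LOG` names are hypothetical and the token values are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed, minimal model of an NHI token as a provider could issue it.
@dataclass(frozen=True)
class NhiToken:
    token_id: str
    scopes: frozenset          # least privilege: "calendar:read", not "read:*"
    expires_at: datetime       # short-lived; no long-lived static credential
    allowed_cidrs: tuple       # network binding; empty tuple = unrestricted

# Accounting: one record per decision, whether allowed or denied, read or write.
AUDIT_LOG: list = []

def authorize(token: NhiToken, scope: str, source_ip: str,
              now: Optional[datetime] = None) -> bool:
    """Return True only if the token is unexpired, holds the exact scope
    requested, and the caller's IP falls inside the token's allowed networks.
    Every call is logged, including successful read operations."""
    now = now or datetime.now(timezone.utc)
    if now >= token.expires_at:
        decision = "deny:expired"
    elif scope not in token.scopes:
        decision = "deny:scope"
    elif token.allowed_cidrs and not any(
            ip_address(source_ip) in ip_network(c) for c in token.allowed_cidrs):
        decision = "deny:network"
    else:
        decision = "allow"
    AUDIT_LOG.append({"ts": now.isoformat(), "token": token.token_id,
                      "scope": scope, "ip": source_ip, "decision": decision})
    return decision == "allow"

def audit_entries(token_id: str) -> list:
    """Accounting view a customer should be able to pull without an upgrade."""
    return [e for e in AUDIT_LOG if e["token"] == token_id]

def demo() -> dict:
    """Constructed scenario: a scheduling integration's calendar token."""
    issued = datetime(2025, 1, 1, tzinfo=timezone.utc)
    tok = NhiToken("tok_sched_01", frozenset({"calendar:read"}),
                   issued + timedelta(hours=1), ("203.0.113.0/24",))
    return {
        "read_from_allowed_ip": authorize(tok, "calendar:read", "203.0.113.7", issued),
        "read_from_other_ip":   authorize(tok, "calendar:read", "198.51.100.9", issued),
        "scope_creep_to_files": authorize(tok, "files:read", "203.0.113.7", issued),
        "after_expiry":         authorize(tok, "calendar:read", "203.0.113.7",
                                          issued + timedelta(hours=2)),
        "audit_records":        len(audit_entries("tok_sched_01")),
    }
```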

It’s oversight at best, and a pricing strategy at worst.

And it’s not like we haven’t seen this before.

SSO, a basic control, was once locked behind enterprise plans. The community pushed back. Now we're seeing the same pattern with NHI auditing:

  • Want logs for sensitive NHI activity? Upgrade to Enterprise.
  • Want to revoke access quickly? Good luck finding the button.
  • Want to know which OAuth apps are calling your APIs? Some providers won’t even show you.

In essence, security becomes a privilege, not a default.

Third-Party Integrations Now Bypass Your Architecture

Opet points out how SaaS integrations break traditional security boundaries. And he’s right.

A third-party AI scheduling tool asking for "read-only calendar access" can easily tunnel into your most sensitive internal data. It isn't hypothetical; we see it daily.

OAuth scopes and API tokens are now the de facto integration layer for modern SaaS. These NHIs connect directly into your crown jewels, and often without any sort of enforcement or oversight.

There’s no VPN. No proxy gateway. No segmentation. Just a simple token.

When Providers Ignore Abuse, Customers Pay the Price

Our research showed that attackers exploit leaked AWS access keys within minutes, even when those keys are quarantined automatically. But what about the secrets in even less obvious places like Slack, CircleCI, or Salesforce?

Some platforms don’t log access. Others don’t auto-revoke. A few charge for alerts. One big-name provider even suggested we upgrade our account if we wanted to see which IPs used our keys.

So What Now?

If you’re a software provider reading this:

  • Default to secure configurations.
  • Don't just offer logging; enable it by default.
  • Don’t charge for basic security features.
  • Treat NHIs as first-class citizens in your access model.

If you’re a customer:

  • Demand transparency from your vendors.
  • Ask where secrets are stored, how they’re used, and whether you can see the logs.
  • Don’t settle for marketing pages. Ask to see the audit trail.

You Can’t Secure What You Don’t See

At Clutch, we built a platform that discovers and protects every NHI, from API keys and tokens to service accounts and secrets, across your cloud, SaaS, on-prem, and CI/CD environments.
We provide rich context, map ownership, monitor and validate consumer behavior, improve security posture, and detect threats in real time.
Not just visibility, but actual control.

Because today, a single leaked key can bring your supply chain to its knees.

The systems are interconnected. The threats are real. And the clock is ticking.

Let’s stop pretending that rotating secrets every 90 days will save us.

Let’s build security into the fabric of every SaaS product, starting with the identities no one sees.