When AI Agents Serve Shared Workspaces, Authorization Must Follow The Audience
Okta, Wednesday, February 4th, 2026
AI agents retrieve data using the permissions of whoever they authenticate as (checked), but output to shared workspaces where recipients have mixed permissions (not checked).
For example, a CFO's agent in a Slack channel can expose executive compensation to junior analysts. Four critical vulnerabilities (CVSS 9.3-9.4) hit Anthropic, Microsoft, ServiceNow, and Salesforce in 2025. Same pattern: authorized retrieval, unauthorized recipients. The fix requires fine-grained authorization that computes the intersection of all recipients' permissions before data leaves the retrieval layer, a step that happens after OAuth's job is done.
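As an added illustration, not Okta's code or any vendor's API, the Python sketch below models the two steps the summary describes: retrieval checked only against the authenticated requester, then an audience gate that intersects every recipient's entitlements before anything is posted to the shared channel. The users, entitlement names and records are constructed sample data.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    id: str
    labels: frozenset  # entitlements a reader must hold to see this record


# Constructed sample data: entitlements per user (assumed names, not real roles).
ENTITLEMENTS = {
    "cfo": frozenset({"finance:read", "hr:compensation", "public"}),
    "analyst1": frozenset({"finance:read", "public"}),
    "analyst2": frozenset({"public"}),
}

# Constructed sample records the agent could retrieve on the requester's behalf.
RECORDS = [
    Record("exec-comp-2025", frozenset({"hr:compensation"})),
    Record("q3-forecast", frozenset({"finance:read"})),
    Record("press-release", frozenset({"public"})),
]


def retrieve(requester, records=RECORDS):
    """Retrieval layer: enforced against the authenticated caller only (the 'checked' step)."""
    perms = ENTITLEMENTS[requester]
    return [r for r in records if r.labels <= perms]


def audience_permissions(recipients):
    """Effective permission set of a shared workspace: the intersection of every member's set.
    An empty roster yields an empty set, so nothing is released by accident."""
    sets = [ENTITLEMENTS[u] for u in recipients]
    return frozenset.intersection(*sets) if sets else frozenset()


def filter_for_audience(results, recipients):
    """Post-retrieval gate (the 'not checked' step, now checked): keep only records that
    every recipient may read, and report the ids withheld so the gap is auditable."""
    allowed = audience_permissions(recipients)
    released = [r for r in results if r.labels <= allowed]
    withheld = [r.id for r in results if not r.labels <= allowed]
    return released, withheld


if __name__ == "__main__":
    found = retrieve("cfo")                      # CFO's token sees all three records
    ok, held = filter_for_audience(found, ["cfo", "analyst1", "analyst2"])
    print("released:", [r.id for r in ok], "withheld:", held)
```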