By Greg Nowak. Last updated 2026-06-26.
AI workflow pilots tend to get judged by the visible part of the workflow. Did the summary make sense? Did the CRM field update? Did the Slack message land in the right channel?
Those checks matter. But the more durable business risk often appears a few minutes earlier, when someone clicks Allow.
That click may give an app, bot, connector, or service account access to mail, files, conversations, contacts, model resources, API usage, or operational data. If nobody records what was approved, who approved it, and how to unwind it, a short pilot can quietly become a permanent integration with no clear owner and no obvious revocation path.
This is not an argument against OAuth, service accounts, or API keys. They are the controls that make modern integrations possible. The problem is treating them as setup friction rather than as the real launch gate for an automation. The business may think it approved a narrow workflow. The system may have received something much broader.
Consent is an operations decision
Google Workspace is a useful example because the admin model is explicit. Administrators can control how apps that users sign into with Google accounts access organizational data. Google separates Google-owned, internal, and third-party apps, and its app access controls let admins review configured apps, accessed apps, and apps pending review.
That review can cover app identity, ownership, user count, requested services, and OAuth scopes. In other words, the control point is not just whether an app looks useful. It is whether the organization can see what has been configured, what has actually been accessed, and what users are asking to connect next.
Google Workspace access can be set as trusted, limited, specific Google data, or blocked. High-risk OAuth scopes can also be restricted for areas such as Gmail, Drive, Docs, and Chat. That is the right level of thinking for AI pilots: approve access around the business function, not around the excitement of a demo.
Slack exposes the same issue in a different form. Its scope reference is effectively a permission map for internal bots and workflow apps, covering areas such as chat, files, conversations, users, workflows, audit logs, and more. A bot that posts a status update is not the same risk as a bot that reads files, searches content, or touches user data. The scope list is where that distinction becomes concrete.
| Question before launch | What to inspect | Practical answer to document |
|---|---|---|
| Who is granting access? | User account, bot, service account, or API key owner | A named owner, with a system account where system access is required |
| What is being granted? | OAuth scopes, Slack scopes, Google services, API key permissions | Only the permissions needed for the workflow, not a broad convenience grant |
| Where is the boundary? | Workspace access setting, org unit, OpenAI project, model and rate limits | A project or policy boundary that matches the pilot scope |
| How does it stop? | Token revocation, app block, service account removal, archived project | A removal path agreed before the pilot goes live |
| Where are secrets stored? | API keys, access tokens, repository variables, automation platform secrets | No keys in code, clear storage ownership, and scanning for accidental exposure |
API keys need the same discipline
Not every AI integration starts with an OAuth screen. Some start with an API key pasted into a workflow tool. That can be just as sensitive.
OpenAI projects are designed to organize work by access, limits, service accounts, usage, billing, budgets, models, and resources inside a constrained project scope. That is a better operating pattern than sharing a personal key or putting unrelated experiments into one default bucket.
OpenAI service accounts are intended for system access and are distinct from individual user accounts. They are scoped to projects, and project-level service accounts cannot be used outside the project where they are created. That matters once a pilot moves beyond personal experimentation. A production-facing automation should not depend on the employment status, inbox, or laptop of the person who tried it first.
The same guidance makes an important point about key permissions. Service account API key permissions default to read and write access across project API resources, but those permissions can be updated. API keys can be created and managed in project settings, with All, Restricted, and Read Only options.
For an AI workflow pilot, the operating rule is simple: start with the narrowest project and permission set that supports the workflow. Widen it only when the business need is explicit.
Projects also help with cost and operational control. Model usage and rate limits can be configured at the project level, and project budgets can be monitored with alerts. OpenAI notes that project budget alerts are soft thresholds rather than hard spending caps, so they are not a security control and they are not a guaranteed spending stop. They still give the owner somewhere to watch usage before a pilot becomes an untracked dependency.
Remove implicit trust before the workflow scales
NIST SP 800-204D focuses on software supply chain security in DevSecOps pipelines, but its access-control framing applies well to AI and API automation. It treats credentials, sensitive data, internal operations, source code, and build systems as assets that can be targeted. It also describes attacks involving stolen credentials, stolen secrets, and compromised workflows.
That is close to the real risk profile of many AI pilots. The automation may be small, but the connector can sit near valuable systems.
NIST also emphasizes removing implicit trust from legitimate channels. In practical terms, an AI workflow is not safe simply because it was installed by a real employee, used by a respected team, or connected through a familiar platform. The permission grant still needs an owner, a reason, a boundary, and a retirement path.
The checklist should be deliberately plain. List the app or key. Record the owner. Capture the requested scopes or permissions. Identify the data touched. Decide whether access should be personal or service-based. Place the integration inside a project or organizational boundary. Confirm where secrets are stored. Add a review date. Document how access will be revoked if the workflow is cancelled, the vendor changes, or the owner leaves.
This work is not just defensive. It makes good pilots easier to approve because reviewers can compare requested access with the intended workflow. A Slack app that only posts operational notifications should not look like a knowledge-mining assistant. A document summarizer should not receive broad mail permissions by default. An OpenAI prototype should not share a key with unrelated experiments when projects can separate usage, resources, members, and service accounts.
The useful first project is an access inventory
For many teams, the best next step is not to rebuild the automation. It is to inventory the connection layer already in place.
In Google Workspace, that means reviewing configured and accessed apps, requested services, OAuth scopes, app ownership, and access settings. In Slack, it means checking whether each bot or app has scopes that match its actual job. In OpenAI, it means reviewing projects, members, service accounts, keys, permissions, budgets, model usage, and unused files. Across repositories and workflow tools, it means looking for exposed API tokens and unclear secrets ownership.
GrN.dk can help turn that review into a practical operating system for future AI and API pilots: an inventory of OAuth apps and API keys, a mapping from scopes to real workflows, cleanup of stale connections, least-privilege service accounts where system access is required, and a repeatable launch checklist.
The aim is not to slow experimentation. It is to keep useful experiments from becoming permanent shadow integrations with more access than the business meant to grant.
Related on GrN.dk
- When Google can call the business, your local data stops being cosmetic
- ChatGPT Visibility Without Open Access Takes More Than robots.txt
- Cloudflare AI Gateway Spend Limits Make LLM Cost Control a Real Ops Project
Need help with this kind of work?
Review your AI integration access Get in touch with Greg.