April 28, 2026
Posted by Refael Angel
Last week, we walked through the Vercel incident and explained why ephemeral secrets change the blast radius of this class of breach. This post is the practical next step: a 30-minute audit any platform or security team can run this week.
Nothing in it is specific to Akeyless. If you come out the other side and decide a different platform is the right answer, you’ll still be in a better place than you started.
Section 1: OAuth Scope Audit (10 minutes)
Open your Google Workspace admin console (or the M365 equivalent) and answer these:
How many third-party apps are currently authorized against your domain?
How many of those hold broad scopes (“Allow All,” mail.readonly across the domain, admin.directory, drive.*)?
For each high-scope app: can someone on the team name a current business owner and use case?
When was the last time a user actually used the app?
Immediate action: revoke anything with broad scopes and no clear owner. For the rest, set a 30-day review on each.
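The following script is an added example, not part of the original post or Akeyless tooling. It turns the four questions above into a repeatable check: it groups OAuth grants by application, counts users, flags broad scopes, and marks unowned high-scope apps for revocation. The grant records are a constructed sample in the shape of the Google Admin SDK Directory API `users.tokens.list` response (`clientId`, `displayText`, `scopes`, `userKey`); in a real run you would collect them per user from that API or from an admin-console export. The `BROAD_SCOPE_PREFIXES` list and the `OWNERS` registry are assumptions to be replaced with your own policy and ownership records.

```python
"""Flag third-party OAuth grants with broad scopes and no business owner.

Added example (not the post's own code). Token records follow the shape of
the Google Directory API users.tokens.list response; the sample below is
constructed. The broad-scope list and owner registry are assumptions.
"""
from collections import defaultdict

# Assumption: scope prefixes treated as "broad" for this audit. Tune to policy.
BROAD_SCOPE_PREFIXES = (
    "https://mail.google.com/",                              # full mailbox
    "https://www.googleapis.com/auth/gmail.readonly",        # read all mail
    "https://www.googleapis.com/auth/gmail.modify",
    "https://www.googleapis.com/auth/admin.directory",       # admin.directory.*
    "https://www.googleapis.com/auth/drive",                 # drive.*
)

# Constructed sample: one record per (user, app) grant, as tokens.list returns.
SAMPLE_TOKENS = [
    {"userKey": "alice@example.com", "clientId": "111-crm.apps.googleusercontent.com",
     "displayText": "Sales CRM",
     "scopes": ["https://www.googleapis.com/auth/gmail.readonly",
                "https://www.googleapis.com/auth/contacts.readonly"]},
    {"userKey": "bob@example.com", "clientId": "111-crm.apps.googleusercontent.com",
     "displayText": "Sales CRM",
     "scopes": ["https://www.googleapis.com/auth/gmail.readonly"]},
    {"userKey": "carol@example.com", "clientId": "222-notes.apps.googleusercontent.com",
     "displayText": "Meeting Notes AI",
     "scopes": ["https://www.googleapis.com/auth/drive",
                "https://www.googleapis.com/auth/calendar.readonly"]},
    {"userKey": "dave@example.com", "clientId": "333-login.apps.googleusercontent.com",
     "displayText": "Sign-in Widget",
     "scopes": ["https://www.googleapis.com/auth/userinfo.email"]},
]

# Constructed owner registry: clientId -> (owner, use case). Absent = no owner.
OWNERS = {"111-crm.apps.googleusercontent.com": ("sales-ops", "lead sync")}


def is_broad(scope: str) -> bool:
    """True if the scope falls under one of the broad-scope prefixes."""
    return any(scope.startswith(p) for p in BROAD_SCOPE_PREFIXES)


def audit(tokens, owners):
    """Return one row per app: user count, broad scopes, owner, verdict.

    Verdicts: REVOKE (broad scopes, no owner), REVIEW-30D (broad scopes,
    owner known), OK (no broad scopes). REVOKE rows sort first.
    """
    apps = defaultdict(lambda: {"users": set(), "scopes": set(), "name": ""})
    for t in tokens:
        app = apps[t["clientId"]]
        app["name"] = t.get("displayText", "")
        app["users"].add(t["userKey"])
        app["scopes"].update(t.get("scopes", []))

    report = []
    for client_id, app in apps.items():
        broad = sorted(s for s in app["scopes"] if is_broad(s))
        owner = owners.get(client_id)
        if broad and owner is None:
            verdict = "REVOKE"
        elif broad:
            verdict = "REVIEW-30D"
        else:
            verdict = "OK"
        report.append({"clientId": client_id, "name": app["name"],
                       "users": len(app["users"]), "broad_scopes": broad,
                       "owner": owner, "verdict": verdict})
    return sorted(report, key=lambda r: (r["verdict"] != "REVOKE", r["name"]))


if __name__ == "__main__":
    for row in audit(SAMPLE_TOKENS, OWNERS):
        print(f'{row["verdict"]:10} {row["name"]:18} users={row["users"]} '
              f'owner={row["owner"]} broad={row["broad_scopes"]}')
```

The last-used question from the checklist is not answered by `tokens.list`; that comes from the admin console's token audit log, which you would join to this report by `clientId` before deciding what to revoke.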
Section 2: Static Secret Inventory (10 minutes)
Across your environments:
How many static API keys are currently in environment variables, CI/CD config, and Kubernetes secrets?
How old is the oldest one? (If you can’t answer in minutes, that itself is the finding.)
Which of those keys, if stolen right now, would grant production access?
Which service accounts in your cloud providers hold long-lived access keys instead of federated identities?
Immediate action: tag every production-access key that’s older than 90 days for rotation or replacement with a dynamic credential.
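An added example, not the post's own tooling, that answers "how old is the oldest one" and tags production keys older than 90 days. It reads two inventories in the shape real CLIs emit: `kubectl get secrets -A -o json` (`items[].metadata.creationTimestamp`) and `aws iam list-access-keys` (`AccessKeyMetadata[].CreateDate`). Both payloads below are constructed samples, and the `PROD_NAMESPACES` and `PROD_IAM_USERS` sets are assumptions standing in for however your environment marks production access. Inactive IAM keys are skipped because they cannot be used; they still belong on a deletion list.

```python
"""Tag long-lived production credentials older than 90 days for rotation.

Added example (not the post's own code). Inputs mimic the JSON output of
`kubectl get secrets -A -o json` and `aws iam list-access-keys`; the two
payloads are constructed samples. Production markers are assumptions.
"""
import json
from datetime import datetime, timedelta, timezone

MAX_AGE = timedelta(days=90)
PROD_NAMESPACES = {"prod"}        # assumption: namespaces that are production
PROD_IAM_USERS = {"deploy-bot"}   # assumption: IAM users with production rights

# Constructed sample in the shape of `kubectl get secrets -A -o json`.
KUBECTL_SECRETS_JSON = json.dumps({"items": [
    {"metadata": {"name": "payments-api-key", "namespace": "prod",
                  "creationTimestamp": "2025-06-01T00:00:00Z"},
     "type": "Opaque", "data": {"API_KEY": "UkVEQUNURUQ="}},
    {"metadata": {"name": "ci-token", "namespace": "staging",
                  "creationTimestamp": "2025-11-15T00:00:00Z"},
     "type": "Opaque", "data": {"TOKEN": "UkVEQUNURUQ="}},
    {"metadata": {"name": "default-token-abc", "namespace": "prod",
                  "creationTimestamp": "2024-01-01T00:00:00Z"},
     "type": "kubernetes.io/service-account-token", "data": {}},
]})

# Constructed sample in the shape of `aws iam list-access-keys`.
AWS_KEYS_JSON = json.dumps({"AccessKeyMetadata": [
    {"UserName": "deploy-bot", "AccessKeyId": "AKIAEXAMPLE000000001",
     "Status": "Active", "CreateDate": "2024-03-10T00:00:00+00:00"},
    {"UserName": "deploy-bot", "AccessKeyId": "AKIAEXAMPLE000000002",
     "Status": "Inactive", "CreateDate": "2025-12-01T00:00:00+00:00"},
]})


def _parse_ts(ts: str) -> datetime:
    """Parse RFC 3339 timestamps; kubectl uses 'Z', the AWS CLI uses '+00:00'."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def load_k8s(raw: str):
    """Yield one record per Kubernetes Secret, marking production namespaces."""
    for item in json.loads(raw)["items"]:
        md = item["metadata"]
        yield {"source": "k8s", "id": f'{md["namespace"]}/{md["name"]}',
               "created": _parse_ts(md["creationTimestamp"]),
               "production": md["namespace"] in PROD_NAMESPACES}


def load_aws(raw: str):
    """Yield one record per *active* IAM access key."""
    for k in json.loads(raw)["AccessKeyMetadata"]:
        if k["Status"] != "Active":
            continue
        yield {"source": "aws-iam", "id": f'{k["UserName"]}/{k["AccessKeyId"]}',
               "created": _parse_ts(k["CreateDate"]),
               "production": k["UserName"] in PROD_IAM_USERS}


def audit(records, now):
    """Add age and verdict to each record; oldest credential comes first.

    ROTATE: production access and older than MAX_AGE. OK: production but
    within the window. NON-PROD: not production (inventory only).
    """
    out = []
    for r in records:
        age = now - r["created"]
        if r["production"] and age > MAX_AGE:
            verdict = "ROTATE"
        elif r["production"]:
            verdict = "OK"
        else:
            verdict = "NON-PROD"
        out.append({**r, "age_days": age.days, "verdict": verdict})
    return sorted(out, key=lambda r: r["created"])


def inventory(now=None):
    """Run the audit over both constructed sources at `now` (default: today)."""
    now = now or datetime.now(timezone.utc)
    records = list(load_k8s(KUBECTL_SECRETS_JSON)) + list(load_aws(AWS_KEYS_JSON))
    return audit(records, now)


if __name__ == "__main__":
    for row in inventory():
        print(f'{row["verdict"]:9} {row["age_days"]:5}d {row["source"]:8} {row["id"]}')
```

The first row of the report is the oldest credential, which answers the checklist's second question directly; every ROTATE row is a candidate for replacement with a dynamic credential rather than a fresh static one.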
Section 3: AI-Agent Identity Review (5 minutes)
A new category most teams haven’t audited yet:
Which AI tools have been authorized against your corporate identity provider in the past 12 months?
Which of those agents hold credentials that persist between sessions?
Do any of them have access scopes that exceed a human user’s scopes for the same task?
Immediate action: treat AI-agent identities like service accounts. If you wouldn’t give a human employee the scope the agent has, revoke it.
Section 4: Incident Response Reality Check (5 minutes)
Imagine Vercel happened to a vendor in your stack tomorrow. Answer honestly:
How long would it take to rotate every affected credential?
Who owns that work?
How would you know which customers or systems were exposed?
Would you have to rotate out of caution, or could you target the actual affected keys?
If the honest answer to the first question is “days,” you have a standing-credential problem, not a rotation problem.
Scoring
If you answered confidently on all four sections: you’re ahead of most of the industry. Use the exercise to find the remaining edges.
If you answered confidently on two or three: you have a clear, prioritized roadmap for the next 60 days.
If you answered confidently on one or fewer: you are not alone, and the Vercel incident is the reason this conversation is moving up the boardroom agenda.
The Offer
Our solution architects run this exact audit with teams every week. If you’d like a second set of eyes — no pitch deck, no pressure — we’ll do 45 minutes on your environment for free.
Book a session here.
Whether you end up working with Akeyless or not, you’ll leave with a prioritized list of the three changes that would most reduce the blast radius of your next breach.