AI Security Guide → Old connected apps
Your Old Connected Apps Are the Way In: How to Audit & Remove Third-Party Access
Remember that AI tool you tried for one afternoon in 2024? The one that needed "access to your Google account" before it would work?
It still has that access. Today. Right now.
That's the old-access problem, and it's the most overlooked risk in online business. You don't have a hacker problem — you have a pile of forgotten permissions a hacker can inherit.
Why Forgotten Apps Are the #1 Risk
Three facts make this urgent:
OAuth tokens don't expire like passwords. They remain valid for months or years after you stop using the app (AppOmni). Changing your password does nothing — the app never had your password. The only fix is revoking access directly.
And attackers know it. In the 2025 Salesloft–Drift incident, hundreds of organizations were compromised without being hacked directly — attackers inherited the OAuth tokens those companies had granted to one trusted app.
The 20-Minute Audit (Google)
- Go to myaccount.google.com and open Security.
- Scroll to "Third-party apps with account access" → click Manage third-party access.
- For each app, ask one question: did I use this in the last 30 days?
- If no → click the app → Remove Access. Don't debate it. You can always re-grant later.
- For apps you keep: check what they can access. "Read, compose, send and permanently delete all your email" for a calendar tool? Remove it.
The Same Audit (Microsoft)
- Go to account.live.com/consent/Manage (or Microsoft 365 admin → Enterprise applications, if you run Workspace-style accounts).
- Review each app with consent. Revoke anything unused.
Make It a Habit, Not a One-Off
New AI tools launch daily, and every "Sign in with Google" click creates new standing access. Put a recurring 15-minute calendar block on the first Monday of each quarter: re-run both audits.
While you're in cleanup mode, also check the data you've already pasted into AI tools — that's the other half of the self-inflicted exposure most marketers carry.
→ Run the Google audit now (20 minutes)
→ Run the Microsoft audit if you use it (10 minutes)
→ Set a quarterly calendar reminder titled "App access audit"
The app audit is step 1 of the full checklist
The free AI security checklist covers the other seven gaps — AI-built code, WordPress, voice clones, phishing and more.
Get the Free AI Security Checklist →This article is part of our guide on how to protect your business from AI-powered cyber attacks.