Oso

Oso and @cyera_io studied 2.4 million workers and found 96% of permissions go completely unused. Redditors in r/cybersecurity said it best: this is the "security debt nobody's talking about loudly enough" Full conversation: reddit.com/r/cybersecurit…

Full case study here: osohq.com/customers/webf…

Powered by Oso!

To our knowledge, this is the first research examining how permissions are actually exercised in production. Most discussions focus on policy — how access should be structured. Far less is known about how access is actually used in practice.

In summary, as an industry we are vastly over-permissioned. The principle of least privilege is widely discussed, but rarely practiced. In an agentic world, getting closer to it becomes much more important.

Our research found 31% of workers hold modify/delete permissions and 13% have export capabilities, creating significant exposure when agents inherit human access.

Delete, modify, and export permissions are intended for limited operational use, yet they remain broadly distributed across enterprise environments. Humans exercise these capabilities infrequently, but agents can invoke them instantly.

🤖 AI coding agents move fast, but overpermissioned environments make them dangerous. 🎙️ Alan Shimel speaks with Oso CEO Graham Neray about why authorization is becoming a critical C-suite issue in the agentic era. Watch full interview here:techstrong.tv/videos/intervi…

Our CTO, Nick, on sensitive data exposure.

Many employees retain access to sensitive information even if they rarely use it. In many environments, those permissions remain permanently available once granted. 91% of users never interact with the sensitive data they have access to — but it’s still reachable. When agents inherit those permissions, they can access it in seconds. 13 out of 100 corporate workers have access to regulated data. When agents inherit those accounts, they inherit that access as well. Our CTO, Nick, explains another key finding from our research: how sensitive data exposure persists inside enterprise permission models and why agents change the risk profile.

Only 4% of permissions are exercised. The other 96% go unused over a 90-day window — and most companies have agents inherit human permissions by default. Even among active users, ~80% of available permissions still sit unused. Our CTO, Nick, walks through the first finding from our research: the massive gap between permissions granted and permissions actually used — and why agents make that gap dangerous.

@Lat3ntG3nius Well said!

@osoHQ This is one of the most underrated risks in enterprise AI. Agents inherit the credential footprint of whoever provisioned them, not the footprint they actually need. Least-privilege for agents is a solved problem nobody has bothered to implement yet.

96% of enterprise permissions go unused. New research analyzing 2.4 million workers and 3.6 billion permissions, reveals a massive gap between granted access and real usage. Once AI agents inherit these permissions, the dormant exposure becomes active — at machine speed. Hear from our CTO, Nick, on the reasoning behind this research and how to think about permissions in an agentic world.

The biggest mistake companies make with AI agents: assuming yesterday's identity model will hold. Nancy Wang of @1Password says it even better than we could 👇 And our new research with Cyera puts numbers behind that: osohq.com/research #rsac2026

“Make sure that observability of agents extends into tool use: what data sources they access, and how they interact with APIs,” says @grahamneray co-founder and CEO, Oso. “You should not only be monitoring the actions agents are taking, but also categorizing risk levels of different actions and alerting on any anomalies in agentic actions.”

We added the LiteLLM supply chain attack to the AI Agents Gone Rogue registry → osohq.com/developers/ai-…

Listen to the full podcast here: …itypodcastofsiliconvalley.podbean.com/e/89-ai-agents…

As engineers, you sit on the arc of technological progress. Right now that arc is bending faster than ever. Getting to be part of it — and contributing to it — is pretty cool.

Catch us at the @cribl_io for the Toasts to Telemetry happy hour tonight info.cribl.io/RM-FEV-FY27-Q1…

The Oso team is at #RSAC2026 this week