Security researchers are warning that OAuth tokens created by employees connecting productivity and AI tools to Google or Microsoft accounts often persist indefinitely with no expiration or monitoring, creating an invisible attack vector that bypasses traditional perimeter controls and multi-factor authentication entirely.