The Hidden Attack Surface of Agentic AI: Securing AI Agent Integration Platforms

As AI is widely adopted, the number of integrated tools and services is growing rapidly. Each new component introduces additional credentials, secrets, and trust relationships, creating an increasingly complex attack surface. When onboarding becomes this easy, and AI is used to connect yet more tools, organizations need to understand these risks better.
Cyera researchers examined that layer across hundreds of organizations and found thousands of exposed credentials: API keys for Composio, Arcade, Nango, Tavily, Exa, LlamaIndex, Firecrawl, and other platforms that connect AI models to the enterprise systems they operate on. The owners were startup founders, CTOs, AI company executives, and enterprise software vendors across North America, Europe, Africa, and APAC. In several cases, the credentials belonged to the people responsible for building the AI systems they compromised.
One of those credentials: a VP of Engineering at a technology company in North America committed a Composio API key to a public repository. Composio is an AI agent integration platform that provides a unified interface for connecting LLMs and autonomous agents to hundreds of third-party applications, APIs, and enterprise tools with managed authentication and action execution.
Depending on the permissions associated with it, an attacker holding such a key can gain almost full visibility into the organization's AI agent ecosystem and possibly the ability to execute further downstream tools.
Most security teams have not mapped their AI integration layer, the layer where AI systems manage the interactions between tools, models and the real world. In this blog we explain that layer and the gaps we found.
What the AI Integration Layer Actually Does
The AI stack has a gap between the model and the systems it needs to reach. An agent tasked with "find all Salesforce customers who opened support tickets last week, summarize the issues, and notify account managers in Slack" needs to authenticate to Salesforce, manage OAuth tokens, refresh expired credentials, connect to Slack, and execute actions across both applications. The integration layer handles that work.

Four categories of platform make up this layer:
Integration Infrastructure. Platforms like Nango build and maintain hundreds of integrations to Salesforce, Slack, GitHub, and Google Workspace, handling API authentication, connectors, and OAuth workflows. They manage hundreds of APIs and authentication flows behind a single interface.
Unified Enterprise Data Layers. Platforms like Merge unify vendors within a category. Dozens of HR software vendors (Workday, BambooHR, ADP, HiBob) each expose a different API. Merge abstracts those differences so AI agents can query HR data without maintaining a separate integration for each vendor.
AI-Native Search and Retrieval. Platforms like Composio, Arcade, and Nango give AI agents search and retrieval capabilities: real-time web search, content extraction, and structured data retrieval. They are the primary mechanism through which agents gather external information and feed it into knowledge pipelines.
Agent Security and Governance. Platforms like Arcade define what AI agents are permitted to do: delete records, access customer data, send emails, approve transactions, modify cloud resources. They broker authentication between agents and the services they operate on.
What Cyera Found
Cyera researchers identified the AI integration infrastructure in use across hundreds of customer organizations. MCP servers were the largest category by count. Across all categories, we observed tenants running thousands of sanctioned and unsanctioned applications; more than 10% of those applications were both unsanctioned and externally facing. Upon detection, the affected customers were alerted so they could mitigate and better secure their environments.

MCP Servers: Large Footprint, Low Visibility
MCP servers were the most prevalent category, with hundreds of tenants and thousands of deployments including Microsoft 365 MCP, Atlassian, and Notion integrations. Discovering an MCP server provides almost no information about its actual risk. A single MCP server can expose source code, internal documentation, cloud environments, customer data, or proprietary business systems. Knowing the server exists does not reveal what data it can access, what actions it can perform, or what an attacker gains by compromising it.
Agent Authentication and Governance
Cyera found dozens of organizations running platforms like Arcade and Composio, including 17 unsanctioned deployments. These platforms act as authentication brokers for AI agents, managing access to external services and APIs. Designed to centralize security decisions, they often become the most privileged single points in the agent stack, a single integration granting access to dozens of downstream applications.
AI Search and Retrieval
Platforms like Tavily, Exa, and Firecrawl appeared in multiple environments. These services give agents their view of the external world: what information they retrieve, from where, and what enters their knowledge pipelines. Organizations do not track this. An agent retrieving information through a compromised search layer makes decisions based on manipulated data with no audit trail.
Unified Integration Platforms
Cyera found deployments of Merge, Nango, and Apideck with dozens of registered integrations each. These platforms aggregate access to multiple SaaS applications behind a single interface. One Nango deployment connects CRM platforms, HR systems, finance applications, ticketing tools, and source code repositories. One compromised credential reaches all of them.
The Gap Inventory Alone Cannot Close
An MCP server connected to a public knowledge base and one connected to production cloud environments appear identical in an asset inventory. They carry entirely different risk profiles. Organizations need to understand what each integration can access, what permissions agents hold through it, and what an attacker gains by compromising it.
Credentials Exposed in the Wild
Cyera researchers found hundreds of distinct files in public repositories containing AI infrastructure credentials, including dozens of API keys for Composio, Arcade, Nango, Tavily, Exa, LlamaIndex, and other platforms across the AI integration ecosystem.

The sources ranged from container images of AI-powered applications, the OpenClaw ecosystem, and academic research projects to startup founders, CTOs, SVPs of Engineering, AI company executives, enterprise software vendors, and financial services organizations. In several cases, the exposed credentials belonged to the people responsible for building the AI systems they compromised.
Further Analysis of Composio Access
Composio is an integration layer that lets AI agents act in the real world. It simplifies developers' work by connecting many apps at once, and its easy-to-use platform and AI-based chat make setup easier still. Composio exposes 1,043 integrations and over 23,000 actions across Gmail, GitHub, Slack, Notion, CircleCI, databases, and more.
When we started working with Composio we configured our API key. The default permission is “No access”, as illustrated below; you can choose Read Only, Write Only, or Full Access.

We defined a test key to which we gave a full access privilege.

Next we started adding tools. We used the AI chat setup, which makes onboarding easy and frictionless.

You can see how a non-expert can have an agent reading email and pushing code in minutes.

To illustrate the permissions we tricked the Composio integration a bit and defined our Gmail account as a child account.

You can see how our very own Andy is granting very permissive access to the Composio integration.
The trade-off is that the Composio key now has access to Andy’s email. We added GitHub and CircleCI just to check what can happen if our key is “leaked”.
A plausible scenario, one seen thousands of times before, is an API key committed to a repo, baked into a container image, printed in a CI log, or pulled via SSRF.
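The leak paths just listed (repo, container image, CI log) all leave the key sitting in plain text somewhere a scanner can read it. The following is an added example, not Cyera's tooling or any platform's official scanner: it flags credential-looking assignments in arbitrary text by combining a name heuristic (`*_API_KEY`, `*_TOKEN`, `*_SECRET`) with a Shannon-entropy threshold on the value, and redacts what it reports so the finding itself does not re-leak the secret. The environment-variable names and token values in the sample are constructed; no vendor's real key format is assumed.

```python
"""Flag API-key-like secrets in text artifacts (source files, CI logs, image layers).

Added example, not Cyera's tooling. No vendor key format is assumed; the heuristic
is: a variable whose name looks like a credential, assigned a long high-entropy
value. The variable names in SAMPLE are assumptions used for the demo only.
"""
import math
import re
from dataclasses import dataclass

# Assignment forms seen in .env files, shell exports, YAML/JSON and log echoes.
ASSIGNMENT = re.compile(
    r'(?P<name>[A-Za-z_][A-Za-z0-9_.-]*)\s*[:=]\s*["\']?(?P<value>[A-Za-z0-9_\-./+=]{20,})["\']?'
)
CREDENTIAL_NAME = re.compile(r"(api[_-]?key|secret|token|password|passwd|pwd)", re.I)
# Obvious dummy values that should not page anyone.
PLACEHOLDERS = ("changeme", "example", "your_", "xxxx", "placeholder", "<")


@dataclass(frozen=True)
class Finding:
    line_no: int
    name: str
    redacted: str   # never the full value
    entropy: float


def shannon_entropy(s: str) -> float:
    """Bits per character; random tokens score well above prose or repeated chars."""
    counts: dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    """Keep just enough to locate the secret in the artifact, nothing usable."""
    return value[:4] + "..." + value[-2:]


def scan_text(text: str, min_entropy: float = 3.5) -> list[Finding]:
    """Return one Finding per credential-like, high-entropy assignment."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for m in ASSIGNMENT.finditer(line):
            name, value = m.group("name"), m.group("value")
            if not CREDENTIAL_NAME.search(name):
                continue  # high entropy but not a credential name (e.g. a commit SHA)
            if any(p in value.lower() for p in PLACEHOLDERS):
                continue  # documented dummy value
            ent = shannon_entropy(value)
            if ent < min_entropy:
                continue  # low-entropy strings are usually words, not keys
            findings.append(Finding(line_no, name, redact(value), round(ent, 2)))
    return findings


# Constructed sample: a .env fragment, a CI log echo and Dockerfile ENV lines.
SAMPLE = """\
# constructed sample artifact (names and values are invented)
COMPOSIO_API_KEY=ak_9f3Kq2ZvT8wLm4Np7RxY1bDc6HsJ0eVu
DEBUG=true
export GITHUB_TOKEN="ghp_EXAMPLE_PLACEHOLDER_0000"
[ci 12:04:11] NANGO_SECRET_KEY: 3c2a1f9e8d7b6a5c4e3f2a1b9c8d7e6f
ENV TAVILY_API_KEY=tvly-changeme-changeme-changeme
GIT_COMMIT=4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE):
        print(f"line {f.line_no}: {f.name} = {f.redacted} (entropy {f.entropy})")
```

Run it over a CI log or a `docker history`/layer dump and the two real-looking keys are reported while the placeholder values and the commit SHA are not. The entropy threshold of 3.5 bits/char is a starting point; lower it and hex-encoded keys of modest length start to pass, raise it and short base64 tokens are missed.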
Below you can observe how a test sequence we wrote, consisting of several GET requests to Composio, returned the underlying credentials. A single read-only call returned the Gmail access_token and refresh_token, the GitHub bearer token, and the CircleCI API key.

When inspecting the Composio APIs, two stand out.
Sandbox Execute provides a remote, persistent execution environment where AI agents can run Python code, execute shell commands, process files, make API requests, and interact with Composio-connected tools within an isolated workspace. Although it is labeled as remote command execution, it effectively runs inside a Composio sandbox and is probably guarded by proper guardrails and protections. Beyond confirming that a command executed successfully with our API key, we did not test this API further.
The more interesting API is Proxy Execute, which allows Composio to act as an authenticated proxy to third-party services, enabling users or agents to make arbitrary API requests to connected applications, in our case Gmail, GitHub and CircleCI. We fetched the last 10 emails with a “leaked” API key and got the results.

The blast radius is the union of every connected scope, and here the scopes were wide: Gmail granted https://mail.google.com/ (full mailbox — read, send, delete), GitHub carried repo + workflow (private source and CI control), and CircleCI's key exposed pipeline environment variables where cloud and deploy secrets live.
From there the pivots write themselves: mine the inbox for password-reset emails to take over other accounts, exfiltrate private sources and plant a backdoor in GitHub Actions, harvest infrastructure credentials from CircleCI.
Worse, because the raw tokens are now in the attacker's hands, rotating the Composio key doesn't end the incident. The refresh tokens keep working directly against Google, GitHub, and CircleCI until each downstream grant is individually revoked.
What These Leaked Credentials Actually Unlock
While each key provides different levels of access, permissions, and execution capabilities, they can generally be grouped into two main categories.
The first (the most critical) category includes Agent Authentication & Governance and Unified API & Integration platforms. These are particularly sensitive because they often allow whoever controls the key to inventory the environment, enumerate connected tools and integrations, execute actions, and in some cases act as a proxy for invoking commands across connected services.
The impact ultimately depends on the permissions granted to the key and the systems connected through it. In practice, these keys frequently have broad privileges and are integrated with numerous applications across critical parts of the AI stack. As a result, a compromised key may provide an attacker with visibility into the organization's AI infrastructure, access to connected services and data sources, and, in some cases, the ability to interact with internal systems, applications, and databases through trusted agent workflows.
The second category, AI Search & Retrieval, is less critical but still allows an attacker to at least consume resources, because most of these keys only enable external internet search.
The MCP server category (in our table above) is the wildcard in the equation. Organizations often inventory these AI stack components under the generic label “MCP server”, making it difficult to determine their true capabilities and, consequently, the full blast radius of a compromise. An MCP server can be connected to anything from internal databases and ticketing systems to source code repositories, cloud environments, SaaS applications, and proprietary business systems. Without a clear understanding of what each MCP server is connected to and authorized to access, assessing the impact of an exposed credential or compromised agent becomes significantly more challenging.
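The blast-radius reasoning in the Composio walkthrough (union of every connected scope, broad grants such as `https://mail.google.com/` and `repo` + `workflow`, and rotation of the broker key not ending the incident while downstream refresh tokens still work) and the MCP "wildcard" point above are both mechanical enough to encode. The following is an added example, not Cyera's or any vendor's code: it models a broker key's connections, treats an unmapped MCP server as fully exposed, ranks broad scopes, and emits the revocation list an incident responder actually has to work through. The Gmail and GitHub scope strings mirror the ones named in the text; the CircleCI scope label, the weights and the policy list of "broad" scopes are assumptions.

```python
"""Blast-radius model for a compromised agent integration broker key.

Added example, not Cyera's or Composio's code. Gmail/GitHub scope strings are the
ones named in the post; the CircleCI label, BROAD_SCOPES policy and the scoring
weights are assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Optional

# Scopes that hand over an entire service rather than a slice of it (assumed policy list).
BROAD_SCOPES = {
    "https://mail.google.com/": "full mailbox: read, send, delete",
    "repo": "all private repositories",
    "workflow": "CI definitions (GitHub Actions)",
    "admin:org": "organization administration",
}


@dataclass(frozen=True)
class Connection:
    service: str
    scopes: Optional[frozenset]        # None = capabilities unknown (the MCP-server case)
    holds_downstream_token: bool = True  # broker stores the raw OAuth/API token for us


@dataclass
class Assessment:
    reachable_scopes: set
    broad_scopes: dict
    unknown_services: list
    revocations: list
    score: int


def assess(broker: str, connections: list) -> Assessment:
    """Union every connected scope; unknown connections count as fully exposed."""
    reachable, broad, unknown = set(), {}, []
    revocations = [f"rotate {broker} key"]  # necessary, but never sufficient on its own
    for c in connections:
        if c.scopes is None:
            unknown.append(c.service)  # cannot bound the blast radius: assume worst case
        else:
            for s in c.scopes:
                key = f"{c.service}:{s}"
                reachable.add(key)
                if s in BROAD_SCOPES:
                    broad[key] = BROAD_SCOPES[s]
        if c.holds_downstream_token:
            # Exfiltrated tokens stay valid at the provider until the grant itself is revoked.
            revocations.append(f"revoke {c.service} grant at the provider")
    # Assumed weights: an unmapped service dominates, a broad scope outweighs a narrow one.
    score = 10 * len(unknown) + 3 * len(broad) + len(reachable)
    return Assessment(reachable, broad, unknown, revocations, score)


def rotation_alone_suffices(connections: list) -> bool:
    """True only when the broker held no downstream tokens an attacker could have read."""
    return not any(c.holds_downstream_token for c in connections)


# Constructed sample mirroring the walkthrough: three mapped services plus one MCP server.
SAMPLE_CONNECTIONS = [
    Connection("gmail", frozenset({"https://mail.google.com/"})),
    Connection("github", frozenset({"repo", "workflow"})),
    Connection("circleci", frozenset({"project:env-vars"})),  # assumed label
    Connection("mcp-notion", None),                            # discovered, never mapped
]

if __name__ == "__main__":
    a = assess("composio", SAMPLE_CONNECTIONS)
    print("score", a.score, "| unmapped:", a.unknown_services)
    for k, why in a.broad_scopes.items():
        print("broad:", k, "->", why)
    for step in a.revocations:
        print("todo:", step)
    print("rotation alone suffices:", rotation_alone_suffices(SAMPLE_CONNECTIONS))
```

The revocation list is the part that matters operationally: it is one entry per downstream grant, not one entry for the broker, which is exactly the gap the walkthrough describes when it notes that the refresh tokens keep working after the Composio key is rotated.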
Below you can see some examples:
Arcade: The Full Agent Action Surface
According to their documentation, an Arcade API key unlocks everything Arcade can reach. Arcade brokers authentication between AI agents and the external services they operate on: productivity suites, communication platforms, ticketing systems, CRM environments, cloud services, and development platforms. An attacker with a compromised key inherits the same action surface available to the agent: reading data, modifying records, creating resources, sending communications, triggering workflows.
In agent frameworks, Arcade controls agent actions, not just data reads. The blast radius is bounded by the permissions the organization delegated to the agents operating through it.
Nango: One Credential, the Entire Integration Stack
According to their documentation, a compromised Nango credential exposes the organization's entire integration fabric. Nango manages OAuth flows, token refreshes, and API connections across hundreds of SaaS integrations. One deployment connects CRM platforms, ticketing systems, collaboration tools, source code repositories, HR systems, and financial platforms through a single interface.

Description: A partial integration list out of the 800+ integrations on Nango’s website.
In agentic environments, Nango is the bridge between AI agents and those systems, enabling data retrieval, synchronization, and action execution across the organization's application stack. One credential reaches all of it.
What Organizations Should Do
Build the inventory
Security teams cannot govern AI integration infrastructure they have not found. A continuously updated inventory of MCP servers, agent governance platforms, retrieval services, and integration providers is the starting point. That inventory must include unsanctioned deployments, externally facing applications, and shadow AI infrastructure that entered without security review.
Understand the exposure
Inventory answers what exists. Governance answers what each integration can reach. Security teams need to map what data each integration accesses, what permissions agents hold through it, what business systems are reachable, and what the blast radius of a compromise would be. Asset discovery is where governance starts.
Enforce controls
Discovery and understanding without enforcement leaves risk documented but unaddressed. Security teams need the ability to act on sensitive data access, excessive permissions, exposed secrets, unsanctioned applications, and risky integrations, catching them before they become entry points. At Cyera, this is the work we do across the AI integration layer: discover what exists, understand what it exposes, and enforce controls that reduce risk.
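The three steps above (inventory, exposure, enforcement) start with a reconciliation that most teams do by hand: discovered AI integration endpoints versus the sanctioned list, with the unsanctioned-and-external subset surfaced first. The following is an added example, not Cyera's product logic: it tags each discovered endpoint with the platform category from the taxonomy earlier on this page, marks MCP servers and unknown platforms as "capabilities-unmapped" (discovery alone cannot say what they reach), computes the unsanctioned-and-external share, and orders a worklist. The tenants, hostnames, sanctioned list and the platform-to-category mapping are constructed.

```python
"""Reconcile discovered AI integration endpoints against a sanctioned list.

Added example, not Cyera's product logic. Tenants, hostnames and the sanctioned
set are constructed; the platform-to-category map follows the four categories
described on the page but is an assumption of this example.
"""
from collections import Counter
from dataclasses import dataclass

# Platform name -> category from the page's taxonomy (assumed mapping).
CATEGORY = {
    "nango": "integration-infrastructure",
    "apideck": "integration-infrastructure",
    "merge": "unified-data-layer",
    "tavily": "search-retrieval",
    "exa": "search-retrieval",
    "firecrawl": "search-retrieval",
    "arcade": "agent-governance",
    "composio": "agent-governance",
}


@dataclass(frozen=True)
class Discovered:
    tenant: str
    platform: str        # "mcp" for any MCP server, regardless of what it fronts
    host: str
    externally_facing: bool


@dataclass(frozen=True)
class Finding:
    tenant: str
    platform: str
    category: str
    host: str
    flags: tuple


def categorize(platform: str) -> str:
    if platform == "mcp":
        return "mcp-server"  # the wildcard: existence says nothing about reach
    return CATEGORY.get(platform, "unknown")


def reconcile(discovered: list, sanctioned: set) -> list:
    """sanctioned is a set of (tenant, host) pairs approved by security review."""
    findings = []
    for d in discovered:
        flags = []
        if (d.tenant, d.host) not in sanctioned:
            flags.append("unsanctioned")
        if d.externally_facing:
            flags.append("external")
        category = categorize(d.platform)
        if category in ("mcp-server", "unknown"):
            flags.append("capabilities-unmapped")  # needs a permission/data mapping
        findings.append(Finding(d.tenant, d.platform, category, d.host, tuple(flags)))
    return findings


def summarize(findings: list) -> dict:
    total = len(findings)
    both = sum(1 for f in findings if {"unsanctioned", "external"} <= set(f.flags))
    return {
        "total": total,
        "unsanctioned_and_external": both,
        "pct": round(100 * both / total, 1) if total else 0.0,
        "by_category": dict(Counter(f.category for f in findings)),
    }


def worklist(findings: list) -> list:
    """Most-flagged first; ties broken deterministically by tenant and host."""
    return sorted(findings, key=lambda f: (-len(f.flags), f.tenant, f.host))


# Constructed discovery output for two tenants (hosts are invented .example names).
DISCOVERED = [
    Discovered("acme", "composio", "composio.acme.example", False),
    Discovered("acme", "mcp", "mcp-notion.internal.acme.example", False),
    Discovered("acme", "mcp", "mcp-m365.acme.example", True),
    Discovered("acme", "tavily", "tavily-gw.acme.example", False),
    Discovered("beta", "nango", "nango.beta.example", True),
    Discovered("beta", "arcade", "arcade.beta.example", False),
    Discovered("beta", "mcp", "mcp-atlassian.beta.example", False),
    Discovered("beta", "firecrawl", "firecrawl.beta.example", True),
]
SANCTIONED = {
    ("acme", "composio.acme.example"),
    ("acme", "mcp-notion.internal.acme.example"),
    ("acme", "tavily-gw.acme.example"),
    ("beta", "nango.beta.example"),
    ("beta", "arcade.beta.example"),
}

if __name__ == "__main__":
    found = reconcile(DISCOVERED, SANCTIONED)
    print(summarize(found))
    for f in worklist(found):
        print(f.tenant, f.host, f.category, f.flags)
```

Feeding real discovery output into `reconcile` gives the same two numbers the post reports for its customer base (total applications, and the share that is both unsanctioned and externally facing), and the "capabilities-unmapped" flag is the queue for the exposure step: every MCP server stays on it until someone records what data and actions it can reach.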
Your security team has an inventory of cloud accounts, endpoints, and SaaS applications. How many of the 1,344 AI integration apps Cyera found across similar organizations appear in yours? How many of those are unsanctioned? Or connected to the internet?