Your Slack bot can read every public channel in your workspace. Every single one. Not the three channels your agent actually needs. All of them. That’s not a configuration oversight. That’s how the API works.
This is the permission problem nobody’s talking about while they’re busy celebrating AI automation wins. The same SaaS tools your team lives in were designed for humans, billed per human, and permissioned for humans. AI agents don’t fit that model. They break it in two distinct ways: the bill explodes, and the access is far too broad to be safe.
The seat-cost problem
SaaS pricing has always mapped to headcount because headcount was a reasonable proxy for usage. One engineer, one GitHub seat. Ten support reps, ten Zendesk licenses. That logic held for thirty years.
AI agents shatter it. An agent acting on behalf of a user doesn’t replace the user’s seat. It adds to it. Deploy three agents into your Slack workspace and some vendors want three more seats. Or they charge you per API call at rates calibrated for occasional human use, not the thousands of interactions an agent can generate in an hour. Either way, the math stops working.
According to research from Okta, 91% of organizations are already deploying AI agents, but only 10% have adequate governance in place. That gap shows up in your invoice before it shows up in your security posture.
The vendors haven’t figured out where to land. Some SaaS providers are redefining what a “seat” means to include AI agents as first-class entities. Others are stacking usage-based charges on top of existing seat fees. The result is SaaS spend that’s genuinely hard to forecast, not because usage is variable, but because the pricing model wasn’t designed for what you’re doing.
For an early-stage startup, this matters more than it does for an enterprise. You’re already watching burn rate closely. Adding five AI agents to your toolchain without auditing what they’ll cost you in third-party licensing is how you accidentally triple a line item you thought you understood.
The permission problem
Seat costs are annoying. The permission problem is worse.
OAuth scopes control what an API token can do. They were designed for applications with predictable behaviour. You grant your app channels:read in Slack, and the app reads Slack channels. The assumption is that the developer wrote specific code that does specific things. Coarse scopes work because the application self-limits.
An AI agent doesn’t self-limit the same way. Its behaviour at runtime depends on what’s in its context window, what prompt it received, and what it encounters along the way. The same token and the same scopes can produce completely different actions depending on what the agent processed ten seconds ago.
The scope granularity makes this worse. Slack’s channels:read doesn’t let you grant access to one channel. It grants access to all public channels in the workspace. Google Drive’s drive scope means “view and manage all your Drive files,” not the three project folders your agent needs. There is no OAuth scope that says “send replies to existing threads in #eng-alerts only” or “read files created in the last seven days.” The scopes are structural, not semantic. They describe API endpoints, not intent.
In February 2026, an AI agent tasked with managing a Meta executive’s inbox began mass-deleting emails after its context window filled up and it lost track of the original instruction to wait for approval. The agent had the capability, via its token, to delete. Nothing in the permission model stopped it. The tool did exactly what the scope permitted.
An agent with drive scope can read your entire Google Drive. An agent with channels:history scope can read every message in every channel it can join. What it does with that access depends on its prompt, its context, and whatever it encounters mid-task.
What the platforms are doing (and how long it will take)
Microsoft has Entra Agent ID. Okta has added AI agents to its Universal Directory. Google is building Agent Identity for Vertex AI. The IETF is drafting authentication standards for autonomous agents. These are real moves. AI agents need first-class identities, not repurposed service accounts, and the industry is starting to build toward that.
It will take years to land in the tooling most startups actually use. Slack’s permission model isn’t being redesigned this quarter.
What to do today
Use the narrowest scope available, without exception. Google Drive’s drive.file scope limits an agent to files the user explicitly shares with it. That’s far safer than drive. GitHub’s fine-grained personal access tokens let you restrict to specific repositories and specific permissions. For Slack, add your bot only to the channels it needs. You can’t restrict a token scope to a single channel, but you can restrict channel membership, which limits what the agent can see.
Treat agents as separate billing entities from day one. When evaluating a new tool, ask specifically how it handles non-human users. Some vendors exempt service accounts from seat billing. Some don’t. Some have a dedicated agent tier that hasn’t been fully priced yet. Find out before you deploy, not after your first invoice.
Don’t give agents bearer tokens they hold themselves. The safer architecture is a gateway pattern: the agent requests actions, a separate service validates and executes them, and credentials never leave the gateway. The agent’s blast radius shrinks considerably. You also get a full audit log of every action taken, not just what was theoretically possible.
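The gateway pattern above, and the channel-level restriction the previous section says OAuth scopes cannot express, as an added example (not code from the original post). The agent never holds the bot token; it submits an intent, and the gateway applies an explicit policy (which actions, which channels, replies to existing threads only, a per-run cap), performs the Slack Web API call itself, and writes an audit record for every request whether or not it was allowed. `Policy`, `AgentRequest`, `SlackGateway` and `fake_slack_transport` are names chosen for this example; the channel ids, timestamps and token value are constructed placeholders, and the transport is a stand-in that records calls instead of contacting Slack.

```python
"""Gateway pattern for an AI agent acting in Slack (added example).

The agent process sends a proposed action to the gateway; the gateway
validates it against policy, executes it with the credential that only
the gateway holds, and logs the decision. Nothing here is Slack's own
SDK; chat.postMessage / chat.delete are the real Web API method names,
the rest is this example's own structure.
"""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Policy:
    allowed_actions: frozenset   # agent-level action names the agent may request
    allowed_channels: frozenset  # Slack channel ids the agent may touch
    max_actions: int = 20        # cap on executed actions per gateway run


@dataclass(frozen=True)
class AgentRequest:
    agent_id: str
    action: str
    params: dict


# The agent speaks in intents; only the gateway knows which API method they map to.
ACTION_TO_METHOD = {
    "post_reply": "chat.postMessage",
    "delete_message": "chat.delete",
}
FORWARDED_FIELDS = ("channel", "text", "thread_ts", "ts")


class SlackGateway:
    def __init__(self, bot_token: str, policy: Policy, transport):
        self._token = bot_token      # credential never leaves this object
        self._policy = policy
        self._transport = transport  # callable(method, payload, token) -> dict
        self._executed = 0
        self.audit_log = []          # one record per request, allowed or denied

    def _evaluate(self, req: AgentRequest) -> str:
        """Pure policy check: returns 'allow' or a denial reason."""
        channel = req.params.get("channel")
        if req.action not in self._policy.allowed_actions:
            return f"denied: action {req.action!r} not permitted"
        if channel not in self._policy.allowed_channels:
            return f"denied: channel {channel!r} not permitted"
        # "Reply to existing threads only": a reply must name the thread it joins.
        if req.action == "post_reply" and not req.params.get("thread_ts"):
            return "denied: top-level posts not permitted, thread_ts required"
        if self._executed >= self._policy.max_actions:
            return "denied: per-run action cap reached"
        return "allow"

    def submit(self, req: AgentRequest) -> dict:
        decision = self._evaluate(req)
        record = {
            "ts": datetime.now(timezone.utc).isoformat(),
            "agent_id": req.agent_id,
            "action": req.action,
            "params": dict(req.params),
            "decision": decision,
        }
        self.audit_log.append(record)
        if decision != "allow":
            return {"ok": False, "error": decision}
        self._executed += 1
        method = ACTION_TO_METHOD[req.action]
        # Forward only known fields; the agent cannot smuggle extra API arguments.
        payload = {k: req.params[k] for k in FORWARDED_FIELDS if k in req.params}
        result = self._transport(method, payload, self._token)
        record["result_ok"] = result.get("ok", False)
        return {"ok": result.get("ok", False), "method": method}


def fake_slack_transport(calls: list):
    """Constructed stand-in for the Slack Web API: records calls, sends nothing."""
    def _send(method, payload, token):
        calls.append({"method": method, "payload": payload, "token": token})
        return {"ok": True, "ts": "1700000000.000100"}
    return _send


def demo():
    """Run four agent requests through the gateway; only the first is allowed."""
    calls = []
    policy = Policy(allowed_actions=frozenset({"post_reply"}),
                    allowed_channels=frozenset({"C0ENGALERTS"}))  # constructed id
    gw = SlackGateway("xoxb-placeholder-token", policy, fake_slack_transport(calls))
    results = [
        gw.submit(AgentRequest("triage-bot", "post_reply", {
            "channel": "C0ENGALERTS", "thread_ts": "1699999999.000001",
            "text": "Acknowledged, investigating."})),           # allowed
        gw.submit(AgentRequest("triage-bot", "post_reply", {
            "channel": "C0GENERAL", "thread_ts": "1699999999.000002",
            "text": "hi"})),                                      # wrong channel
        gw.submit(AgentRequest("triage-bot", "delete_message", {
            "channel": "C0ENGALERTS", "ts": "1699999999.000001"})),  # action not granted
        gw.submit(AgentRequest("triage-bot", "post_reply", {
            "channel": "C0ENGALERTS", "text": "new top-level post"})),  # no thread
    ]
    return results, calls, gw.audit_log


if __name__ == "__main__":
    for entry in demo()[2]:
        print(entry["action"], "->", entry["decision"])
```

The policy object is where the "#eng-alerts only, replies only" rule from the previous section lives: the Slack scope on the token still covers every channel the bot is in, but the agent can only reach the token through a checkpoint that refuses anything outside the allowlist, and the audit log records denials as well as executions, which is the signal you want when an agent starts drifting from its task.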
Budget for SaaS repricing. The seat model is being renegotiated across the industry. Vendors who relied on per-seat revenue are watching AI eat their user counts. Expect your contracts to look different at renewal. Model a scenario where your per-agent cost is priced explicitly, because that’s where most vendors are heading.
The tools your team depends on weren’t designed for agents acting as users. The billing model doesn’t account for it, and the permission model doesn’t contain it. The platforms will get there eventually. Not this quarter.
If you’re deploying agents into your SaaS stack and haven’t audited the scope and cost implications, talk to us.
Sources:
- OAuth Is Broken for AI Agents — levine.tech
- Securing the Future of IAM: Why AI Agents Need First-Class Identity Governance — Built In
- Okta Takes on AI Agent Risks with New Security Tools — The AI Economy
- Slack channels:read scope — Slack Developer Docs
- Choose Google Drive API scopes — Google for Developers
- A New Identity Playbook for AI Agents in 2026 — Strata
- Non-Human Identities: Agentic AI’s New Frontier of Cybersecurity Risk — World Economic Forum
- Will Agentic AI Disrupt SaaS? — Bain & Company