CX platforms process billions of unstructured interactions a year: survey forms, review sites, social feeds, call center transcripts, all flowing into AI engines that trigger automated workflows that touch payroll, CRM, and payment systems. No tools in a security operations center leader’s stack monitor what the CX platform’s AI engine is consuming, and attackers figured it out. They poison the data it feeds, and AI causes harm to them.
The Salesloft/Drift breach in August 2025 proved exactly that. Attackers compromised SalesLoft’s GitHub environment, stole Drift chatbot OAuth tokens, and accessed Salesforce environments across 700+ organizations, including Cloudflare, Palo Alto Networks, and Zscaler. It then scanned the stolen data for AWS keys, snowflake tokens, and plaintext passwords. And no malware was deployed.
The gap is wider than most security leaders realize: 98% of organizations have a data loss prevention (DLP) program, but only 6% have dedicated resources, according to Proofpoint’s 2025 Voice of the CISO report, which surveyed 1,600 CISOs in 16 countries. And according to CrowdStrike’s 2025 Threat Hunting Report, 81% of interactive intrusions now use legitimate access instead of malware. Cloud infiltration increased by 136% in the first half of 2025.
“Most security teams still classify experience management platforms as ‘survey tools,’ at the same risk level as project management apps,” Assaf Keren, chief security officer of Qualtrics and former CISO of PayPal, told VentureBeat in a recent interview. “This is a massive misclassification. These platforms now connect to HRIS, CRM, and compensation engines.” Qualtrics alone processes 3.5 billion interactions annually, a figure the company says is set to double by 2023. Organizations cannot afford to step down on input integrity once AI enters the workflow.
VentureBeat spent several weeks interviewing security leaders to bridge this gap. Six control failures occurred in each interaction.
Six blind spots between the security stack and the AI engine
1. DLP cannot see unstructured sentiment data coming out through standard API calls
Most DLP policies classify structured personally identifiable information (PII): name, email, and payment data. Open-text CX responses include salary complaints, health-related disclosures, and executive criticism. No standard PII pattern matches. When a third-party AI tool pulls that data, the export looks like a regular API call. DLP never activates.
2. Zombie API tokens from expired campaigns are still live
An example: MMarketing ran a CX campaign six months ago and the campaign died. But the OAuth tokens connecting the CX platform to HRIS, CRM, and payment systems were never revoked. This means that every single lateral movement path is sitting open.
JPMorgan Chase CISO Patrick Opett flagged this risk in his April 2025 open letter, warning that SaaS integration models create “single-factor explicit trust between systems” through tokens that are “inadequately secured… vulnerable to theft and reuse.”
3. No bot mitigation in public input channels before data reaches AI engine
A web app firewall inspects the HTTP payload for a web application, but none of that coverage extends to a Trustpilot review, a Google Maps rating, or an open-text survey response that the CX platform intercepts as valid input. The fraudulent sentiment prevalent in those channels is invisible to perimeter controls. VentureBeat asked security leaders and vendors whether any CX covers input channel integrity for public-facing data sources feeding AI engines; It turned out that the category doesn’t exist yet.
4. Lateral movement from a compromised CX platform runs through compromised API calls
“Adversaries aren’t infiltrating, they’re logging in,” Daniel Bernard, CrowdStrike’s chief business officer, told VentureBeat in an exclusive interview. “It’s a valid login. So from a third-party ISV perspective, you have a sign-in page, you have two-factor authentication. What more do you want from us?”
This threat extends to human and non-human identities alike. Bernard described it this way: “Suddenly, terabytes of data are being exported out. This is non-standard usage. It’s going to places this user hasn’t gone before.” A Security Information and Event Management (SIEM) The system sees authentication successful. There is no practical change visible in this. without what bernard said "software posture management" Covering CX platforms, lateral movement runs through connections that have already been approved by the security team.
5. Non-technical users have administrative privileges that no one reviews
Marketing, HR, and customer success teams configure CX integrations because they need it for speed, but the SOC team may never see them. Security needs to be an enabler, says Karen, or teams will move around it. Any organization that cannot maintain a current list of every CX platform integration and the administrator credentials behind them has shadow administrator risk.
6. Open-text feedback reaches the database before PII is hidden
Employee surveys record complaints about managers by name, pay complaints and health disclosures. Customer feedback is exposed exactly: account details, purchase history, service disputes. None of these hits the structured PII classifier because it comes as free text. If a breach exposes it, attackers gain access to personal information along with lateral movement paths.
No one owns this difference
These six failures have the same root cause: SaaS security posture management has matured to Salesforce, ServiceNow, and other enterprise platforms. CX platforms never got the same treatment. No one monitors user activity, permissions, or configuration inside the experience management platform, and there is no policy enforcement over the AI workflows that process that data. When bot-driven inputs or unusual data exports hit the CX application layer, nothing detects them.
Security teams are responding with what they have. Some people are expanding SSPM tools to cover CX platform configuration and permissions. API security gateways provide another path, inspecting token scope and data flow between CX platforms and downstream systems. Identity-centric teams are implementing CASB-style access controls on CX admin accounts.
None of those approaches provide what CX-layer security really needs: continuous monitoring of who is accessing experience data, real-time visibility into misconfigurations before lateral movement paths are created, and automated protection that enforces policy without waiting for quarterly review cycles.
The first integration purpose-built for that difference connects Asana Management directly to the CX layer, giving security teams the same coverage over program activity, configuration, and data access they already expect for Salesforce or ServiceNow. Behind this is the duo of CrowdStrike’s Falcon Shield and Qualtrics XM platform. VentureBeat’s security leaders said in interviews that this is a control they’re manually creating — and it’s causing them to lose sleep.
Security teams are not measuring the scope of the explosion
Most organizations have mapped the technology blast radius. “But not the scope of the business explosion,” Karen said. When an AI engine initiates compensation adjustments based on toxic data, the damage is not a safety event. This is a wrong business decision executed at machine speed. The difference is between a CISO, a CIO, and a business unit owner. Today no one is its owner.
“When we use data to make business decisions, that data has to be accurate,” Karen said.
Run the audit, and start with the zombie token. This is where drift-scale violations begin. Start with a 30-day verification window. AI will not wait.
<a href