- itscybernews
- Posts
- The most powerful software prediction of the decade was wrong — and the way it was wrong explains why you may never log into your CRM again.
The most powerful software prediction of the decade was wrong — and the way it was wrong explains why you may never log into your CRM again.
SaaS didn't die — the login screen did. Your AI assistant is becoming the front door to every tool you pay for, and three true stories show what happens when that door is left unlocked.

In December 2024, Satya Nadella — the man who runs Microsoft, a company that sells more business software than anyone alive — sat down on a podcast and casually predicted the death of his own industry. Business applications, he said, are “essentially CRUD databases with a bunch of business logic,” and that logic “will all collapse… in the agent era.”
The clip went everywhere. “SaaS is dead” became the tech world’s favorite funeral, attended by a thousand LinkedIn hot takes.
Eighteen months later, we can check the prediction against reality. And reality did something more interesting than either the eulogy or the rebuttal: SaaS didn’t die. The login screen did.
Your CRM, your project tracker, your accounting tool — they’re all still there, still running, still billing you. What’s disappearing is you visiting them. Increasingly, an AI assistant goes instead, on your behalf, through a plug in the back.
Marvel first. As always.
🤖 The wonderful part: the app becomes the engine, the assistant becomes the driver
Here’s the pattern, and once you see it you’ll notice it everywhere.
The old way: you log into the SaaS app, click through its menus, fill its forms, export its reports. The interface is the product.
The new way: you tell an AI assistant what you want — “pull every deal that’s gone quiet for 30 days and draft a check-in email for each” — and the assistant reaches into the CRM through a standard connector, does the clicking that used to be your job, and comes back with the result. You never saw the login page.
The plumbing that makes this possible is MCP — the Model Context Protocol — the “USB-C for AI” standard we covered a couple of weeks ago. What’s changed since is how completely the industry has surrendered to it. OpenAI, Google DeepMind, Microsoft, and Amazon all support it now. In late January, MCP apps landed — connectors can now hand your assistant interactive panels, not just text. Forrester expects 30% of enterprise app vendors to ship their own MCP servers this year; Gartner projects that 40% of enterprise applications will carry task-specific AI agents by the end of 2026, up from under 5% a year ago.
And the assistants grew hands. Claude Cowork — Anthropic’s desktop agent for people who don’t live in a terminal — went from research preview in January to Windows in February to mobile and web this week, wired into connectors for the tools you already pay for: Drive, Gmail, DocuSign, CRMs, project trackers, payment platforms.
Here’s the part the “SaaS is dead” crowd missed, and it’s the most important sentence in this issue: the assistant is only as good as the system it plugs into. Ask an AI to manage your sales pipeline out of a loose Excel file and you get chaos with confidence. Plug the same AI into a real CRM and suddenly it inherits everything the SaaS platform spent fifteen years building — structured records, permissions, history, workflows, an audit trail. The value of the software didn’t collapse. It just moved backstage.
SaaS survives — as infrastructure behind a conversation, rather than a destination you visit. The database won. The dashboard lost.
Which raises a question with teeth: if your AI assistant now holds the keys to every system you use… what happens when something goes wrong with the keys?
We have three real answers. None of them are hypothetical.
🕳️ The catch: three true stories about handing an agent the keys
Story one: the agent that dropped the production database. In July 2025, SaaStr founder Jason Lemkin livestreamed an experiment in letting an AI coding agent build and run a real app on Replit. During an explicit code freeze — with instructions not to change anything — the agent ran destructive commands against the live production database, wiping records for over 1,200 executives and 1,190+ companies. Then it got worse: the agent generated roughly 4,000 fake user profiles, and when confronted, claimed a rollback was impossible. (It wasn’t — the data was recovered, and Replit’s CEO publicly apologized, calling it “unacceptable,” before shipping automatic dev/prod separation.) The agent didn’t get hacked. It just panicked — its own word — with real credentials in hand.
Story two: the connector that mixed up its tenants. In June 2025, Asana disclosed that the MCP server powering its shiny new AI features had a flawed tenant-isolation check. For about a month, users at roughly 1,000 customer organizations could — under the right conditions — see tasks, comments, and files belonging to other companies. No hacker required; the door between tenants was simply hung crooked. Asana pulled the connector offline for nearly two weeks to fix it.
Story three: the stolen keys to 700 companies. In August 2025, attackers tracked as UNC6395 breached Salesloft and stole the OAuth tokens behind its Drift AI chat agent’s Salesforce integration. Those tokens — the standing “this app may act on your behalf” permissions that make every connector work — let the attackers walk into over 700 organizations’ Salesforce environments without a single password. Once inside, they weren’t after the sales data. They ran targeted searches through support tickets hunting for what people had pasted into them: AWS keys, Snowflake tokens, VPN credentials, plaintext passwords. One compromised integration became a skeleton key to hundreds of companies — including security companies.
Notice what these three stories have in common. Nobody defeated encryption. Nobody phished a CEO. In every case, the failure lived in the new front door — the standing, machine-to-machine access that agent-driven software runs on. The interface shift is real, and so is the shift in what attackers target: not your password anymore, but your assistant’s.
Try the AI that knows your customers. No commitment.
Most platform evaluations start with a demo request and end three weeks later in a conference room. This one takes 15 minutes and puts you directly inside Gladly's interface — navigating it on your own terms.
See how AI surfaces real-time customer context before a conversation starts. Watch how a single conversation thread pulls in purchase history, channel history, and account details without a handoff.
No installation. No commitment. Start the interactive demo and see the platform for yourself.
🛡️ The good news: every one of those doors has a lock
The reassuring pattern across all three incidents: the fixes are boring, known, and mostly free. This is seatbelt territory, not rocket science.
The Replit lesson: agents don’t get production keys. After the incident, Replit shipped the fix the industry should have started with — automatic separation between development and production, plus a planning-only mode. The general rule for everyone: an agent should touch a copy until a human approves it touching the real thing. Destructive actions get a confirmation step. Always.
The Asana lesson: your vendor’s AI connector is part of your attack surface. Asana’s bug was fixed in two weeks — but only customers watching for the advisory knew to check what had been exposed. When a tool you use ships an AI/MCP feature, that’s a change to your security posture even though you changed nothing. Treat vendor AI announcements the way you treat patch notes.
The Drift lesson: OAuth tokens are passwords that nobody rotates. Every “Connect to Salesforce / Google / Slack” button you’ve ever clicked created a standing credential that outlives the demo you clicked it for. The attackers didn’t break in — they logged in, with tokens someone else had minted. Inventory them, scope them, revoke the stale ones.
And the quiet one: stop pasting secrets into tickets. UNC6395’s actual prize was credentials sitting in plain text inside support cases. A support ticket is a database record with a long memory. If a password has ever been pasted into one, consider it shared.
✅ What to actually do
If you’re wiring an AI assistant into your tools (or already have):
Grant read-only first. Most of the value of an assistant-driven CRM or tracker is asking questions. Start with read scopes; add write access per-tool, only when you’ve watched it behave.
Keep a connector inventory. Once a quarter, open the “connected apps” page in your Google, Microsoft, Salesforce, and Slack accounts and revoke anything you don’t recognize or no longer use. Every entry is a standing key.
Demand a human click for destructive actions. Delete, send, pay, publish — an agent can prepare all of these; a person should confirm them. If a tool can’t be configured that way, don’t give it write access.
If you run a team or a company:
Treat vendor AI features as security events. New MCP server? New “AI agent” in a tool you use? Someone owns reading that announcement and checking the default permissions — the Asana incident happened to customers who did nothing at all.
Rotate integration tokens like credentials — because they are. After the Drift breach, the companies that shrugged were the ones already rotating OAuth tokens on a schedule and scoping them tightly. Be them.
Sweep your ticket systems for secrets. Search support cases and CRM notes for “password”, “key”, “token”. Whatever you find is already exposed to every integration that can read those records — clean it out and rotate what you find.
The takeaway
Picture the version worth wanting. Monday morning, you don’t log into anything. You ask your assistant what changed over the weekend, and it comes back with the answer assembled from your CRM, your tracker, and your inbox — every record correct, because the structured, permissioned SaaS backends did what they’ve always been good at. The software you pay for still does the heavy lifting. You just stopped commuting to it.
Nadella’s prediction wasn’t wrong about the shake-up — it was wrong about the victim. The apps live; the visits are dying. But the same shift that removes the login screen replaces it with something new to defend: standing keys, machine-to-machine trust, agents with hands. The three incidents above are the early price of learning that — a dropped production database, a crooked wall between a thousand tenants, one stolen keyring that opened 700 companies.
The lock list is short: read-only by default, humans confirm the destructive stuff, inventory the keys, rotate them, and never leave secrets lying in tickets. The conversation is the new interface. Make sure it’s your conversation.
Reply and tell us: have you connected an AI assistant to a real work tool yet — and did you check what permissions it got? Best answers get featured next week.
— itscybernews · written by a human, edited by an agent with read-only access ·

