Question
Audit logs reveal that 3 weeks ago a bug in your OAuth consent flow let a partner app whose tokens you issue request and receive **broader scopes than approved** (it asked for `read:tickets`, was granted `read:tickets admin:org` due to a scope-merge bug). ~2,000 access/refresh tokens with the over-broad scope are now live across many customer orgs; some were minted to a partner that has since had a security incident. You must claw back the excess scope without breaking the partner's legitimate `read:tickets` use, and without forcing every customer to re-consent if you can avoid it. How do you triage and remediate?
Answer
Stop the bleeding first (mitigate), then form hypotheses from real signals. Separate root cause from symptom, communicate status as you go, and close with what prevents a repeat.
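As an added example (not part of the original question or answer), the sketch below shows what "claw back the excess scope without re-consent" can look like in code: the authorization server clamps every live token's scopes to the customer's stored consent record at enforcement time, so `read:tickets` keeps working, `admin:org` becomes inert, and nobody is asked to re-consent; tokens minted to the partner that had the incident are revoked outright instead. The consent data model, the token fields, the org and client ids, and the `merge_scopes_buggy` reconstruction of the kind of scope-merge defect the question describes are all assumptions constructed for this illustration, not details from the page.

```python
"""Scope clamp, targeted revocation and the merge fix for over-scoped OAuth tokens.

Added example, not from the original page. Assumed data model: one consent
record per (org, client_id) holding the scopes the customer actually approved,
and a token store holding each live token's minted scopes. All ids and sample
tokens below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple

Scopes = FrozenSet[str]


@dataclass(frozen=True)
class Token:
    token_id: str
    org: str
    client_id: str
    scopes: Scopes  # scopes as minted (possibly over-broad)


# Constructed sample data: what each customer org approved for each partner app.
CONSENTS: Dict[Tuple[str, str], Scopes] = {
    ("org-a", "partner-ok"): frozenset({"read:tickets"}),
    ("org-b", "partner-ok"): frozenset({"read:tickets", "write:tickets"}),
    ("org-a", "partner-breached"): frozenset({"read:tickets"}),
}

# Constructed live tokens as an audit would list them; t1 and t3 carry the
# excess admin:org scope.
LIVE_TOKENS: List[Token] = [
    Token("t1", "org-a", "partner-ok", frozenset({"read:tickets", "admin:org"})),
    Token("t2", "org-b", "partner-ok", frozenset({"read:tickets"})),
    Token("t3", "org-a", "partner-breached", frozenset({"read:tickets", "admin:org"})),
    Token("t4", "org-b", "partner-ok", frozenset({"read:tickets", "write:tickets"})),
]

# Partner clients known to have had a security incident (assumed).
COMPROMISED_CLIENTS: Set[str] = {"partner-breached"}


def merge_scopes_buggy(requested: Scopes, extra: Scopes) -> Scopes:
    """Hypothetical reconstruction of the class of defect described: a merge
    that unions in scopes from another source instead of intersecting with
    what the customer consented to."""
    return requested | extra


def merge_scopes_fixed(requested: Scopes, approved: Scopes) -> Scopes:
    """Root-cause fix at issuance: a token never carries more than the
    requested scopes the customer approved for this client."""
    return requested & approved


def effective_scopes(token: Token, consents: Dict[Tuple[str, str], Scopes]) -> Scopes:
    """Enforcement-time clamp: intersect minted scopes with the consent record
    on every authorization check. Legitimate scopes keep working, the excess
    is inert, and no re-consent is needed for already-issued tokens."""
    approved = consents.get((token.org, token.client_id), frozenset())
    return token.scopes & approved


def triage(tokens: List[Token], consents: Dict[Tuple[str, str], Scopes],
           compromised: Set[str]) -> Dict[str, List[str]]:
    """Sort live tokens into: clean, clamp-only (over-broad but partner not
    compromised), revoke (any token minted to a compromised partner)."""
    result: Dict[str, List[str]] = {"clean": [], "clamp": [], "revoke": []}
    for t in tokens:
        over_broad = bool(t.scopes - effective_scopes(t, consents))
        if t.client_id in compromised:
            result["revoke"].append(t.token_id)
        elif over_broad:
            result["clamp"].append(t.token_id)
        else:
            result["clean"].append(t.token_id)
    return result


def authorize(token: Token, required: str,
              consents: Dict[Tuple[str, str], Scopes], revoked: Set[str]) -> bool:
    """Resource-server check: reject revoked tokens, then test the clamped scope."""
    if token.token_id in revoked:
        return False
    return required in effective_scopes(token, consents)


if __name__ == "__main__":
    plan = triage(LIVE_TOKENS, CONSENTS, COMPROMISED_CLIENTS)
    revoked = set(plan["revoke"])
    print("triage:", plan)
    for t in LIVE_TOKENS:
        print(t.token_id, "read:tickets ->", authorize(t, "read:tickets", CONSENTS, revoked),
              "admin:org ->", authorize(t, "admin:org", CONSENTS, revoked))
```

The clamp is the mitigation step that buys time: it neutralises the excess scope for all ~2,000 tokens at once, before any token is revoked or any customer is contacted. The breached partner's tokens are revoked regardless of scope because their possession can no longer be trusted; since the consent records are kept, that partner can obtain fresh tokens through the normal authorization flow, silently where the server honours stored consent. `merge_scopes_fixed` is the root-cause change that prevents a repeat, and should ship with a regression test that asserts issued scope is a subset of approved scope.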