OAuth scopes are the labels an integration uses to declare what it intends to do with a customer's account. A scope like 'calendar.events.read' grants read access to the calendar; 'calendar.events.write' adds the ability to create or change events. A serious integration asks for the minimum scopes it needs and no more.
Lazy integrations ask for broad scopes ('full access') because narrower ones require thinking about which API calls the agent actually makes. The cost lands on the customer: an over-scoped integration is a larger blast radius if anything goes wrong, and a larger compliance review during procurement.
For a CX-AI buyer, the right diligence is to ask for the scope list per CRM integration and look for evidence of intentional narrowing. A vendor that hands over a list of three or four targeted scopes per integration has done the work. A vendor whose answer is "we ask for admin" has not.
Vorel CRM adapters request the minimum scopes per integration, documented per adapter. Adding a new feature that needs broader scope is a customer-visible upgrade event, not a silent expansion.

