
Summary
This rule detects an Okta service application acquiring an OAuth2 access token through the client_credentials grant type with one or more dangerous management scopes (okta.users.manage, okta.factors.manage, okta.apps.manage, okta.groups.manage, okta.policies.manage). Because client_credentials grants are app-to-app and carry no user subject, a service app holding management scopes effectively has org-wide administrative access should the token be misused.

The detection targets Okta.SystemLog events of type app.oauth2.token.grant.access_token and requires grantType = client_credentials, grantedScopes containing at least one dangerous scope, and an actor that is a service app (PublicClientAppEntity). The rule is designed as a pre-exploitation signal: it fires when the capability is acquired, before any scope is used. It deliberately does not fire for authorization_code grants, for benign scopes, or when the actor is a user or the target contains a user. The included tests cover positive detections (service-app token grants with dangerous scopes) and negative cases (benign scopes, other grant types, and user actors or targets).
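The detection logic described above, as an added example that is not the rule's own code, run over constructed sample events. It assumes a System Log layout with eventType at the top level, actor.type and target[].type, and grantType / grantedScopes under debugContext.debugData (grantedScopes arriving either as a space- or comma-separated string or as a list); the sample events and the helper names are constructed for illustration.

```python
# Added example, not the rule's own code. Assumed event layout: eventType at the
# top level, actor.type and target[].type, and grantType / grantedScopes under
# debugContext.debugData (grantedScopes as a delimited string or a list).
DANGEROUS_SCOPES = frozenset({
    "okta.users.manage", "okta.factors.manage", "okta.apps.manage",
    "okta.groups.manage", "okta.policies.manage",
})

def granted_scopes(event: dict) -> set:
    """Normalise grantedScopes, which may arrive as a string or a list."""
    debug = (event.get("debugContext") or {}).get("debugData") or {}
    raw = debug.get("grantedScopes") or ""
    if isinstance(raw, str):
        raw = raw.replace(",", " ").split()
    return {s.strip() for s in raw if s and s.strip()}

def dangerous_client_credentials_grant(event: dict) -> set:
    """Return the dangerous scopes that make the event fire (empty set if it does not).

    Fires only for app.oauth2.token.grant.access_token events whose actor is a
    service app, whose target contains no user, and whose grant type is
    client_credentials; everything else is a negative case by design.
    """
    if event.get("eventType") != "app.oauth2.token.grant.access_token":
        return set()
    if (event.get("actor") or {}).get("type") != "PublicClientAppEntity":
        return set()
    if any((t or {}).get("type") == "User" for t in event.get("target") or []):
        return set()
    debug = (event.get("debugContext") or {}).get("debugData") or {}
    if debug.get("grantType") != "client_credentials":
        return set()
    return granted_scopes(event) & DANGEROUS_SCOPES

# Constructed sample events (not real log data); actor display names are placeholders.
def _event(actor_type, grant_type, scopes, targets=()):
    return {
        "eventType": "app.oauth2.token.grant.access_token",
        "actor": {"type": actor_type, "displayName": "sample-service-app"},
        "target": [{"type": t} for t in targets],
        "debugContext": {"debugData": {"grantType": grant_type, "grantedScopes": scopes}},
    }

SAMPLE_EVENTS = {
    "service_app_manage": _event("PublicClientAppEntity", "client_credentials", "okta.users.manage okta.groups.read"),
    "service_app_read_only": _event("PublicClientAppEntity", "client_credentials", "okta.users.read"),
    "auth_code_manage": _event("PublicClientAppEntity", "authorization_code", "okta.users.manage", targets=["User"]),
    "service_app_user_target": _event("PublicClientAppEntity", "client_credentials", "okta.apps.manage", targets=["User"]),
    "user_actor_manage": _event("User", "client_credentials", ["okta.apps.manage"]),
}

if __name__ == "__main__":
    for name, ev in SAMPLE_EVENTS.items():
        hits = dangerous_client_credentials_grant(ev)
        print(f"{name}: {'ALERT ' + ', '.join(sorted(hits)) if hits else 'no alert'}")
```

Only the first sample fires; the others exercise the negative cases the summary lists (benign scopes, an authorization_code grant, a user target, and a user actor).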
Categories
- Cloud
- Identity Management
Data Sources
- Cloud Service
- Application Log
ATT&CK Techniques
- T1550.001
- T1098
- T1556.006
Created: 2026-06-11