Non-human identities and AI agents

Okta Identity Security Posture Management (ISPM) helps secure both human and non-human identities (NHI) in your org. It also provides you with visibility on the AI agents that users create. See Discover shadow AI agents using OAuth grants.

Typically, human identities are associated with employee accounts. NHI can include service accounts, API keys, tokens, users with access to API keys and tokens, AI agents, and more. These identities are interconnected in complex ways. Human identities serve as the foundation and control point for NHI, while NHIs extend and amplify human capabilities across cloud platforms.

Traditional enterprise security solutions usually focus on protecting the human identities in an org. However, most SaaS apps also have non-human identities, and these often hold elevated privileges across many resources, sit inactive or stale, and are difficult to monitor.

For example, when an employee leaves a company, their account (human identity) gets deactivated. However, it's challenging to identify their associated service accounts, API keys, automation scripts, and machine identities that often have elevated access. These factors make NHIs a potential target for malicious actors.

Okta continuously pulls data from the apps and identity providers that you've integrated with ISPM. This allows ISPM to continuously discover the associated NHIs and report the issues it detects with these identities.

Depending on the app integration, ISPM analyzes the following NHIs based on their login methods:

  • User or system-created identities that are used for automations, integrations, or shared access.

  • API keys and tokens, such as AWS access keys, Okta API tokens, Snowflake key pairs, GitHub personal access tokens, and Secure Shell (SSH) keys.

  • AI Agents, such as Agentforce for Sales AI agents.

ISPM helps you manage the growing sprawl of NHIs in the following ways.

Discover NHIs

Get a prioritized list of service accounts, API keys, tokens, users with keys and tokens, and users associated with Salesforce.com AI Agents on the Non Human Identities page in the Inventory. ISPM prioritizes these based on the level of permissions and risk. For a given NHI, the page also displays details about identity types, privileges, login methods, and more. Click an account to view details about its login methods, such as key name, last rotation, and creation and expiration dates.

Also, when ISPM detects the following NHIs, it adds labels that make it easier to monitor, track, and filter:

  • User-created or system identities used for automations, integrations, or shared access.

    Label: Service Accounts

  • Users (employee users or service accounts) who have non-human login methods, such as keys and tokens associated with their account.

    Label: Keys or tokens

    ISPM also adds details such as key name, last rotation, and expiration date.

  • AI Agents associated with user identities

    Label: AI Agent

  • High privileges associated with non-human identities

    Label: Admin or Super Admin

Detect NHI-related issues

ISPM identifies and prioritizes active issues associated with NHI for your orgs and displays the information in the ISPM console. You can view a high-level count of NHI-specific issues in your org from the Non Human identities risk status category card on the Dashboard. You can also get a prioritized list of NHI-related issues on the Issues page. Currently, ISPM flags 19 issue detections with an NHI label. See Supported detections.

The NHI-related issue detections cover the following use cases and are aligned with the OWASP top NHI risks for 2025. Each entry lists the use cases covered by ISPM detections, followed by the associated OWASP category:

  • Overprivileged admin service accounts, unused service accounts, and unused tokens and keys

    OWASP category: NHI1:2025 Improper Offboarding; NHI5:2025 Overprivileged NHI; NHI3:2025 Vulnerable Third-Party NHI

  • Unrotated keys and tokens, unrotated passwords for service accounts, and risky and toxic combinations (such as no MFA, old password, and overprivileged admin service accounts)

    OWASP category: NHI4:2025 Insecure Authentication; NHI7:2025 Long-Lived Secrets

  • Console access to service accounts

    OWASP category: NHI9:2025 NHI Reuse; NHI10:2025 Human Use of NHI
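The discovery labels, the detections, and the OWASP mapping above describe a triage pipeline over an NHI inventory. The following is an added example of such a pipeline, written for this page and not Okta ISPM code: it takes a small constructed inventory of service accounts, keys, and an AI agent, fires detections for stale use, unrotated secrets, missing MFA, admin privilege, and console access, attaches the labels the page names, maps each detection to the OWASP NHI categories from the table, and returns a prioritized list. The record fields, the 90-day staleness threshold, the risk weights, the fixed clock, and the sample accounts are all assumptions; only the label names and the category mapping come from the page.

```python
"""Toy NHI inventory triage (added example, not Okta ISPM code).

Assumptions: record fields, the 90-day threshold, risk weights, the fixed
clock and the sample inventory are constructed. Label names and the
detection -> OWASP mapping come from the page.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)  # fixed clock (constructed)
STALE_AFTER = timedelta(days=90)                 # assumed threshold


@dataclass
class Nhi:
    name: str
    kind: str                      # "service_account", "api_key" or "ai_agent"
    owner: str                     # human identity the NHI is tied to
    privilege: str                 # "user", "admin" or "super_admin"
    mfa: bool                      # meaningful for accounts with a login
    last_used: Optional[datetime]
    last_rotated: Optional[datetime]
    console_access: bool = False   # interactive login enabled on a service account


# Detection -> OWASP NHI categories, as listed in the page's table
OWASP = {
    "overprivileged_admin": ["NHI5:2025 Overprivileged NHI"],
    "unused": ["NHI1:2025 Improper Offboarding"],
    "unrotated": ["NHI7:2025 Long-Lived Secrets"],
    "no_mfa": ["NHI4:2025 Insecure Authentication"],
    "console_access": ["NHI9:2025 NHI Reuse", "NHI10:2025 Human Use of NHI"],
}

# Assumed weights; the toxic combination the page describes gets a bonus
WEIGHTS = {"overprivileged_admin": 5, "no_mfa": 4, "unused": 3,
           "unrotated": 3, "console_access": 2}
TOXIC = {"overprivileged_admin", "unrotated", "no_mfa"}


def labels(n: Nhi) -> list[str]:
    """Labels the page says ISPM attaches to discovered NHIs."""
    out = {"service_account": ["Service Accounts"],
           "api_key": ["Keys or tokens"],
           "ai_agent": ["AI Agent"]}[n.kind][:]
    if n.privilege in ("admin", "super_admin"):
        out.append("Admin or Super Admin")
    return out


def detect(n: Nhi, now: datetime = NOW) -> list[str]:
    """Detections that fire for one NHI (missing timestamps count as stale)."""
    found = []
    if n.privilege in ("admin", "super_admin"):
        found.append("overprivileged_admin")
    if n.last_used is None or now - n.last_used > STALE_AFTER:
        found.append("unused")
    if n.last_rotated is None or now - n.last_rotated > STALE_AFTER:
        found.append("unrotated")
    if n.kind == "service_account" and not n.mfa:
        found.append("no_mfa")
    if n.kind == "service_account" and n.console_access:
        found.append("console_access")
    return found


def risk_score(detections: list[str]) -> int:
    score = sum(WEIGHTS[d] for d in detections)
    if TOXIC <= set(detections):   # no MFA + stale secret + admin rights
        score += 10
    return score


def prioritize(inventory: list[Nhi], now: datetime = NOW) -> list[dict]:
    """Highest risk first; identities with no detections are omitted."""
    rows = []
    for n in inventory:
        d = detect(n, now)
        if not d:
            continue
        rows.append({"name": n.name, "owner": n.owner, "labels": labels(n),
                     "detections": d,
                     "owasp": sorted({c for x in d for c in OWASP[x]}),
                     "score": risk_score(d), "toxic": TOXIC <= set(d)})
    return sorted(rows, key=lambda r: r["score"], reverse=True)


def days_ago(days: int) -> datetime:
    return NOW - timedelta(days=days)


# Constructed sample inventory (not real accounts)
INVENTORY = [
    Nhi("svc-billing-admin", "service_account", "alice", "super_admin", False,
        last_used=days_ago(200), last_rotated=days_ago(400), console_access=True),
    Nhi("aws-key-ci", "api_key", "bob", "user", False,
        last_used=days_ago(5), last_rotated=days_ago(120)),
    Nhi("agent-sales", "ai_agent", "carol", "user", True,
        last_used=days_ago(1), last_rotated=days_ago(10)),
    Nhi("github-pat-deploy", "api_key", "erin", "admin", False,
        last_used=None, last_rotated=days_ago(200)),
]

if __name__ == "__main__":
    for row in prioritize(INVENTORY):
        print(f"{row['score']:>3} {row['name']:<20} {row['labels']} "
              f"{row['detections']} -> {row['owasp']}")
```

The toxic-combination bonus is what pushes the stale, MFA-less super admin service account to the top of the list ahead of an admin token that is merely unused and unrotated; a missing last-used or last-rotated timestamp is treated as stale rather than ignored, because an NHI with no recorded activity is exactly the case the offboarding category is about.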

Remediate detected NHI issues

When ISPM detects NHI issues in your org, you can remediate those issues automatically or manually.

Automated remediation

Leverage existing integrations and automatically remediate NHI issues for your org using ISPM event hooks and Okta Workflows. For example, ISPM detects unused admin service accounts with old passwords and no MFA, which is a combination of high-risk issues. Configure event hooks in ISPM and set up flows in Workflows that are triggered by those hooks. You can configure the flows to take custom actions, such as automatically suspending the account and notifying the app owner.
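The scenario above (an event hook fires for an unused admin service account with an old password and no MFA, and a flow suspends the account and notifies the owner) is a policy decision a receiving endpoint has to make. The following is an added example of that decision logic, written for this page and not Okta's ISPM or Workflows code: it verifies that the delivered payload was signed with a shared secret, then turns the event into a list of actions, auto-suspending only when the full toxic combination is present and never auto-suspending accounts on an exclusion list. The event JSON shape, the signature scheme, the shared secret, the exclusion list, and the sample event are all assumptions constructed here.

```python
"""Remediation policy for an NHI issue event received through an event hook.

Added example, not Okta ISPM or Workflows code. The event shape, signature
scheme, shared secret, exclusion list and sample event are all constructed.
"""
from __future__ import annotations

import hashlib
import hmac
import json

SHARED_SECRET = b"constructed-demo-secret"   # assumed hook secret
NEVER_AUTO_SUSPEND = {"svc-breakglass"}       # assumed exclusion list
TOXIC = {"no_mfa", "old_password", "overprivileged_admin"}


def verify_hook(body: bytes, signature_hex: str) -> bool:
    """Accept only payloads signed with the shared secret (assumed scheme)."""
    expected = hmac.new(SHARED_SECRET, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signature_hex)


def plan_remediation(event: dict) -> list[dict]:
    """Translate one issue event into the actions a flow would take."""
    account = event["account"]
    detections = set(event["detections"])
    notify = {"action": "notify", "to": account["owner"],
              "subject": f"{event['issue']}: {account['name']}"}
    if not TOXIC <= detections:
        return [notify]                     # lower severity: owner decides
    if account["name"] in NEVER_AUTO_SUSPEND:
        return [{"action": "open_ticket", "account": account["name"],
                 "reason": "toxic combination on excluded account"}, notify]
    return [{"action": "suspend_account", "app": account["app"],
             "account": account["name"]}, notify]


def handle(body: bytes, signature_hex: str) -> list[dict]:
    """Entry point for a delivered hook: verify, then plan."""
    if not verify_hook(body, signature_hex):
        return [{"action": "reject", "reason": "bad signature"}]
    return plan_remediation(json.loads(body))


# Constructed sample event (not a real ISPM payload)
SAMPLE_EVENT = {
    "issue": "Unused admin service account with old password and no MFA",
    "detections": ["unused", "no_mfa", "old_password", "overprivileged_admin"],
    "account": {"name": "svc-billing-admin", "owner": "alice", "app": "Salesforce"},
}
SAMPLE_BODY = json.dumps(SAMPLE_EVENT).encode()
SAMPLE_SIG = hmac.new(SHARED_SECRET, SAMPLE_BODY, hashlib.sha256).hexdigest()

if __name__ == "__main__":
    for action in handle(SAMPLE_BODY, SAMPLE_SIG):
        print(action)
```

The exclusion list is the caveat a practitioner wants before turning on automatic suspension: a break-glass or business-critical service account that trips the same detections should raise a ticket for a human rather than be locked out by a flow.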

Manage service accounts

If you're subscribed to Okta Privileged Access, you can manage service accounts, secure their passwords, and implement other security measures for SaaS apps and Okta service accounts from the Admin Console. See Manage service accounts (Okta Identity Engine) or Manage service accounts (Okta Classic Engine).

Discover shadow AI agents using OAuth grants

Early Access release

Users often use unmanaged or unauthorized AI platforms and tools to build agents that automate their workflows. These AI tools, bots, and agents that aren't authorized or monitored by your org are known as shadow AI agents. Users grant OAuth 2.0 tokens for core business apps to these shadow AI agents to allow the agent to act on the user's behalf.

Okta for AI Agents gives you the ability to manage your org's AI agents. This helps ensure that AI agents are accountable and operate with least privilege, so they become a managed part of your digital workforce instead of a security risk. The solution enables human-to-agent connections, as opposed to agent-to-agent connections.

After you configure the Okta Secure Access Monitor (SAM) plugin across your managed browsers, ISPM automatically analyzes the OAuth grants data captured by the plugin and displays it on the Browser OAuth grants page of the ISPM console. ISPM also detects which grants are potentially being used to enable AI agents and tags them with an AI label. See Identify shadow AI agents using OAuth grants.

For the shadow AI agent builder apps with OAuth grants issue, you can either register the AI agent in Okta or take appropriate remedial actions to revoke access. See Register AI agents.

Related topics

Supported detections

Manage AI agents

Non-human and human identities: A unified approach