Manage AI agents
Early Access release. See Enable self-service features. Use of Okta for AI Agents is subject to the applicable Okta for AI Agents Terms (Early Access).
Okta for AI Agents gives customers the ability to manage their org's AI agents. This helps ensure that AI agents are accountable and operate with least privilege, so they become a managed part of your digital workforce instead of a security risk. The Okta for AI Agents solution enables human to agent connections, as opposed to agent-to-agent connections.
Okta for AI agents is only available for Okta Workforce Identity customers on Identity Engine.
Benefits
Using Okta to manage your AI agents helps you centralize security and control over their identities.
- Enforce least privilege
- Minimize an AI agent's attack surface by granting access with policy-constrained scopes and methods.
- Centralized control and compliance reporting
- Centralized management brings every agent action into a unified control plane, making interactions fully auditable within Okta System Logs.
- Elimination of standing privileges
- Time-bound access and enforced policies help eliminate the need for risky, permanent credentials for agents and users.
- Enhanced security posture
- Security teams confidently deploy and connect AI agents with clear visibility into connections, permissions, and risks.
- Reduced user friction
- The agent completes tasks for users automatically, so they can enjoy a seamless experience without repeated access requests.
Key features and components
This end-to-end framework helps establish control across the entire lifecycle of an AI agent, ensuring visibility, least privilege, and governance.
| Setting | Goal |
Key Action |
|---|---|---|
|
Get visibility into AI agents that are currently in use. |
Discover unauthorized OAuth grants that often enable unregistered AI agents to access critical resources. |
|
|
Formalize an AI agent's identity. |
Super admins establish the agent as a first-class, non-human identity in the Universal Directory (UD) with assigned human ownership. |
|
|
Enforce least privilege access. |
Apply rule-based access policies using Managed Connections, dictating allowed resources and required protocols. |
|
|
Enforce least privilege access and help meet compliance requirements. |
Streamline requesting access to linked apps and periodically certify and remediate existing access. |
How it works
The following workflow details how you can achieve visibility, least privilege, and governance across the AI agent lifecycle by implementing the four-phase security model.
Detect and discover
After you configure the Okta Secure Access Monitor (SAM) plugin, it monitors managed browsers for new OAuth grants to apps. OAuth grants often enable AI agents to access data and take actions on the user's behalf without requiring the user to share their sign-in credentials with that app.
Okta Identity Security Posture Management (ISPM) ingests the data, analyzes it, and provides you with the visibility you need into shadow IT use for your org. This enables you to take immediate remediation actions against OAuth grants that enable shadow AI agents. You can revoke the grants or register these agents in Okta to ensure appropriate oversight.
Register and provision
Once the system identifies an AI agent, the super admin registers it in the Universal Directory. This establishes the agent as a non-human object, and helps ensure clear governance through assigned human ownership and defined accountability. Each agent is assigned to a human owner who serves as the designated point of accountability for the agent's identity and lifecycle. While super admins perform the technical setup and configuration, the owner is responsible for certifying its intended use, approving access requirements, and overseeing the agent's long-term compliance. This process provides the agent with a formal identity record in UD, assigns clear human accountability, and issues the necessary authentication credentials for policy creation.
Secure and authorize
This phase helps you establish an enterprise control plane for registered Okta AI agents called Managed Connections. Okta AI agents are designed to request tokens from Okta when accessing external resources to perform tasks. Managed connections allow you to define precisely which resources an AI agent is authorized to access by requesting a token.
You can connect an AI agent to an authorization server that's supported by Cross App Access, which grants the AI agent access to resources that are protected by an Okta custom authorization server. In these scenarios, you can specify a predefined set of scopes that an AI agent is permitted to request. This enforces the principle of least privilege and removes the need for end users to interact with consent pages from external resources.
Managed connections can also facilitate access to vaulted static credentials, such as pre-configured service accounts and secrets. Regardless of the method used, the AI agent's access to external resources is governed by Okta based on admin-defined policies.
Govern
In this final phase, AI agents are integrated into Okta Identity Governance processes to maintain security, compliance, and auditing throughout their lifecycle. You can manage user access to agents through an Access Requests resource catalog with defined approval policies. Time-bound access automatically revokes privileges when the approved period ends, preventing indefinite standing access. Regular Access Certifications campaigns and detailed System Logs ensure continuous auditability of all agent-related actions.