Certify AI agents
Early Access release
You can use Okta Access Certifications to review and certify access to resources, including apps linked to active AI agents (linked apps). Use campaigns and security access reviews to do this.
Campaigns
A campaign is an access review from a certification and compliance perspective.
While you can use both Resource and User campaigns to certify and remediate access to AI agents, Resource campaigns help you focus on the AI agent and linked apps and who has access to those. Resource campaigns enable you to set the resource scope for your campaign so that you can review all users who have access to those resources. This campaign type helps you review access to sensitive resources, identify conflicting entitlement assignments based on separation of duties rules, and meet compliance requirements.
Running campaigns periodically helps ensure that your users have the right level of access to resources like apps, app-associated service accounts and entitlements, and groups.
There are two primary personas (in addition to some others) involved:
- Admin
  A super or access certifications admin (for campaigns). The admin is responsible for setting up and configuring the campaign or security access review, and then defining its scope and launching it.
- Reviewer
  The user responsible for making governance decisions. Depending on whether you use a campaign or security access review, a reviewer can be one of the following types:
  - User's manager
  - Group owner
  - Resource owner
  - Specific user
  - User dynamically assigned with a custom Okta Expression Language (OEL) expression
  Reviewers access their assigned review items from the Okta Access Certifications Reviews or Okta Security Access Reviews app tile on their dashboard.
Security access reviews
A security access review evaluates a user's access to sensitive resources, their level of access, and the method used to grant access in response to security incidents. Use these to review access to sensitive resources, including apps linked with AI agents. However, security access reviews don't specifically indicate apps that are linked to AI agents.
Get started
- Read the Access Certifications overview to learn more about campaigns.
- Complete the set of initial setup tasks listed in the Get started topic.
- Update the campaign settings to include contextual information specific to AI agents for reviewers. See Customizable reviewer context.
- Use the steps listed in Create resource campaigns or Create user campaigns.
  Use Resource campaigns if you need clear visibility on who has access to AI agent-linked apps.
- When you create Resource campaigns that review access to AI agents, keep the following considerations in mind.
  - Resource settings: When configuring the campaign, you can select AI agents as the resource type to filter for only linked apps.
  - Reviewer settings: If you select Resource Owner as the reviewer type and the AI agent-linked app owner isn't defined or is deactivated, the review is assigned to the AI agent owner. This is applicable if an app has only one AI agent linked to it. If you select Resource Owner as the reviewer type and the AI agent owner attributes aren't defined or the owner is deactivated for an AI agent, then the review is assigned to the fallback reviewer.
- Refer to the topics listed as References to better understand how remediation and some other campaign features work.
- Understand the reviewer experience from an admin perspective. See Reviewer tasks in the Get started topic.
