Assess AI agents that have privileged OAuth scopes
The AI Agent OAuth Grant with Privileged Scopes issue detection tracks OAuth grants to AI agents that carry risky scopes and provides the relevant context for each grant. Okta determines which scopes are risky per resource app, focusing on scopes that give the client more access to the resource app than it needs. Assess each issue to understand the potential impact of the grant, identify the browser user, and remediate the grant.
The user listed as the browser user is the user who was signed in to a managed browser at the time the OAuth token was granted. This is not necessarily the user who actually approved the token with the excessive scopes, so treat the browser user as the starting point of your investigation rather than as confirmation of who granted access.
Before you begin
- Ensure that the Okta Secure Access Monitor (SAM) browser plugin is configured and deployed to your managed browsers.
- Check that the SAM plugin is configured for the Okta org that you connected as a source in ISPM.
- When you first configure the plugin, it may take up to two days for the data to appear in ISPM. After that, the data is synced daily.
Start this task
- In the ISPM console, go to the page.
- Locate and select OAuth grants with excessive scopes to AI agents to view a list of active issues.
- Assess the client and resource apps, the excessive scopes, the browser user, and the other information associated with each OAuth grant.
- Select an OAuth grant to learn more.
- Remediate the OAuth grant depending on the resource app type:
  - Managed apps: Reduce or revoke the scopes from the app's admin console.
  - Unmanaged apps: Contact the user who granted the OAuth token and scopes and ask them to reduce or revoke the scopes.
- Optional. Snooze or acknowledge the issue, or mark it as a false positive:
  - Go back to the AI agent OAuth grants with excessive scopes issues list.
  - Click the dismiss icon for the specific issue.
  - Select one of the following options:
    - Snooze: Select this option if you want ISPM to hide the issue for now but display it again if it recurs.
    - Acknowledge: Select this option if you want ISPM to stop displaying this issue.
    - False positive: Select this option if what ISPM detected was incorrect or irrelevant.
