Identify shadow AI agents using OAuth grants
Early Access release
After you configure the Okta Secure Access Monitor (SAM) plugin across your managed browsers, Identity Security Posture Management (ISPM) automatically analyzes the OAuth grant data captured by the plugin. ISPM then displays it on the Browser OAuth grants page of the ISPM console. ISPM also detects which grants are potentially being used to enable AI agents and tags them with an AI label.
The Browser OAuth grants page provides you with a comprehensive view of OAuth grants that users provided to apps, especially unmanaged (shadow) apps that can build AI agents. This visibility is crucial for identifying shadow AI agents. Shadow AI agents are unmanaged agents that are used in your org without proper oversight or approval. By capturing data such as client apps, resource apps, and specific scopes, ISPM allows you to filter, sort, and investigate these connections directly. This enables you to take immediate remediation actions, such as registering these agents in Okta to bring them under management or revoking the grants.
Before you begin
- Ensure that the Okta Secure Access Monitor (SAM) browser plugin is configured and deployed to your managed browsers.
- Check that the SAM plugin is configured for the Okta org that you connected as a source in ISPM.
- When you first configure the plugin, it may take up to seven days for the data to appear in ISPM. After that, the data is synced daily.
Start this task
- In the ISPM console, go to the Browser OAuth grants page. This page displays an aggregated summary of OAuth grants captured by the SAM plugin.
- From the Category filter, select AI.
- Review the table to see connections between client apps and resource apps. You can review the information in the following columns to identify unknown or suspicious grants.
  - Client app: The app that requested access.
  - Resource app: The target app that holds the data being accessed.
  - First / Last seen: These time stamps indicate when the connection was first observed and when it was seen most recently.
- To investigate specific connections, select any row in the inventory table and review the details, such as the individual users who authorized the connection and the specific scopes that are granted.
- If a grant seems suspicious, reach out to the user and confirm whether they authorized it:
  - If the grant is authorized and related to AI agents, click Register. See Register AI agents.
  - If the grant is unauthorized, take the appropriate remediation actions.
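The review steps above can be mirrored in code when you want to prioritize which AI-tagged grants to investigate first. The following is an added example, not Okta or ISPM code; the record shape, the sample grants, and the list of broad scopes are constructed assumptions for illustration, not an ISPM export format or setting.

```python
from dataclasses import dataclass
from datetime import date

# Constructed record mirroring the fields shown on the Browser OAuth grants page.
# The shape is an assumption for this example, not an ISPM export format.
@dataclass
class OAuthGrant:
    client_app: str        # app that requested access
    resource_app: str      # app holding the data being accessed
    scopes: set            # scopes granted to the client app
    users: set             # users who authorized the connection
    first_seen: date
    last_seen: date
    category: str          # e.g. "AI" as tagged by ISPM
    registered: bool = False  # True once the agent is registered in Okta

# Illustrative scopes that grant broad or write access and deserve a closer look.
BROAD_SCOPES = {"offline_access", "mail.readwrite", "files.readwrite.all", "directory.read.all"}

# Constructed sample data.
SAMPLE_GRANTS = [
    OAuthGrant("meeting-notes-bot", "Google Workspace", {"calendar.readonly"},
               {"a@example.com"}, date(2025, 5, 1), date(2025, 5, 20), "AI", registered=True),
    OAuthGrant("inbox-agent", "Microsoft 365", {"mail.readwrite", "offline_access"},
               {"b@example.com", "c@example.com"}, date(2025, 5, 18), date(2025, 5, 21), "AI"),
    OAuthGrant("slides-helper", "Google Workspace", {"presentations"},
               {"d@example.com"}, date(2025, 4, 2), date(2025, 4, 3), "Productivity"),
]

def triage(grants, as_of):
    """Return AI-category grants not yet registered in Okta, most urgent first.
    Urgency order: number of broad scopes, then user count, then most recently seen."""
    hits = []
    for g in grants:
        if g.category != "AI" or g.registered:
            continue
        broad = sorted(s for s in g.scopes if s.lower() in BROAD_SCOPES)
        hits.append({
            "client_app": g.client_app,
            "resource_app": g.resource_app,
            "broad_scopes": broad,
            "user_count": len(g.users),
            "active_days": (g.last_seen - g.first_seen).days,
            "days_since_seen": (as_of - g.last_seen).days,
        })
    hits.sort(key=lambda h: (-len(h["broad_scopes"]), -h["user_count"], h["days_since_seen"]))
    return hits

if __name__ == "__main__":
    for hit in triage(SAMPLE_GRANTS, date(2025, 5, 22)):
        print(hit)
```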
