AI agent discovery in ISPM

Use Okta Identity Security Posture Management (ISPM) to find AI agents in your org's managed and unmanaged apps, including shadow AI agents. You can also assess each agent's ownership, its permissions, and the resources it can impact.

AI agents often access sensitive data in your org through OAuth grants or direct connector integrations without IT knowledge or approval. These unmanaged agents, known as shadow AI agents, operate outside of established security governance. Left undetected and unmanaged, they can undermine your org's security posture, become a vulnerability that threat actors exploit, and cause audit and compliance issues.

For example, a user might grant an AI productivity tool full access to your org's Salesforce data either through an OAuth grant or by building an agent inside your integration without IT approval or visibility. ISPM detects this connection, surfaces it for review, and lets you act on it immediately.

ISPM helps you discover shadow AI agents across managed apps and unmanaged apps.

AI agent discovery within managed apps

After you integrate a connector with ISPM and grant the necessary permissions, Okta automatically collects and analyzes metadata about AI agents from your connected sources. You can view the discovered agents and their details on the Discovered agents page in the ISPM console:

  • Agent owners

  • Operational status in managed apps

  • Permissions granted to the agent

You can also view the agents based on the agent builder platform without checking each platform individually. This helps you identify and mitigate risks proactively. (Currently, ISPM can discover AI agents that were built using Salesforce Agentforce.)

You can filter for agents by app access. This lets you see which agents can access important resources and drill down into the agent details to view the agent's permissions for other apps. If the agent should be allowed to continue operating in your org, you can register it in Okta directly from the Discovered agents page.

Shadow AI agent discovery using the SAM plugin

When you configure the Okta Secure Access Monitor (SAM) plugin in your managed browser, it captures OAuth tokens that users grant to apps in real time. Okta analyzes these signals, tags AI-related grants, and surfaces them on the Browser OAuth grants page in the ISPM console.

From this page, you can identify shadow AI agents in unmanaged apps and register them as managed identities in Okta. You can discover scopes that grant elevated privileges to critical resource apps. You can also surface unauthorized SaaS apps, reducing your regulatory and data-residency risks. Filter and investigate grants by client app, resource app, or scope, and then revoke access or register agents directly.

To view the access scope granted on a resource, you can filter for OAuth grants whose client app is a common AI tool.

The AI Agent OAuth Grant with Privileged Scopes issue detection helps you track OAuth grants with risky scopes and provides the relevant contextual data. Okta determines risky scopes by the resource app, focusing on scopes that provide over-privileged access to the resource app.

You can use contextual information, such as risky scopes, browser users, and the OAuth grant relationships between apps, to assess the grant and the risk it poses to your org's security posture.
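The triage described above, as an added example that is not Okta's detection logic or ISPM's data schema: it keeps grants whose client app is on an assumed AI-tool list and flags scopes that an assumed per-resource-app policy marks as over-privileged, grouping users by client and resource app. The record fields, app names, and risky-scope map are all assumptions, and the sample grants are constructed.

```python
# Added illustration; field names, app names and the scope policy are
# assumptions, not Okta's schema or detection logic.

# Assumed policy: scopes treated as over-privileged, keyed by resource app.
RISKY_SCOPES = {
    "salesforce": {"full", "api"},
    "google_workspace": {"https://www.googleapis.com/auth/drive",
                         "https://mail.google.com/"},
    "microsoft_365": {"Mail.ReadWrite", "Files.ReadWrite.All"},
}
AI_CLIENTS = {"example-ai-notetaker", "example-ai-assistant"}  # constructed names

# Constructed sample grants (user, client app, resource app, granted scopes).
SAMPLE_GRANTS = [
    {"user": "a.lee@example.com", "client_app": "example-ai-notetaker",
     "resource_app": "salesforce", "scopes": "api refresh_token"},
    {"user": "b.kim@example.com", "client_app": "Example-AI-Notetaker",
     "resource_app": "salesforce", "scopes": "full"},
    {"user": "c.roy@example.com", "client_app": "example-ai-assistant",
     "resource_app": "google_workspace",
     "scopes": ["https://www.googleapis.com/auth/drive.readonly"]},
    {"user": "d.ng@example.com", "client_app": "example-ai-assistant",
     "resource_app": "microsoft_365", "scopes": "Mail.ReadWrite,offline_access"},
    {"user": "e.fox@example.com", "client_app": "example-crm-sync",
     "resource_app": "salesforce", "scopes": "full"},  # not an AI client
]

def normalize_scopes(raw):
    """Accept a space- or comma-delimited string, or a list; return a set."""
    if isinstance(raw, str):
        raw = raw.replace(",", " ").split()
    return {s.strip() for s in raw if s.strip()}

def triage(grants, risky=RISKY_SCOPES, ai_clients=AI_CLIENTS):
    """Return {(client, resource): {"users", "risky_scopes"}} for AI grants
    holding at least one scope the policy marks risky for that resource."""
    findings = {}
    for g in grants:
        client, resource = g["client_app"].lower(), g["resource_app"].lower()
        if client not in ai_clients:
            continue
        # Scope names are case-sensitive, so they are compared as granted.
        hits = normalize_scopes(g["scopes"]) & risky.get(resource, set())
        if hits:
            entry = findings.setdefault(
                (client, resource), {"users": set(), "risky_scopes": set()})
            entry["users"].add(g["user"])
            entry["risky_scopes"] |= hits
    return findings
```

Because the policy is keyed by resource app, the same scope string is only flagged where it is over-privileged for that resource, and a read-only grant to an AI client produces no finding.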

Related topics

Discover AI agents in managed apps

Discover shadow AI agents using the SAM plugin

Assess AI agents that have privileged OAuth scopes