Date: 2025-09-26

Okta, Inc. announced new Okta Platform and Auth0 Platform capabilities, enabling organisations to build secure, standards-first AI agents that can be seamlessly woven into an identity security fabric for end-to-end lifecycle management. As part of the fabric, organisations will also be able to issue and verify tamper-proof digital credentials, helping establish trust and address rising AI-powered fraud.

AI agents–already in use by 91% of organisations–promise immense productivity gains but also amplify existing security gaps and introduce new classes of risk.

Despite this, governance of AI is lagging, with only 10% of organisations having a strategy for managing non-human identities [1].

This is not a theoretical risk; real-world incidents, such as the AI hiring bot that exposed millions of applicants’ data to hackers [2] who tried the password ‘123456’, highlight the threats posed by misconfigured or unmanaged AI agents.

AI agents need to be secure by design, with purpose-built controls for identity, access, and authorisation, and built on a new generation of standards that enable secure interoperability between agents, applications, and systems.

This makes agents fabric-ready, meaning they can plug into an identity security fabric for holistic visibility, control, and governance for every type of identity across ecosystems at scale.

In this new landscape, where AI agents operate at machine speed with high privileges and ephemeral lifecycles, and AI-driven deepfakes blur the line between legitimate users and malicious impersonators, fragmented architectures and legacy solutions can no longer keep.

By 2027, Gartner predicts [3] that identity fabric immunity principles will prevent 85% of new attacks.

“AI is changing the workplace faster than organisations can adapt. We’re starting to see poorly built, deployed, or managed agents expose the risks of using a traditional patchwork of identity solutions,” said Kristen Swanson, SVP of Design and Research, Okta. “The modern enterprise requires an identity security fabric that can unify silos and reduce the attack surface. Our latest innovations weave agents into that fabric to manage their entire identity lifecycle, leveraging open standards like Cross App Access that help elevate the entire industry and create a more secure AI-powered ecosystem.”

End-to-End Security for the AI Agent Lifecycle with Okta for AI Agents

Okta for AI Agents seamlessly integrates AI agents into the identity security fabric for end-to-end security. It provides visibility to discover and identify risky agents, centralised control to manage their access, and automated governance to enforce security policies and manage their entire identity lifecycle. It is planned to be available with Phase 1 in EA in FY27 Q1 and Phase 2 in GA in FY27.

Detect and discover: With Identity Security Posture Management (ISPM), organisations can discover AI agents and identify potential security risks with service accounts, API keys, and OAuth tokens.

Provision and register: Universal Directory helps establish and manage AI agent identities, attributing risk classification and ownership to every non-human identity.

Authorise and protect dynamically: Enforce security policies to apply the principle of least privilege, providing AI agents with the access they need only for the time they need it. Cross App Access (XAA), a new open protocol, standardises how AI agents and applications connect securely, while Okta Privileged Access (OPA) will enforce security policies to provide the right level of access for agents that use static credentials like service accounts or API keys.

Govern, monitor, and respond: Okta Identity Governance (OIG) provides comprehensive audit trails and activity logging for all agent actions and decisions. Identity Threat Protection with Okta AI (ITP) continuously monitors user activity and employs behavioural analytics to identify anomalous behaviour and trigger automated remediations to maintain security posture throughout active sessions.

Securing Agent and App interactions with Cross App Access

Cross App Access (XAA) extends OAuth to secure agent-driven and app-to-app interactions across the enterprise. With support from industry leaders like Automation Anywhere, AWS, Boomi, Box, Glean, Google Cloud, Grammarly, Miro, Salesforce, and WRITER, XAA shifts control from individual applications to the identity layer, enabling real-time visibility, policy-driven security, and safer integrations.

XAA will soon be available with out-of-the-box support in Auth0, enabling B2B SaaS developers to build applications and AI tools that can natively participate in the protocol. It also complements Auth0 for AI Agents to simplify how developers embed identity-first security into AI-driven applications. Together, XAA and Auth0 for AI Agents make it easier to deliver secure, “fabric-ready” applications, where each agent identity is governed and every connection is protected — at scale and with minimal developer effort.

For enterprises, XAA is now available within the Okta Platform in EA, enabling customers to experience it and benefit from the below as more organisations adopt the protocol:

Centralised policy-based access management: IT and security teams control what data apps or agents can access, allowing for consistent enforcement and real-time visibility.

Enhanced security and auditability: Unauthorised requests can be audited or blocked. This reduces hidden connections and blind trust while providing the ability to immediately revoke access in case of an incident.

Reduced user friction: By pre-approving agent-to-app or app-to-app connections, XAA reduces the number of consent prompts a user encounters, leading to a more seamless experience.

“As our customers scale their use of agentic AI, providing a secure and trusted platform is our top priority,” said Marla Hay, SVP, Product, Salesforce. “We’re excited to see the continued investment into securing agentic workflows with XAA and to work together to bring Okta’s valuable identity insights into the Salesforce Security Center, helping shared customers manage their security posture with greater confidence.”

“Enterprises everywhere are grappling with how to safely harness AI with company data. Our customers rely on Glean to unify that knowledge and empower AI agents to take meaningful action,” said Sunil Agrawal, Chief Information Security Officer, Glean. “Glean agents act strictly on behalf of the user – with no extra privileges. Cross App Access takes that principle even further and represents the next step toward making it more secure and seamless for AI agents to connect across systems. We’re excited to support this emerging protocol and to help guide the industry toward standards-based agent interactions.”

Preventing AI Fraud with Verifiable Digital Credentials

Woven into the identity security fabric, the Okta Verifiable Digital Credentials (VDC) platform, planned to be available in FY27, enables organisations to issue and verify tamper-proof, reusable identity data – like government IDs, employment records, or certifications. It reduces AI-powered fraud and friction during onboarding by providing a way for people to digitally prove their identity and eligibility. End users will also gain a simplified, streamlined experience when interacting with consumer apps and websites, eliminating tedious manual verification.

Built on open standards for maximum control and future interoperability, VDCs will help establish trust in a world of AI agents, enabling secure, privacy-preserving credentials that help prove who someone is, what they’ve done, or what they’re allowed to do.

Beginning with a new Digital ID verification feature, planned to be available in EA Q4 FY26, businesses will be able to natively verify government-issued IDs, initially supporting mobile driver’s licenses with plans to expand to more forms of identification in the future.