
It’s pretty clear now that the next direction for AI is in Agents, with recent Okta research claiming the technology is now in use by a staggering 91% of organizations in some capacity.
Despite this widespread use though, only 10% of those surveyed reported having a ‘well developed strategy or roadmap for managing non-human identities’ – highlighting the worrying security deficit left as companies rush to make the most of new technology.
But Okta has a mission to address this, and at its Oktane 2025 event, the company, together with Auth0, is introducing a new set of security principles to ‘seamlessly integrate’ AI agents into the identity security fabric for end-to-end security – so organizations can take advantage of the productivity gains without fear of exposure.
TechRadar Pro spoke to Auth0 President Shiv Ramji and heard from Okta CEO and Co-founder Todd McKinnon to find out more.
Woven into the fabric
“Everyone is talking about AI, AI, AI – Agents are all the rage,” Ramji points out, but notes that very few companies have sufficient guardrails against potential breaches.
The purpose of these key new features is to unify security for the new age of AI agents, all within the Okta platform – and they come in three forms.
The first is ‘Okta for AI Agents’ – which allows for the seamless integration of AI agents into the identity security fabric. This helps users identify potential risks regarding their agents and provides visibility into their activity – all in one centralized platform with controls to manage access and automated governance.
There are four facets to this: detection, provision, authorization, and governance. With Identity Security Posture Management (ISPM), organizations can discover any potential service account risks, giving them a chance to be proactive against the threat.
Pretty much what they say on the tin, provision and authorization allow users to classify risks for non-human identities (NHIs) and enforce security policies with the principle of least privilege – giving AI agents access only when they need it.
Governance protocols look to control the risk of ‘agent sprawl’ – where agents move without a solid framework or oversight.
Tracking these NHIs is made a whole lot easier with Okta Identity Governance – which provides ‘comprehensive audit trails and activity logging for all agent actions and decisions.’
This is important – particularly given that agents have become a major blindspot in cybersecurity defenses in many cases, with an inherent lack of security intuition and of course, no cybersecurity training.
Industry-leading standards
The second, and perhaps most impactful feature, is ‘open, industry-leading standards for AI agents’ with Cross App Access (XAA). This extends OAuth to secure app-to-app interactions across the organization, and is supported by industry leaders like Google Cloud and Salesforce.
“It’s focused on security and access,” explains McKinnon. “It lets IT and security teams set the access policies upfront for these AI agents, which makes it open and transparent and visible to everyone involved.”
This is particularly important to elevate the industry standard and establish protocols to keep security teams ahead of threat actors across the world. This open standard is ‘the key to shaping the future of identity in the age of AI’.
“Open industry-leading standards like Cross App Access help everything in your fabric from the identities down to the resources, making sure they all speak the same language – and the Auth0 platform makes it incredibly easy to build fabric-ready agents and agentic systems,” McKinnon says.
XAA is set to become available with ‘out of the box support in Auth0, enabling B2B SaaS developers to build applications and AI tools that can natively participate in the protocol.’
Fabric-ready agents
Verifiable Digital Credentials (VDC), planned to become available in 2027, are aimed at establishing trust in AI agents and combatting AI fraud.
This enables developers to build AI agents with security front and centre, enabling organizations to ‘issue and verify tamper-proof, reusable identity data – like government IDs, employment records, or certifications.’
“The thing about AI agents is that they’re always on,” Ramji explains. “They can take any prompt and can go access any information. So there are a lot of security concerns with that.”
He gives an example of an agent tasked with booking travel. You give the agent the dates, location, budget, and preferences. It might not seem too complicated, but to do this, the agent needs access to a swath of personal information – from calendar access, credit cards, hotel rewards programs – and permissions to action the bookings.
“When I provision that agent to do that, first the agent needs to know that it’s doing this on my behalf. So I need to be authenticated, and of course the agent has to be authenticated too.”
This needs to be specific and fine-tuned. Your agent might need your credit card to book the hotel, but it doesn’t (and shouldn’t) know how much money you have or your spending history.
“Whether you’re building an agent or you’re building agentic services, which is something that an agent talks to, you can make sure that they’re fabric ready out of the box with the right levels of security and the right level of visibility,” McKinnon announces.
Customer approved
These new features were well received at Oktane. James Simcox, CTO of fintech company Equals Money, told us he was most excited about Okta for AI Agents so that his employees can safely experiment with new tools.
“We use AI agents internally ourselves right now, and there’s some we have that are approved,” he explains, “But I also know that our staff are doing lots of things they’re not supposed to be doing because they found this cool AI tool on Reddit – they really want to use it. And we don’t know they’re using it, right? So being able to report on that is really important for us.”
The overarching message from Okta is security, visibility, and governance – and the hope for these new features is not just to protect customers, but to elevate the security posture of the whole industry and beyond.