Okta able to build more AI Agents with new Okta Platform and Auth0 Platform capabilities

Kristen Swanson, SVP of Design and Research at Okta

Secure identity vendor Okta has announced enhancements to the capabilities of both the Okta Platform and the Auth0 Platform. This lets organizations build secure, standards-first AI agents that can be seamlessly woven into an identity security fabric for end-to-end lifecycle management. As part of the fabric, organizations will also be able to issue and verify tamper-proof digital credentials, helping establish trust and address rising AI-powered fraud.

The growth in risk makes these capabilities necessary. AI agents are already in use by 91% of organizations. They promise immense productivity gains, but they also amplify existing security gaps and introduce new classes of risk. Despite this, governance of AI is lagging, with only 10% of organizations having a strategy for managing non-human identities. This is not a theoretical risk. Real-world incidents, such as the AI hiring bot that exposed millions of applicants’ data to hackers who tried the password ‘123456’, highlight the threats posed by misconfigured or unmanaged AI agents.

AI agents need to be secure by design, with purpose-built controls for identity, access, and authorization, and built on a new generation of standards that enable secure interoperability between agents, applications, and systems. This makes agents fabric-ready, meaning they can plug into an identity security fabric for holistic visibility, control, and governance for every type of identity across ecosystems at scale. In this new landscape, where AI agents operate at machine speed with high privileges and ephemeral lifecycles, and AI-driven deepfakes blur the line between legitimate users and malicious impersonators, fragmented architectures and legacy solutions can no longer keep up.

“AI is changing the workplace faster than organizations can adapt. We’re starting to see poorly built, deployed, or managed agents expose the risks of using a traditional patchwork of identity solutions,” said Kristen Swanson, SVP of Design and Research at Okta. “The modern enterprise requires an identity security fabric that can unify silos and reduce the attack surface. Our latest innovations weave agents into that fabric to manage their entire identity lifecycle, leveraging open standards like Cross App Access that help elevate the entire industry and create a more secure AI-powered ecosystem.”

Okta for AI Agents provides end-to-end security for the AI Agent lifecycle. Okta for AI Agents seamlessly integrates AI agents into the identity security fabric for end-to-end security. It provides visibility to discover and identify risky agents, centralized control to manage their access, and automated governance to enforce security policies and manage their entire identity lifecycle. Phase 1 is planned to be available in EA, FY27 Q1, and Phase 2 in GA, FY27.

Swanson was excited by what’s coming up on the horizon here, particularly around Okta’s Oktane event.

“Oktane is always awesome, but this year it’s going to be more powerful than ever before,” she said. “We’ll be discussing how Okta secures AI across the entire identity lifecycle. The rise of AI agents is creating an entirely new, unpredictable workforce that can access sensitive data at machine speed. My conversations with peers show a clear trend – most organizations are using AI agents, but very few have a strategy to manage them. I can’t wait to see everyone at the keynotes, sessions, and hands-on labs to explore how to build a unified identity security fabric that can manage every identity – human and non-human – across every app and resource.”

Okta for AI Agents benefits from Identity Security Posture Management (ISPM), which lets organizations discover AI agents and identify potential security risks with service accounts, API keys, and OAuth tokens. Universal Directory helps establish and manage AI agent identities, attributing risk classification and ownership to every non-human identity. Users can also enforce security policies to apply the principle of least privilege, providing AI agents with the access they need only for the time they need it. Cross App Access (XAA), a new open protocol, standardizes how AI agents and applications connect securely, while Okta Privileged Access (OPA) will enforce security policies to provide the right level of access for agents that use static credentials like service accounts or API keys. Finally, Okta Identity Governance (OIG) provides comprehensive audit trails and activity logging for all agent actions and decisions. Identity Threat Protection with Okta AI (ITP) continuously monitors user activity and employs behavioural analytics to identify anomalous behaviour and trigger automated remediations to maintain security posture throughout active sessions.

“Okta Threat Intelligence research uncovered a new Phishing-as-a-Service (PhaaS) operation called VoidProxy,” Swanson noted. “It’s designed to bypass standard authentication processes and allow threat actors to easily create and deploy phishing pages. This discovery shows the importance of phishing-resistant authenticators like Okta FastPass that protect users, and are easier to use than passwords.”

Cross App Access (XAA) extends OAuth to secure agent-driven and app-to-app interactions across the enterprise. With support from industry leaders like Automation Anywhere, AWS, Boomi, Box, Glean, Google Cloud, Grammarly, Miro, Salesforce, and WRITER, XAA shifts control from individual applications to the identity layer, enabling real-time visibility, policy-driven security, and safer integrations. XAA will soon be available with out-of-the-box support in Auth0, enabling B2B SaaS developers to build applications and AI tools that can natively participate in the protocol. It also complements Auth0 for AI Agents to simplify how developers embed identity-first security into AI-driven applications. Together, XAA and Auth0 for AI Agents make it easier to deliver secure, “fabric-ready” applications, where each agent identity is governed and every connection is protected – at scale and with minimal developer effort. For enterprises, XAA is now available within the Okta Platform in EA, enabling customers to experience it and benefit from the below as more organizations adopt the protocol:

“As our customers scale their use of agentic AI, providing a secure and trusted platform is our top priority,” said Marla Hay, SVP, Product, Salesforce. “We’re excited to see the continued investment into securing agentic workflows with XAA and to work together to bring Okta’s valuable identity insights into Salesforce Security Center, helping shared customers manage their security posture with greater confidence.”

“Enterprises everywhere are grappling with how to safely harness AI with company data,” said Sunil Agrawal, Chief Information Security Officer at Glean. “Our customers rely on Glean to unify that knowledge and empower AI agents to take meaningful action. Glean agents act strictly on behalf of the user – with no extra privileges. Cross App Access takes that principle even further and represents the next step toward making it more secure and seamless for AI agents to connect across systems. We’re excited to support this emerging protocol and to help guide the industry toward standards-based agent interactions.”

Woven into the identity security fabric, the Okta Verifiable Digital Credentials (VDC) platform, planned to be available in FY27, enables organizations to issue and verify tamper-proof, reusable identity data – like government IDs, employment records, or certifications. It reduces AI-powered fraud and friction during onboarding by providing a way for people to digitally prove their identity and eligibility. End users will also gain a simplified, streamlined experience when interacting with consumer apps and websites, eliminating tedious manual verification. Built on open standards for maximum control and future interoperability, VDCs will help establish trust in a world of AI agents, enabling secure, privacy-preserving credentials that help prove who someone is, what they’ve done, or what they’re allowed to do. Beginning with a new Digital ID verification feature, planned to be available in EA Q4 FY26, businesses will be able to natively verify government-issued IDs, initially supporting mobile driver’s licenses with plans to expand to more forms of identification in the future.