The era of simple prompt-and-response AI is behind us with the rapid emergence of agentic AI. From backend API orchestrations to autonomous customer service workflows, AI agents look to be the new digital workforce. But while productivity may soar, these "non-human identities" can operate in the shadows, wielding high-level access without the oversight of traditional identity protocols.
As visibility is the only antidote to this emerging risk, we are excited to announce that Agent Discovery, a feature of Okta Identity Security Posture Management, is now available in Early Access (EA). By capturing the "handshake" between employees and the AI tools they use, Okta provides the "first mile" of security, turning shadow AI agents into managed identities. The Agent Discovery feature is also available within Okta for AI Agents as part of ISPM. The broader Okta for AI Agents solution is also now available in EA.
The Visibility Gap: Critical Risks for Security Leaders
Today, security leaders struggle to answer critical questions, such as:
- Is our company leaking our intellectual property or customer data through unsanctioned AI tools?
- We’ve spent millions and approved AI builder platforms to accelerate productivity - but how much risk did we just buy? And what’s the worst-case scenario if it’s hacked?
- Which over-privileged, unrotated API keys are currently powering critical agents, and who is the human accountable if they go rogue?
If you’re working through these questions, you aren't alone. In the race to "agentize" the enterprise, we have created a massive visibility gap. Gaining clear visibility is essential to building confidence in your AI Agents security posture.
With Agent Discovery, you can gain this visibility with ease in four key stages. Here is a playbook to help you reclaim control over your AI estate:
Stage 1: Know your Crown Jewel AI Platforms agents
Authorization does not equal visibility. While AI teams build rapidly within sanctioned environments like Microsoft Copilot, Salesforce Agentforce, AWS Bedrock, OpenAI, Google Vertex AI and Gemini Enterprise, security teams often lack the admin access or specialized expertise to audit these production environments. Even for teams with the best resources available, the huge volume of agents makes manual oversight impossible.
As a consequence, this creates a dangerous accountability gap: you are held responsible for the blast radius of an AI breach, yet you have no way to verify the current state of risk. To prevent incidents, you need to be able to set and audit posture controls. However, can you even detect if an agent was granted "super admin" permissions to simplify its setup, or whether it is dangerously bridging access between critical production and insecure dev tenants?
After an incident, if an agent within these platforms is compromised, could you produce a specific list of the data it can access?
You are forced to trust but verify. However, without an automated inventory of agents and permissions, verification is impossible.
The Okta solution: You get deep-dives into these "Crown Jewels" to identify who owns which agent, what those agents are truly empowered to do, and where the top risks reside. This transforms your "approved" platforms from a hidden spot into a governed asset, so that "sanctioned" actually means "safe".
Stage 2: Discover Unknown powerful agents built in unsanctioned platforms
You cannot govern what you cannot see. While most organizations focus on a few approved tools, an unnoticed expansion of the attack surface may be occurring across your departments. This "Unknown Layer" of AI includes unsanctioned platforms, unvetted agent builders, and hidden MCP servers, all operating outside the view of Security and IT.
A critical driver of this risk is the OAuth grant. To make home-grown or hidden agents functional, employees grant them access to core business data via User Consent. This process generates an OAuth Token: a digital key that permits an app to access data and perform actions on a user's behalf.
The Okta solution: Okta Secure Access Monitor (SAM) Browser Plugin feeds ISPM with real-time OAuth signals to help you take control:
- Identify agents built on unapproved platforms
- Identify Over-Privileged Access: Surface specific "scopes" that grant agents dangerous permissions.
- Surface Shadow SaaS: Detect unauthorized apps that bypass legal and privacy reviews, exposing the organization to regulatory and data-residency risks.
With the Okta for AI Agents solution, Okta helps you bring these agents under governance by registering them as known, managed identities in Okta, applying secure policies, and assigning human owners.
Stage 3: Harden the identity layer - secure non-human identities
AI agents run on multiple Non-Human Identities (NHIs), including API tokens, access keys, service principals, and OAuth tokens. To secure AI, you must move beyond the "bot" and start hardening the technical keys that allow agents to act on your critical apps and data. This requires deep visibility into the graph connections between the AI agent, the person who created it, the specific NHIs powering it, and the apps it can access.
The Okta solution: Get visibility across multiple NHI types in SaaS, IdP, Cloud infrastructure, and On-Prem AD, all within a single view. It helps you dramatically reduce your AI Agents’ risks through more than 25 prioritized risk detections, mapped to OWASP Top 10 for NHIs to surface high-stakes gaps, like over-privileged or unrotated credentials, before they are weaponized to compromise your AI Agents.
Stage 4: Visibility turned into remediation: Consolidated Unified Identity Platform
Bring your discovered AI agents and their underlying NHIs into the same identity platform with Okta for AI Agents - that’s the Okta advantage. Okta is platform-neutral, so we help you discover agents no matter where they come from. This consolidation allows you to apply a consistent security policy across your entire workforce, human and non-human alike.
Conclusion: Identity Security is AI Security
The shift to an autonomous workforce doesn't have to be a choice between speed and safety. At its core, AI security is identity security. By integrating AI agents into your existing identity security fabric, you transform them from unknown risks into governed assets that fuel innovation without expanding your blast radius.
- Learn more: Explore how Okta secures AI from the first line of code, through the entire agent lifecycle.
- Curious how we do it? Check out a demo to see how we secure the lifecycle of AI agents.
* Any mention in this blog of solutions, features, functionalities, certifications, authorizations, or attestations that are not currently generally available or have not yet been obtained may not be delivered or obtained on time or at all. We assume no obligation to deliver on such items and you should not rely on them to make your purchase decisions.
