What CISOs need to know about AI agent runtime security

New Stanford, SACR research supports an identity-first approach to securing AI agents 

About Okta

Okta

Okta, Inc. is The World’s Identity Company™. We secure AI, machine, and human identity so everyone is free to safely use any technology. Our customer and workforce solutions empower businesses and developers to protect their AI agents, users, employees, and partners while driving security, efficiencies, and innovation. Learn why the world’s leading brands trust Okta for authentication, authorization, and more at okta.com.

22 April 2026

Organizations aren't short on AI agents – they're short on controls for them. With over 3 million agents operating globally and active agent identities reaching thousands per team, manual oversight is already impossible.

A new report from Software Analyst Cyber Research (SACR) and the Stanford Graduate School of Business offers guidance for navigating this challenge. Runtime Security for AI Agents: An Identity Governance Perspective finds that traditional identity controls were designed for humans and predictable machine identities – not autonomous agents that reason, chain actions, and interact with a changing set of tools and data sources on their own. The report concludes that agents must be treated as first-class identities and secured as runtime actors.

To help manage this fleet of agents, the report identifies three layers of runtime security:

  1. Deterministic governance: Policy engines defining what an agent can and cannot access. Table stakes, but insufficient alone.

  2. Non-deterministic behavioral analysis: Visibility into what agents are actually doing, including behavioral tracking and anomaly detection.

  3. Non-deterministic governance: Real-time signals driving dynamic policy decisions and escalation controls.

Within those layers, the researchers offer guidelines to help security leaders navigate and secure AI agents. Here are our top takeaways for security leaders: 

Start with deterministic governance and layer authorization in tiers

Every organization deploying agents needs a policy engine. But an agent operating entirely within its permitted scope can still cause significant damage through intent drift, prompt injection, or combining permitted actions in unauthorized ways. 

The strongest approaches operate authorization at multiple tiers: constraining agents to their human operator's permissions, defining coarse-grained scopes, and enabling fine-grained control over individual resources. Organizations should review agent access rights with the same rigor that they already apply to humans.

Know your agent archetypes

The report identifies three categories of agents with distinct security requirements:

  • Homegrown agents: Custom-built in cloud infrastructure, where sprawl outpaces governance

  • SaaS platform agents (e.g., Copilot Studio, Agentforce): Where agents inherit standing access from their creator through the "maker identity problem"

  • Local developer tools (e.g., Cursor, Claude Code): Running on employee workstations, invisible to cloud-based security controls, and storing credentials in plaintext. The report calls this "the largest blind spot in most enterprise agent security programs today."

CISOs should map their agent populations across all three categories before evaluating platforms, and prioritize vendors whose enforcement surface matches where agents actually operate.

Treat MCP security as a distinct requirement

MCP is becoming a primary way agents access external tools and data, making it "not just an integration standard, but a live control surface for agent behavior." But the ecosystem is immature: according to the SACR report, 53% of public MCP servers rely on static secrets hardcoded into configuration or source code, only 8.5% use OAuth, and tool poisoning attacks succeed at a 72.8% rate.

Vendors are taking two approaches: a gateway approach routing traffic through a centralized proxy, and a direct-access approach integrating natively with underlying systems. The researchers conclude that comprehensive MCP security requires both.

Plan for governance at scale

As deployments mature, first-order questions like "how many agents do we have?" will evolve into scaling challenges: classifying agents, templating privileges, automating approvals, and handling orphaned agents. The vendors that endure will connect runtime enforcement with scalable governance rather than treating every agent as a bespoke exception.

Where Okta comes in

Okta helps organizations answer three critical questions: Where are my agents? What can they connect to? What can they do?


Okta's strongest differentiation, according to the researchers, is consolidation. With 19,000 customers already managing human and service-based account workloads, Okta is not building a new security layer – it is extending the existing identity fabric to treat agents as first-class identities alongside human users. "The single control plane vision eliminates tool sprawl across identity types," according to the researchers. 


Here’s a look at how Okta's capabilities map to the four-part runtime security framework outlined in the report: 

Continuous observability

Okta provides full audit trails that capture every agent authorization event, complete with actor ID, user context, and the outcome of the authorization. This gives security teams a complete, auditable record of what every agent accessed and under what permissions. The Okta dashboard also ensures continuous discoverability across all AI agent platforms.

Behavioral tracking

Through the Secure Access Monitor (SAM) browser plugin, Okta tracks and monitors for new OAuth grants, providing visibility into how and when users are authorizing new AI tools. This capability captures activity from platforms like Claude Code and other MCP server calls, helping to establish a baseline of normal agent and tool usage within the organization.

Intent-based authorization

Okta’s approach to authorization operates at three distinct tiers to ensure an agent’s actions align with its intended purpose. First, the user’s own context constrains the agent to their existing permissions. Second, coarse-grained scopes define the general categories of actions an agent can perform. Finally, fine-grained authorization enables policy-level control over specific resources and operations.

This model is built on the Identity Assertion Grant (ID-JAG), an open standard co-developed by Okta. ID-JAG ensures an agent’s permissions are always bound by the user’s access rights, even when interacting with tools across different domains. The researchers highlighted this framework as "one of the most architecturally rigorous approaches to delegated agent permissions."

Control and escalation

Okta enables human-in-the-loop controls through CIBA-based (client-initiated backchannel authentication) workflows. These can programmatically trigger an approval step via an application or email before an agent is allowed to execute a high-risk action. For immediate threats, global token revocation provides a "hard stop" mechanism to instantly disable a risky or compromised agent.
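As an added illustration of the three-tier authorization model and the escalation and hard-stop controls described above, the following Python sketch evaluates one agent action through user context, coarse scope and fine-grained resource policy, then flags high-risk actions for a human approval step. It is example code written for this page, not Okta's implementation or the ID-JAG or CIBA protocols themselves; every user, agent, scope and resource name is constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Decision:
    allowed: bool
    tier: str                      # which tier produced the decision
    needs_approval: bool = False   # True when a human-in-the-loop step is required


# Constructed sample data (hypothetical, not from Okta or the report).
USER_PERMISSIONS = {"alice": {"crm:read", "crm:write", "crm:export", "tickets:read"}}
AGENT_SCOPES = {"sales-assistant": {"crm:read", "crm:write", "crm:export"}}
RESOURCE_OWNERS = {"crm/account/acme": {"alice"}, "crm/account/globex": {"bob"}}
HIGH_RISK_ACTIONS = {"crm:export"}   # actions that pass policy but still need a human approval
REVOKED_AGENTS: set[str] = set()     # "hard stop": agents whose tokens have been revoked


def revoke(agent: str) -> None:
    """Global revocation: every later request from this agent is refused outright."""
    REVOKED_AGENTS.add(agent)


def authorize(agent: str, user: str, action: str, resource: str) -> Decision:
    """Three-tier check: user context -> coarse scope -> fine-grained resource policy."""
    if agent in REVOKED_AGENTS:
        return Decision(False, "revoked")
    # Tier 1: the agent can never exceed the permissions of the human it acts for.
    if action not in USER_PERMISSIONS.get(user, set()):
        return Decision(False, "user-context")
    # Tier 2: coarse-grained scopes granted to the agent identity itself.
    if action not in AGENT_SCOPES.get(agent, set()):
        return Decision(False, "scope")
    # Tier 3: fine-grained policy on the specific resource (here: ownership).
    if user not in RESOURCE_OWNERS.get(resource, set()):
        return Decision(False, "resource-policy")
    # Control and escalation: allowed, but high-risk actions wait for an approval step.
    return Decision(True, "resource-policy", needs_approval=action in HIGH_RISK_ACTIONS)


if __name__ == "__main__":
    print(authorize("sales-assistant", "alice", "crm:read", "crm/account/acme"))
    print(authorize("sales-assistant", "alice", "crm:export", "crm/account/acme"))
```

A real deployment would replace the dictionaries with the policy engine's data and treat `needs_approval=True` as the trigger for the backchannel approval request rather than as a final answer.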

Looking ahead

The transition to the agentic enterprise is already underway – in many organizations, faster than the control plane required to secure it. As the report concludes: "The core challenge for the next several years will not be whether enterprises adopt agents, but whether they can do so with enough visibility, governance, and runtime control to preserve trust in the systems those agents touch."

The researchers offer a guiding principle for meeting this challenge: Agents must be treated as first-class identities and secured as runtime actors. This is the foundation Okta is building on: extending the identity fabric organizations already trust to discover, govern, and control the agents increasingly doing work on their behalf.

To learn more about securing AI agents, read the full report.

