New Okta innovations secure the AI-driven enterprise and combat fraud with an identity security fabric

About Okta


Okta, Inc. is The World’s Identity Company™. We secure Identity, so everyone is free to safely use any technology. Our customer and workforce solutions empower businesses and developers to use the power of Identity to drive security, efficiencies, and success — all while protecting their users, employees, and partners. Learn why the world’s leading brands trust Okta for authentication, authorization, and more at okta.com.

25 September 2025


LAS VEGAS – September 25, 2025 – Okta, Inc. (NASDAQ: OKTA), the leading independent identity partner, today announced new Okta Platform and Auth0 Platform capabilities, enabling organizations to build secure, standards-first AI agents that can be seamlessly woven into an identity security fabric for end-to-end lifecycle management. As part of the fabric, organizations will also be able to issue and verify tamper-proof digital credentials, helping establish trust and address rising AI-powered fraud.

 

Why it Matters:

  • AI agents–already in use by 91% of organizations–promise immense productivity gains but also amplify existing security gaps and introduce new classes of risk. 

  • Despite this, governance of AI is lagging, with only 10% of organizations having a strategy for managing non-human identities.

  • This is not a theoretical risk; real-world incidents, such as the AI hiring bot that exposed millions of applicants' data to hackers who tried the password '123456', highlight the threats posed by misconfigured or unmanaged AI agents. 

  • AI agents need to be secure by design, with purpose-built controls for identity, access, and authorization, and built on a new generation of standards that enable secure interoperability between agents, applications, and systems.

  • This makes agents fabric-ready, meaning they can plug into an identity security fabric for holistic visibility, control, and governance for every type of identity across ecosystems at scale. 

  • In this new landscape, where AI agents operate at machine speed with high privileges and ephemeral lifecycles, and AI-driven deepfakes blur the line between legitimate users and malicious impersonators, fragmented architectures and legacy solutions can no longer keep up.

  • By 2027, Gartner predicts that identity fabric immunity principles will prevent 85% of new attacks. 

 

“AI is changing the workplace faster than organizations can adapt. We’re starting to see poorly built, deployed, or managed agents expose the risks of using a traditional patchwork of identity solutions,” said Kristen Swanson, SVP of Design and Research, Okta. “The modern enterprise requires an identity security fabric that can unify silos and reduce the attack surface. Our latest innovations weave agents into that fabric to manage their entire identity lifecycle, leveraging open standards like Cross App Access that help elevate the entire industry and create a more secure AI-powered ecosystem.”

 

End-to-End Security for the AI Agent Lifecycle with Okta for AI Agents 

Okta for AI Agents seamlessly integrates AI agents into the identity security fabric for end-to-end security. It provides visibility to discover and identify risky agents, centralized control to manage their access, and automated governance to enforce security policies and manage their entire identity lifecycle. It is planned to be available with Phase 1 in EA in FY27 Q1 and Phase 2 in GA in FY27.

  • Detect and discover: With Identity Security Posture Management (ISPM), organizations can discover AI agents and identify potential security risks with service accounts, API keys, and OAuth tokens.

  • Provision and register: Universal Directory helps establish and manage AI agent identities, attributing risk classification and ownership to every non-human identity.

  • Authorize and protect dynamically: Enforce security policies to apply the principle of least privilege, providing AI agents with the access they need only for the time they need it. Cross App Access (XAA), a new open protocol, standardizes how AI agents and applications connect securely, while Okta Privileged Access (OPA) will enforce security policies to provide the right level of access for agents that use static credentials like service accounts or API keys.

  • Govern, monitor, and respond: Okta Identity Governance (OIG) provides comprehensive audit trails and activity logging for all agent actions and decisions. Identity Threat Protection with Okta AI (ITP) continuously monitors user activity and employs behavioral analytics to identify anomalous behavior and trigger automated remediations to maintain security posture throughout active sessions.


Securing Agent and App interactions with Cross App Access

Cross App Access (XAA) extends OAuth to secure agent-driven and app-to-app interactions across the enterprise. With support from industry leaders like Automation Anywhere, AWS, Boomi, Box, Glean, Grammarly, Miro, and WRITER, XAA shifts control from individual applications to the identity layer, enabling real-time visibility, policy-driven security, and safer integrations. 

 

XAA will soon be available with out-of-the-box support in Auth0, enabling B2B SaaS developers to build applications and AI tools that can natively participate in the protocol. It also complements Auth0 for AI Agents to simplify how developers embed identity-first security into AI-driven applications. Together, XAA and Auth0 for AI Agents make it easier to deliver secure, “fabric-ready” applications, where each agent identity is governed and every connection is protected — at scale and with minimal developer effort.

 

For enterprises, XAA is now available within the Okta Platform in EA, enabling customers to experience it and benefit from the following as more organizations adopt the protocol:

  • Centralized policy-based access management: IT and security teams control what data apps or agents can access, allowing for consistent enforcement and real-time visibility.

  • Enhanced security and auditability: Unauthorized requests can be audited or blocked. This reduces hidden connections and blind trust while providing the ability to immediately revoke access in case of an incident.

  • Reduced user friction: By pre-approving agent-to-app or app-to-app connections, XAA reduces the number of consent prompts a user encounters, leading to a more seamless experience.


“Enterprises everywhere are grappling with how to safely harness AI with company data. Our customers rely on Glean to unify that knowledge and empower AI agents to take meaningful action," said Sunil Agrawal, Chief Information Security Officer, Glean. "Glean agents act strictly on behalf of the user – with no extra privileges. Cross App Access takes that principle even further and represents the next step toward making it more secure and seamless for AI agents to connect across systems. We’re excited to support this emerging protocol and to help guide the industry toward standards-based agent interactions."


Preventing AI Fraud with Verifiable Digital Credentials

Woven into the identity security fabric, the Okta Verifiable Digital Credentials (VDC) platform, planned to be available in FY27, enables organizations to issue and verify tamper-proof, reusable identity data – like government IDs, employment records, or certifications. It reduces AI-powered fraud and friction during onboarding by providing a way for people to digitally prove their identity and eligibility. End users will also gain a simplified, streamlined experience when interacting with consumer apps and websites, eliminating tedious manual verification.

Built on open standards for maximum control and future interoperability, VDCs will help establish trust in a world of AI agents, enabling secure, privacy-preserving credentials that help prove who someone is, what they've done, or what they're allowed to do. 

Beginning with a new Digital ID verification feature, planned to be available in EA Q4 FY26, businesses will be able to natively verify government-issued IDs, initially supporting mobile driver's licenses with plans to expand to more forms of identification in the future. 



 

Disclaimer: Any products, features, functionalities, certifications, authorizations, or attestations referenced in this material that are not currently generally available or have not yet been obtained or are not currently maintained may not be delivered or obtained on time or at all. Product roadmaps do not represent a commitment, obligation or promise to deliver any product, feature, functionality, certification or attestation and you should not rely on them to make your purchase decisions.

 
