Please visit our Oktane 2025 page for complete coverage of the event.Managing and securing AI agents through identity management and governance is one of Okta's primary missions, Okta Regional Chief Security Officer for the Americas Matt Immler told us last week at the
Oktane 2025 conference in Las Vegas.
"What we're mainly looking at is what we can do to put guardrails around AI," Immler said.
He added that
Cross App Access, a proposed open-source addition to the OAuth protocol backed by Okta, is "a way to ensure that when an AI agent is being utilized by somebody, that it is acting as that user," and can be used to implement the principle of least privilege on AI agents.
Immler also elaborated on how to detect and defeat unauthorized AI usage, or "shadow AI," and told us how Okta itself is using
AI in its own products.
The unmanaged state of AI agents, and how they're not regular NHIs
IT teams and
identity-management systems have had a lot of experience dealing with non-human identities (NHIs) such as service accounts, APIs, bots and other semi-autonomous machines and programs that have some control over other machines and programs.
But AI agents are
very different from regular NHIs, Immler said, and need to be handled differently. NHIs have specific, unchanging tasks, are given limited privileges and abilities and can be counted on to deliver consistent results.
"When you're talking about regular non-human identities, typically we're talking about service accounts," he said. "They have a specific purpose, they repeat the same action over and over and over again in perpetuity."
AI agents, on the other hand, are given the liberty to do practically anything and, given the opportunity, often will.
"AI agents, by their very nature, are very, very highly privileged accounts," Immler said. "You have an AI agent, it could maybe do it this way one day, this way another day, and it's going to change the way it's doing it based on how it learns from the data that it receives and the input it receives. So the big difference is really predictable versus unpredictable."
Too long a leash
AI agents are seldom restricted by the organizations running them, he added. That's partly due to necessity, because you would want an AI agent to have access to data and leeway to perform its functions.
"A lot of places will say, 'Okay, AI agent, here's your token to access this back-end system, whatever it might be,'" he said. "And it's fully privileged and it can access anything it wants immediately."
That may be what led to the recent
Salesloft Drift incident, Immler said. In that case, OAuth tokens for an AI chatbot with wide-ranging access were stolen and used to steal data from Salesforce cloud instances belonging to several companies, including well-known cybersecurity providers, that themselves used the Drift AI agent.
"An AI agent was compromised. A bunch of those tokens that are utilized to access that backend data of all their customers were stolen," he said.
However, as Immler pointed out, Okta, itself a Drift user, was not affected because it had imposed controls on the use of the stolen OAuth token.
"We had controls on our back end saying, 'We know where that token should be being used from. We know where it accesses, what it's supposed to access,'" he explained. "Then when it was used outside of that context, we were able to block it."
To prevent future breaches like the Salesloft one, Immler said, other organizations need to limit the scope of the authorization tokens given to AI agents to access sensitive data, especially customer data. They also need to understand that AI agents don't come with many safety features or restrictions like firm guardrails or hard limits.
How Cross App Access imposes controls
Putting those guardrails and limits on AI agents is what Okta aims to do with Cross App Access. Immler likened having such controls to having car insurance.
"You buy a car, you expect that car to come with certain safety features," he said. "But you are not going to be really modifying that car. You are not going to be changing those safety features. You have to rely on the manufacturer to do that."
To augment the safety features, car owners buy insurance for additional protection. Cross App Access does the same for AI, Immler said.
"Somebody breaks the AI model, they break the agent, they get past whatever controls are there from the manufacturer, what happens after that?" he asked. "Our main focus is how do we put those guardrails on so that should the agent start acting in a way that it's not supposed to or not intended to, based on the user and the use case? We have something in place to prevent it from going any further."
Restricting privileges
Under Cross App Access, compatible with any identity-management system that uses OAuth, the AI agent is issued authorization tokens in line with organizational policies. It has no more privileges, and possibly even fewer, than the human using the AI agent.
The AI agent can't go anywhere or do anything the human can't, and at least in Okta's identity-management offerings, a human is assigned the responsibility for each and every AI agent.
"Maybe [the AI agent] only has read-only privileges instead of the user who might have read-write," he explained. "Or maybe it can only access certain types of folders or certain applications, it doesn't maybe have the full-fledged rights of that user."
"It doesn't matter what it [the AI agent] thinks it can do or what it wants to do," Immler added. "It's hitting these hard limits based on the policy set forth."
Because of the strict restrictions imposed by Cross App Access, organizations can leverage it to implement the
principle of least privilege, a key part of a
zero-trust framework, upon AI agents. In other words, the agent will have only the access it needs to complete its task and no more.
Immler explained that Okta and Cross App Access can also enforce more advanced forms of least privilege on AI agents. Just-in-time privileges are granted only at the beginning of a specified task and then revoked when the task is completed. With zero standing privileges, a user has no permanent privileges at all and gets temporary ones only when needed.
"You are only giving them the least privileged level of access that they need," he said. "And then as they need additional access, you do that kind of in a just-in-time model."
Detecting shadow AI and how Okta uses AI
But what if a user installs an AI agent without the approval or knowledge of the IT department? Immler said it's not difficult to detect such instances using standard network-traffic monitors.
"With any sort of monitoring software," he said, "we've got all sorts of things that we have in place to do device posture checks on our systems, so we know what is installed, when it's installed."
He added that users will generally try to install such "
shadow AI," or unauthorized software of any kind, when an organization doesn't give them authorized tools adequate to perform certain tasks. The simplest solution is to provide software that will do the job.
"If there are good approved tools and training in place and the company is trying to responsibly roll it out, generally users are going to tend to use those approved tools and versions," Immler said. "That makes it a little bit harder for them to go outside of those tools to do their work when they have things that you prefer more readily available."
Okta itself is in the process of incorporating AI into its own identity-security offerings, Immler said, especially to spot behavioral anomalies and misconfigurations.
"Something that raises that risk score of the user to say that maybe there needs to be some sort of action taken, maybe the account needs to be blocked until security can look at what's going on," he said. "Trying to figure out what could be a misconfiguration, what is abnormal behavior, and how we can take those risk signals into play."
