Date: 2025-09-29

The unique characteristics of AI agents force identity-security providers to create a new class of identity that combines the speed and scope of non-human identities with the unpredictability and untrustworthiness of human users, Okta Senior Vice President of Design and Research Kristen Swanson said at the Oktane 2025 conference last week.

"We at Okta have secured machines that were deterministic for a long time. And we've secured unpredictable, non-deterministic humans for a long time," Swanson told us in an interview Sept. 24. "AI agents are actually both of these things. They're machines, but they're also non-deterministic."

A new kind of identity

Swanson also outlined how the new Cross App Access standard enforces access restrictions upon AI agents and explained why an AI agent always needs a human to take responsibility for its actions.

The day after we spoke to Swanson, Okta Co-Founder and CEO Todd McKinnon told the audience at his Oktane keynote address that identity providers have never encountered anything like AI agents.

"They're kind of like a piece of software, kind of like a system account, kind of like a person — somewhere in between," McKinnon said.

And that, Swanson said, raises the stakes when it comes to defining, managing and securing identities.

"AI agents are really increasing the need for best practices in identity security," she said. "We see the scale that this problem brings as a unique moment for Okta."

The most basic type of identity in a computer system is that of a human user, who can be tremendously creative and innovative, but also devious and untrustworthy. Humans tend to deviate from their assigned tasks, for better or for worse, so they must be tightly controlled by passwords or other means of verification and strict access management.

But humans' ability to cause harm is limited by their relative slowness to act, their ease of identification, and their need to periodically eat and sleep.

Far more prevalent than humans are non-human identities (NHIs) assigned to machines, applications, scripts and processes that autonomously interact with other such entities. One example might be a monitoring program that adjusts the configurations of industrial machines or other programs. Another might be a script that runs a series of orchestrated routines.

NHIs are very fast, very efficient, and most importantly, very predictable. They're designed to do specific things and no more. They can run 24/7, they're essential to modern-day enterprise and cloud computing, and they're kind of dull. You should neither expect nor desire chaos or creativity from NHIs, which is why you can trust them to do things on their own and not mess them up.

Identity-management systems generally control NHIs more loosely than humans. NHIs' credentials to access other applications are often static, sometimes even hard-coded, which creates a background risk if an attacker can steal or abuse those credentials.

Close to human

NHIs are also so rapidly created that most organizations don't know exactly how many they've got. But NHIs are so trustworthy that there's little chance of one going rogue.

With AI, going rogue is kind of the whole point. As Swanson points out, AI agents and LLMs are non-deterministic, a polite euphemism for chaotic and unpredictable. Type the same prompt into ChatGPT three times and you'll get three different results. A regular NHI would give you exactly the same thing each time.

That's what makes AI models so appealing to humans. They act like us. They seem to think like us. They're exciting. And like us, they can make things up, be deliberately deceptive, and try to sneak into places they shouldn't be.

But if we want AI models to help us do our jobs, we have to give them a degree of autonomy akin to that of regular NHIs. We need them to act on their own, to have agency. The problem is that we can never be sure what kind of action an AI agent will take, or even if it's acting in our own best interests.

So, as Okta sees it, we cannot give AI agents the same kind of loose supervision we give NHIs. We need to strictly manage, monitor and control them in the way we handle human users. And we need to account for the fact that AI agents don't eat, don't sleep and seem to move at the speed of light.

"The next decade will be defined by how we secure AI," said McKinnon in his Oktane keynote.

That's why Okta designates AI agents alongside human users and user groups as "first-class identities" needing the highest level of supervision and access management.

Bringing AI agents under control

"We actually had to build a new data model that incorporates the best of the non-deterministic human piece," Swanson told us. "Like everything we need to know about a human, how we manage that, as well as everything we know about a machine, the scale of a machine, the tokens that a machine needs, and put those things together."

Okta has helped develop a proposed extension to the open-source OAuth standard that treats AI agents like human users by limiting what the agents can access and can do. Okta calls it Cross App Access; other identity providers may use different names.

Cross App Access also changes the permissions model used by AI agents. By default, an agent has wide ability to act, but as a safeguard, it asks its human user to authorize every action it would like to take. That's a good idea in theory, but in practice it can quickly lead to notification fatigue, and many humans will soon start clicking "Yes" to every request.

"The reason people are requesting a lot of approval for everything is because they're giving the agents so much scope," Swanson said.

Cross App Access shifts the authorization burden from individual human users to an organization's security policy, dropping each AI agent into a permissions lane appropriate to its task and role. The agent can work without waiting for authorization at each step; the human is relieved of notification overload.

"Cross App Access is going to unlock when we can really define the scopes for what's in policy and then what's out of policy," Swanson told us, "and determine strategically and by design where we want those security approvals and speedups."

Swanson said that this also limits the potential exposure that comes when organizations, eager to reap the benefits of AI, implement too many AI agents, give them too much leeway and, as with regular NHIs, sometimes leave them running after their tasks have been completed.

Where the buck stops

"The agents, we find this in our research, they're over-permissioned, and they're frankly not governed," she said. "They don't really get spun up and spun down in an intentional way."

Part of Okta's governance model is that even though AI agents are constrained by the organization's policies, each agent also needs a human master to take ultimate responsibility for its actions.

This is because someone must be held accountable if something goes wrong, in the way that a dog's owner is at fault if the dog bites someone. We're simply not ready to grant "personhood" to artificial intelligence.

"You're giving these AI agents, they've got human-like powers, human-like abilities, but ultimately the responsibility has to be with a person, a human being," Swanson said.

In Okta's user interface, the "owner" of each AI agent is clearly designated. Combined with Cross App Access and the reclassification of AI agents as a top-tier identity category, this puts AI agents at the center of what Okta calls its "identity security fabric," managed according to company policies to a similar degree as human users.

"What you're going to start seeing in the product is the ability to have AI agents as first-class identities in your meta directory in Okta, so that you can provide that best practice and experience for an agent that is potentially owned by a human," Swanson told us. "The creation of this new entity type is going to allow us to apply these standards and these policies at a much broader scale."