Truth in IT
    • Sign In
    • Register
        • Videos
        • Channels
        • Pages
        • Galleries
        • News
        • Events
        • All
Truth in IT Truth in IT
  • Data Management ▼
    • Converged Infrastructure
    • DevOps
    • Networking
    • Storage
    • Virtualization
  • Cybersecurity ▼
    • Application Security
    • Backup & Recovery
    • Data Security
    • Identity & Access Management (IAM)
    • Zero Trust
    • Compliance & GRC
    • Endpoint Security
  • Cloud ▼
    • Hybrid Cloud
    • Private Cloud
    • Public Cloud
  • Webinar Library
  • TiPs
  • DRAW

How Okta Secures AI Agents with Identity Security

Okta
04/11/2026
0 (0%)
Share
  • Comments
  • Download
  • Transcript
Report Like Favorite
  • Share/Embed
  • Email
Link
Embed

Transcript


Please welcome Okta's Chief Executive Officer and Co-Founder, Todd McKinnon. Hello, Oktane, wow. This is amazing. Thank you so much for being here, customers, partners. We love customers. We love partners, investors. We love investors. Competitors, hey, don't laugh. They have to figure out what they're going to be working on for the next few years. We're happy to share all of our hard work with all of you. We're very excited. My dad is here. Welcome to Oktane, Dad. Nice to have you here. This is very cool. So in the room, it's official. I got the update. This is the biggest in-room crowd ever for Oktane, bigger, yeah, bigger. It beats the record of 2019, which was the previous record. So I think that means COVID is officially over. Congratulations, everyone. We are thrilled to have you here for the most important security event of the year. Last year, I told you a story of how Okta was on this journey to be the most secure company in the world. This year, the story is about how Okta is still on that journey and is working on and made a lot of accomplishments toward being the most secure company in the world, but also how we're doing that and embracing and transforming with AI. Because there's a huge opportunity, this is the most obvious statement I'll make today, but there's a huge opportunity for all of us with AI. It's the biggest platform shift since the internet. It's bigger than mobile. It's bigger than cloud. It's bigger than social. The opportunities and the potential is amazing. We see it in the products we use. We hear it in the headlines we read. Do you read these headlines? I feel like I should just be doing more. I should be doing more with Okta. I should be leading. We should be adopting more AI. We should be putting in our products more, more, more, more, more. I feel like if I haven't built a company worth a trillion dollars, or I haven't built a $500 billion data center, it's like, what am I doing with my life? Does anyone else have this FOMO about AI? This is a common thing, FOMO. And I thought about what's going on here? What's the tension? And it's really this, Okta's spent the last few years on this journey to be the most secure company in the world. And that's really driven our priorities and what we focused on and what we invested in. And we have to figure out how we do both, how we innovate with AI and how we continue on this journey to be the most secure company in the world. And it's a tension that we all face every day. I know because in my conversations with you, it comes up over and over again. It's easy to fall in the trap of one extreme, either complete lockdown mode and totally focused on security, or the other way where you're being fast and loose and innovation at all costs. And we all know that we have to do both. We have to balance. We have to strike the right balance. We have to innovate and be secure. Every company struggles with this. Don't feel bad about it. Don't feel guilty. We have to figure out how to do both. And at Okta, our foundation, our bedrock, our core priority is incredibly clear. And it starts with this Okta Secure Identity Commitment, which is our long-term commitment to lead the industry in the fight against identity-based attacks. This is how we do it. When we think about this tension, about balancing innovation with AI and about security, we had this key revelation, which is the thing we've been focused on is actually the unlock to do both. This is how we innovate without compromise. The Okta Secure Identity Commitment has four pillars, from building industry-best products and making sure those products are secure by default, to hardening our corporate infrastructure, making sure it's the most secure in the world, to championing customers' best practices. Because if it doesn't all work for you and it's not easy to adopt and deploy and get value from, it doesn't work. And finally, to elevate the whole industry in the fight against these attacks. We launched this initiative formally over two years ago. And we have poured our blood, sweat, and tears into this. One way to quantify it is it's added up to over two million hours in two years. Two million hours in two years. And we're very proud of the progress here. And when you write it down, it's a lot of stuff. It's a lot of stuff. But that is what is required from a company like Okta. That is what is required, and that's what we've been doing. It's not just about security and locking it down. It is the unlock to how we reach the potential of AI, how we help the entire industry reach this potential. Being secure, the secure identity commitment is the key to the future of AI security and to AI. You know, what do I mean by this? Well, nothing like a great example. And we recently saw a very important and poignant example. It's a major industry-wide breach. I'm sure many of you were involved and impacted in some way, shape, or form. This is a breach of an AI agent. And this AI agent was used to automate marketing. So companies use this agent, and it sat on their website, and it helped prospects learn about the company and create sales leads and automate the marketing process. And the company that builds this agent was hacked, and the hackers got the access tokens that this agent used to connect to the SaaS application of hundreds and hundreds of companies. Hundreds and hundreds of SaaS applications on hundreds and hundreds of companies. I'm sure impacting many people in this room. And I share this story for two reasons. The first reason is it's a very strong demonstration of the work we've done at Okta to harden our corporate infrastructure. We are customers of this AI agent, and because of the work we've done to harden our corporate infrastructure, we were not impacted by this breach. We were not impacted. So thank you. Thank you. I appreciate that. And I don't share this. This is a really bad situation for the entire industry. And I don't share this story to celebrate this whole thing happening. But a lot of times, hardening corporate infrastructure and focusing on lockdown, security mode, it's hard work. It's focused day after day. It's prioritizing. It's having an amazing team that can get things done, can make hard projects amongst many dependencies in challenging times. And this focus and this dedication directly impacted Okta being protected from this issue. So it's nice sometimes to see success be demonstrably apparent when many times security work, as you know, is the best thing that can happen is you never hear anything about it. So that's the first reason I share it. Now the second reason is that this is an example of what can happen in our industry without the right security for AI agents. Think about this breach. This is an AI agent. If every agentic system has breaches like this, AI is not going to reach its full potential. It's not going to happen. People are going to be scared of it. Companies are going to be afraid to adopt it. We have to fix this problem. We have to elevate the industry. We have to show the industry a better way. If you think about what's going on here, this AI agent and many other AI agents, they are a powerful new identity type, a powerful new identity type. They can act independently on their own or on behalf of a user or a team or a company. They can access tools, applications, and data. They can plan and complete tasks on their own. They're kind of like a piece of software, kind of like a system account, kind of like a person somewhere in between. And the pace here of innovation is absolutely stunning. We all see it. So it's not surprising that many of you are making AI agents the number one priority in your entire technology investment. And now these AI agents and the potential here and the potential benefits, they are getting very, very powerful. And it's happening very quickly. If you think about just five years ago, the complexity of a task that an agent could complete would be something that would take you about nine seconds. Think about adding the last sentence to your email. Now, just in five years, it's dramatically different. AI agents can complete tasks on their own that would take you two hours. Think about kind of a medium complexity support issue where you have to look at the support database and interact with the customer and then solve that issue. So key here as this improvement happens is that agents need access to more and more data. More and more data, more and more access, which means it's very important that these agents have an identity in the sense we talk about identities. And that means that without identity security, AI security collapses. So AI security is identity security. You can't be successful in one without the other. AI security is identity security. So to understand why, think about the complexity you are already facing. I know it's something you think about all the time. You're working with it every day. You have identities. You have employees, customers, partners, non-human identities. You have various tools from different identity vendors that connect the identities to your resources, the resources. They're absolutely critical. It's your applications. It's your data. It's your business processes. It's your APIs. It's the things that power your business. This could be thousands, even for a medium-sized company. It's a big challenge to stitch all this together, this web of complexity. Now, you take this complexity and you layer on top of it a million agents. And these agents, they need to connect to everything, just like your people do, machines, servers, APIs, data, customer data, other agents, identities. This results in even more and more complexity as it all mixes together. But complexity isn't the only challenge here. Agents, to be most effective as they get more powerful, need broad and persistent access. My friend, Steve Williams from NTT, Steve's here, I think, he had a great line about this. We were talking and he said, Todd, it's like you take an insider threat and you just put it in your company and give it all the access it needs and let it run wild. I thought that was an interesting way to think about it. Scary, but interesting. So there's enormous risk here. And this isn't some abstract concept that a CEO of an identity company is up here trying to scare you about. This is happening now. The risk is real now. And we're seeing instances of this every day. This is an example of one of the world's best known restaurant chains. They implemented an AI agent. This agent sits on their website and helps job applicants who want jobs at the restaurants learn about the positions. The person gives information to the agent. The agent lets the person apply for a job, automates this important process. It's an important process. This company needs great people to work in their restaurants. Now, they implemented the agent in such a way that attackers could trick it into disclosing the password for the back end administrator account that the agent connected to. And guess what the password was? So I understand. You think this is like for humor. And I will just say, like, take a step back and think about what's going on here. This, I don't have any inside knowledge about this. But I bet you something like this happened. The CEO of this company, the board of directors of this company, is pushing the team to adopt AI. Adopt AI. What are we doing with AI? Has anyone heard this? What are you doing with AI? Adopt AI. And so these hardworking, smart people built this great AI agent. And they probably took it to a meeting and said, look what we have. And I'm doing this at Okta. I'm saying, what do we have? What are we doing? What are we doing with AI? I don't want to miss out. And I'm sure you're doing it to your teams and your boss is doing it to you. And so this team took what they had and the boss said, put it in production now. And the teams look at each other like, I'm not sure it's ready. What do you mean it's not ready? We're going AI. So they put it in production. And so it's not a surprise that this happens. And now the threat actors have access to 64 million records about chats and conversations and personal information. It's a big issue. So we have to help. We have to do a better job here as an industry to make these kind of things successful. Because if we don't, AI is not going to reach its potential. So it's not just a one-off incident. The government of the United Kingdom organized a big red teaming exercise, which means a bunch of people got together and tried to break into systems so they could find the vulnerabilities before the bad guys did. And these weren't against AI agents built by a restaurant company. These are some of the most well-known AI agents that we all use. These are some of the most well-known. And guess what they found? In almost all of them, the same kind of issues. Overly permissive access, not clear deployment patterns, which led to the ability to compromise these actions. And without the right identity controls. This is a big problem. If we don't do something differently, we're at a risk of taking a step backwards 10 years in all the security progress we've made. We've done such a great job with phishing and cross-site scripting and building more secure web apps. This is the potential to throw it all away, which is we can't let that happen. This means AI security is identity security. It's the key to agent security and the entire AI security world. And we face these clear and present challenges today. I'll share another very memorable story from my conversation with a customer. This customer is a great Okta customer called Emerson Electric. And I was talking to Matt and Scott, and we were talking about this pressure they feel. Do more with AI. They had off-site meetings, and they said, we've got to get together, we've got to do more with AI. Of course we do. And they looked at me and they said, Todd, we want to do all this stuff with AI. If we don't get our identity foundation in order, we have no shot. We have no shot. It's not going to work. That really stuck with me. And you can't address this issue with a grab bag of standalone identity tools. This requires a completely new category, a unified approach that simplifies control and strengthens protection. Now a key thing here is that it's got to be comprehensive. It's got to cover everything. No gaps, no little wedges for any kind of threat to sneak through. It's got to cover every identity type, every use case, and every resource. It's called identity security fabric. And it transcends previous identity categories. And the goal here is very simple. The goal here is zero identity-based attacks. It's a unified approach that's deployed across every identity type, employees, customers, non-human identities, partners, contractors. Every identity use case, governance, privilege access management, access management, threat protection, posture management. These are not individual products. They're really features of a bigger category. And it's integrated across every resource, apps, infrastructure, databases, APIs, everything. No gap. No wedge to sneak into. And it has to ensure that you are fully secure. And it can do this with the ability to orchestrate across the fabric. So the left hand knows what the right hand is doing. It can share risk signals, so coordinated defense against attacks. And you can take actions like automating universal logout when any kind of threat emerges. This is what you ask us for every single day. You don't want 50 different solutions from 50 different identity vendors. Now, this idea is what I've been doing my entire career. Okta is my third job. My first job was at a company called PeopleSoft. It was in the ERP category, unifying HR, financials, manufacturing. My second job was at Salesforce in the CRM category, unifying sales, marketing, service, and support. My third job is at Okta. The category is identity security fabric. And we're unifying access management, privilege access management, identity governance, posture management, identity threat protection. It's a new category. Now, it's bigger than just Okta. It will require the whole industry to work together to make this a reality. But it's our North Star. And we are continuously chasing this vision, this dream, and innovating as technology evolves. This is absolutely critical to our overall vision as a company, which is to free everyone to safely use any technology. And this vision is more relevant and more urgent than ever in this new age of AI and all the potential that we're surrounded by. For us, securing AI agents is just like securing any other type of identity. And it's what we were built to do. Today, we are unveiling three important innovations that will help all of us address the challenges of agentic security. The first is how you can bring your identity security fabric to life by bringing AI agents into the Okta platform. Second is how to strengthen the identity security fabric with open, industry-leading standards for AI agents. And third, how you can easily build fabric-ready agents with the Auth0 platform. It all starts with the Okta platform. It's the best. It's the fastest. It's the easiest way to build an identity security fabric. It's the only modern, fully integrated, scalable, cloud-based platform. It's purpose-built for IT and security teams. Individually, the products in the Okta platform are excellent. But together, they are spectacular and enable use cases that were never before possible. And it does this in an independent and neutral way that is integrated to everything. Over 8,000 integrations in our Okta integration network. We don't have an opinion on which technology you choose. We focus on identity and leave the choice of technology up to you. There's no lock-in. There's no forcing of any direction of technology. So the simple way to put it is the Okta platform, it brings your identity security fabric to life. That's how you simplify control and strengthen security as your environment grows. It takes you from this multi-vendor fragmented approach to consolidation on a single identity platform. Of course, a key feature of the Okta platform is that it continues to adapt and evolve as the technology world changes and new technologies emerge. And that's why we're making AI agents a first-class identity in the Okta platform. This means every use case in Okta will support AI agents from storing them in universal directory to discovering them with identity security posture management to managing their access with Okta identity governance to manage their access to critical resources with Okta privilege access. You can think about this like you've put people in Okta forever and had visibility and governance and control. And now you can do the same thing with AI agents, all with total flexibility that you would expect from Okta. Now in an AI world where the technology is rapidly emerging and adapting and changing every quarter, Okta is your AI partner. We focus on the fundamentals, the fundamentals of identity, governance, visibility, control, and free you to choose whatever emerging technology in this dynamic landscape that serves your needs the best. You need a partner that will take care of the basics and free you to choose. Okta does that for you and makes sure that your choices are future-proof. So one concrete example of this is with one click you can bring any AI agent into universal directory. You can decide what's the right source of truth. Should that come from Salesforce? Should that come from an agent you build yourself? Should that come from ServiceNow? Should that come from Workday? The choices are dizzying. You can choose though. You can choose. We'll take care of the visibility, the control, and the governance, just like any other type of identity, which is what we do for you. This unified approach will make sure you have a great cyber posture and be free to innovate with AI to meet your business objectives. To get AI right, you have to get identity right. To get AI right, you have to get identity right. And the Okta platform makes that possible by bringing your identity security fabric to life. Now the identity security fabric is only as complete as the standards that link it to all of your identities and all of your resources together in your environment. We love standards. Everyone knows their value. You get in your car, your phone seamlessly hooks up to your Bluetooth. Well, sometimes it does. We're still working on that one. Standards make the internet possible. And now it's especially important in an emerging new area like AI agents. Standardization gets everyone on the same page about where to innovate, who's doing what. It's key as these technologies evolve. Now, you can't have a comprehensive identity security fabric if your identities and your resources aren't speaking the same language. So let's look at a concrete example here of an area that needs to standardize. Everyone that's implementing agents, whether you're a SaaS company or whether you're building your own, is doing the security and the access control slightly differently. It's hard-coded and it can be brittle and error-prone, as we've seen if you move it from development environment into production. When something goes wrong, there's a lack of visibility because guess who has to clean it up? IT security. IT and security. And they go to clean it up and it's not clear how it was implemented, it's not clear what can access what. So there's a big opportunity to standardize that. And so there are a lot of standards in the AI world, but there's a missing standard here. And that's why Okta are working with the standards bodies to propose a new standard we call cross-app access. It's focused on security and access. It lets IT and security teams set the access policies up front for these AI agents, which makes it open and transparent and visible to everyone involved. It also, you're clapping for the standard? Okay. This is like, it's my kind of crowd. It's my kind of crowd. You see the value in it. It's kind of down in the details, but you see the value in it. And so you get this visibility, you get to set things up beforehand, and most importantly, a lot of ways people do this now is that when the agents start being used, they ask the users to allow all these grants. And you get this prompt that says, do you want to allow access to your calendar from this agent? Yes, yes, yes. It's complexity for the end user, and there's a total lack of visibility as things progress. So we've been working on this for a couple years now. And we're partnering with the IETF OAuth working group, other ISVs, and others across the industry to pioneer this new open protocol. That open protocol part is very important. We're seeing a ton of support across the industry. Technology providers signing up and getting involved here and being on board. Now why? Why are they doing this? These people are all busy. They're trying to push their businesses forward. The reason why is because they see the problem, and they see the opportunities. They see their AI technologies going into these companies, and they see the friction, and they see the confusion, and they see the security issues, and they see this protocol as a way to free that up and have their technology deployed. They see it as an unlock for the entire industry, and that's why they're so excited. And it's not just these listed here. There's dozens more who recognize the power here and the value of securing the agentic future with a protocol like this. So this standard is necessary and important, but it's also a kind of a continuation of what we've always done. We work with standards, and we kickstart standards from the beginning, whether it's WSFed or SAML or OpenID Connect. And last year, I spent a bunch of time talking about our pioneering work on an open standard called IPSE. And we're really excited how much progress IPSE has made. The OpenID Foundation, technology providers, and a bunch of you in the room have worked together to publish the first draft of IPSE's Session Lifecycle 1, which delivers standards-based single sign-on, enforceable session lifecycle, and transparency into authentication methods. Now, this is just the beginning. We're already working with everyone involved on higher levels to add even more use case, to standardize how technology works with identity, make things more secure. It's a very important thing we're working on. And if you want to hear more about this, there's a session this afternoon with Gail Hodges from the OpenID, who is the OpenID Foundation's Executive Director. And so it's very exciting progress. It's important work because it's key to shaping the future of identity in the age of AI. And we're not stopping there. There are more standards to create. There's more innovation to push forward. We have a playbook for it. And it starts with working with standards bodies, working with the community to crystallize these areas that need to be standardized. And then we build them into our products. We build these standards into the Okta platform. We build these standards into the Auth0 platform. And then you adopt them, and you get the benefits, the security benefits of these open standards. And users of these products and technologies demand from the technical community that more and more people support them. And so the people building technology look at the open standard and say, oh, I'm not going to get locked in. I can add that. That's going to solve this problem of agentic access or identity management in the enterprise. So I'm going to implement it. And that leads to more customer success. So what you see here is this flywheel, this flywheel that spins, and it benefits everyone toward the goal of zero identity-based attacks. It's a powerful motion. It's happening. And you're all part of it. So it's very exciting. Now, a critical part of this entire playbook is making sure that developers can build with these standards from the start. And that brings us to our Auth0 platform. The Auth0 platform is purpose-built for developers, whether that's a developer building a service or agent or application to sell to customers, or it's a developer inside a company building applications and services and agents for internal use. Auth0 works amazing with every programming language, every platform, every framework. You can use it in really bite-sized components. So you can use it where it helps, and where you don't want to do your own thing. It gets out of your way. It's perfect for a developer. And of course, it's all based on the solid foundation of security and reliability. Now, for years in the Auth0 platform, we've made sure that developers could build every application standards first. And we've made it very easy by including them in Auth0. And today, we're taking that journey even further by delivering, inside of the Auth0 platform, cross-app access support out of the box. So yeah, if you clap for the standard, you have to clap for the implementation in our products. It's a rule. It's the rule of clapping. So whether you're building an agent or you're building agentic services, which is something that an agent talks to, you can make sure that they're fabric-ready out of the box with the right levels of security and the right level of visibility. Now, to bring it all together, here's a summary of everything we've covered so far. The Okta platform brings your identity security fabric to life. Open, industry-leading standards like cross-app access help everything in your fabric from the identities down to the resources, making sure they all speak the same language. And the Auth0 platform makes it incredibly easy to build fabric-ready agents and agentic systems. Now, together, all of this ensures that you can build, deploy, and manage AI agents safely, securely, and at scale. Now, let's see all of this in action. So join me in welcoming to the stage Harish and Mallory to show you what this all looks like. Harish. All right. Thank you, Todd. What's up, Okta? How are we feeling? I couldn't hear you. How are we doing today? That's what I'm talking about. All right. So in the next few minutes, Mallory and I are going to walk you through what it's like to bring AI agents directly inside the Okta platform into your identity security fabric. The thing is this. From every single one of you, we're hearing the same thing. We want to roll out agents really fast, but we're struggling to balance innovation and security. And specifically, we hear the same three things over and over again. The first is visibility. Where are all these agents that are in my org? The second is control. How do I ensure that it's only accessing exactly what it's allowed to access? And the third is governance. How do I ensure that over time, I don't end up with agentic sprawl? Well, the good news is this. For the last 16 years, Okta has been solving this exact problem for human identities, and now we can do the same exact thing for AI agents. Let's see how. We're going to start with visibility. This is your AI agent directory. If this screen looks familiar, it should. This is the same universal directory that many of you use on a daily basis, and now you have AI agents right alongside people and groups. That's because AI agents are a first class identity now in the Okta platform. Let me repeat that. AI agents are a first class identity in the Okta platform. That's right, give it up for universal directory. That's right, duties in the house. OK, now there's a lot of agents here. There's agents for customer support. There's agents for productivity. There's agents to record video calls. And what's great is these agents were built on different platforms, like Lanchain or Vercel or Rider, and they also live in different platforms. Maybe they're in service now. Maybe they're an agent force. It doesn't matter. Okta integrates to all of these, so you don't have to worry about future proofing. We got you. Don't worry about it. But there's one more important thing. You can see the users that actually own these agents. Now, it's very important when it comes to closing the accountability loop and knowing who's actually responsible for this agent. Now, let's click into one of these agents, the customer support agent. This is a use case we're all familiar with. This is a very powerful agent that needs access to Service Cloud. It needs access to PagerDuty to do its job. But what's great is I can see a description of the agent. I can see the users that own that agent. And I can see the users that have access to that agent. This is the point. It's complete visibility in one place, so you know everything that's going on with your agent right inside the Okta platform. So that was part one. That was visibility. Let's keep moving. Let's look at the next piece of puzzle, which is control. Now, as Todd said, an agent is only as powerful as the underlying apps and data and resources that it can access. The access is great. It lets the agents move fast. But it creates a big security hole. But if you remember, I'm testing you. I just said agents are now a first-class identity in Okta, which means with managed connections, I can actually control exactly at a fine-grained level what's going on with these agents. Think of this screen like the single sign-on screen for an agent. A lot of you have the SSO screen that you use to get into the various applications with Okta. This is exactly that for an AI agent. Now, what's even better is I can see all of these agents' connections in one place. I can see its service accounts. I can see its API keys. And I can see its direct agent-to-app connections. This last one is powerful but also dangerous because if you're a motivated hacker, which none of you are, but if you're a motivated hacker, you can ride that direct agent-to-app connection directly to get the agent to spit out some sensitive data or take a malicious action. It's very dangerous stuff. But fear not. This agent supports cross-app access, which means the IT team can control at a very fine-grained level exactly what this agent has access to. So in this case, it has read access to Google. It has read-write access to Jira. And what we've done is we've shifted what is normally embedded hidden risk. We've shifted that into the hands of the IT team. And in doing so, we've actually eliminated a critical attack path. Now, control is more than just about what this agent can access. It's also about staying on top of where this agent is going. And to get a deeper look at that, I can actually go to my system logs. And I can get a detailed audit trail of everywhere this agent has been in my organization. Now, this screen is more than just some great graphs and some details. This data can be streamed to my security operations team so they can stay one step ahead of potential attackers. I want to make a very important point here. Agents are now in the Okta platform, which means your IT teams, your security teams, they can move from being reactive to breaches and move into a place where they're proactive and staying one step ahead of threat actors and take care of their organization's security. All right, I mentioned three things. Let's look at the third piece, which is governance. Now, a lot of you are telling us this. Agents are moving rapidly from development to production. That's great. Keep innovating. You do you, but you have to stay secure. And one of the big problems with agents moving really fast into production is the risk of agentic sprawl. What that means is, what if you have an agent that is no longer needed but still has long-lived, overprivileged access to sensitive resources? That's the definition of sprawl. But again, agents are in the Okta platform, which means Okta Identity Governance can fix that. In OIG, I can run a simple access review to understand, for example, who has access to Salesforce. And this review shows me my human users, but it also shows me the AI agents that are accessing Salesforce. Even better, I can see the original owner of that agent. Remember when I called out the owner in Universal Directory? That's why. Closing the accountability loop. But beyond that, I can see the entitlements of this agent. I can see a risk level. And Governance Analyzer with Okta AI can show me a recommendation of what exactly to do with this agentic access. I may want to revoke it, or I may want to keep it. The point is, the end user has the data they need to make the right decision to keep your organization secure. Okay, so we covered what I would call the happy path. You know, you're setting up an agent correctly from the get-go, you're controlling its access, you're running Governance, that's great. But what about the rogue agents? What about, let's say for example, this is just an example, what if the sales team, I love my sales people here, but what if the sales team deploys an agent to connect to Salesforce without notifying IT? It could happen, they're very enterprising folks. Now here's the thing, the Okta platform can detect that. Because agents are in the platform, you don't have to hunt for rogue agents and hidden risks, we can find them for you. And to show you more about that, I'm gonna hand it to my friend Mallory. Take it away. Great, thanks Harish. This is Identity Security Posture Management, or ISPM. You can think of ISPM as your real-time threat hunter. It's continuously scanning your tech stack for risks like misconfigurations, overprivileged accounts, or even hidden app-to-app connections, like Harish mentioned. It does this by integrating with every part of your tech stack. And it uses things like access patterns, naming conventions, and a whole host of other advanced techniques to actually identify these risks. So here, we can see that ISPM has flagged a high-risk issue called Grants Without Okta Policy. Sounds interesting and risky, so we'll look into that. If we investigate, we can see that ISPM has flagged a rogue agent. This agent is connected to Salesforce, it was created completely outside of IT's processes, and it has broad read-write access to our customer data in Salesforce. These are obviously all really huge issues for us. But fortunately, with Okta, we don't just find this risk, we can actually remediate it. So all of the things that you just heard from Harish around visibility, control, and governance are ready to be applied. So when we find a rogue agent, we don't scramble, we can just run the play. I'm gonna go ahead and remediate this risk by applying our full security model to this agent. First, for visibility. We can go ahead and bring this agent into Universal Directory, and we can do that with just one click, and then we'll assign a human owner to our agent to close that accountability loop that we've been talking about. Second, for control, I'll go ahead and apply a baseline security policy that's going to immediately limit the permissions of this AI agent to read only. And this is gonna help us shrink that blast radius if something were to happen. And then third, for governance, we'll go ahead and trigger an access certification campaign right off the bat, and the new owner, the one we assigned in Universal Directory, will have to review this AI agent, just make sure everything still looks good with the permissions. And just like that, we have gone from a hidden critical risk to a fully managed and governed identity in Okta. And if I head back over to Universal Directory, do that now, you can see this agent right alongside all of our other AI agents here in Okta. Fully visible and fully secure. With Okta, these rogue agents have nowhere to hide. What'd you think, Harish? You know, I think it's cool, but judging by this, I think they think it's pretty cool, too. Yeah. So, you know, that's right, agents in the platform. Look, what you saw was the full power of the Okta platform now applied to AI agents. You saw visibility, all of your agents in one place. You saw control, so that your agents don't access anything they're not allowed to. You saw governance, so you don't end up with agentic sprawl that's gonna come back to haunt you later. And finally, you saw ISPM detecting and bringing a rogue agent under control. The thing is this, agents are going to transform business and technology as we know it. That is going to happen. But companies that invest in an identity security fabric and that invest in securing every identity type across every use case, integrated to every resource, those are the ones that are gonna get ahead and stay ahead in our AI future. Thank you. Todd, back to you. All right, nice job, Harish. Nice job, Harish. Nice job, Mallory. It's amazing. I love seeing it all, all the hard work of the entire team demonstrated on screen there. And I can't wait for all of you to get your hands on this. And to make that incredibly easy, that's why we've packaged all of this up in a solution that we call Okta for AI Agents. Now, it includes everything you need to build and manage agents securely. So for agent builders, it includes Auth0 for AI agents, so you can build agents that are secure by design. And for IT and security teams, it includes all the products on the entire breadth of the Okta platform with support, especially for AI agents. So for securing AI agents, this is the most comprehensive solution in the entire market. We're amazingly proud of it, and we can't wait to have all of you use it to deliver value to your companies and your organizations. So I wanna, to cap things off today, I wanna zoom out a little bit and have a conversation with another industry leader thinking about how to navigate this tension between innovation and security in the age of AI. So, we are incredibly fortunate to have So we are incredibly fortunate to. the following guests here at Octane. So, I'd like to introduce now Sarah Franklin, the CEO of Lattice. Hi. Hi. Hi. Thank you for joining us. Thank you, yeah, I can't do the jumping thing in these fields, so. It's bigger than it looks, huh, on camera? It is, it takes time to walk through, and what an incredible crowd. Thank you so much for having me. Yeah, thank you for being here. So, many customers of Lattice in the audience, but for those of you that aren't current on everything you guys are up to, what's the latest? Yeah, so Lattice, our mission has and always will be to make work meaningful, meaning that we help you as employees know what to do, what your goals are, how you're doing at that, you know, have a conversation with your manager, and bringing AI in, in a way that helps people be, you know, scaling our human potential, and really helping us achieve, like you said, that nirvana, that great outcome that AI can bring to people, and we're really focused on the success of people. I love that perspective, because we talk a lot about infrastructure, and standards, and risk, but it really is all about what are we doing with all this stuff, how are we impacting positively our organizations? Do you have AI FOMO? I don't have AI FOMO. I mean, sometimes, what is it, JOMO, the joy of missing out? Yeah, joy of missing out. No, what we have is a deep belief in what we want the outcome to be with AI. You've talked about it from a security standpoint. We deeply care about the human impact, and what it means for us as people, and we don't want an outcome to be where AI is just automating us all out of work. We want the AI to help us be better at our jobs, and so that's really what is so important to us, and why it's an incredible opportunity right now for IT and HR to really lock at the hip, and say, let's make this secure, let's make it accountable, let's have that fabric, and let's really focus on how this is a big people transformation for all of our organizations. When you're out there talking to customers, what is the biggest barrier to that? What slows it down, or what is the unlock? For us, the whole idea here is that we're emphasizing how important identity security is to AI. What's the equivalent, as you try to spread this message of empower your people, and people are the key? I mean, people are afraid. AI is new, it is unknown, and it doesn't. By the way, the way the industry pundits talk about it doesn't help. No, it scares you. Everything's gonna change, it's all horrible. Well, it is going to change, but in a way that we want it to be more in our control than out of our control, and when we have people saying everything from we'll have massive unemployment to we'll have massive free time, and when we're sitting here wondering how do we just get this to step one, we're all at the starting line. Not anyone here has 10 years of agentic AI experience, so we need to, like you said, be very responsible in how we bring this in, and not let the fear paralyze us. We need to have the courage and the confidence together that we will not just ship something to production with a passcode of one, two, three, four, five, six because we need it there, but that we will be very responsible in how we bring AI out. Is, like what's the biggest success story? Like do you have a customer story that demonstrates the way to do this wonderfully? Yes. Talk about the barriers, like what's the positive case? So the positive case, and what we've seen with Lattice is when we brought AI in as a coach and really to help people have better human confidence. Wait, what does that mean, AI as a coach? Oh, sorry. I think I might need that. The, the, you're doing great. Presentation coaching? No, no, no, it's more in your day-to-day job. Like when you think about, you show up to work, you might have, you have goals that you want to achieve, the company has goals to achieve. Are you working on the right things? Are you doing a good job? That conversation, one of the most important things, you know this as a CEO, is getting your people aligned and motivated and working on the most important things. Yeah, priority alignment is really hard, yeah. Yes, and this is where AI can really help us scale and coach us and be there for us all the time to help us understand what we should focus on, what we're doing well, what we're doing poorly. And the other thing that's very interesting with AI is that as humans, a little, a truth about us as humans is that we are not always honest with each other. We're scared of what somebody may think. We're scared of being wrong. We're scared of not knowing what we need to do. And that fear impacts our conversations. And especially when you're giving feedback. I don't want to hurt somebody's feelings by giving them, you know, feedback. And so when you have AI that can have context of you as an employee, context of your system of record of work, whether it's Salesforce, whether it's JIRA, whether it's any system that you're working in, and the feedback that's coming about you, your goals, your aspirations, it can help you through your daily job. And that's what's really exciting about Lattice. And what we've seen with our customers be super successful is just being able to help that conversation be more connected and human and real because the AI is there to help you. Yeah, there's a lot of amazing potential there. When you work with your customers, do these issues of security of your solution and how manageable it is and how it hooks in with the rest of them, does that come up a lot? All the time. And this is why for all of you here, this is so important that you have the Okta's fabric because AI is, I mean, it's true, I am guilty, as you said earlier in the keynote about being a CEO of telling your team to push AI out there. Faster, come on. Right? And we're having the pressure from the board to be more efficient. The thing that is most important I think right now is to not just look at efficiency, but look at effectiveness. And we need to help our people be more effective with AI. And our customers are asking us every day, okay, what does this mean? They don't yet understand everything that you showed on the screens of how these agents have autonomy or how they have access, sometimes root level access to data. And so this is, I accept your challenge for us as an industry to really step up to the plate to say, our job is here to educate everyone on what this technology can be, but also how it can hurt us. And let's do this responsibly so that we navigate more to a utopian outcome than a dystopian one. I love that. There's so much potential and we need to stay on the side of utopia. I would love to. And I will say also, at Lattice, we're a very proud Okta customer as well. And it's something that our systems- Thank you so much. Yes. It's important that our IT teams and our HR teams, they work really well together because the directory you have of your agents also needs to be mirrored in the people directory and understanding what the goals are for these new entities, these new identities in our workforce. And so it's a new world that we're all walking into, and it's one which is great responsibility. It's actually, getting a little geeky, I would say that I'm really- Don't get geeky here. Oh, I'm not allowed to? No, we don't talk any standards or protocols. You were just doing it. I should be allowed. No, but I find it very exciting that the functions of IT and security and HR are really center stage right now. It is all of your moment to be the superhero in this story. We've seen so many cautionary tales between cloud, social, mobile. Actually, social, mobile, I'll just say really quickly, exciting technologies when they were delivered, we thought this democratizes access to the internet, democratizes access to all types of things. We didn't take enough time to ask, how can it hurt? And now many of us, I'm a self-proclaimed addict to my mobile phone, and we have a generation of anxious people. Our children are addicted to their devices. Social media has harmed their sense of self-worth. And if we can look at those two things as cautionary tales to not just say, how can this help us, but also how can it hurt us. Yeah, I think that's really smart. And let's not let it hurt us. Let's not wait a decade to have the regulations and the onus on ourselves to bring this technology responsibly in, because we want this to be great for people. Yeah, the way I keep thinking of it is utopia takes work. Utopia doesn't happen on its own. I mean, hope cannot be our strategy. I've never heard that work out well. So yes, it takes work, and it takes ownership, and it takes courage. And that's what's the hardest thing, is that this is unknown. It's new, and the charts are going up and to the right, and it's fast. And so we have to have the courage to walk into the unknown together. And I would love for IT, security, HR to, the back office comes front office and says, we are here to make the future of our companies and our society one that we're proud of. I love the message, Sarah. Thank you so much for being here to deliver it. Thank you so much. Thanks for joining us. Have a good day. Sarah, Sarah Franklin. Thank you. Utopia takes work. Doesn't happen for free. The next decade will be defined by how we secure AI. We all feel this tension. It's real. How do we innovate? How do we stay secure? Okta makes it possible to do both. And our goal is clear, and that is zero identity-based attacks. So today we've covered three important things to move us closer to this ideal state. First is how you bring your identity security fabric to life with Okta. How you do it with open, transparent, clear standards that connects everything together. And thirdly, how you build fabric-ready agents with Auth0. So by doing this, it's the key unlock. It's how we can all innovate without compromise. And this is only something we, the collective we, Okta and all of you here, can deliver together. So it's a very important mission. We have to deliver. The next chapter of identity security is here, and it's up to us to lead it. So you can scan this QR code on the screen. We have details about everything we've announced. We have a lot of work to do, but we've made incredible progress. And there is incredible, amazing potential and opportunity that comes next. So let's keep driving, let's keep striving, let's keep pushing to build this future and realize all the benefits. I want to thank you on behalf of the entire Okta team for being here with us today. I want to wish you the best, and please enjoy the rest of Okta. Thank you. Thank you. Thank you. Thank you.

TL;DR

  • Okta positions AI security as fundamentally an identity security problem, treating AI agents as first-class identities requiring the same governance as human users
  • The company announces cross-app access support in Auth0, enabling developers to build fabric-ready agents with security and visibility built in from the start
  • Okta's hardened corporate infrastructure protected it from a recent industry-wide AI agent breach that compromised hundreds of companies
  • The identity security fabric provides centralized visibility and control over all AI agents, preventing agentic sprawl and closing accountability loops
  • Okta frames its Secure Identity Commitment as the unlock for innovating with AI without compromise, working toward zero identity-based attacks

AI Security as Identity Security

Okta CEO Todd McKinnon frames the central challenge facing organizations today: balancing rapid AI innovation with security requirements. He introduces the concept that AI agents represent a powerful new identity type that requires the same governance, visibility, and control as human identities. McKinnon reveals how a recent industry-wide breach of an AI marketing agent compromised hundreds of companies — but not Okta, thanks to hardened corporate infrastructure. This incident demonstrates why AI security fundamentally depends on identity security, as agents increasingly access sensitive data and systems autonomously. The keynote positions Okta's Secure Identity Commitment as the unlock for innovating with AI without compromise.

Identity Security Fabric for AI Agents

The presentation introduces Okta's identity security fabric, which treats AI agents as first-class identities alongside people and groups in the Universal Directory. This approach provides complete visibility into all agents across the organization, regardless of where they were built or deployed. Okta demonstrates how managed connections enable fine-grained control over agent access to applications and data, similar to single sign-on for human users. The company announces support for cross-app access standards in the Auth0 platform, allowing developers to build fabric-ready agents with security and visibility built in from the start. This architecture aims to prevent agentic sprawl and close accountability loops by linking agents to their owners.

Industry Leadership and Customer Partnership

McKinnon emphasizes Okta's role in elevating industry standards for AI security, noting that without proper security frameworks, AI adoption will stall due to fear and risk aversion. The keynote features a conversation with Lattice CEO Sarah Franklin, who discusses the intersection of HR, IT, and security in managing AI agents as new workforce entities. Franklin stresses the importance of balancing efficiency with effectiveness, and warns against repeating the mistakes of social and mobile technology adoption by proactively addressing how AI can harm as well as help. The session concludes with a call to action for the collective industry to lead the next chapter of identity security, working toward the goal of zero identity-based attacks.

Chapters

0:00 - Welcome and Opening
1:37 - The AI Innovation vs Security Tension
4:03 - Okta Secure Identity Commitment
6:01 - AI Agent Breach Case Study
8:42 - AI Agents as New Identity Type
29:27 - Auth0 Platform for Developers
31:38 - Product Demo: Identity Security Fabric
32:56 - AI Agent Directory and Visibility
34:37 - Agent Access Control and Cross-App Access
48:00 - Conversation with Lattice CEO Sarah Franklin
54:02 - Closing and Call to Action

Key Quotes

4:03 "Our foundation, our bedrock, our core priority is incredibly clear. And it starts with this Okta Secure Identity Commitment, which is our long-term commitment to lead the industry in the fight against identity-based attacks."
7:06 "We are customers of this AI agent, and because of the work we've done to harden our corporate infrastructure, we were not impacted by this breach."
8:16 "If every agentic system has breaches like this, AI is not going to reach its full potential. It's not going to happen. People are going to be scared of it. Companies are going to be afraid to adopt it. We have to fix this problem."
10:25 "Without identity security, AI security collapses. So AI security is identity security."
33:16 "AI agents are a first class identity now in the Okta platform. Let me repeat that. AI agents are a first class identity in the Okta platform."
53:15 "Utopia takes work. Utopia doesn't happen on its own. I mean, hope cannot be our strategy."
Categories:
  • » Cybersecurity » Application Security
  • » Cybersecurity » Zero Trust
  • » Data Protection
Channels:
News:
Events:
Tags:
  • Identity & Access
  • AI & Machine Learning
  • Zero Trust
  • DevSecOps
  • Security Operations
  • Keynote
  • Executive Briefing
  • AI Agent Security
  • Identity Security Fabric
  • Cross-App Access Standards
  • AI Agent Governance
  • Developer Security Tools
  • Zero Trust for AI
Show more Show less

Browse videos

  • Related
  • Featured
  • By date
  • Most viewed
  • Top rated
  •  

              Video's comments: How Okta Secures AI Agents with Identity Security

              Upcoming Webinar Calendar

              • 07/14/2026
                01:00 PM
                07/14/2026
                Crafting a Championship-Worthy Security Team for Unmatched Defense
                https://www.truthinit.com/index.php/channel/2025/crafting-a-championship-worthy-security-team-for-unmatched-defense/
              • 07/14/2026
                02:00 PM
                07/14/2026
                Understanding the Crucial Role of Context in Safeguarding AI-Accessible Data
                https://www.truthinit.com/index.php/channel/2037/understanding-the-crucial-role-of-context-in-safeguarding-ai-accessible-data/
              • 07/21/2026
                04:00 AM
                07/21/2026
                Strategies for Managing AI Governance and Securing App-to-LLM API Traffic
                https://www.truthinit.com/index.php/channel/1967/strategies-for-managing-ai-governance-and-securing-app-to-llm-api-traffic/
              • 07/22/2026
                06:30 AM
                07/22/2026
                Insights and Strategies for Effective Data Privacy and Protection
                https://www.truthinit.com/index.php/channel/2000/insights-and-strategies-for-effective-data-privacy-and-protection/
              • 07/22/2026
                01:00 PM
                07/22/2026
                Insights from Attackers During the FIFA World Cup: A HUMAN Dialogue
                https://www.truthinit.com/index.php/channel/2029/insights-from-attackers-during-the-fifa-world-cup-a-human-dialogue/
              • 07/28/2026
                01:00 PM
                07/28/2026
                Illumio + Netskope: Zero Trust in the Age of AI Autonomy
                https://www.truthinit.com/index.php/channel/2031/illumio-netskope-zero-trust-in-the-age-of-ai-autonomy/
              • 07/29/2026
                04:00 AM
                07/29/2026
                Real-Time Strategies for Safeguarding Against Prompt Injections
                https://www.truthinit.com/index.php/channel/1968/real-time-strategies-for-safeguarding-against-prompt-injections/
              • 07/29/2026
                12:00 PM
                07/29/2026
                Unified Data Security in Action: Uncover, Analyze, and Resolve Threats
                https://www.truthinit.com/index.php/channel/2045/unified-data-security-in-action-uncover-analyze-and-resolve-threats/
              • 07/29/2026
                01:00 PM
                07/29/2026
                Ask Your Cloud Anything: Unlocking Governance Silos in your Environments
                https://www.truthinit.com/index.php/channel/2048/ask-your-cloud-anything-unlocking-governance-silos-in-your-environments/
              • 08/19/2026
                12:00 PM
                08/19/2026
                Becoming Agent Ready: Insights from Cyera's Expertise
                https://www.truthinit.com/index.php/channel/2036/becoming-agent-ready-insights-from-cyeras-expertise/
              • 09/30/2026
                04:00 AM
                09/30/2026
                AI Command Center: Optimizing Visibility and Control in Your Operations
                https://www.truthinit.com/index.php/channel/2024/ai-command-center-optimizing-visibility-and-control-in-your-operations/

              Upcoming Events

              • Jul
                14

                Crafting a Championship-Worthy Security Team for Unmatched Defense

                07/14/202601:00 PM ET
                • Jul
                  14

                  Understanding the Crucial Role of Context in Safeguarding AI-Accessible Data

                  07/14/202602:00 PM ET
                  • Jul
                    21

                    Strategies for Managing AI Governance and Securing App-to-LLM API Traffic

                    07/21/202604:00 AM ET
                    • Jul
                      22

                      Insights and Strategies for Effective Data Privacy and Protection

                      07/22/202606:30 AM ET
                      • Jul
                        22

                        Insights from Attackers During the FIFA World Cup: A HUMAN Dialogue

                        07/22/202601:00 PM ET
                        More events
                        Truth in IT
                        • Sponsor
                        • About Us
                        • Terms of Service
                        • Privacy Policy
                        • Contact Us
                        • Preference Management
                        Desktop version
                        Standard version