Okta weaves AI agents deep into the identity fabric

During Oktane25, Okta is focusing on agentic AI. Agent identities are becoming “first-class citizens” within the Okta offering and are changing how the company positions that offering. From now on, the identity fabric takes center stage; what does that mean?

The term “identity fabric” was coined by Gartner. The underlying idea is that identities within IT environments are much more than just puppets to navigate login screens. They form the basis for the security of the entire infrastructure and are therefore constantly coveted targets for cyber attackers. It took Okta a while to flesh out the term in its own words, but now that it has embraced it, it is doing so wholeheartedly. Below, we explain what Okta’s proposition entails, based on the announcements made during Oktane25 in Las Vegas.

Agents everywhere

We are already seeing ‘agent sprawl’, according to various Okta spokespersons. Shiv Ramji, President of Okta Customer Identity Cloud, emphasizes that the AI upon which agents are based is not deterministic and therefore carries inherent risks. However, with just a few lines of code, developers can turn their AI agents into secure digital employees.

Auth0 for AI Agents aims to make the difference between safe and unsafe agentic AI use through this compact coding task. This results in “fabric-ready” applications, i.e., apps that produce safe, predictably operating agents. Through Cross App Access (XAA), previously introduced by Okta as an open standard, applications can communicate and interact with each other via agents.

Naturally, protocols such as MCP or Agent2Agent come into play here. Because these frameworks do not have an inherent security layer, it is up to vendors themselves to make their developments based on these innovations secure. Ramji sees this as a new application for Okta on top of providing access to business applications or forming the building blocks for identity within a solution. Creating internal apps has already been made easier for organizations (vibe coding or not), and from now on, Auth0 can be used for this purpose.

A finely woven fabric

In short: agents fit within the existing landscape of Okta’s offerings. This applies to both Auth0 and Customer Identity as a whole as well as Workforce Identity. A large part of the announcements during Oktane therefore revolve around restating the company’s own portfolio in a new context. Identity Security Posture Management (ISPM), Universal Directory, and Identity Threat Protection with Okta AI (ITP) are examples of the highlighted Okta components that are nothing new, but from now on integrate AI agents and make them “first-class citizens,” as Abhi Sawant, CTO of Okta, puts it.

Just as Okta is responding to well-known standards within the agentic AI world, it is embracing other companies’ standards elsewhere. Take Okta Verifiable Digital Credentials (VDC), due to be released next year, with which the identity security company wants to make personal identification usable securely and in a reusable way. This will start with mobile driver’s licenses at the end of this year, after which the ultimate goal is that app developers will no longer have to think about specific regions when it comes to supporting identification. Okta is doing the hard work of integrating California driver’s licenses, Dutch ID cards, UK passports, you name it, into VDC. The same should apply to integrations with Google Wallet, Apple’s equivalent, and more.

In this way, Okta places its own platform within a complex fabric. It aims for the broadest possible support and interoperability and is a stronger advocate of this than many other vendors, at least rhetorically. In any case, those other vendors frequently collaborate, for example through the Shared Signals Framework. Think of Cisco, Jamf, CrowdStrike, Zscaler, Apple, Cloudflare, and more. At least it is not all one-way traffic coming from Okta.

Conclusion: inspiring confidence

Okta likes to remind us that its founders Todd McKinnon (still the company’s CEO) and Frederic Kerrest already realized in 2009 that identity would be central to modern IT security. Although they would probably prefer not to see customers under attack, it must be some consolation that the current threat landscape supports this vision.

Okta’s leadership says that the company has gone through three phases, the first revolving around the cloud transition and the second around the rise of identity-based attacks. In recent years, Okta has seen attackers shift their focus to hunting for identities. Now, with agentic AI as an incentive, identity is taking on an extra dimension for all involved. In addition to real people and service accounts, countless agentic users are joining the fray.

However, Okta sees that the security of these agents is inadequate. Ninety-one percent of organizations (whether they are Okta customers or not) use agents, but only 10 percent have a security policy in place for them. That needs to change, especially since AI pilots so often fail (95 percent according to a recent MIT study). To this end, Okta is nesting agents within its own familiar territory, which is logical, and is leaning heavily on its established reputation for integration, standardization, and sticking to its own playbook.