Okta is rolling out Agent Discovery in its Identity Security Posture Management (ISPM) platform to combat the rise of shadow AI. Available first in the US, with EMEA deployment planned for Q2 2026, the feature aims to give organizations visibility into unauthorized AI agents accessing their data.
Agents sometimes fly under the radar, unsurprisingly so given their novel nature. Research shows that 90 percent of enterprise AI usage occurs via unauthorized personal accounts. Organizations are facing an average of 223 shadow AI incidents per month, a figure many may not be aware of owing to the shadowy nature of the issue. Okta’s philosophy, as with other identity security vendors, is that agents require an identity all their own. Nevertheless, organizations might not have adopted the same stance just yet.
Agent Discovery works by detecting OAuth connections that AI tools establish with corporate applications. The system identifies which unsanctioned platforms employees are using to build agents, mapping relationships between the AI tool and the data sources it can access. Okta’s ISPM then reveals the specific permissions granted, exposing apps that bypass security reviews.
Shadow IT evolves into shadow AI
Harish Peri, SVP and GM of AI Security at Okta, frames the challenge in stark terms. “AI agents don’t operate at the network, endpoint, or device layer—they live in the application layer and use multiple non-human identities with broad, long-lived privileges,” he said.
The scale of the issue is significant, as previous research has shown. Shadow generative AI usage surged 68 percent in recent measurements, with 47 percent of generative AI users relying on unmanaged personal accounts. These unauthorized tools use OAuth grants to access data outside security perimeters.
Democratization of agent creation allows any employee to provision a digital worker. The resulting lack of IT oversight means companies have no visibility into how staff leverage unvetted tools. And ultimately, any ‘shadow’ usage of IT resources hints at a potential shortcoming when it comes to offering one’s workforce the tools they require. The very fact that personnel are using ‘shadow’ applications should force organizations to figure out what part of the software stack they’re failing to incorporate. For now, basic visibility into the issue is required, leading to Okta’s latest addition.
Expanding to managed platforms
Sometime between February and May, Okta plans to extend ISPM’s discovery capabilities to major enterprise AI platforms. Microsoft Copilot Studio and Salesforce Agentforce will be among the first central systems where ISPM can identify agent ownership, permissions, and risk concentrations. Security teams can then turn sanctioned but high-risk identities into governed assets.
The platform provides a unified view of non-human identities across SaaS, identity providers, cloud infrastructure, and on-premises Active Directory. It uses more than 25 prioritized risk detections mapped to OWASP Top 10 for NHIs to surface gaps like over-privileged or unrotated credentials. Organizations can then register legitimate agents into Universal Directory for full lifecycle management.