Leading independent identity partner Okta has announced a suite of new capabilities aimed at helping organisations secure the rapidly growing use of AI agents inside the enterprise, as Australian businesses accelerate their adoption of artificial intelligence.

Unveiled at the company’s Oktane 2025 conference in Las Vegas, the updates expand both the Okta and Auth0 platforms to support secure, standards-based integration of AI agents within what the company calls an identity security fabric, a unified framework that manages and governs both human and non-human identities.
Okta’s latest AI at Work 2025 research found that 91 percent of organisations are already using AI agents, yet only 10 percent have a defined strategy to govern them. These autonomous agents, used for everything from HR automation to software development, often require broad access privileges and can move across multiple systems, making them a potential weak point in enterprise defences if left unsecured.
“AI is changing the workplace faster than organisations can adapt,” said Kristen Swanson, Okta’s senior vice-president of design and research. “We’re starting to see poorly built or unmanaged agents expose the risks of using a traditional patchwork of identity solutions. The modern enterprise requires an identity security fabric that can unify silos and reduce the attack surface.”
Lifecycle security for AI agents
At the centre of the announcement is Okta for AI Agents, a new set of features designed to bring end-to-end visibility, control and governance to non-human identities. The tools allow organisations to discover and classify AI agents, apply least-privilege access rules, and automatically revoke credentials when agents are decommissioned.
The feature set builds on Okta’s existing identity governance and privilege management capabilities, extending them to include service accounts, API keys, and OAuth tokens often used by AI agents to interact with enterprise systems. The solution is expected to enter early access in early 2027.
Securing agent-to-app connections
Okta also launched a new open standard called Cross App Access (XAA), which extends OAuth to secure communication between applications and AI agents.
The standard aims to address the growing number of app-to-app and agent-to-app interactions that fall outside traditional user-based security models.
Industry support for XAA includes AWS, Automation Anywhere, Boomi, Box, Glean, Grammarly, Miro and Writer. The companies are backing XAA as a way to create a consistent, policy-driven framework for how AI agents authenticate and access enterprise data.
Sunil Agrawal, chief information security officer at Glean, said the new protocol “represents the next step toward making it more secure and seamless for AI agents to connect across systems.”
Okta said XAA will also be embedded in its Auth0 developer platform, giving software builders a simpler way to embed identity-first security into AI-driven applications.
Preventing AI-powered fraud
Beyond agent governance, Okta also unveiled its Verifiable Digital Credentials (VDC) platform, designed to tackle AI-powered identity fraud by enabling organisations to issue and verify tamper-proof digital credentials such as employment records or government-issued IDs.
The VDC platform, built on open standards for interoperability, aims to provide stronger assurance in digital onboarding and verification processes, while maintaining user privacy. A digital ID verification capability, initially supporting mobile driver’s licences, will enter early access in late 2026, followed by broader credential support the following year.
The announcements come as AI adoption surges across Australia and New Zealand, where businesses are investing heavily in automation and productivity tools. According to research from AWS, one Australian business adopts AI every three minutes, and around half of all organisations report using AI regularly across operations.
However, this rapid adoption is prompting greater scrutiny from regulators and boards. Under APRA’s CPS 234 and the Cyber Security Act 2024, Australian directors now hold direct accountability for cyber resilience and data protection. The new rules make boards personally liable for security failings and emphasise the need for stronger identity and access controls.