“We want to work with the best” - Okta reveals new security tools designed to safeguard GenAI systems


Okta has announced a host of new platform capabilities aimed at helping businesses safely use and incorporate AI agents and other “non-human identities”, or NHIs.

TechRadar Pro went along to Okta’s launch at the magnificent McLaren Technology Centre in Woking, UK, to hear more about the identity management platform’s plans.

It seems clear at this point that AI agents and non-human identities are upon us, and whether we like it or not, this technology is set to be unavoidable soon. Research from Deloitte forecasts that by 2027, half of all companies using AI will also have adopted GenAI agents in some capacity. Developers are optimistic about AI agents, but security isn’t always the first consideration for firms adopting the models, and the sheer pace of innovation means a focus on functionality leaves safety somewhat overlooked.

To help address this, the Okta platform is bringing a unified, end-to-end “identity security fabric” to help organisations manage and secure identities across their ecosystems, from API keys to AI agents to employees.

Okta is also releasing a new Auth for GenAI in Developer Preview, a “suite of features that enable developers to integrate secure identity into GenAI applications, helping ensure AI agents have built-in authentication, fine-grained authorization, asynchronous workflows, and secure API access”.

Non-human identities

Non-human identities and their transformation of the security landscape were a major theme at Okta's launch; that landscape is evolving rapidly, in part because of the adoption of cloud services, remote work, and the rise in NHIs.

These could be API keys, service accounts, access tokens, or automation tools, and they are difficult to secure because they are often non-federated and lack MFA; paired with excessive privileges, that makes them a lucrative attack vector for criminals.

There’s nothing inherently wrong with NHIs, says Harish Peri, Okta SVP of Product Marketing.

NHIs are “very, very critical for the functioning of business” because they integrate systems and enable software to talk to each other, but the problem is safety.

“The issue is that securing NHIs is very, very difficult. Now think about this. What starts off as a convenient move by a developer, you know they introduce a little token or a little backdoor account into a program to make life easier for them? That gets forgotten. And then over time, that goes on to accumulate privileges and it becomes a risk factor, it becomes a threat factor because a lot of these NHIs lack a couple of fundamental security hygiene capabilities.”

“They don't have MFA, they're not behind SSO (Single Sign-on), they have static non-rotated credentials, they're not federated, and over time they do accumulate excessive privilege. It's a real problem,” Peri says.

Okta's Auth for GenAI launch (Image credit: Future)

Risk management

Okta warns that agents are connecting to APIs through integrations that aren’t “optimized for AI-driven access”, and that the notifications triggered to approve sensitive actions are being implemented with only minimal security controls, so tighter authorization is desperately needed as AI develops.

“You're rolling out an AI agent or chatbot, maybe it's Agentforce,” explains Arnab Bose, Chief Product Officer of the Okta platform. “That agent, in order to do its work, has to have persistent access to your service ticket application, your phone IVR application, your knowledge base application.”

“What's happening today is identities like API service tokens are being created to set those connections up. They are not being driven by the ITO security teams. ITO security teams don't even have visibility into the fact that these identities exist. They can't vault them, they can't protect them, they can't rotate them, and that's something that we have to change.”

Okta’s Developer Experience now enables developers to build a “secure and seamless experience” for AI agents to authenticate users. The more we use GenAI agents, the more access they need, including to critical data across a large number of devices, which is a serious complication for identity management.

The new tools

Auth for GenAI is looking to solve this problem with a four-tiered approach. The first tier is authentication for generative AI applications, allowing developers to implement a custom-made login experience for agents, including linking accounts and step-up authentication.

“Second, you get token vault,” explains Shiv Ramji, Okta’s President of Customer Identity. “You can securely connect AI agents to tools like Gmail, Slack, HubSpot, Salesforce, using OAuth 2.0 for token management while also automatically handling token refreshes and exchanges.”

Third is asynchronous authorization, allowing agents to perform tasks with “human in the loop approvals”. And finally, fine-grained authorisation for Retrieval Augmented Generation (RAG), a capability that “allows you to protect sensitive data by ensuring AI agents only retrieve documents or data that the user has access to”, which is crucial for preventing overreach.
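As an added illustration (not Okta's code or API), here is the shape of that fourth tier in Python: the retriever is handed the end user's identity rather than the agent's own, and filters the corpus against per-document ACLs before ranking, so top-k truncation can never surface a document the user could not read directly. The corpus, users and groups are constructed for the example.

```python
"""Fine-grained authorization for RAG: deny-by-default ACL filtering applied
before ranking, so an agent acting on a user's behalf can only retrieve what
that user is entitled to read. All data below is constructed sample data."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Doc:
    doc_id: str
    text: str
    allowed_users: frozenset = frozenset()   # users with direct read access
    allowed_groups: frozenset = frozenset()  # groups with read access


@dataclass(frozen=True)
class Principal:
    user_id: str
    groups: frozenset = frozenset()   # group memberships from the IdP


# Constructed corpus with per-document ACLs (hypothetical, not Okta's data).
CORPUS = [
    Doc("d1", "vacation policy: 25 days annual leave",
        allowed_groups=frozenset({"all-staff"})),
    Doc("d2", "payroll export: salary bands by employee",
        allowed_groups=frozenset({"hr"})),
    Doc("d3", "incident retro: leaked salary spreadsheet",
        allowed_users=frozenset({"alice"})),
]


def can_read(principal: Principal, doc: Doc) -> bool:
    """Deny by default: access only via an explicit user or group grant."""
    return (principal.user_id in doc.allowed_users
            or bool(principal.groups & doc.allowed_groups))


def score(query: str, doc: Doc) -> int:
    """Toy lexical relevance: number of query terms present in the document."""
    terms = set(re.findall(r"\w+", query.lower()))
    return len(terms & set(re.findall(r"\w+", doc.text.lower())))


def retrieve(query: str, principal: Principal, corpus=CORPUS, k: int = 2) -> list:
    """Filter by ACL *before* ranking. Post-filtering top-k instead would let
    unauthorized documents crowd out results and leak their existence."""
    visible = [d for d in corpus if can_read(principal, d)]
    ranked = sorted(visible, key=lambda d: score(query, d), reverse=True)
    return [d.doc_id for d in ranked[:k] if score(query, d) > 0]
```

Calling `retrieve` with the agent's own service identity (no grants) returns nothing, which is the intended failure mode: the agent must carry the delegating user's identity, not substitute its own.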

“True security goes beyond ticking boxes”

Recognising a need for a universal understanding, Okta also recently established a unified industry standard, under its Secure Identity Commitment, for enterprise apps, resources, and workloads. The Interoperability Profile for Secure Identity in the Enterprise (IPSIE) is the OpenID Foundation’s newest tool against identity-based attacks.

“What we're seeing is that it is probably the most lucrative way for a threat actor to break in and once they break in, you get access to a session token, [and] the lateral movement threat is quite ridiculous,” explains Peri.

“So that's where IPSIE comes in,” continues Stephen McDermid, Okta’s CSO EMEA. “We're trying to look at how we minimize these risks. We do that through being able to first spot if a session token has been reused or has been stolen, but then how do we mitigate that? That's where things like universal logout come in, this idea that, you know, you remove a user's access from everywhere all at the same time.”

This only works if it's widely adopted, and “that's why the OpenID Foundation is so important,” McDermid affirms. The initiative means multiple vendors can meet and discuss, and Okta hopes the foundation will grow from here.

“We think this is the right thing to do, and so we're building that capability and trying to encourage more vendors to join the initial cohort, which they are doing now, with more organisations doing it, so I'm hopeful, you know, going into this year and next year you'll see more and more organisations talk about IPSIE and how they are committing to it,” he says.


Ellen Jennings-Trace
Staff Writer

Ellen has been writing for almost four years, with a focus on post-COVID policy whilst studying for BA Politics and International Relations at the University of Cardiff, followed by an MA in Political Communication. Before joining TechRadar Pro as a Junior Writer, she worked for Future Publishing’s MVC content team, working with merchants and retailers to upload content.
