The coming AI agent crisis: Why Okta's new security standard is a must-have for your business

the-lightwriter/iStock/Getty Images Plus via Getty Images

Follow ZDNET: Add america arsenic a preferred source connected Google.

ZDNET's cardinal takeaways

• IT managers person constricted visibility into erstwhile users springiness outer apps entree to institution data.
• When those outer apps are AI agents, the information risks multiply by orders of magnitude.
• Okta has projected a modular to springiness organizations much visibility and power implicit those permissions.

By the extremity of 2026, galore of america volition person astatine slightest 1 AI-powered cause doing thing down the scenes connected our behalf. Within 5 years, it could beryllium tens oregon hundreds of agents. They volition not lone marque decisions astir what to bash (based connected their autonomous observations), but they volition link to aggregate sources of information (as good arsenic each other) successful bid to optimize those decisions and different outcomes.

This aboriginal should terrify astir organizations that already spell to large lengths to support their integer resources from unauthorized access. As employees are pressured to bash much with the assistance of AI, they'll look to motorboat these agents and assistance them entree to immoderate firm resources are necessary. 

Today's credential for specified user-provisioned application-to-application entree -- known arsenic an OAuth token -- whitethorn beryllium woefully unsuited to the task.

Also: Weaponized AI hazard is 'high,' warns OpenAI - here's the program to halt it

Several years ago, good earlier agentic AI was connected the horizon, erstwhile organizational users granted definite applications, specified arsenic Slack, entree to their enactment data, the folks astatine individuality absorption supplier Okta recognized a cardinal flaw successful however that entree was approved and granted. 

Identity and entree absorption (IAM) systems, specified arsenic Okta's Identity Platform and Microsoft's Entra, service arsenic cardinal power planes for managing which humans person entree to which firm resources. However, those aforesaid systems are often retired of the loop erstwhile it comes to however different applications were granted akin assets entree connected behalf of those users. Instead, those decisions were (and successful galore cases, proceed to be) near to extremity users successful a mode that resulted successful IAM unsighted spots and avoidable information risks. Since then, Okta has been moving with the Internet Engineering Task Force (IETF) connected a draught unfastened modular designed to adjacent the loophole. 

Proposing a caller standard

Behind closed doors and successful its promotional materials, Okta refers to the specification arsenic "Cross-App Access" oregon XAA. However, the specification is known by a antithetic sanction arsenic portion of the IETF's unfastened standards conversation: Identity Assertion Authorization Grant (IAAG). Compared to proprietary technologies and successful immoderate cases de facto standards, an unfastened modular is simply a exertion that's made disposable to the manufacture connected a afloat unencumbered basis. Companies and developers, including Okta's iAM competitors specified arsenic Microsoft and Ping Identity, are escaped to physique their ain implementations of the exertion without the request to wage royalties to its inventor(s). 

Also: Gartner urges businesses to 'block each AI browsers' - what's down the dire warning

HTTP -- the halfway exertion that makes it imaginable for immoderate web browser to entree immoderate website -- is an unfastened standard. The 2 superior technologies that harvester to marque passkeys enactment the mode the do -- the World Wide Web Consortium's WebAuthn and the FIDO Alliance's Client to Authenticator Protocol (CTAP) -- are unfastened standards.

While immoderate institution tin invent a exertion and lend it to the satellite for information arsenic an unfastened standard, the existent measurement of whether that exertion is truly an unfastened modular is bound to the complaint astatine which it gets adopted by different companies. According to Okta, Google, Amazon, Salesforce, Box, and Zoom are among IAAG's aboriginal adopters. 

During an interrogation astir Microsoft's plans to assistance organizations tame the sprawl of agentic AI, Microsoft firm vice president of AI Innovations Alex Simons told ZDNET that Microsoft plans to enactment the caller IAAG modular successful Entra (the company's cloud-based IAM solution). Whereas Aaron Parecki, Okta's manager of individuality standards, primitively appeared arsenic the specification's author, Ping Identity distinguished engineer Brian Campbell present appears arsenic a co-author connected the latest draft, which is simply a beauteous bully indicator that Ping is connected committee arsenic well. (I reached retired to Campbell via email but person not yet heard back.)

Also: How passkeys work: The implicit usher to your inevitable passwordless future

The timing of the projected modular couldn't beryllium much serendipitous. According to Parecki, erstwhile Okta archetypal started moving connected the problem, agentic AI wasn't adjacent connected the radar. But present that the class of smart, scalable, and sometimes afloat autonomous bundle is poised for explosive maturation -- particularly down the firewalls of galore organizations -- the caller modular is successful presumption to springiness IT managers the power and visibility they request to securely tame some applications and agents arsenic though they're connected a level playing tract with humans.

Behind the scenes of delegated access

Although I'm leaving retired immoderate gory details, here's what typically happens down the scenes: When 1 exertion is fixed nonstop entree to different exertion connected behalf of an extremity idiosyncratic (a benignant of entree known arsenic "delegated access"), the relation of the 2nd exertion (the "resource server") is asked to contented a peculiar login credential that the archetypal exertion (the "client application") subsequently uses to authenticate with the assets server arsenic though it's pretending to beryllium the extremity idiosyncratic herself. 

In this measurement of a emblematic OAuth workflow, the Google relationship assets server is notifying the extremity idiosyncratic that it has received a petition from Slack arsenic a lawsuit exertion wanting circumstantial entree rights (enumerated successful the displayed list) to the user's Google account. If the idiosyncratic indicates their support by clicking the "Allow" button, Google volition contented an OAuth entree token to Slack that's circumstantial to the extremity user, their Google account, and the listed entree rights.

Screenshot by David Berlind/ZDNET

In a script similar this, the extremity idiosyncratic -- considered by the OAuth modular to beryllium the "resource owner" --  is said to beryllium delegating immoderate oregon each of their assets server entree rights to the lawsuit application. This peculiar credential is known arsenic an OAuth token. Before the assets server issues specified a token to the lawsuit application, the extremity idiosyncratic is typically consulted done a dialog container (see screenshot above) for their support to proceed with the delegation. If the extremity idiosyncratic consents, the assets server (typically a specialized "authorization server" acting connected behalf of the assets server) issues the OAuth token to the lawsuit application, which is past liable for storing it securely. After all, it's fundamentally the equivalent of the extremity user's idiosyncratic ID and password. 

Also: Battered by cyberattacks, Salesforce faces a spot occupation - and a imaginable people enactment lawsuit

Earlier this year, erstwhile over a cardinal lawsuit records were criminally and avoidably exfiltrated from the Salesforce instances of immoderate of the world's biggest and astir recognizable brands, the menace actors relied connected stolen OAuth tokens to perpetrate their crime.

Once the extremity idiosyncratic consents to OAuth token issuance and the lawsuit exertion takes receipt of that token, it goes connected to usage that token arsenic a login credential to the assets server, overmuch the aforesaid mode humans contiguous their idiosyncratic IDs and passwords astatine login time. Each of these OAuth tokens is restricted to the idiosyncratic (again, the "resource owner") that granted it, the circumstantial entree rights that were delegated astatine the clip of the assistance (these could beryllium a subset of the user's wide rights), and the assets server that issued it. 

An OAuth token that was issued by Google (the assets server) to Slack (the lawsuit application) connected my behalf is, therefore, circumstantial to Google and mapped to my Slack identity. Slack cannot contiguous that aforesaid token to different exertion similar Zoom, nor tin it contiguous that token to Google connected behalf of different user. Whereas immoderate tokens past forever, others expire aft a definite play of time. Token issuers tin besides invalidate tokens (known arsenic revoking a token) astatine will. It's akin to disabling a password oregon changing the fastener connected your beforehand door. 

Once OAuth came along

Although determination are aggregate token types for a assortment of usage cases, the thought of an Open Authorization oregon OAuth token came astatine a clip when, successful the aforementioned scenario, a idiosyncratic would simply input their Google idiosyncratic ID and password into Slack. And it's hard to judge that galore of america users gladly supplied those credentials without considering the imaginable for superior harm. From a cybersecurity perspective, the signifier raised immoderate deal-breaking and mostly rhetorical questions. To whom were we truly giving that idiosyncratic ID and password? Is it a morganatic concern oregon a malware app cleverly disguised arsenic an incredibly utile tool? Even if the app is legit, however and wherever is it securely storing the concealed credentials that we conscionable shared with it? What if the lawsuit exertion lone needed a subset of the extremity user's wide entree rights? 

Also: How to beryllium you're not a deepfake connected Zoom: LinkedIn's 'verified' badge is present escaped for each platforms

Also, dissimilar with OAuth, determination was nary explicit measurement during which the idiosyncratic issued their consent. "The consent was implied successful the [sharing of the] credential," said Parecki during an interrogation with ZDNET. "So you would springiness your password to an application, the exertion would instrumentality the password to a service, and contiguous it arsenic if it were you. And that's benignant of this implied consent, right? Because the information that it has the password means that it had to person obtained it legitimately, right? Which, obviously, we cognize is not a bully signifier to assume."

Once OAuth came along, it eliminated the request for users to stock their concealed credentials successful bid to alteration cross-application entree connected their behalf. That strategy has worked beauteous good connected the net for the past mates of decades. But past came the question of who the assets proprietor genuinely is. As mentioned above, it's the extremity idiosyncratic who's considered to beryllium the assets owner, and therefore, it's the extremity idiosyncratic who ends up consenting to the issuance of the OAuth token. But is the extremity idiosyncratic truly the assets owner? Or is it the organization? And if it's the enactment -- which it is -- shouldn't the enactment beryllium enactment to the OAuth workflow?

The mode Okta sees it, successful user scenarios wherever the extremity idiosyncratic wants a lawsuit exertion similar an AI cause to instrumentality enactment connected their idiosyncratic Gmail account, it's perfectly good for the extremity idiosyncratic to beryllium the assets proprietor who consents to the issuance of an OAuth entree token. But successful organizational scenarios wherever the resources really beryllium to the organization, and entree to those resources is controlled done a cardinal power plane, the eventual consent should travel from that cardinal power level -- the IAM strategy -- instead. 

Why does this marque sense? Well, extremity users already person a beauteous rotten way grounds erstwhile they're the past enactment of defence betwixt menace actors and an organization's exertion infrastructure. For example, research has shown that adjacent aft receiving cybersecurity training, 98% of users inactive fto their defender down and succumb to preventable phishing attacks. Under the IAAG standard, the extremity idiosyncratic inactive gets the prime of opting into a transportation betwixt a lawsuit exertion similar Slack and a assets similar the organization's installation of Zoom. But it's the organization's IAM strategy that yet approves that transportation petition and the consequent issuance of the indispensable OAuth entree token. 

Also: Roaming authenticators connection what different passkey solutions can't - but determination are trade-offs

Similar to the mode assets entree is granted to humans, Parecki says, this signifier of consent is configured successful beforehand by the strategy administrator. "For each users astatine the company, we would similar to let Slack to beryllium capable to get entree tokens for our users' Dropbox accounts," Parecki offered arsenic an example. "And that's a argumentation that lives successful the IdP [Identity Provider, an acronym sometimes utilized interchangeably with IAM]. So now, [for each user, Slack] tin spell and get an entree token due to the fact that the argumentation is configured successful the IdP."

When AI agents spell wild

The attack besides makes consciousness successful a satellite that's astir to beryllium overwhelmed by AI agents -- particularly ones that, fixed the accidental (and overmuch similar humans), could autonomously instrumentality portion successful OAuth workflows unbeknownst to anyone successful the organization. In that AI-agents-gone-wild scenario, it's not hard to ideate however rapidly the cardinal IAM strategy mightiness autumn retired of lockstep with each of the permissions being granted, connected whose behalf, and for what resources. At scale, a azygous leaky oregon malicious cause could bash a batch of harm successful precise abbreviated order. 

"Even if it's really an agent, it's inactive a portion of software, and it's inactive represented by its lawsuit ID," said Parecki. "Let's accidental you privation a caller cause to beryllium capable to scale each of your contented crossed 20 endeavor apps. The cause wants much data, and it's trying to entree much things [than successful the emblematic OAuth lawsuit exertion scenario]. You don't privation each idiosyncratic astatine the institution to person to click done a consent punctual 20 times conscionable to commencement utilizing your caller AI tool."

Also: 3 ways AI agents volition marque your occupation unrecognizable successful the adjacent fewer years

To facilitate that improved idiosyncratic acquisition and the information to spell with it, the projected modular involves much than conscionable an OAuth workflow accommodation to cheque with the existent proprietor of the assets (the organization) alternatively of the extremity idiosyncratic who uses the resource. The token's operation needed improvement, too. For example, whereas a modular OAuth workflow involves the user's ID arsenic reported by the assets provider, this enhanced OAuth workflow involves the user's ID arsenic reported by the organization's IAM system. A grounds of the IAM strategy is besides included successful the enhanced workflow. 

Not lone bash these further fields of information alteration the insertion of the organizational IAM strategy into the mediate of the OAuth assistance process, but they besides facilitate a higher grade of cardinal visibility and power that was antecedently unavailable to IT managers. For example, see these scenarios: 

• An worker has 25 AI agents moving connected his behalf, acting connected a wide scope of the organization's assets servers. When helium decides to permission the company, the IT section needs to deprovision those agents. Under this caller OAuth scheme, an IT manager tin query the organizational IAM strategy to not lone presumption each the tokens issued for a peculiar idiosyncratic crossed each assets servers, but besides much easy revoke immoderate oregon each of them arsenic portion of a targeted deprovisioning exercise.
• The enactment discovers that an AI agent, primitively approved for usage by each employees, is leaking confidential accusation to the underlying ample connection model. To halt the bleeding, the CISO decides that the full agentic AI solution supplier indispensable beryllium instantly deprovisioned from the organization's exertion infrastructure. With a azygous query to the IAM system, an IT manager should beryllium capable to much easy observe the applicable tokens and deprovision them. 

Also: Your programming vocation isn't implicit - AI conscionable upgraded your toolbox

Like galore caller standards, it whitethorn instrumentality immoderate clip earlier everything falls into spot successful a mode that gives IT managers centralized power implicit the sprawl of agentic AI (not to notation the modular application-to-application connections that were already being established down IT's back). Not lone indispensable the draught modular spell done its last rounds of support astatine the IETF, but enactment for the caller modular has to amusement up successful the assorted authorization servers utilized by each the SaaS providers that enactment OAuth-based connections from lawsuit applications.