Who Governs Your AI Agents? Identity, Offboarding & Open Standards

View Show Notes and Transcript

Are overprivileged AI agents the biggest emerging threat in cybersecurity? In a recent high-profile attack, a vibe-coding company had its entire source code stolen because an attacker exploited a long-lived, overprivileged token tied to a third-party AI agent.

In this episode, Ashish sits down with Ely Kahn, CPO at Okta, to unpack the challenge of managing Non-Human Identities (NHI) in the AI era. Ely explains why traditional, static human permissions completely break down when applied to autonomous agents.  To solve this, Okta has spearheaded Cross-App Access (XAA), an extension of OAuth that uses an Identity Assertion Grant (ID JAG). This open protocol, backed by 25+ partners, including Anthropic, XAA securely passes the baton between apps without annoying consent pop-ups or dangerous static API keys.

We also explore the four maturity levels of agent authorization, ranging from broad API keys to the ultimate "North Star" of intent-based security. Learn the difference between SPIFFE (for internal cryptographic identity) and XAA (for downstream resource authorization), how the Linux Foundation is building an Agent Domain System, and why every CISO needs an immediate "kill switch" for rogue AI agents.

Questions asked:
00:00 Introduction
02:50 Ely Kahn's Background: From DHS to Okta CPO
04:00 Why AI Agent Identity is Different from Human IAM
06:30 The Danger of Overprivileged Tokens: A Source Code Breach Case Study
08:30 Introducing Cross-App Access (XAA) and ID JAG
11:00 Agent Identities: Acting on Behalf of a User vs. Autonomous Scopes
13:00 SPIFFE vs. XAA: Workload Identity vs. Resource Authorization
14:30 The Linux Foundation's Agent Domain System for Cross-Company Passports
18:00 Assuming Breach: Why Prompt Injection Makes Identity the Highest ROI Security Action
19:30 The 4 Maturity Levels of AI Agent Authorization
21:00 Intent-Based Security and Zero Standing Privilege
23:00
How to Offboard AI Agents and Manage Identity Governance (IGA)
27:00 The 3 Governance Questions Every CISO Must Answer
28:50 Implementing a Universal Kill Switch for Rogue Agents

Ely Kahn: [00:00:00] Agents will be breached, and we have to assume breach on agents

Ashish Rajan: Prompt injection is almost an impossible problem to solve with the way we use systems today.

Ely Kahn: They had their entire source code stolen basically because of an attacker found a token, a long-lived, overprivileged token associated with the agent that they were using.

Ashish Rajan: We don't have a great answer for, uh, identity of AI agents, at least, uh, not one that we have been solidly getting behind.

Ely Kahn: People give agents long-lived, broadly scoped permissions to basically do anything that they may need to do in the future, and this is where companies can get into trouble.

Ashish Rajan: I don't know you've spoken about off-boarding.

Ashish Rajan: I, I don't know anyone who's talking about off-boarding an AI agent. I don't even know if that's a thing people do. People just make agents and they walk away from it.

Ely Kahn: The agent has zero standing privilege and instead, at tool invocation time, an assessment is made as to whether that agent is trying to make a tool call that is [00:01:00] aligned with the intent of that agent.

Ely Kahn: Ensuring that they have secure least privilege identities is the highest ROI security action that you can do.

Ashish Rajan: It's hard to escape NHI agent identity as a conversation, especially if you work in cybersecurity today and maintain infrastructure identity across a multi-cloud, hybrid cloud environment with AI agents floating around everywhere without an identity control.

Ashish Rajan: The broad reason for this used to be that there were not that many standards, and existing standards were not really working. So I had a conversation with Ely Kahn. He's the chief product officer at Okta, and we spoke about XAA, which is the extension of OAuth open standard that they have been working on with Anthropic.

Ashish Rajan: Claude recently announced their own Claude Tag and Claude Identity. We spoke about all these different standards which one is relevant for the identities that you guys are trying to manage in terms of human identity, non-human identity, the AI agent identity, MCPs and everything else that goes around it?

Ashish Rajan: Because even though identity has been there for [00:02:00] a long time and the building blocks may remain the same, what is different is the environment and what is different is that prompt injection is not solved even today. So it's good to hear that the standards are being developed to address the agent identity and keeping it separate from the human identity, which is where a lot of the worry was coming from.

Ashish Rajan: So all that and a lot more in this episode of Cloud Security Podcast. As always, if you have been listening or watching an episode of Cloud Security Podcast and have been finding it valuable, I would really appreciate if you take a quick second to drop the follow and subscribe button. We are on all the podcast platforms, including Spotify, Apple, YouTube and LinkedIn.

Ashish Rajan: And shout out to Okta for sponsoring this episode as well. I hope you enjoy this conversation. I'll talk to you soon. Hello, and welcome to another episode. I've got Ely Kahn with me. Hey man, thanks for coming on the show.

Ely Kahn: Great to be back.

Ashish Rajan: I know. Like you've, you've-- I think it's like the third or the fourth time, so I'm super excited 'cause this time we're... the topic is identity. But before we get into that, uh, maybe if you give us a bit brief about your, uh, background, what you've been up to, and what are you doing today these days.

Ely Kahn: All [00:03:00] right. Sounds good. I'll start with what I'm doing today. I'm, I'm the Chief Product Officer at Okta. I've been here for about five months, but I've been doing cybersecurity my entire career, starting in the US government and intelligence community, doing cybersecurity at the Department of Homeland Security in the, the early days of cyber at DHS and then at the White House working at the National Security Council staff I then co-founded a startup called Sqrrl, which was an early pioneer in threat hunting and security graphs, which was acquired by AWS, and then spent four-plus years building product there.

Ely Kahn: Led the launch and the build-out of AWS Security Hub, and then made the jump over to SentinelOne, uh, where ultimately I became CPO there.

Ashish Rajan: Awesome. And I guess talking about identity, specifically agent identity, is top of mind for a lot of people. I think some people are calling 2026 is supposed to be the year of the AI agents, and yet we don't have a great answer [00:04:00] for, uh, identity of AI agents.

Ashish Rajan: At least, uh, not one that we have been solidly getting behind. Yeah, so my hope is at least we get some more clarification during this q- Q&A that we do. Wanna maybe start with why is the identity challenge with AI agent different to what we have done traditionally? Because a lot of people already have an IAM team.

Ashish Rajan: Think of any enterprise out there, all of them have an IAM team. They've done SAML, they've done SSO. We even solved, and you were in the cloud space as well. So we, we solved that in the cloud world as well for CLI. How is it different this time?

Ely Kahn: Yeah. Well, and to be honest, this is the main reason I came to Okta was to solve this.

Ely Kahn: I think it's one of the most exciting problems in cybersecurity today, and it's a bit of a paradox. I'll explain. In some ways it's not different at all in that you need, uh, least privileged identities. You need to govern those identities through things like IGA. You need to provision access to privileged resources through things [00:05:00] like PAM.

Ely Kahn: You want to monitor for unused privileges via things like ISPM. You want to monitor for anomalies in that usage via things like ITDR, identity threat detection and response. So a lot of the building blocks are the same.

Ashish Rajan: Mm.

Ely Kahn: But, but there are a number of unique problems here to solve that are specific to agentic identities.

Ely Kahn: A few of the, the interesting problems with agentic identities is that there are multiple different types. So you have agents that can act on behalf of humans. You also have now more autonomous agents think Claude tags that just have their own unique identity that need to be defined. But, you know, one of the key differences between human identities and agentic identities- is that humans you can get away with more static permissions.

Ely Kahn: You know, humans' [00:06:00] roles and goal, objectives and goals don't change that often. But with agents, you're giving them new problems to solve all of the time, and the most effective agents are the ones that are gonna be very autonomous. And it's very hard to predefine every permission that autonomous agent may need, which leads us to one of the biggest problems with agents.

Ely Kahn: People give agents long-lived, broadly scoped permissions to basically do anything that they may need to do in the future. And this is where, this is where companies can get into trouble. You know, there's been some big breaches very recently. Just, uh, there was a big one in April, a vibe coding company had their entire source code- What, what code?

Ashish Rajan: Yeah ...

Ely Kahn: Yeah, they had their en- entire source code stolen basically because of an attacker found a token, a long-lived, overprivileged token [00:07:00]associated with the agent that they were using, this was a third-party agent, and then used that to move into the company, move laterally, and ultimately get access to that source code.

Ely Kahn: Long-live, overprivileged tokens, this is the problem that, uh, that we all need to solve in terms of agentic identities.

Ashish Rajan: A couple of things I took away from what you sh-shared. So funny, when I used Claude, initially my security brain, every time it would ask me for permissions for, "Hey, can I access, I don't know, your Gmail or..."

Ashish Rajan: I was the one who was, like, giving it, "Allow for this time, allow for this time, allow for this time." After a point, I was like, "Ah, how many times do I do this?" Yes. And the, and I think maybe to what you said, it's such a human thing for us to just kinda go, "Okay, I know I'm gonna use this. It's in my environment.

Ashish Rajan: It should be fine." A lot of people, obviously the example that you gave earlier about the third party compromise, I thought OAuth and other things was kind of related. Doesn't OAuth consent kind of help? 'Cause [00:08:00] nowadays we obviously have, it's not just my cloud access, it's also my Slack access, my Asana, my Google Drive.

Ashish Rajan: There's so many interconnected capabilities that I'm single sign on or, uh, I'm, I'm doing a federated access to. Uh, how do... does OAuth is, does a better job in this?

Ely Kahn: Yeah, I mean, um, we've built our solution around OAuth. But- There is a pain point there. Imagine that you've built out an AI agent and you've asked it to check your team's Slack grab an update, look at your calendar, and then maybe update a project board on Trello.

Ely Kahn: Historically, to make all those apps talk to each other developers had two choices. Either give that AI agent a permanent master key, like a static API key, which is, as we know, very unsafe if leaked- ... or bombard the user with constant [00:09:00] annoying, "Do you give permission?" pop-ups every single time the AI tries to do something.

Ashish Rajan: Yeah.

Ely Kahn: And that's, that's where this new standard called Cross-App Access, or XAA, comes into play. So it's a new identity protocol.

Ashish Rajan: Okay.

Ely Kahn: Uh, Okta led the development of this, um, with a number of partners, including Anthropic.

Ashish Rajan: Yeah.

Ely Kahn: It's designed to let apps and AI agents securely pass the baton to one another without bothering the user and without using those sketchy permanent- Oh

Ely Kahn: access keys.

Ashish Rajan: How would that be different? 'Cause sounds like it is OAuth, but how is that different?

Ely Kahn: So under the covers, the way that this works is that, um, if you're using a platform like Okta, you can set up and define which apps your agent should have access to, and you, you essentially predefine which apps are approved.

Ely Kahn: And then, uh, we use [00:10:00] something a new standard called ID JAG, which is, uh, an identity assertion grant, and that allows us to have an identity provider in the middle of these interactions and automatically grant access without any sort of consent pop-ups, uh, happening. So- Oh,

Ashish Rajan: interesting. Yeah.

Ashish Rajan: So and I guess to your point, is that in the way sim- similar to the Claude ID that you, that you were referring to, where is it still using my identity or is it using its own identity? 'Cause I mean, that's kind of like the bottom line for what- Yeah ... most people would be wondering is that-- 'cause in an OAuth context, I'm giving my identity to Ely and-- or my Ely agent, let's just say, and like, "Hey, just do whatever, use my permission for it."

Ashish Rajan: What would be different in this context with XAA or ID JAG? Is it passed on?

Ely Kahn: Yeah. Uh, it can work in either way. Uh, you can work on behalf of a human, uh, and if it's [00:11:00] working on behalf of the human, it takes the intersection of the permissions that that human has and the permissions that have been granted to the agent.

Ely Kahn: So- Oh ... when you're setting up the agent's permission, you're giving the agent specific scopes that it has access to. So maybe it can read Slack, update your calendar, update Trello. Those are scopes that you grant it access to.

Ashish Rajan: Yeah.

Ely Kahn: And then, uh, but if the, the user doesn't have one of those scopes, it will operate at the intersection of the permissions.

Ely Kahn: So it'll always be least privilege, the combination of the human permissions and the scopes that have been granted to that agent. It could also work fully, in a fully autonomous mode where the agent has scopes and it's not tied to a human at all.

Ely Kahn: It just has its own unique, independent identity.

Ashish Rajan: All right. Okay. So to your point, this is more [00:12:00] like how we have dealt with service account for a long time, where it could be a service account or it could be Ashish's account, but at least you've granted the scope of the permission beforehand, unlike in OAuth where I think there's only one option.

Ashish Rajan: I mean, there are diff- multiple kinds of grants, but... 'Cause there's another, actually XAA, is that something that only can be used with Okta or are there other providers, any single sign-- 'cause obviously people are Microsoft people as well and all of that as well.

Ely Kahn: Yeah. So the great thing is that this is an open standard.

Ely Kahn: It can be used by anyone. So there's been a real surge in momentum around this standard because basically, you know, if you're one of these ISV vendors and you want your product to work seamlessly with agents, including things like Anthropic managed agents or Claude managed agents, this removes a lot of that friction.

Ashish Rajan: I think one more I guess in the world of acronyms, I'm sure there, um, people are tired of listening to ac- acronyms and identity.

Ashish Rajan: There's another one that's floating around [00:13:00] at the moment called SPIFFE, S-P-I-F-F-E.

Ely Kahn: Yeah.

Ashish Rajan: Yeah, sure. How does that compare to this? And obviously, am I an identity company-- Oh, sorry, never mind. I'm a identity team member in an, in a large enterprise where I already, I already have SSO, SAML, and all the other standards that I've implemented.

Ashish Rajan: How am I making a choice between SPIFFE versus XAA versus without, without-- Like, how do I know the difference between the two and what makes sense where?

Ely Kahn: Yeah. Yeah. And fortunately, you don't need to choose. These things are designed to work i- in tandem with each other. Oh. Yeah. So, you know, SPIFFE is, um, instead of using static passwords, SPIFFE gives every workload or every AI agent a unique verifiable digital identity.

Ely Kahn: So it's, it's, uh, a SPIFFE ID is cryptographically encoded-

Ashish Rajan: Yeah ...

Ely Kahn: into a short-lived, uh, document, you know, really typically an X.509 certificate. [00:14:00] And that is used to prove, the identity of that agent. Whereas XAA is s- solving a different problem. XAA is, okay, how do we remove the friction for what that agent c- can then connect to from a resource perspective?

Ely Kahn: So they're, they're solving different parts of the puzzle at different ends of the puzzle. SPIFFE, you know, is also really designed for proving identity within your own environment.

Ashish Rajan: Yeah.

Ely Kahn: There's also some really interesting new work, uh, happening to prove agent identities cross-domain, like sort of across companies.

Ely Kahn: The Linux Foundation just came out last week with a, a new initiative that's mirrored off the domain name, uh, system, the DNS system.

Ashish Rajan: Yeah.

Ely Kahn: And, uh, and is creating an agent domain [00:15:00] system, and this is designed to provide each agent essentially like a passport ID that can work cross-domain across companies.

Ely Kahn: So SPIFFE is very good for creating that unique cryptographically secure identity for an agent inside of a company, and then this new agent domain system would be cross-company.

Ashish Rajan: Well, I guess because to your point, most, and I guess the number one worry that people have with AI agent, it's not just the part where, hey, it can use credentials from Ashish, but it's more what it can access with Ashish's credentials, where it's like this.

Ashish Rajan: To your point, resources is the number one thing. I don't know what kind of resources. So, to, to your point then, if that is a concern that I have, then something like an XSA probably makes more sense, because I imagine most companies use SaaS providers these days, like, and workload and everything else is SPIFFE.

Ashish Rajan: Did I get that right?

Ely Kahn: Yeah. Yeah, that's right. That's right. I mean, XSA is, it's really about what resources can that agent connect to [00:16:00] versus SPIFFE is, you know, is this, what's the identity of this agent? You know, what's sort of a unique ID for this agent so I can ensure that this agent is who it says it is.

Ashish Rajan: I think the other part, which is, and I love how you kind of... Well, it was a great segway into my question, which is, uh, once I know who the agent is- How do I check whether the agent should be able to do this action or not, which is the authorization piece. Yeah. The agent authorization, there's an unfortunately or fortunately for me, I started my career in identity and- Okay.

Ashish Rajan: there, there, there used to be this thing- I was

Ely Kahn: wondering where all these really good questions came from. Yes.

Ashish Rajan: Yeah. I mean, funny enough I think my, the short story or the sad story behind this is that I, before I got into cloud, I was in identity for a long time, and I could not wait to get out of that.

Ashish Rajan: I was like, "How long can I talk about username and passwords?" And you know what, Ely? I am still talking about username, passwords, and identity after all these years. Like that has not left me, and I'm like, "Oh, wait, identity is the core of a lot of [00:17:00] things." So I understand why I still talk about it. But- Yeah

Ashish Rajan: the po- the part being-

Ely Kahn: I'd say- Yeah ... I'd say, uh, just one quick point on that, I think identity is having its moment right now.

Ashish Rajan: You know? Yeah. Yeah. I know. Which is why it's like- Yeah ... it's a sad thing as well. I'm like, "Wait, I was supposed to leave this field." No, no. Behind me, but it, it somehow is getting more popular day by day.

Ashish Rajan: More pe- more people want to jump onto it. I'm like, "Why? Why haven't we solved this?"

Ely Kahn: I think the reason why... So I, I think about identity as suddenly it's invited to the, the cool kids' table.

Ashish Rajan: Yeah. It's on the big table now, yeah.

Ely Kahn: Yeah. I think- Especially because- I think the reason for this-

Ashish Rajan: Yeah ...

Ely Kahn: is agents will be breached.

Ely Kahn: I don't think this problem of prompt injection- ... is, is gonna go away anytime soon.

Ashish Rajan: No.

Ely Kahn: And we have to assume breach on agents. Yeah. And, you know, as a result, we have to think about how do we reduce the blast radius if an agent is compromised, and a lot of that comes [00:18:00] down to identity issues.

Ashish Rajan: Yeah. Yeah.

Ely Kahn: Um, you know, in terms of securing your AI agents, uh, you know, I would, I would argue that, you know, ensuring that they have secure, least privilege identities is the highest ROI security action that you can do.

Ashish Rajan: Yeah. Yeah. I think it's proven even more, uh, valid after a lot of research came out around the fact that prompt injection is almost an impossible problem to solve with the way we use systems today.

Ashish Rajan: Systems have to be completely different for it to not be a thing. But one thing on that with the prompt injection being, again, on the server side and the client side, whatever, the thing that has been interesting is that we spoke about validating who the agent is and what credential they have. The second part of it, which is always an interesting conversation, like when we were doing work with SAML and single sign-on, the least friction part was that, hey, we let the authorization part to be with the application team.

Ashish Rajan: Now, I don't know how that works in an AI agent con- category where now I am talking to all these third party, which is a Slack, Asana, Google Drive, and all of [00:19:00] that. How do people approach agent authorization and should it be-- Like where should the layer of authorization sit in terms of how do you govern the connection as well?

Ashish Rajan: Like what's your take over there for that?

Ely Kahn: Yeah. I think there are three maturity levels when it comes to agent authorization. And maybe I'll put a I'll put a fourth in there as well as, as a bonus one that is sort of where, where we're headed. You know, the most basic one and, and the the least secure one is, you know, just giving your agents...

Ely Kahn: treating your agents like service accounts and just giving them, broad access via API access keys. I think that's, that's where a lot of agents started, and that's where we need to move away from as quickly as possible because the blast radius is so big there if that agent is compromised. Next up, which, you know, where a, a lot of, of companies are now moving, is granting [00:20:00] agents coarse-grained access via scopes.

Ely Kahn: Um, very similar to how you'd set up, an OAuth pr- flow, but, you know, granting those agents specific scopes to go do jobs and then, when they're then granted short-term ephemeral tokens specifically around those scopes. And that's how XAA works. Now the next up is fine-grained access controls. And with fine-grained access controls, you can go beyond just those coarse-grained scopes and ta- take into account things like data sensitivity. Maybe you want to grant that agent a read access into your Google Drive, but you also want it to obey data labels that you've attached to files in Drive so that maybe it can access, you know, things labeled as restricted.

Ely Kahn: The next level beyond that, [00:21:00] which, uh, I'd say in general we're not quite there yet as an industry, but there's some really exciting research happening and some new new standards that are starting to be thought about, is, uh, what's sometimes referred to as intent-based security With intent-based security, the agent has zero standing privilege.

Ely Kahn: No access is given to the agent in terms of standing privileges. And instead, at tool invocation time, an assessment is made as to whether that agent is trying to make a tool call that is aligned with the intent of that agent. And then a dyna- dynamic permission is generated and granted for that agent to make just that single tool call, and then is revoked once it's completed.

Ely Kahn: That's sort of the, the grand vision here. It's something that, you know, we're thinking a lot about at Okta right [00:22:00] now. And that's where I think, you know, where we have to ultimately move towards when it comes to agentic identity security.

Ashish Rajan: I think to your point, because if most systems are going to be autonomous using AI agents, the volume would just grow to a point where there's no human way possible for you to sit and approve every single scope out there.

Ely Kahn: Exactly, exactly. We're gonna have to use things like guardian agents that are assessing whether that tool invocation is, is acceptable or not and aligned to what that agent was set up and intended to do.

Ashish Rajan: Yeah. I think this made me just think of something. We-- So far we, we have been talking about onboarding of AI agents.

Ashish Rajan: We haven't really spoken about offboarding, and I don't know anyone who's talking about offboarding an AI agent. I don't even know if that's a thing people do. People just make agents and they walk away from it. But if we were to use your analogy of, okay, so the, the different levels to having an AI agent maturity, onboarding, cr- et cetera, what does it look like from [00:23:00] an offboarding perspective?

Ashish Rajan: I guess, is that the same as me offboarding Ashish on the system or-

Ely Kahn: Yeah.

Ashish Rajan: How do you guys see that? Yeah,

Ely Kahn: so I'll, I'll talk about offboarding in a couple different ways. One, through the lens of identity governance and administration. And another through the lens of something we call a kill switch. So when it comes to identity governance and administration actually agent off-boarding does look a lot like human off-boarding.

Ely Kahn: Sort of-

Ashish Rajan: Oh,

Ely Kahn: okay ... human leaver, joiner, mover functions.. We support both reviewing whether humans should have access to these agents, and the new capability is whether agents should continue to have access to specific resources.

Ely Kahn: And those can, that can be done via standard campaigns. We'll also layer in AI to help automatically assess whether a particular agent is overprivileged relative- Yeah ... to [00:24:00] what, you know, its current behavior is. Like, does it have, uh, scopes that it never uses? Like, those would be good ones to revoke, as an example.

Ely Kahn: And then, typically agents don't leave a company, but- ... maybe they're not used for an extended period of time, and if agents aren't being used for an extended period of time, uh, yes, they should be, uh, they should be off-boarded and, uh, both in terms of human access to them or if they're an autonomous agent, you know, just removing their access to resources.

Ely Kahn: So it's, that, that's actually pretty similar. In fact, we've got customers that just, they want the same capabilities that they have for humans, like-

Ashish Rajan: Yeah ...

Ely Kahn: separation of duties and analysis of toxic combinations of permissions, just like we do for humans.

Ashish Rajan: Would you say then the XAA protocol or whichever ID Jag and I think we, the, some of the protocols you spoke about, is that...

Ashish Rajan: 'Cause obviously not everyone may be an Okta customer, so for people who may not be an Okta customer today, for them to [00:25:00]understand this, they probably should consider having, if they're thinking of building an identity program, should consider having a, sounds like XAA, the open standard, or SPIFFE, whichever one that fits right for them.

Ashish Rajan: In terms of off-boarding a user then, does that protocol, does, help them identify and kind of go down that path of, you know, do, do what people used to do with SAML and single sign-on there? Hey, I, uh, one thing you said, mentioned this earlier, my list of approved apps versus ones that I don't want people to go on.

Ashish Rajan: Can the similar thing happen in XS- XAA? There's too many acronyms. In XS- Yeah. Oh, not XS. I'm thinking of XSS. Like XAA. I'm like, too mu- spent too much time in cybersecurity, you think of all the XSS. XAA protocol, uh, does that also allow for people to use that for an AI agent i- almost like a inventory, for lack of a better word?

Ely Kahn: Yeah, yeah. It does give you the visibility that you may have been missing in terms of- What are the [00:26:00] approved SaaS applications, and even like the specific scopes with those SaaS applications that your AI agent should have access to?

Ely Kahn: You know, what it doesn't have, which is, you know, where like an identity governance product would come into play is, the campaigns, the access reviews, the access certification workflows to continually assess whether it has the right access over time.

Ashish Rajan: Yeah. And do you find that with the board today asking questions about, "Hey, what are we doing about AI?" And, "We should have shipped the agents yesterday." I-- Is there a governance bar that-- 'Cause o-obviously every enterprise out there and most organizations have done the standard, "Hey, I want federated access for every employee.

Ashish Rajan: I want them to single sign on," whether it's Okta or whatever the provider, identity provider they might be using through Microsoft, et cetera. In terms of, we spoke about onboarding, we spoke about off-boarding, is-- And you men-mentioned the different levels of AI [00:27:00] agent usage people can have as well. Is there a minimum or do you feel like an MVP governance bar that people who may already have an identity program should think about before having agents access, say, production data or being deployed into production?

Ely Kahn: Yeah. The way that, that we think about it is, uh, is through three simple questions in terms of that governance bar, and you should be able to answer these, the, these three simple questions. First, where are my agents? And this is both your known and your unknown or shadow AI agents. So you need the ability to register your known agents into a universal directory or agent registry, and you need the ability to discover shadow AI agents inside your organization.

Ely Kahn: And, you know, that can be complex because you need to be able to discover shadow AI, AI agents maybe operating at the browser level but you also may want to be able to [00:28:00] discover things installed locally on machines, whether it be agents or the MCP servers that they're using. And so, yeah, you need to be able to answer that question, where are my AI agents?

Ely Kahn: From there, the second big question is what can those agents connect to? And this is where XAA comes in. Also, if you have an agentic identity governance solution like the one I mentioned, uh, this is also where that would come in. The third question is what are they doing?

Ashish Rajan: Mm-hmm.

Ely Kahn: And being able to do runtime monitoring of these AI agents.

Ely Kahn: Typically for that, you would want some sort of agent or MCP gateway to facilitate that so that you're logging every agent tool invocation. But you also wanna be using those logs to look for anomalies or other types of behavioral indicators of malicious activity. And, you know, the last piece would be like once you've identified That there is malicious or [00:29:00] suspicious behavior, you want an ability to cut off agent access immediately and universally.

Ely Kahn: And this is where the idea of a kill switch comes into play. And, uh, thi- you know, kill switch or universal logout is something that Okta offers for human identities. Now we're, we've extended it to agentic identities. So the ability to ultimately, if something bad is detected, you know, if a threat is detected associated with that agent, to be able to immediately automatically shut off access, contain that blast radius.

Ashish Rajan: Interesting. I think, um, it just, just made me think of something as well. You know how obviously XSA is being, is open and vendor neutral.

Ely Kahn: Yeah.

Ashish Rajan: And obviously, uh, you mentioned it's Okta's obviously spearheading it. How do you- It's,

Ely Kahn: it's, it's extension of OAuth, by the way. I don't know if I mentioned that earlier, but

Ashish Rajan: XSA- Oh, no, no

Ashish Rajan: extension of OAuth Okay. So it's an extension of O- existing OAuth standard.

Ely Kahn: Yes. It's a, it's an extension of OAuth. Yeah.

Ashish Rajan: And but is with, uh, with Okta kind of [00:30:00] spearheading this at the moment, obviously a lot of people would ask, how are you gonna keep it vendor neutral, and how do you keep it open for everyone else to a- adopt the standard?

Ashish Rajan: Is there, I, I don't know, is there measures you guys are taking, or how are you guys approaching this to maintain that leading standard for- Yeah ... agentless authentication?

Ely Kahn: I mean, w- that's the great thing about Okta, I think, is we, our entire strategy as a company is focused around open standards.

Ely Kahn: So, you know, it, in some ways it, it causes us to operate a little bit slower, because we work- ... based through standards bodies.

Ashish Rajan: Yeah.

Ely Kahn: Uh, but yeah, XAA it's extension of OAuth, so it's, it's worked through OAuth standards bodies. Um, you know, it's certainly been buoyed by, you know, adoption of Anthropic, and Anthropic built it into the MCP server protocol.

Ely Kahn: So it's also now part of the MCP server protocol, which is been maintained by Anthropic [00:31:00] And yeah, so we've been working collaboratively. You know, any identity provider is open to uses, use XAA just like they're open to use OAuth 2.0.

Ashish Rajan: Interesting. And for CISOs who are probably, uh, watching or listening to this, what's your take on them building an identity program or up-upping an identity program?

Ashish Rajan: Any thing-- Obviously, you called out the fact that hey, knowing what agents you have, can you off-board them? How do you onboard them? What the list is. Is there a easy hanging fruit or is there a tactical thing that they can use to approach today? Because as we were saying earlier, I mean, I joke about the fact that the agent should have shipped yesterday.

Ashish Rajan: They have shipped yesterday. We're just finding out about them today is a reality for a lot of people. I'm curious as to if in the order of things you kinda called out, is there one that you recommend over the other that, hey, maybe that's a good one to start with as a tactical thing while they figure out SPIFFE and XSA and everything else that they have to think about?

Ely Kahn: Yeah. You know, I think the two pieces where I [00:32:00] see customers starting out and, having the strongest need for, you know, regardless of your AI agent maturity- Mm-hmm ... uh, is knowing where your agents are and importing them into a registry. And then secondly, ensuring that you're at least assigning those AI agents core screened scopes, and not using, API access keys with broad permissions to give them Access to downstream resources.

Ely Kahn: Those are the two pieces where I'd recommend folks start.

Ashish Rajan: Yeah, I guess to what you said earlier in the beginning of the recording as well, that the standards haven't changed, it's just that we have a different environment that we're dealing with.

Ely Kahn: Yeah, exactly. Exactly. Like, the building blocks are all the same.

Ely Kahn: You, you need- Yeah ... the same set of identity tools, ISPM, ITDR, identity provider and uh, yeah, there's, there's some new standards, but yeah, the building blocks are the same.

Ashish Rajan: Awesome. That's all the [00:33:00] questions I had for you. Obviously, uh, you... We spoke about the cross-app access announcement that you guys did as well.

Ashish Rajan: Where can people learn more about the work that Okta is doing and the cross-app access and everything else that you guys are building towards?

Ely Kahn: Yeah, check out our blog, uh, o-okta.com. We've got, uh, a number of resources there in terms of some of these recent announcements that we've done with Anthropic and those 25 plus other, uh, ISVs that are adopting XAA.

Ely Kahn: We've also got a really cool resource for developers called xaa.dev. Okay. So if you wanna learn more deeply how to build XAA into your agentic applications and into your AI agents, xaa.dev is a great place to start.

Ashish Rajan: Awesome. I'll add those in the shorts as well. And, uh, for people to reach out to you, I imagine LinkedIn.

Ashish Rajan: You've come here-

Ely Kahn: Yeah ... before. I'm al- I'm always on LinkedIn, so- I'll, uh- ... uh, so you can find me there ...

Ashish Rajan: I'll, I'll put your LinkedIn information in there as well. Uh, but thank you so much for coming on the show, man. I really appreciate you doing this and sharing about the open standard that you [00:34:00] guys are building.

Ely Kahn: Thank you. Appreciate it, Ashish.

Ashish Rajan: Thanks, everyone. Thank you for listening or watching this episode of Cloud Security Podcast. This was brought to you by techriot.io. If you are enjoying episodes on cloud security, you can find more episodes like these on cloudsecuritypodcast.tv, our website, or on social media platforms like YouTube, LinkedIn, and Apple Spotify.

Ashish Rajan: In case you are interested in learning about AI security as well, do check out our sister podcast called AI Security Podcast, which is available on YouTube, LinkedIn, Spotify, Apple as well, where we talk to other CISOs and practitioners about what's the latest in the world of AI security. Finally, if you are after a newsletter, it just gives you top news and insight from all the experts we talk to at Cloud Security Podcast.

Ashish Rajan: You can check that out on cloudsecuritynewsletter.com. I'll see you next episode.

Peace out.

No items found.
More Videos