SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers

Okta unveils tools to detect & govern shadow AI risks

Fri, 13th Feb 2026

Okta has launched new security tools aimed at identifying and managing "shadow AI", as companies face growing risks from employees creating AI agents and connecting them to business applications without formal oversight.

The update centres on a new Agent Discovery function within Okta's Identity Security Posture Management product. It is designed to find AI agents across approved and unapproved platforms, highlight identity risks and misconfigurations, and show what systems and data each agent can access.

AI agents are software programmes that can act on a user's behalf, automating tasks and interacting with other applications. That autonomy can also create operational and security problems when agents are deployed outside IT controls.

Shadow AI risk

Concerns about unsanctioned technology are not new. Many organisations have spent years dealing with "shadow IT", where staff use unapproved apps or services. Security teams now describe a similar pattern with AI, as staff use generative AI tools and agent-building services in day-to-day work.

Gartner reports that 69% of organisations suspect or have evidence of employees using prohibited generative AI tools. It also predicts that by 2030, more than 40% of enterprises will experience security or compliance incidents directly linked to unauthorised shadow AI.

Okta is positioning identity management as a primary lever for controlling AI agents. It argues that agents typically operate in the application layer using non-human identities that can carry broad access privileges.

"Identity is the control plane for the agentic enterprise," said Harish Peri, SVP & GM of AI Security at Okta.

Peri said AI agents "don't operate at the network, endpoint, or device layer - they live in the application layer and use multiple non-human identities with broad, long-lived privileges." He added that discovering and mapping each agent and its permissions is intended to give organisations the visibility and governance needed to secure both sanctioned and shadow AI at scale.

How it works

Agent Discovery is designed to detect OAuth consent grants that link an AI tool to a business application. OAuth is widely used for delegated access and can allow a tool to read or act on data in another system without exchanging a password, depending on the permissions granted.

The feature is intended to identify agents created in unsanctioned platforms and unvetted agent builders, and to surface these connections early, before they become deeper integrations between applications or custom API links.

Okta says the service integrates with web browsers, including Google Chrome. It uses browser signals to map the connection between the client application, which may be an AI tool, and the resource application, which is the data source. It can then alert security teams when an unknown agent gains access to sensitive systems.

The tool also shows the permissions and scopes granted to an agent, which can reveal when an application has bypassed internal review processes.
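The kind of review described above can be sketched as a triage pass over OAuth consent-grant records. This is an added example, not Okta's implementation and not code from the article. The record fields, app names, scope strings, allowlist and severity rules are all assumptions made for illustration.

```python
from dataclasses import dataclass
# Assumptions (not from the article): the allowlist, the sensitive-resource
# set and the scope heuristics below are hypothetical policy inputs.
SANCTIONED_CLIENTS = {"corp-approved-assistant"}
SENSITIVE_RESOURCES = {"hr-system", "finance-ledger"}
BROAD_MARKERS = (".all", "write", "admin", "full_access")
LONG_LIVED_SCOPE = "offline_access"  # OIDC scope that requests a refresh token

@dataclass(frozen=True)
class Grant:
    user: str
    client_app: str    # the tool receiving access (may be an AI agent)
    resource_app: str  # the data source being accessed
    scopes: tuple

def assess(grant):
    """Return (severity, reasons) for one OAuth consent grant."""
    reasons = []
    scopes = [s.lower() for s in grant.scopes]
    unsanctioned = grant.client_app not in SANCTIONED_CLIENTS
    if unsanctioned:
        reasons.append("client not in sanctioned list")
    broad = sorted(s for s in scopes if any(m in s for m in BROAD_MARKERS))
    if broad:
        reasons.append("broad scopes: " + ", ".join(broad))
    if LONG_LIVED_SCOPE in scopes:
        reasons.append("long-lived access via refresh token")
    sensitive = grant.resource_app in SENSITIVE_RESOURCES
    if sensitive:
        reasons.append("sensitive resource")
    if unsanctioned and (sensitive or broad):
        return "high", reasons
    if unsanctioned or (broad and sensitive):
        return "medium", reasons
    return "low", reasons

def triage(grants):
    """Drop clean grants and return the rest as (grant, severity, reasons), riskiest first."""
    order = {"high": 0, "medium": 1, "low": 2}
    scored = [(g, *assess(g)) for g in grants]
    flagged = [row for row in scored if row[1] != "low" or row[2]]
    return sorted(flagged, key=lambda row: order[row[1]])

SAMPLE_GRANTS = [  # constructed sample data, not real grants
    Grant("alice", "corp-approved-assistant", "wiki", ("pages.read",)),
    Grant("bob", "unvetted-agent-builder", "finance-ledger", ("ledger.read", "offline_access")),
    Grant("carol", "unknown-notetaker", "wiki", ("pages.read",)),
    Grant("dave", "corp-approved-assistant", "hr-system", ("records.readwrite.all",)),
]
```

Calling `triage(SAMPLE_GRANTS)` ranks the unvetted client holding a refresh token on the finance system first, and still surfaces the sanctioned client whose scopes on a sensitive system are broader than a read-only review would expect.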

Governance and credentials

Alongside discovery, Okta is presenting the release as a governance step for organisations that already allow AI agents in some form. The product is intended to cover both sanctioned platforms and unsanctioned services, which often sit outside central procurement and security checks.

Okta says organisations can register legitimate agents in Okta, assign human owners, and apply baseline security policies. It is also promoting credential-hygiene measures, including identifying weak or overly permissive passwords and access keys used by agents.

Equals Money, a payments and financial services provider, described the issue as an emerging blind spot for corporate control.

"When an employee brings their own AI agents into the workplace, it creates a dangerous blind spot where unmanaged tools connect to enterprise data and systems without oversight," said James Simcox, Chief Operations and Product Officer at Equals Money.

Simcox added that organisations need continuous discovery to understand which agents exist, who owns them, and what they can access. He said solutions such as Agent Discovery can provide the visibility and control needed to secure shadow AI before it introduces security or compliance risks.

Next steps

Okta plans to expand continuous discovery beyond unsanctioned tools. It has highlighted managed AI and machine learning environments and large language models as the next area of concern, as more businesses operationalise AI in production systems.

The company also expects security teams to increase scrutiny of "crown-jewel" AI environments and the identities tied to them, as organisations formalise AI usage and adopt more agent-builder platforms across departments.