## The Non-Human Identity Explosion
When ServiceNow's Now Assist fires, it calls Datadog. When Databricks runs a pipeline, it calls your internal APIs. When your custom agents remediate incidents, they authenticate to dozens of services.
By the time most enterprises reach maturity with AI operations, they have 10x more machine identities than human identities. And most of them are governed with ad-hoc service accounts, shared credentials, and no audit trail.
Okta Identity Threat Protection (ITP) was built for exactly this problem.
## Classifying Your AI Agent Inventory
Before you can govern agents, you need to know what you have:
```bash
# Okta API: list service applications in the org and summarise each one
curl -s -X GET "https://your-org.okta.com/api/v1/apps?filter=name+eq+%22service%22" \
  -H "Authorization: SSWS ${OKTA_API_TOKEN}" | \
  jq '.[] | {id: .id, name: .label, created: .created, lastUpdated: .lastUpdated}'
```
We typically find three categories of AI agent identity:
1. Platform agents (ServiceNow, Datadog connectors) — high trust, managed by vendor
2. Custom agents (your team built them) — variable trust, need strict governance
3. Shadow agents (built by random teams without approval) — unknown trust, security risk
## Implementing Zero Trust for AI Agents
### Step 1: Enforce mTLS for all agent-to-agent communication
```yaml
# Okta MTLS Policy
policies:
  - name: "AI Agent mTLS Requirement"
    conditions:
      app_type: service_application
      network: any
    requirements:
      authentication: certificate_bound_access_token
      certificate_authority: internal-ca
      token_binding: required
```
### Step 2: Identity Threat Detection rules
Configure ITP to alert on these AI-specific patterns:
```json
{
  "threat_rules": [
    {
      "name": "Agent credential used from new IP",
      "severity": "HIGH",
      "condition": "identity_type == 'service' AND new_ip_address == true",
      "action": "suspend_and_alert"
    },
    {
      "name": "Agent accessing unauthorized scope",
      "severity": "CRITICAL",
      "condition": "identity_type == 'service' AND scope_violation == true",
      "action": "terminate_session_immediately"
    },
    {
      "name": "Credential reuse across multiple agents",
      "severity": "HIGH",
      "condition": "credential_sharing_detected == true",
      "action": "alert_and_rotate"
    }
  ]
}
```

## The Governance Dashboard
Once configured, Okta ITP gives you a real-time view of every machine identity event across your AI infrastructure. You can see:
- Which agents called which APIs in the last 24 hours
- Any anomalous authentication patterns (wrong time, wrong IP, wrong scope)
- Credential age and rotation history
- Risk scores for each machine identity
This is the visibility layer that turns AI operations from "hope it works" to genuinely auditable, enterprise-grade infrastructure.
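As an added example (not Okta's code or configuration), here is the logic of the three Step 2 threat rules applied to a few constructed service-identity auth events, producing the kind of findings the dashboard surfaces. The event field names, agent names and allowed-scope baseline are assumptions for illustration, not Okta's log schema.

```python
from collections import defaultdict

# Constructed sample auth events (assumed field names, not Okta's log schema).
EVENTS = [
    {"identity": "svc-now-assist", "identity_type": "service", "ip": "10.0.1.5",
     "scopes": ["incidents.read"], "credential_id": "cred-A"},
    {"identity": "svc-now-assist", "identity_type": "service", "ip": "203.0.113.9",
     "scopes": ["incidents.read"], "credential_id": "cred-A"},
    {"identity": "svc-databricks", "identity_type": "service", "ip": "10.0.2.7",
     "scopes": ["pipelines.run", "secrets.read"], "credential_id": "cred-B"},
    {"identity": "svc-remediator", "identity_type": "service", "ip": "10.0.3.1",
     "scopes": ["incidents.write"], "credential_id": "cred-B"},
    {"identity": "alice", "identity_type": "user", "ip": "198.51.100.4",
     "scopes": ["incidents.read"], "credential_id": "pw-alice"},
]

# Assumed inventory baseline: the scopes each agent is approved to request.
ALLOWED_SCOPES = {
    "svc-now-assist": {"incidents.read"},
    "svc-databricks": {"pipelines.run"},
    "svc-remediator": {"incidents.write"},
}

def evaluate(events, allowed_scopes):
    """Apply the three Step 2 rules in order; return (rule, severity, action, subject) findings."""
    known_ips = defaultdict(set)     # identity -> IPs it has authenticated from
    cred_owners = defaultdict(set)   # credential_id -> identities presenting it
    findings = []
    for ev in events:
        if ev["identity_type"] != "service":
            continue  # human logins are handled by the ordinary ITP user rules
        ident, cred = ev["identity"], ev["credential_id"]
        # Rule 1: service identity seen from an IP it has never used (first sighting sets the baseline).
        if known_ips[ident] and ev["ip"] not in known_ips[ident]:
            findings.append(("Agent credential used from new IP", "HIGH", "suspend_and_alert", ident))
        known_ips[ident].add(ev["ip"])
        # Rule 2: requested scopes exceed the agent's approved set.
        if set(ev["scopes"]) - allowed_scopes.get(ident, set()):
            findings.append(("Agent accessing unauthorized scope", "CRITICAL",
                             "terminate_session_immediately", ident))
        # Rule 3: the same credential presented by more than one agent.
        cred_owners[cred].add(ident)
        if len(cred_owners[cred]) > 1:
            findings.append(("Credential reuse across multiple agents", "HIGH", "alert_and_rotate", cred))
    return findings

if __name__ == "__main__":
    for rule, severity, action, subject in evaluate(EVENTS, ALLOWED_SCOPES):
        print(f"[{severity}] {rule}: {subject} -> {action}")
```

Running it yields one finding per rule: the Now Assist agent from a new IP, Databricks requesting `secrets.read` outside its baseline, and `cred-B` shared between two agents.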