A
Hi everyone, this is Casey Ellis with another Risky Business sponsored interview. Today we're talking with Harish Perry, who is the SVP and GM for AI Security at Okta. Harish, great to chat.
B
Yeah, yeah, thanks for having me on. This should be a fun conversation.
A
Yeah, there's a lot to talk about. I think AI just in general is kind of topic du jour right across the board and rightly so. But obviously, you know, when you start to deploy this stuff and you start to use it in the wild, all of the, the kind of the fundamental plumbing and security things start to kick in sort of downstream with that, you know, talking about identity and particularly identity as it applies to agents and AI security. I guess we were jamming a little bit on this before we kicked off, but you know, what are you guys saying? Because obviously Okta is going to get the phone call when, you know, anything identity kind of gets thought of or brought up.
B
Right? Yeah, two things, a couple of things. Pretty much every one of our, even our existing customers, so you know, we're in the 15, 18, 20,000 range of customers of multiple sizes, multiple geographies, public sector, private sector, they're all waking up to the fact that there is a thing called an agent. So I know it sounds pedantic, but just they're waking up to the fact that there is this thing called an agent that has an LLM or more than one LLMs which in response to a prompt or some kind of a system trigger then decides to invoke certain tools that are connected through MCPs or direct OAuth connections or whatever. They're waking up to the fact that that is now a thing that can be very powerful for business. They're also waking up to the fact that there's a tremendous productivity gain for them if they get it right within their companies. And putting aside how it happens, at a minimum, it's making their existing people turbocharged in terms of productivity. They're also seeing that there's a tremendous gain from a customer experience standpoint because they can take what used to be very friction filled experiences and identify them. So regardless to say there's a ton of evidence that what we saw over the last 10 years to the move to the cloud, this is a seismic shift of that size, but it's happening ten times as fast. So that reality is on the ground. It's happening. We're seeing it every day with all of our customers calling us now. The flip side is, and what actually is good for us is our customers also telling us, hey, look, we do understand that this is an identity security problem at the core of it, because agents live in the application layer. And so the minute an agent decides to access something, it is an access problem. So it actually is forcing everyone to relearn the fundamentals of OAuth 2.0 to really relearn ID-JAG and token exchange and refresh tokens and access tokens. And it's like identity is cool again is what we're seeing.
And in all of that, there's a couple of requirements that are really coalescing in the market for our customers, which is one, where are my agents? Because there's, I think, the right amount of paranoia in terms of, hey, there's agents we know about on agentic platforms, there's agents that my developers might have created that are just Python scripts running in the cloud, there are agents that were buying from third party vendors. And so you mix all that together and you have this wonderful cocktail of just LLM chaos. So that's one thing. The second question they are looking to answer is what can those agents talk to? And that's the real core of the identity problem, because in order to make that happen, these agents all need distinct identities. And there's another interesting thing, which is the regulations globally around reporting and auditing for agents hasn't landed yet. But we're predicting that governments are going to start to say, hey, when you file this report, you need to show at an aggregate level what data was accessed by agents autonomously versus on behalf of users. So all that goes back to they need their own individual identity distinct from humans, distinct from service accounts, distinct from tokens and API keys and all that. So that's the second big piece. And then the third big thing that is popping up as a requirement is once those agents do talk to a thing, what can they do? And that's the authorization question, which is to say, how deep can you go within a certain resource? What records can you access? That's the intersection of authorization and data security. And that's like the common theme that seems to be popping up left and right. And there's a lot of urgency on this right now. Like companies just have to, have to, they got to wrap their hands around this, otherwise it's, it's going to be big trouble.
A
Well, it's, it's interesting hearing you kind of go through that because like none of those concepts that you just kind of listed out really, that kind of novel or new in, in terms of identity security, it's just, you know, it
B
is, it's identity at the end of the day. Yeah.
A
They've been given, you know, a couple of espressos and a free puppy and it's all moving a lot more quickly than it has in the past. Is that, that would be a fair way to describe it?
B
Yeah, yeah, it's, it's. And it is exactly that. But what we, what we're seeing is because identity was just kind of, you know, it was just working for the last 10 years, I feel like people forgot the basics.
A
Right.
B
And this is forcing people to relearn the basics. So, you know, side note, if you, if you create a course or ChatGPT to help you relearn identity, like I think there's some good money in that. Like, I think people really have to relearn the basics there.
A
Yeah. Brush off the old MCSE from 2001 and some of those kind of fundamentals.
B
It's the same concepts. The same concepts, but for a different speed and also for an unpredictable entity.
A
Right. So just on that part, because you obviously spend a lot of time talking with technology leaders, with CTOs, with different folk in these sort of wake up in the middle of the night sweating about a problem positions in some of the organizations you guys work with. Is it, I guess, is it the fact that, you know, you talk about like the growth of AI, the adoption, like the even, like even the potential for shadow AI that's kind of playing out not just in the workforce, but starting to show up in production and different things like that. Like it would seem to me that identity is actually a pretty logical choke point to get your arms around that type of thing. Like on top of everything that we just talked about around wanting to make sure that you're doing the right kind of governance, the whole idea of prevention and control seems to be.
B
Yeah, yeah, it's 100% identity is the. So zooming out even further, the whole notion of like making your company secure from an agentic perspective, you really have to lock down the model side of it, which is not an area we play in, but it's something that companies need to think about, which is, which foundational models are you using? Are they staying within guardrails, or the hallucinations, all those types of things, because that determines the actions that the agent is going to take. Then the second piece of that is what can that agent do? That's the identity piece of it and it's governance, but it's really real time policy decision and policy enforcement at extremely fine grained level, like at the individual tool call and data access level that has to be executed at extremely low latency. So that's the part that is actually human readable, if you will, because it's policies, it's things you can, you know, check boxes and toggles in an admin console that gives you the only control you actually have on that agent. And then the last piece of it, again we're not super involved in is the data side of it is like how are you protecting your data? And there's some intersection with DSPM there. But that middle layer, the reason it's so exciting is it's the one piece of human control in this whole equation or these non deterministic entities.
A
So when you're having conversations with leaders around this type of thing, what I guess are some of the use cases or the specific concerns they've got. Because I think the thing to me that's really interesting about this whole agent identity issue is that it's been theoretically a thing that is about to become a trash fire. I think ever since commoditized AI dropped. Right. It's like an extension of NHI and service accounts and those type of access and authentication issues, but with autonomy behind it and ephemerality and all those different things. I guess when you're talking to leaders, what are the specific kind of downsides that they're concerned about or the kind of main things that wake them up at night? I guess is really the question that I'm asking there.
B
Yeah, it's actually the same old attack vectors. So token theft they're actually very worried about because when you look at what an agent has to do in order to access data, there is an access token and token exchange that is given for a certain MCP driven tool call or direct tool call. There is a fear that if an agent gets prompt injected, it may actually exfiltrate the token. And worse than that, you could actually exfiltrate sensitive data because you were able to spoof an agent into taking an unauthorized action. So the end result is this good old attack pattern. I say that facetiously, it shouldn't happen to anyone. But the threat actors are after the same thing. Because the whole point is always let's get an access token and then you can escalate privilege and move laterally. It's the same attack. It's just that now you have a new window into that data that is an agentic interface with an entity that is created to please, meaning it will do what it needs to execute the prompt. And that's only for on behalf of agents. Um, so that, that's, that's one big fear. The other big fear is for leaders is I need this agent to, to stay within the 100% within the authorization guardrails of the invoking user. So that's the other pieces. They, they're very worried about scope. You know, scope increase between agent authentication,
A
sprawl, that kind of thing.
B
Yeah, and, and actually between agents calling agents. They're very terrified of is the access scope going to increase. Scope needs to stay flat or be down scoped. And that's where having a central IDP policy enforcement engine comes into play. Because if you're just passing scopes from one agent to another without a central enforcement policy, the agent can make a call to say, well I was configured to have higher scope because I'm a sub agent that has a specific skill, but for that skill I have got access to, that's game over. So that, that like chain of custody, maintaining scope flat or down scoping is another big concern that people have because look, it's only a matter of time before somebody there is a breach of this sort and then that spreads and our friends on the other side of the ethical line will take advantage of that. So that's the second big thing. And then the, what else? The third big one which is coming up a little bit is agent teams and agent swarms. So this is a newer pattern where you have the model can be trained, where ephemeral agents can be spun up in a swarm to help a supervisor agent. Well, in that case, what is the identity? This agent came and went. So if you can't control its identity, you have to control its authorization. And that's where extremely fine grained intent and context driven authorization is a third big fear area that our customers have.
A
Got it, Got it. So in terms of. Because I mean obviously as such a kind of dominant player in the IDP space, like Okta's got really a bird dog seat on the problems and the potential solutions that are out there. I guess what's new because to me the thing that stands out is that these are again fairly kind of traditional AAA kind of routines that we're talking about here. But they need to happen a lot more quickly. They need to consider ephemeral. You know, the whole idea of swarms being spun up and spun down, all those different things. Is Okta, I guess starting to build into its product things that are like fit for purpose for that type of use case, or is it really just an extension of what you guys are already doing?
B
Oh no, we have an entirely new set of capabilities. You know, for very, very creatively called Octave agents. We are very literal.
A
There you go.
B
Our customers are very literal. So we don't, we don't need to dance around them. Let's call it what it is.
A
Smart. Let's not confuse people. That's a good call.
B
Exactly, exactly. Especially IT and security folks. You gotta call it like it is. So no, it's a new set of capabilities that builds on the same core platform. But it's agents are a new identity type within Okta, the SSO if you will. For the agents are like a whole new set of connection types. And specifically what's new connecting an agent to other agents, connecting it to MCPs, connecting it to third party resources with OAuth connectors. All those things are new constructs. Like MCP is, well in AI land it's not new, but it's new for large enterprises. So that's another big piece of the capability. And then the next one is this whole highly fine grained authorization at the tool call level. Which, that part I think there's a lot of creativity there for the industry to start thinking about. It's not about ReBAC and ABAC and all this. It's about combining all of that along with the notion of intent to say is this action commensurate with the intent of the prompt? So that, those are, those are. So that's all baked into our capabilities today.
A
Very cool. Very cool. Well, yeah, look, I mean it's been great to catch up on this. It's just fascinating watching the way this intersection between something that you said earlier around it being transformative. One of my favorite quotes was the idea that AI in like 2023 was kind of like having a website in 1997. There's this like enormous hype cycle and you know, there's a lot of things that are kind of wheat and chaff to sort out in that particular spike. But then it does go on to ultimately transform everything. Like seeing that actually play out in some of these areas is fascinating to chat about. How do, how do people get in touch? If there's folk that are listening that want to kind of dig into this problem, how do they get in touch with you guys?
B
Yeah, it's, you know, you mentioned website. Yeah, we have, we have a whole section there on Okta for AI agents and you can get in touch with. And we're, we're. Or if you already have, you know folks at Okta, you're connected with hit about because this, this is our number one priority for. For the company right now. And if nothing else, find me on LinkedIn. I'm there. I am. This. This. This is what I do. So I'm happy to answer any questions.
A
All right, well, it's been great to chat, everyone. This has been Harish Perry from Okta talking through agentic AI security and all of the different things that are happening now and into the future. Appreciate your time, Harish. Cheers.
B
Okay. Thank you for the time.
Episode Title: Sponsored: AI Agents need distinct identities
Host: Casey Ellis (Risky Business Media)
Guest: Harish Perry, SVP and GM for AI Security at Okta
Date: March 1, 2026
This episode explores the accelerating adoption of AI agents within enterprises and the critical security challenges they introduce, particularly around identity. Host Casey Ellis and Okta's Harish Perry dive into why AI agents need distinct identities, how identity fundamentals are being relearned, and what Okta is developing to address these new requirements. The discussion delivers both high-level context and practical insights into securing agentic AI, highlighting the parallels between current challenges and those seen during previous technology shifts—albeit now at vastly increased speed and scale.
On the Speed of Change:
“This is a seismic shift of that size, but it’s happening ten times as fast.”
— Harish Perry (03:08)
On Identity Hype:
“Identity is cool again is what we’re seeing.”
— Harish Perry (03:15)
On Revisiting Fundamentals:
“Brush off the old MCSE from 2001 and some of those kind of fundamentals… It’s the same concepts, but for a different speed and also for an unpredictable entity.”
— Casey Ellis (05:35)
On Threats:
“The threat actors are after the same thing... But now you have a new window into that data that is an agentic interface with an entity that is created to please, meaning it will do what it needs to execute the prompt.”
— Harish Perry (09:22)
On Product Philosophy:
“We are very literal. Our customers are very literal. So, let’s call it what it is.”
— Harish Perry (12:32)
On AI Adoption Parallels:
“AI in 2023 was kind of like having a website in 1997… But then it does go on to ultimately transform everything.”
— Casey Ellis (13:47)
For more hands-on information about Okta’s agentic AI identity solutions, listeners are encouraged to visit Okta’s website or contact Harish Perry directly on LinkedIn.