Okta's AI Agent Security Framework Gains 25+ Partners as Enterprises Demand Identity Controls for Autonomous Workflows
Okta has expanded its Cross App Access ecosystem to 25+ software makers, creating a standardized way to govern how AI agents connect to enterprise applications through centralized identity controls. The framework, which routes agent-to-app connections through a company's existing identity policies, addresses a critical gap in how organizations manage autonomous AI systems accessing sensitive business data.
Why Do Enterprises Need Identity Controls for AI Agents?
As AI agents become embedded in daily workflows, they're accessing corporate data and executing tasks across multiple applications. Most agent connections today rely on static API keys and user consent screens that IT administrators never see, creating permanent standing privileges and blind spots that force teams to choose between accepting unmanaged risk and slowing agent rollouts.
Okta's Cross App Access, or XAA, solves this by extending OAuth, the industry standard for secure access, into a framework specifically designed for agent-to-app and app-to-app connections. The framework now serves as an official authorization extension for the Model Context Protocol, the standard that connects AI models to outside data and tools.
Who Are the Early Adopters?
The 25+ partners span three categories of the AI agent ecosystem. Requesting apps, which initiate data requests, include Anthropic's Claude, Anysphere's Cursor, Docker, Microsoft's Visual Studio Code, and Zoom. Resource apps that hold downstream data include Asana, Atlassian, Canva, Datadog, Figma, Linear, Slack, and Supabase. A third group of identity infrastructure providers, including Cloudflare, Keycloak, and Stytch by Twilio, routes and secures traffic between agents and applications.
In practice, the framework works like this: a product manager asks Claude to assemble a launch readiness summary. The agent pulls project milestones from Asana or Linear, documentation from Atlassian, designs from Figma or Canva, and meeting notes from Zoom or Granola. Under XAA, each request runs against the user's active Okta identity and is checked against enterprise policy before access is granted, with every action logged and scoped to what the agent actually needs.
"With AI agents becoming increasingly core to daily workflows, organizations are aligning around XAA as the secure path to deploy agents in production," said Ely Kahn, Chief Product Officer at Okta.
How to Implement AI Agent Identity Governance in Your Organization
- Evaluate Your Current Agent Connections: Audit how AI agents currently access your applications. Identify which connections rely on static API keys or unmonitored user consent, as these represent the highest governance risk.
- Select XAA-Compatible Tools: Prioritize AI platforms and business applications that support Cross App Access, ensuring your agent ecosystem can enforce centralized identity policies rather than managing permissions separately for each tool.
- Define Access Policies Before Deployment: Establish clear policies for what data each agent can access, which applications it can connect to, and what actions it can perform. Test these policies in pilot workflows before scaling to production.
- Monitor and Log Agent Activity: Ensure your identity infrastructure logs all agent requests and data access. This creates an audit trail for compliance and helps detect unauthorized or anomalous agent behavior.
The expansion reflects a broader shift in how enterprises view agent identity. Okta has been building toward treating agent identity as a distinct category rather than an extension of workforce or customer identity. In May, the company extended its Okta for AI Agents platform to Amazon Web Services' Amazon Bedrock and opened it to rival identity providers, signaling that agent identity governance is becoming infrastructure-level rather than vendor-specific.
Okta is also pointing to early production validation. The expansion builds on Anthropic's beta program, in which Okta serves as the featured identity provider helping joint customers including Ramp, Webflow, and HubSpot govern how Claude reaches participating Model Context Protocol providers. The program is meant to validate the protocol's ability to centralize authorization, enforce access policies, and automate the removal of agent permissions when they are no longer needed.
What's the Timeline for Availability?
Okta Workforce customers will be able to access supported XAA applications through the Okta Integration Network starting in August 2026. For Auth0 B2B software-as-a-service customers, XAA is slated for early access at the end of July 2026.
To push XAA toward becoming an industry standard, the official Model Context Protocol software development kits are adopting it as an enterprise-managed authorization extension. Support is available for TypeScript and Java, with Python support planned.
"By supporting Cross App Access as both a requesting and resource application, we're ensuring that AI agents can securely bring meeting context to other workflows," said Brendan Ittelson, Chief Ecosystem Officer at Zoom.
The timing aligns with broader enterprise adoption trends. According to industry forecasts, 80% of enterprises will have deployed generative AI-enabled applications by the end of 2026, up from less than 5% just a few years ago. As adoption accelerates, governance remains one of the biggest barriers, with risks around data exposure, compliance, and shadow AI growing alongside agent deployment. Okta's expanded XAA ecosystem addresses this governance gap by making identity controls a foundational layer of agent infrastructure rather than an afterthought.