What happened
Okta has expanded its Cross App Access (XAA) framework, integrating over 25 software providers, including Anthropic, Canva, and Atlassian, into its ecosystem. XAA, initially shipped in June 2025, now functions as an official authorisation extension for Anthropic's Model Context Protocol (MCP), an open standard introduced in November 2024 for AI systems to integrate with external tools and data. This expansion leverages the Identity Assertion Authorization Grant, a specification progressing through the IETF's OAuth Working Group, enabling AI agents to request permissions via existing Okta identity, ensuring policy checks, logging every action, and scoping access to specific tasks.
Why it matters
AI agent governance improves as Okta's XAA provides security teams with central audit trails and granular control over agent access. An Okta survey in June 2026 revealed only 13% of Australian firms could restrict a rogue AI agent, with just 9% possessing full visibility of non-human identities across their environments. XAA's integration with MCP and its use of identity-based tokens address standing privilege, offering platform engineers a standardised approach to manage agent interactions. This aligns with recent industry efforts to restrict frontier AI model access, such as Anthropic and OpenAI limiting access in May 2026.
