
Shadow AI Discovery Does Not Require Okta as the Primary Identity Provider

Okta Identity Engine
Okta For AI Agents

Overview

Administrators often ask whether Shadow AI discovery requires an Okta-managed identity layer. Shadow AI discovery operates at the browser and network layer and does not depend on Okta acting as the primary Identity Provider (IdP). Organizations using third-party providers such as Ping or Microsoft Entra can use the Secure Access Monitor (SAM) browser plugin and Identity Security Posture Management (ISPM) to detect OAuth grants and browser-based agent activity.

Applies To

  • Okta Identity Engine (OIE)
  • Okta for AI Agents
  • Secure Access Monitor (SAM)
  • Identity Security Posture Management (ISPM)

Solution

Does Shadow AI discovery require Okta as the primary IdP?

No. Shadow AI discovery uses the SAM browser plugin and ISPM to detect OAuth grants and browser-based agent activity. Because this process operates at the browser and network layer, it functions regardless of whether Okta, Ping, Microsoft Entra, or another provider serves as the primary IdP.

The SAM Plugin Detects Agent Activity Directly

The SAM plugin observes OAuth consent events and browser-initiated agent interactions directly.

NOTE: Certain governance and policy enforcement features within Okta for AI Agents require an Okta-managed identity layer. Full lifecycle governance and policy enforcement on discovered agents require Okta in the identity path. Validate which governance capabilities apply to the current configuration and confirm the feature scope with the Okta account team.
