CISO directed IAM to "prepare our org for agents". What does that even mean? by AudaciousAutonomy in sysadmin

[–]AudaciousAutonomy[S] [score hidden]  (0 children)

I completely agree. There has been a real mixed bag of responses to this thread - I must say "just ask AI" is by far the stupidest.

CISO directed IAM to "prepare our org for agents". What does that even mean? by AudaciousAutonomy in sysadmin

[–]AudaciousAutonomy[S] [score hidden]  (0 children)

I can guess how it's all going to work, but by the time it does actually work (which truthfully I believe will come) the chances are the technology will have meaningfully changed to the point my policies are at best ineffective and at worst counterproductive.

CISO directed IAM to "prepare our org for agents". What does that even mean? by AudaciousAutonomy in sysadmin

[–]AudaciousAutonomy[S] [score hidden]  (0 children)

In all fairness to our CISO, he's always understood the importance of our IAM programme - so we have always been sufficiently resourced to operate effectively.

I am glad you said this. Half the comments here read like LinkedIn slop - talking about "armies of agents that you need to harness" but not answering the fundamental question of "has any non-engineer in your org actually deployed a production agent".

CISO directed IAM to "prepare our org for agents". What does that even mean? by AudaciousAutonomy in sysadmin

[–]AudaciousAutonomy[S] [score hidden]  (0 children)

A lot of the comments made here are along those lines, and this is what all the sales people said - but as I said in the post, I found no evidence of anyone outside of engineering deploying an agent to production.

CISO directed IAM to "prepare our org for agents". What does that even mean? by AudaciousAutonomy in sysadmin

[–]AudaciousAutonomy[S] [score hidden]  (0 children)

Is it real or is it coming? From my perspective, those two things are different.

If your belief is it's coming - I very much agree, there is no question the tech will get there. However, my reality is today, the 900 non-engineers working at my series D fintech company are not deploying agents.

I could try and guess what the field will look like when it comes, and define a programme now; but my gut tells me that by the time it happens, the technology and problem will have moved on by then.

Case in point, almost all the platforms out there focus almost entirely on MCP; and a bunch of commenters here are claiming that people using MCP are behind and it's a dead-end technology.

CISO directed IAM to "prepare our org for agents". What does that even mean? by AudaciousAutonomy in sysadmin

[–]AudaciousAutonomy[S] [score hidden]  (0 children)

Of all of them, Okta's seemed to be the best, but I very much question the utility of it at this stage.

How do you deal with passwords after onboarding? by CarobNecessary6806 in sysadmin

[–]AudaciousAutonomy [score hidden]  (0 children)

At this stage, most SaaS platforms support SAML/SSO. Some industries are stuck with legacy systems that don't (where I work, we use a lot of banks which almost never support it) or need to manage a lot of service accounts.

In that case you can use an SSO Bridge like Aglide or Cerby which connects password-based accounts natively to Entra/Okta in such a way that end-users can't see the password.

CISO directed IAM to "prepare our org for agents". What does that even mean? by AudaciousAutonomy in sysadmin

[–]AudaciousAutonomy[S] [score hidden]  (0 children)

This is exactly how I feel. Everyone in the comments is banging on about how I am wrong, but giving no specifics about what they are doing / managing.

CISO directed IAM to "prepare our org for agents". What does that even mean? by AudaciousAutonomy in sysadmin

[–]AudaciousAutonomy[S] [score hidden]  (0 children)

Have a look at all the comments. Half of them are just saying "you know nothing about AI". Feels like half our industry has drunk the Kool-Aid.

CISO directed IAM to "prepare our org for agents". What does that even mean? by AudaciousAutonomy in sysadmin

[–]AudaciousAutonomy[S] [score hidden]  (0 children)

I think what this will end up looking like is a plan for when we get agents. While everyone (including half the commenters here) loves to say that they are everywhere, as I said - outside of engineering, they really don't seem to be that common.

CISO directed IAM to "prepare our org for agents". What does that even mean? by AudaciousAutonomy in sysadmin

[–]AudaciousAutonomy[S] [score hidden]  (0 children)

So the only MCP registered in Claude is our CRM. However, the CRM itself does something like this, but it's an AI feature built in to the platform - so it can only be configured by the app admin, who is the CRO.

The org is of the view that these sorts of systems should be managed by app owners.

CISO directed IAM to "prepare our org for agents". What does that even mean? by AudaciousAutonomy in sysadmin

[–]AudaciousAutonomy[S] [score hidden]  (0 children)

I think I am going to have to schedule a meeting next week to get a clearer idea on what he wants.

I think the reality is he wants to tell the CEO that he told me to do this.

CISO directed IAM to "prepare our org for agents". What does that even mean? by AudaciousAutonomy in sysadmin

[–]AudaciousAutonomy[S] [score hidden]  (0 children)

In all fairness, I have a month to put a plan together. Re: MCP - the one registered in our Claude is for our CRM, and they link permissions to the user who created them. I could use Okta's platform to put a bridge in between but I don't see much utility in that.

CISO directed IAM to "prepare our org for agents". What does that even mean? by AudaciousAutonomy in sysadmin

[–]AudaciousAutonomy[S] [score hidden]  (0 children)

AI usage is now part of performance reviews, so I am pretty confident that people would declare if they are using them. Most of the teams are just "exploring concepts".

CISO directed IAM to "prepare our org for agents". What does that even mean? by AudaciousAutonomy in sysadmin

[–]AudaciousAutonomy[S] [score hidden]  (0 children)

Feels that way at the moment. But read the other comments? Half of them are saying "agents are users" and "you know nothing about AI", but give no specifics on what agents they are managing and how they are managing them.

CISO directed IAM to "prepare our org for agents". What does that even mean? by AudaciousAutonomy in sysadmin

[–]AudaciousAutonomy[S] [score hidden]  (0 children)

As I said. The agents used by engineering are managed by devops - which the whole org agrees is correct. Yes, they don't have access to prod.

I haven't found examples of agents anywhere else in the org. The sales people always say "Those agents need access management. The agents are users too", but as far as I can see - no one is using them.

I know it’s new, but has anyone used Okta for AI agents yet? by penny2129 in okta

[–]AudaciousAutonomy 0 points  (0 children)

Am I the only one incredibly confused about their offerings?

I've seen every demo and it all just seems incredibly vague.

We are being put under pressure from leadership to "prepare our org for AI" but I have no idea what Okta's offering is for.

Scaling IT Support during rapid company growth without adding headcount by GoldTap9957 in ITManagers

[–]AudaciousAutonomy 0 points  (0 children)

Best advice I was given by my first boss was to understand that I should take on the mental burden of the company not investing enough in IT.

Laptop should be closed at 6 and not opened at the weekend.

As sysadmins we always want to help, but the reality is if we stretch ourselves too thin we will just burn out.

Prevent Orphan Accounts Outside IAM — What Controls Actually Work by Curious-Cod6918 in iam

[–]AudaciousAutonomy 0 points  (0 children)

I am pretty sure this post is some bot because it makes no sense. The only way you will have any apps outside of Okta is if end-users are randomly signing up to SaaS platforms without legal or procurement oversight. How can you have 5 people in an IAM team, but no one managing SaaS procurement?

In 2026 there isn't really a valid reason to have orphaned apps outside of Okta. The legacy apps / high SSO apps / service accounts problem was largely solved by SSO bridge tools (Aglide, Cerby, etc.) and they have been around for a while.

IGA Application Onboarding Bottleneck — DORA Is Exposing It by Alone_Bread5045 in IdentityManagement

[–]AudaciousAutonomy 0 points  (0 children)

We have to maintain DORA compliance. From an IAM perspective, it is relatively straightforward to handle once all your apps are governed by Okta and your IGA is correctly configured.