On June 18, 2026, Anthropic, Okta, and the Model Context Protocol project shipped enterprise-managed authorization, a way for companies to control which AI tools reach which internal systems through their identity provider. The shift is simple to state and large in consequence: identity, not a pile of individual consent screens, now becomes the governance plane for agentic AI.
What Changed on June 18
The Model Context Protocol (MCP) is the open standard for connecting AI models to external tools and data, a topic we covered in depth in our article on what the Model Context Protocol is and why your business should care. Until now, connecting an AI assistant to a tool like Figma or Atlassian worked the way consumer apps do: each user clicked through an OAuth consent screen, app by app, granting access on their own.
The new enterprise-managed authorization extension changes who is in control. According to the MCP project, an administrator authorizes a connector once through the company identity provider, and users inherit access through the groups and roles they already have. The connector is simply present the first time someone opens the AI client, with no setup screen to navigate. The project calls this zero-touch access.
Underneath, the mechanism reuses an emerging identity standard rather than inventing a new one. During single sign-on, the client obtains an identity assertion token from the identity provider and exchanges it for an access token from the target service. This is the Identity Assertion Authorization Grant, an approach being standardized through the IETF OAuth working group and branded by Okta as Cross App Access. Okta is the first featured identity provider, and the supported connectors reported at launch include Asana, Atlassian, Canva, Figma, Granola, Linear, and Supabase, with Slack noted as coming soon.
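The two-step exchange described above, sketched as an added example (not code from the MCP project, Okta, or Anthropic), together with the checks the target service would apply before issuing an access token. The hostnames, client name, and sample claims are constructed; the `id-jag` token type and `typ` value follow the IETF draft and should be checked against its current text.

```python
import time

# Grant types: token exchange is RFC 8693, JWT bearer is RFC 7523. The id-jag
# token type and "typ" value follow the IETF draft and may change before publication.
TOKEN_EXCHANGE = "urn:ietf:params:oauth:grant-type:token-exchange"
JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"
ID_TOKEN = "urn:ietf:params:oauth:token-type:id_token"
ID_JAG = "urn:ietf:params:oauth:token-type:id-jag"

def idp_exchange_request(id_token, resource_as_issuer, scope):
    """Step 1, client -> identity provider: trade the SSO ID token for an assertion."""
    return {"grant_type": TOKEN_EXCHANGE, "requested_token_type": ID_JAG,
            "subject_token": id_token, "subject_token_type": ID_TOKEN,
            "audience": resource_as_issuer, "scope": scope}

def access_token_request(assertion):
    """Step 2, client -> target service: present the assertion for an access token."""
    return {"grant_type": JWT_BEARER, "assertion": assertion}

def reject_reasons(header, claims, trusted_idp, my_issuer, client_id, now=None):
    """Target-service checks on an assertion whose signature was already verified
    against the identity provider's published keys. Empty list means accept."""
    now = time.time() if now is None else now
    reasons = []
    if header.get("typ") != "oauth-id-jag+jwt":
        reasons.append("wrong token type")  # e.g. a plain ID token presented here
    if claims.get("iss") != trusted_idp:
        reasons.append("untrusted issuer")
    if claims.get("aud") != my_issuer:
        reasons.append("issued for another service")
    if claims.get("client_id") != client_id:
        reasons.append("issued to another client")
    if claims.get("exp", 0) <= now:
        reasons.append("expired")
    return reasons

# Constructed sample values, not captured traffic.
SAMPLE_HEADER = {"typ": "oauth-id-jag+jwt", "alg": "RS256"}
SAMPLE_CLAIMS = {"iss": "https://idp.example", "sub": "user-123",
                 "aud": "https://auth.tracker.example", "client_id": "ai-client",
                 "exp": 2_000_000_000, "scope": "issues.read"}

if __name__ == "__main__":
    print(idp_exchange_request("<id-token>", "https://auth.tracker.example", "issues.read"))
    print(reject_reasons(SAMPLE_HEADER, SAMPLE_CLAIMS, "https://idp.example",
                         "https://auth.tracker.example", "ai-client", now=1_900_000_000))
```

The audience and client checks are what keep an assertion minted for one connector from being accepted by another service or replayed by a different client.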
Why This Is a Governance Story, Not a Feature
It is tempting to file this under developer convenience. That undersells it. The real problem it addresses is one most companies have not yet measured: nobody knows what their employees' AI tools can already touch.
Over the past year, knowledge workers quietly connected AI assistants to their calendars, design files, project trackers, code repositories, and databases. Each connection was a personal OAuth grant, invisible to IT, scoped by whatever the individual clicked through. That is shadow integration, and it scales badly. When an agent can read your design system, file tickets in your tracker, and query your database, the question of what it is permitted to do stops being a personal preference and becomes a security boundary.
The timing is not a coincidence. Stanford's 2026 AI Index found that 62% of organizations now cite security and risk as the primary barrier to scaling agentic AI, a 24-point margin over the next most cited obstacle. We unpacked the broader findings in our look at what the Stanford AI Index means for business strategy. Enterprise-managed authorization is a direct answer to that barrier: it gives security teams a single place to grant, scope, and revoke what AI agents can access, with the audit trail that personal OAuth grants never produced.
How It Fits the Larger Agent Control Picture
This is one more piece of an enterprise control layer that has been assembling quickly. Microsoft Agent 365 reached general availability in May as a control plane to discover and govern agents across clouds. Identity providers are now claiming the access layer underneath that. The pattern is consistent: the industry is rebuilding for autonomous software the same identity and access management discipline it spent two decades building for human employees.
The distinction worth holding onto is between identity and authorization. Knowing which agent is acting, the problem behind frameworks like the one we examined in the identity layer of agentic commerce, tells you who is at the door. Authorization decides what they are allowed to do once inside. Enterprise-managed authorization is squarely about the second question, and it routes the answer through infrastructure most companies already run.
For organizations, getting this right is less about adopting one vendor's button and more about treating connector access as part of architecture. The harder, durable work is mapping which internal systems an agent should reach and building governed automation between AI and your business tools so that access is auditable and reversible by default, rather than a sprawl of grants nobody can enumerate later.
What This Means for Your Business
Our take: the headline is a partnership, but the lesson is a deadline. The plumbing to govern AI agent access centrally now exists, which means the excuse for not knowing what your agents can touch is expiring. Three practical implications follow.
First, the convenience that drove shadow integration is now available in a governed form, so there is little reason to keep tolerating the ungoverned version. If your identity provider supports the standard, routing AI connectors through it is a near-term win rather than a research project.
Second, this raises the floor on what production-grade agent deployment looks like. An agent that only drafts text is low stakes. An agent that can write to your project tracker, modify design files, or query customer data is operating inside your security perimeter, and it should be subject to the same access controls, scoping, and logging you apply to any other privileged system.
Third, the standard is multi-vendor by design, built on an open identity grant rather than a single company's proprietary flow. That matters for the same reason portability always matters: betting your governance model on infrastructure that several major players support is safer than betting on one vendor's roadmap.
How to Get Started
- Inventory what your agents can already reach. Before adding controls, find out which AI tools employees have connected to company systems and what each connection can read or change. You cannot govern access you have not enumerated.
- Route new connectors through your identity provider. Where the standard is supported, make IdP-managed authorization the default path for connecting AI to business tools, so access maps to existing roles instead of personal grants.
- Scope to least privilege, then log everything. Grant the narrowest access an agent needs to do its job, and require audit logging before any agent is allowed to write to or act on production systems.
- Set a policy gate for write access. Reading data is one risk tier. Taking actions is another. Define which agents may move from read-only to acting on systems, and who signs off.
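The four steps above applied to a small connector inventory, as an added example rather than part of the original article. The inventory records, field names, and the scope naming convention are all constructed assumptions; a real export from an identity provider or a tool's admin console will look different.

```python
# Constructed inventory: one record per AI connector grant. Field names and
# scope strings are hypothetical; real exports differ per tool and IdP.
GRANTS = [
    {"connector": "design-tool", "via_idp": True, "scopes": ["files.read"],
     "audit_log": True, "write_approved_by": None},
    {"connector": "tracker", "via_idp": True, "scopes": ["issues.read", "issues.write"],
     "audit_log": True, "write_approved_by": "security-team"},
    {"connector": "database", "via_idp": False, "scopes": ["sql.read", "sql.write"],
     "audit_log": False, "write_approved_by": None},
]

WRITE_SUFFIXES = (".write", ".admin", ".delete")  # assumed scope naming convention

def can_write(grant):
    """True when any scope lets the agent change data rather than only read it."""
    return any(scope.endswith(WRITE_SUFFIXES) for scope in grant["scopes"])

def review(grant, needed_scopes=None):
    """Return the findings for one grant; an empty list means it passes the gate."""
    findings = []
    if not grant["via_idp"]:
        findings.append("personal grant: re-route through the identity provider")
    if needed_scopes is not None:  # least privilege: compare granted vs. needed
        extra = sorted(set(grant["scopes"]) - set(needed_scopes))
        if extra:
            findings.append("unused scopes: " + ", ".join(extra))
    if can_write(grant):  # the write tier needs logging and a named approver
        if not grant["audit_log"]:
            findings.append("write access without audit logging")
        if not grant["write_approved_by"]:
            findings.append("write access without sign-off")
    return findings

def gate(grants, needed=None):
    """Map each connector to its findings; `needed` maps connector -> required scopes."""
    needed = needed or {}
    return {g["connector"]: review(g, needed.get(g["connector"])) for g in grants}

if __name__ == "__main__":
    for connector, findings in gate(GRANTS, {"tracker": ["issues.read"]}).items():
        print(connector, findings or "ok")
```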
Common Mistakes to Avoid
Treating AI connectors as a personal productivity choice. Once an agent can act on shared systems, its access is an organizational security boundary, not an individual preference. Govern it accordingly.
Confusing convenience with control. Zero-touch access is genuinely convenient, but the value for the business is the central visibility and revocation underneath it. If you adopt the convenience without using the governance, you have gained little.
Granting broad access because it is easier. The instinct to give an agent wide permissions to avoid friction is the same mistake that produced over-privileged service accounts. Scope to the task, not to the convenience.
Key Takeaways
- On June 18, 2026, Anthropic, Okta, and the MCP project shipped enterprise-managed authorization, letting companies govern AI agent access to tools through their identity provider.
- Admins authorize a connector once and users inherit zero-touch access through existing roles, replacing per-user OAuth consent screens with centralized control and audit trails.
- The mechanism reuses an open identity standard, the Identity Assertion Authorization Grant, rather than a proprietary flow, with Okta as the first featured identity provider.
- The release directly targets the top barrier to scaling agentic AI: Stanford's 2026 AI Index found 62% of organizations cite security and risk as their primary blocker.
- The strategic move for businesses is to inventory existing AI connections, route new ones through identity, and gate any agent that can act on production systems.
The businesses that move early on AI agent access governance will have a meaningful advantage as agents shift from drafting text to acting on real systems.