What is an Agentic Control Plane?

An Agentic Control Plane is a governance layer that sits between AI coding agents and their tools. It logs every tool call, enforces permissions and policies, and provides audit trails — giving teams visibility and control over what their AI agents are doing.

How does ACP work with Claude Code?

ACP installs a PreToolUse hook in Claude Code that fires before every tool call (Bash, Read, Write, Edit, WebFetch). The hook sends the tool name and input to ACP's governance API for policy evaluation and audit logging. Round-trip is approximately 200ms.

How do I install ACP?

Run one command: curl -sf https://agenticcontrolplane.com/install.sh | bash. This auto-detects Claude Code and OpenClaw, installs the appropriate hooks, and opens your browser to set up your workspace.

Okta for AI Agents: a technical read on the launch

David Crowe · 8 min read

okta identity mcp news governance architecture

Okta announced Okta for AI Agents generally available on April 30, 2026, positioning it as a single control plane to discover, onboard, protect, and govern agents across “any dev framework, agentic runtime, hyperscaler, SaaS environment, or local machine.” This is a substantial launch from the identity vendor most enterprises already trust, and it deserves a careful technical read.

This post walks through what’s in the announcement, the architectural pattern Okta chose (and why it makes sense for them), the use cases the launch addresses cleanly, and the composition picture for enterprises whose stack extends beyond what an identity-perimeter product is designed to cover.

The five-question framing

The Okta launch leads with a useful framing: agentic security comes down to whether you can answer five questions.

Who is the agent?
What is it allowed to do?
On whose behalf is it acting?
Against which resource?
With what approval requirement?

This is the right framing for the category. It maps cleanly to the OAuth/OIDC-shaped questions identity vendors have been answering for human users for fifteen years, extended to a new class of principal. Anyone selling AI agent governance — including ACP — should be able to answer all five for any given agent call. If the framing becomes the canonical industry checklist, that’s good for practitioners regardless of which vendor they ultimately choose.

What the launch ships

Three architectural primitives:

1. Agent Identity

A distinct identity type for agents — not a human user, not a traditional service account. Lives in the existing Okta directory; integrates with Conditional Access, RBAC, SCIM, and the rest of the Okta toolkit. This is what only an identity vendor can ship credibly: directory-native primitives that fit existing identity operations without bolt-on tooling.

For shops where agent governance has been blocked on “we have nowhere to put agent identities,” this is a real unlock.

2. MCP Bridge

The headline new feature. From the announcement: “with our new MCP Bridge, developers can bring the agents they’re already using and the MCP tools they call inside the identity perimeter — without any code changes.”

Architecturally, this reads as an identity-aware proxy or router for MCP traffic. MCP-mediated agent tool calls flow through the bridge; Okta applies identity, scopes the call against the user’s permissions, optionally requires approval, and produces audit. The “no code changes” claim is plausible because MCP is a transport — agents speak it, servers respond, a proxy in the middle is structurally feasible.

For MCP-mediated workloads in environments where agents are already trusting Okta-issued tokens, this is a clean fit.

3. Discover / onboard / protect / govern tooling

Operational primitives for the agent lifecycle: find agents already deployed, register them with the platform, apply policy, monitor and audit. Familiar shape to anyone who’s deployed Okta workforce identity. The operational maturity of doing this at Fortune 500 scale is genuinely Okta’s home turf.

Which use cases the launch addresses cleanly

Reading the architecture, four use cases fit naturally:

MCP-aware agents calling enterprise resources. An AI agent inside a managed environment uses MCP to call Salesforce, Slack, Jira, etc. MCP Bridge intercepts; identity is verified; scopes are checked against the user’s permissions. This is the canonical sweet spot.
Agent onboarding governance. Discovering agents in an environment and registering them under managed identities — exactly the kind of thing CISOs have been asking for since shadow-IT debates of the 2010s, now applied to the shadow-AI debate of 2026.
Per-resource scope enforcement at the perimeter. “This agent can call Salesforce but not Workday.” Identity-perimeter governance is well-suited to that question.
Approval flows on sensitive actions. “This agent’s write actions to the CRM require an approval step.” Identity-perimeter approvals are mature in Okta’s existing product surface.

For these use cases — and for shops that operate predominantly in those shapes — Okta for AI Agents is a credible, integrated answer.

Use cases that need a different architectural intercept

A control plane intercepts somewhere. The choice of intercept point determines which questions it can answer well and which it can’t. Identity-perimeter intercept is the right pattern for the four use cases above. It’s a different fit for these:

Coding agents on developer machines. Claude Code’s PreToolUse hook fires for every tool the agent dispatches — Bash, Edit, Read, Write, file globs, MCP tools alike. Cursor and Codex CLI have similar hook surfaces. These tool calls happen on individual developer laptops, against local file systems and shells, outside any identity perimeter. Governance for this surface needs an intercept point inside the agent runtime itself, not at the network edge.
In-process framework dispatch. When a CrewAI agent hands off work to another CrewAI agent, when a LangGraph supervisor routes between workers, when an Anthropic Agent SDK loop dispatches a tool — these are in-process Python or TypeScript function calls. They don’t cross a network boundary an identity-aware proxy could see.
Tool-output content policy. PII redaction, secret detection in tool returns, content-aware truncation (“the database returned 50,000 rows — don’t feed all of it to the model”). The intercept point for these is the tool result boundary, after the tool runs and before the model consumes the output. That’s downstream of the identity-perimeter point.
Per-call delegation chain audit. Multi-agent systems compose. The chain — who initiated, who delegated to whom, with what scope narrowing at each hop — is the audit-relevant artifact. Tracking that requires intercepting in the call path with structured chain semantics, which is a different architectural commitment than identity-aware proxying.

These aren’t bugs in Okta’s product. They’re scope. A full control plane composes multiple intercept points: identity-perimeter for who-can-call-what, tool-call-layer for what-the-call-actually-does, content-layer for what-flows-through.

What the launch validates for the category

A real product from a real incumbent is the strongest signal that a category exists. Okta launching Okta for AI Agents shifts the conversation in every CISO meeting from “is agent governance a thing?” to “what’s the right architectural layering?” That’s a productive shift. It doesn’t matter who eventually wins which slice — the category needed validation, and Okta just provided it.

The other useful thing the launch validates: the five-question framing should be table-stakes. Any agent governance product should be able to answer all five for any given agent call. Practitioners have a sharper checklist now than they did yesterday.

If you’re building an AI product yourself

A specific note for the cohort doing the most interesting work in agentic right now: AI app builders, autonomous-agent products, multi-agent workflow companies. The use cases that fit Okta’s identity-perimeter intercept cleanly are mostly the ones that look like traditional enterprise software with an AI layer added on top — workforce identity, scoped access against named SaaS resources, approval flows on sensitive actions. If your product is shaped that way, Okta for AI Agents is a credible answer.

Most of the interesting agent-shaped products being built in 2026 don’t look like that. They look like Lovable, Bolt, V0, Replit Agent, Cognition, Sierra — products where the agent itself runs autonomously, edits files, executes commands, calls MCP servers, dispatches sub-agents, makes direct LLM calls. The MCP Bridge intercept covers a meaningful slice of that traffic but not the majority of it.

For builders in that cohort, the questions worth asking yourself:

What percentage of my agent’s tool calls actually go through MCP? If the answer is “a small slice,” identity-perimeter governance is one component of the answer, not the whole answer.
Where do I want governance to fire — at the network edge, at the dispatch layer, or at the model boundary? Each intercept point has different latency and coverage tradeoffs.
Do I need per-end-user identity propagation past the agent boundary? This is the question CISO buyers ask when they evaluate your product. The answer requires thinking through which intercept point can attribute calls to specific humans, not just to your platform.

Tool-call-layer governance — @governed decorators on individual tools, hook integration in coding agents that don’t fit the perimeter model, output redaction on tool returns, delegation-chain audit when agents call agents — fits a different intercept point than identity-perimeter, and that intercept point matters more for how AI builder products actually work.

Useful regardless of vendor: get clear on where in your stack governance should fire before deciding who should provide it.

What customers should think about today

For enterprises evaluating their agent governance posture in light of the launch:

If Okta is already your IdP, expect to use Okta for AI Agents for the identity-perimeter layer. The integration cost is low and the benefits compound with your existing identity operations.
Audit your scope. Make a list of where agents actually run in your environment. Coding agents on developer laptops, self-built agent code on cloud runtimes, multi-cloud workloads, multi-framework deployments — none of those are inside Okta’s identity perimeter. Plan a complementary layer for those scopes.
Treat the five-question framing as a checklist. When evaluating any vendor, including ACP, verify they answer all five questions for every agent call you care about. If they can’t, that’s the gap to flag.
Don’t treat governance as a single-vendor decision. A mature stack typically composes identity-perimeter (Okta), tool-call-layer (ACP or equivalent), and cloud-native primitives (AgentCore, Foundry, Vertex Agent Builder for the respective clouds). Single-vendor stories are convenient but rarely complete in this category.

Where to read more

ACP and Okta for AI Agents: composition, not collision — the composition picture in detail
/integrations/okta-for-ai-agents — install / setup guide
AWS Bedrock / Microsoft Foundry / Vertex AI Agent Builder — equivalent technical reads on the three hyperscalers’ agent governance launches

Share: Twitter LinkedIn

← back to blog