AI is moving fast, but can security keep up? Okta's 2025 Showcase on security
Non-human identities are here and they are challenging traditional security models. Okta provides a unified approach to securing service accounts and other NHIs.
Thank you to Okta for sponsoring this blog post. The content and opinions are my own.
Do developers need to worry about security?
As developers we want to build exciting features, not be security experts. Regardless, security is important to me as a fullstack developer, and it is important to have a good understanding and awareness of it. How? We can use tools and platforms that allow us to be secure without needing to go into all the intricacies of how we got to that point. It's a bit like being able to drive a car without having to be a mechanic.
Judging by one of my recent tweets though... I might be part of a small group of developers who feel this way.
However as it turns out, companies do want to hear what developers think about this topic!
Okta Showcase
I was invited to report on Okta's Showcase, which took place on April 9 here in England, in what is perhaps one of the best (if not the best) venues for an event that I have ever been to: McLaren's R&D facility! It is like Apple Park, but in the UK.
For those of you who don't know, Okta is a cloud-based identity management service that helps organisations manage and secure user access to applications and resources, and it also offers authentication for developers through its Auth0 platform. They recently announced a partnership with McLaren Racing to identify new ways to secure and improve the digital experience, not only for McLaren employees but also for the millions of fans who love watching Formula 1, IndyCar and Le Mans races around the world.
So when I had the opportunity to participate in a roundtable with journalists in the tech space as well as leading key figures at Okta, I …raced at the chance (get it?). As a developer it was super interesting to hear how leading voices in tech news perceive security and AI, and to ask the type of questions I don’t always get a chance to when attending a developer conference or online on social media. So I wanted to share my thoughts and findings with you.
“Identity is security”
These were the words of Todd McKinnon, CEO and Co-Founder of Okta, during his Showcase talk. What does he mean by this? The tech industry needs to standardise further so that we can get to the point where identity-based attacks are eliminated.
There are already standards for this, for example OAuth 2.0 for delegated authorisation and OpenID Connect for authentication. Most people, whether they are developers or not, will be familiar with signing in to a web app through social login without ever sharing their credentials with that web app. Plus, in my experience of working with teams of developers, the vast majority of us are keen to comply with existing standards. Standards lead to a more secure outcome: not only does the end user have to be identified and authenticated just once by an identity provider, standards also contribute towards privacy compliance.
However it would be impossible to ignore that some still try to circumvent this or "roll their own", under the misguided impression that this will be faster (it rarely is, and it is almost never more secure).
"You cannot secure what you cannot see"
Harish Peri, SVP for Product Marketing at Okta, highlighted in his talk how securing NHIs (Non-Human Identities) is a very difficult task. These cannot be taken lightly: they have become silent attack vectors and are routinely over-privileged. Often without realising it, owners give NHIs more power than the integration actually requires, for the sake of convenience.
Even the smallest project requires multiple tokens or API keys (which are the equivalent of passwords) to function. I recently created a small SaaS and it needed three tokens for three different platforms. Now think about this at the scale of a large organisation.
The likelihood is that when a developer or sys-admin creates tokens, API keys or service accounts, these are quickly forgotten: either because the author has moved on, or simply because, if the integration is working, why would anyone give a second thought to what permissions those tokens or keys carry? What's worse, even when the project has moved to a new integration, the likelihood is that no one will think to revoke the old tokens or keys. And when a system is deprecated, the privileges granted to its tokens or API keys are not automatically revoked; they remain in place until someone notices.
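To make the three failure modes above concrete (orphaned owner, forgotten credential, excess privilege, plus the retired integration that never got revoked), here is a small audit over a constructed NHI inventory. This is an added example and is not code from the post, from Okta or from any of its products; the inventory, the owner list and the scope names are all hypothetical, and a real run would source them from your secrets manager and identity provider exports.

```python
"""
Added example: audit a (constructed) inventory of non-human identities and flag
the credentials that are orphaned, stale, over-privileged, or belong to an
integration that has been retired. Not Okta/Auth0 code; all data is hypothetical.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional, Set, List, Dict

TODAY = date(2025, 4, 9)           # fixed so the example is deterministic
STALE_AFTER = timedelta(days=90)   # policy: unused for 90 days => stale

# Least-privilege baseline: what each integration actually needs (hypothetical)
NEEDED_SCOPES: Dict[str, Set[str]] = {
    "billing-webhook": {"invoices:read"},
    "ci-deploy":       {"deploy:write", "artifacts:read"},
    "legacy-crm-sync": set(),      # integration was replaced; it needs nothing now
}

# People who still work here (constructed)
ACTIVE_OWNERS = {"alice", "bob"}


@dataclass
class Credential:
    name: str
    owner: str
    integration: str
    scopes: Set[str]
    created: date
    last_used: Optional[date]      # None means never used since creation
    revoked: bool = False


def audit(cred: Credential) -> List[str]:
    """Return the list of findings for one credential (empty list means it is fine)."""
    findings: List[str] = []
    if cred.revoked:
        return findings            # already dealt with, nothing to report
    if cred.owner not in ACTIVE_OWNERS:
        findings.append("orphaned: owner no longer active")
    last = cred.last_used or cred.created
    if TODAY - last > STALE_AFTER:
        findings.append(f"stale: unused for {(TODAY - last).days} days")
    needed = NEEDED_SCOPES.get(cred.integration, set())
    excess = cred.scopes - needed
    if excess:
        findings.append("over-privileged: " + ", ".join(sorted(excess)))
    if not needed:
        findings.append("integration retired: credential should be revoked")
    return findings


def audit_all(creds: List[Credential]) -> Dict[str, List[str]]:
    return {c.name: audit(c) for c in creds}


# Constructed sample inventory
INVENTORY = [
    Credential("billing-key", "alice", "billing-webhook", {"invoices:read"},
               date(2025, 1, 10), date(2025, 4, 8)),
    Credential("ci-token", "bob", "ci-deploy",
               {"deploy:write", "artifacts:read", "admin:*"},
               date(2024, 6, 1), date(2025, 4, 9)),
    Credential("crm-svc", "carol", "legacy-crm-sync", {"contacts:write"},
               date(2023, 11, 2), date(2024, 9, 1)),
]

if __name__ == "__main__":
    for name, findings in audit_all(INVENTORY).items():
        print(name, "->", findings or ["ok"])
```

The useful part is the `NEEDED_SCOPES` baseline: without a written-down statement of what each integration is supposed to need, "over-privileged" cannot be measured at all, which is exactly why these credentials go unnoticed.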
“AI agents must be built securely right from the start”
It is no surprise that AI is evolving faster than any other technology shift. What is surprising, and even a little scary, is that in the opinion of Shiv Ramji, President of Auth0 at Okta, "security is getting left behind".
A staggering 82% of organisations plan to integrate AI agents in the next three years, not only for assistance but also to take actions on behalf of the user. Once these AI agents are online without the correct security in place, it is too late: they can have access to sensitive data and potentially allow an attacker to take control.
During his talk I was excited to hear from Shiv that “Auth for GenAI” was built for developers! As a fullstack developer myself, I don’t want to get into the intricacies and details of security but I know it is important. That is why tools and platforms like Auth0 are great as they allow me to be secure without worrying about the details of the security at the same time. That way I can focus on building the business value for my users and still keeping them secure.
The main features of Auth for GenAI are:
Authentication for GenAI - a tailor-made login experience for AI agents.
Token Vault - AI agents can call APIs on the user's behalf using standard protocols; the vault holds the user's third-party tokens and handles token refreshes and exchanges, so the agent can securely connect to platforms like Gmail, Slack etc. without ever seeing the raw credentials.
Asynchronous Authorisation - from interactive chatbots to background workers, AI agents can perform tasks on behalf of the user, and the user is notified to provide consent before critical actions go ahead.
Fine Grained Authorisation for RAG - the agent only retrieves data or documents the user is actually allowed to access.
Auth for GenAI is available for developers to start using today, and I am excited to have a play! What about you?
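The "fine grained authorisation for RAG" point deserves a worked illustration, because it is the one that breaks quietly: a retriever that ranks on relevance alone will happily hand the model a document the asking user cannot open. Below is an added example (my own, not Auth0's or Okta's code, and not their FGA API) of a relationship-based check in the Zanzibar style, applied before ranking so that unauthorised documents never enter the candidate set. The tuples, documents and keyword scorer are all constructed; a real system would back the check with an authorisation service and the ranking with a vector index.

```python
"""
Added example: relationship-based access checks applied to RAG retrieval so an
agent only sees documents the current user may read. Not Auth0/Okta code; the
relation tuples, documents and scorer are constructed for illustration.
"""
from typing import List, Set

# Relationship tuples: (object, relation, subject). A subject is a user
# ("user:alice"), the wildcard "user:*", or a userset ("group:finance#member").
TUPLES = [
    ("folder:finance",  "viewer", "group:finance#member"),
    ("folder:public",   "viewer", "user:*"),
    ("doc:q1-forecast", "parent", "folder:finance"),
    ("doc:handbook",    "parent", "folder:public"),
    ("doc:alice-notes", "viewer", "user:alice"),
    ("group:finance",   "member", "user:bob"),
]


def related(obj: str, rel: str) -> Set[str]:
    """All subjects that have relation `rel` on object `obj`."""
    return {s for (o, r, s) in TUPLES if o == obj and r == rel}


def can_view(user: str, obj: str, _depth: int = 0) -> bool:
    """True if `user` is a viewer directly, via a group userset, or via a parent."""
    if _depth > 8:                      # guard against cyclic parent relations
        return False
    for subject in related(obj, "viewer"):
        if subject in (user, "user:*"):
            return True
        if "#" in subject:              # userset, e.g. group:finance#member
            group, rel = subject.split("#", 1)
            if user in related(group, rel):
                return True
    return any(can_view(user, parent, _depth + 1) for parent in related(obj, "parent"))


# Constructed corpus
DOCS = {
    "doc:q1-forecast": "Q1 revenue forecast and hiring budget for the finance team",
    "doc:handbook":    "Employee handbook: holidays, expenses and revenue share",
    "doc:alice-notes": "Alice's private notes on the revenue forecast model",
}


def score(query: str, text: str) -> int:
    """Toy relevance: number of query words present in the document."""
    words = set(text.lower().replace(":", "").split())
    return len(set(query.lower().split()) & words)


def retrieve(query: str, user: str, k: int = 2) -> List[str]:
    """Authorise first, rank second. Filtering before ranking means a document
    the user cannot read never influences what comes back, and no count or
    score leaks its existence to the model."""
    candidates = [d for d in DOCS if can_view(user, d)]
    ranked = sorted(candidates, key=lambda d: (-score(query, DOCS[d]), d))
    return ranked[:k]


if __name__ == "__main__":
    for user in ("user:alice", "user:bob", "user:carol"):
        print(user, "->", retrieve("revenue forecast", user))
```

Run it and note that "doc:alice-notes" is the most relevant document for the query, yet only Alice ever gets it; Bob sees the finance forecast through his group membership, and Carol sees only the public handbook. The filter step is cheap here, but in a real deployment the check is usually a batch call to the authorisation service, so filter at the candidate stage rather than on the final top-k to avoid returning fewer than k results.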
Okta’s private tour of McLaren
After the talks, those attending the event had an amazing private tour of the McLaren facilities. I got to see the most amazing cars, but also the workshops with the engineers in action (what struck me was how clean and tidy the work stations were; not what I was expecting). But as there is proprietary information and work going on 🤫 I wasn't able to take any photos of this area... you will just have to use your imagination!
This blog post only really scratches the surface of what Okta and Auth0 are doing in the security space. If you want to learn more, I would recommend taking a look at "A blueprint for Identity Security in the era of AI and NHIs".
Security is definitely important. Especially with the whole vibe-coding, ship-it-in-an-afternoon trend, a lot of code is being written, and a lot of potential bugs are being shipped with it.
I believe we should have security in mind right from the start and keep refining the code to minimise the risks.
It's an important topic, and we'll just have to wait and see what the future ho