Okta, Inc. (OKTA) Earnings Call Transcript & Summary

April 9, 2025

NASDAQ US Information Technology IT Services special 51 min

Earnings Call Speaker Segments

Operator

operator
#1

This presentation contains forward-looking statements. We reserve the right to change the information in this presentation. More information can be found in our security filings. Please welcome Okta's CEO and Co-Founder, Todd McKinnon.

Todd McKinnon

executive
#2

It's great to be here. We are really excited about some product innovation. We're going to show you some great co-presenters that are going to come up on the stage and show off some stuff we've been working on. But before you do that, I'm going to give you a quick little overview of Okta at a high level, and then we'll get to it. So again, thanks for joining us. It's a big, big time for Okta, and this event is a really great time to be together. Okta is an identity company. We are, by far, the largest independent and neutral identity company. And our strategy is we want to be the one-stop shop for identity. So every organization in the world, when they think about solving all their identity use cases, we want to do that for them. And we've had success, and we think this is a sound strategy because identity really unlocks a tremendous amount of opportunities in your organization. It lets you have a great user experience for all of your users. It lets you unlock business value, do personalized user experiences across all different kinds of constituencies and makes everything work well together, and that's a really good foundation to build on. But our -- vision of our company is not directly based in identity. It's actually far bigger. The vision for our company is we want to free everyone to safely use any technology. Identity for us is a means toward that end, but it starts with this desire and this drive to free you to use any technology and to do that in a safe and secure way. And that safe word is really important because what we've seen in the industry over the last 10 years and with all the changes going on, what's certainly going to be true for the next 10 years is that identity is security. You can't have a solid security foundation without a solid identity foundation. It's the cornerstone of what we're all trying to do with security. And it's a complex world out there with regards to security. 
We all know this as practitioners and people on the front lines fighting against attacks every day, 8 out of 10 security breaches involve some kind of compromised identity, whether it's the initial point of compromise or whether it's how the attackers use the initial point of compromise to move through a privileged account, escalate privilege, there are -- 8 out of 10 of them are based on identity. And we're very excited about the opportunity at Okta to -- if we can help solve the identity security challenge, we can solve the underlying issue for almost all of security breaches, which is pretty exciting. What's going on in the complexity of all your technology stacks, you're trying to bring different ecosystems together, use different cloud providers, different application stacks, different development platforms. Every new generation of technology has a new development platform. And that's a tremendous amount of complexity. And if we can provide a universal identity layer across all of that and free you up to choose the best technology and get secure outcomes at the same time, that's tremendously powerful. And then you layer on top of that, what we're all very excited about the potential of with AI and AI agents it's exciting, but it's also daunting because you have to make it all work together. You have to innovate, you have to mitigate your risks. And so the stakes for all of this have never been higher. And when we think about building our company, one of the most important fundamental things about this is our commitment to secure identity. And we think about this commitment as very deep. It's from our -- throughout our products, it's throughout the culture of our company, and we're very, very committed to leading the industry in the fight against identity-based attacks. 8 out of 10 attacks could be prevented if we solve the core issue of identity-based attacks. And that's a very important mission and tasks and journey we're on as a company. 
And this secure identity commitment has 4 really important pillars. It's very comprehensive in the way we think about this. They're all deeply important. The first one is hardening and securing our -- the actual corporate infrastructure that we provide or that we build Okta on, everything from IT systems, integrating with third parties, how we prioritize and manage risk in our internal environment is very, very important, and it's something that's like the core and the foundation of what we do. We want to make products that are -- not only provide great security outcomes for our customers, but those products are built and delivered in a way that's secure and secure by default. It's one thing to get a product that can have great security outcomes for your organization, but it has to be delivered in a way that is secure and sound and goes into your environment with security at its core and its default operating position. We want to champion security best practices within our customer base. We want to not only build secure products and deliver capabilities that allow you to be more secure, but we want to make sure that our entire ecosystem of customers and partners knows how to deploy these products and learns from best practices in deploying them and secure and leading to great security outcomes for our customers. And then finally, we want to lead the industry to make sure that all of this is more standardized and the industry has a common pattern for how to deploy technology in a way that leads to secure identity at its outcome. And by executing all of these 4 pillars, we believe that we can do something very important, which is lead the industry and eventually eliminate all identity-based attacks because the environment that you're all dealing with and that you're all managing and you're trying to use your technology environment to further your businesses, it's quite complex. 
It's -- you have -- at the foundation of this picture, you have all of the technology that you're trying to employ and use and innovate and many of its legacy technology that you're trying to manage and keep running in an economic way, while at the same time, trying to deploy new technology. And then the identity challenges with accessing all the -- allowing access from all the different types of internal users and customers and external users. And now with the world of agentic systems and nonhuman identity, it's even getting more and more complex. And at the middle of this web of complexity is our identity management products, everything from traditional identity access management to areas like identity governance and privileged access management, and we're bringing products that are trying to simplify this for all of you. And we deliver our products across this entire spectrum from 2 platforms. And they're 2 distinct platforms, and they're each focused on a separate set of use cases and a separate set of people that run and operate them inside of a company. The first is the Okta Platform, which is purpose-built for IT teams and security teams. And this set of products on the Okta Platform are -- we're really trying to set a new category here. And this is the first -- industry's first and only set of identity management products for IT and security that deliver an identity security fabric. And this is important to think about it this way because we are doing something different. This is access management. This is identity governance and privileged access management delivered as not only individually excellent products for their own use cases, but in a way that's integrated seamlessly across these products on the Okta Platform to deliver an outcome across this whole fabric that was not possible before. So your governance knows about your privileged access rules. 
Your core strong authentication can be used for privileged resources, and it all works seamlessly together. It's the identity security fabric, and that's what we strive to do here at Okta. And then for developers, for people building applications, whether that's building applications inside of your organization for internal use or that's you're building applications to be sold to your customers, that's the Auth0 platform. And this platform is purpose-built for developers, meaning that it has to work in every programming language. It has to have comprehensive SDKs and documentation. It has to be usable in bite-sized chunks so it can be embedded at just the right spot inside of an application. And again, with security at its core, supporting multiple use cases from log-in for people, for customers, but also, as we'll talk about later, agentic AI use cases. So it's purpose-built for developers. And we're having a ton of success with this. We have over 20,000 customers across both of these platforms, all kinds of customers around the world, all different industries. And the success is humbling, but we feel like we're just getting started. We're on this mission to be this one-stop shop for identity for every organization in the world. And last time I checked, there were more than 20,000. So we have a lot of work to do there. Now we're going to be talking about 2 specific kind of categories in this big landscape, in this big ecosystem today. And the first is around nonhuman identities. Nonhuman identities are things like service accounts, tokens, API keys. These are often overlooked and often underappreciated in the world of identity management. And we've made some exciting enhancements, and we're focused on really solving the problem of nonhuman identities inside of your environments. And this has been problematic for a long time. It's -- these accounts often have properties that make them pretty sensitive from a security perspective. 
They are often very broadly -- the permissions of these accounts are often broadly available because they need to be flexible and people want to use them for different capabilities. So they're really over-permissioned in many cases, leading to potentially negative security outcomes. And then also because they're for nonhumans, the access tokens or the keys get embedded in all these scripts and all these source code repositories. So they're easy to find, they're easy to exploit and they're easy to take these tokens and use them in ways that shouldn't be used. And it's -- these nonhuman identities are related but not the same thing as the next topic we'll talk about, which is what's happening with this in the world of AI. The world of AI is very -- as you've all heard, it's very exciting, and there's a lot of hype going on about it. But the power of AI is tremendous. And specifically when you talk about agentic AI and thinking about how we can deploy these AI agents that packaged software vendors are providing for us now or how we can build them ourselves, it leads to some very interesting security challenges, and we have some very innovative solutions to help you think about this whole world. And when you think about an AI agent, what makes it interesting and different and unique? Why is it different from just a software program or a batch job or a daemon you may have had in the past in your environment? Well, I think there's a couple of very important differences. The first difference is that they're autonomous, and they work in a nondeterministic way. So the software can use generative AI to go down paths or take plans of execution that weren't deterministic or weren't totally preprogrammed from the beginning, which is important because a lot of times, these AI agents have access to different systems.
So it's very hard to predict exactly the order they'll go in and exactly the access patterns they'll need to access from these various systems they're pulling information from, which, as you can imagine, leads to when you deploy these agents in production, overprovisioned accounts because since you're not sure what the agent is going to do, the tendency is to give it service accounts and have it be overprovisioned, which can lead to bad outcomes if the agent gets compromised or if the tokens that the agent is using to access these repositories get compromised. And then the last thing is you want to make sure you have the ability to have humans in the loop so that as these agents are doing their job, you have a mechanism to have humans step in and give their approval or give their final sign-off on things the agents are trying to do. So it's a big, complex world, this world of identity and the products and the platforms and the security outcomes we can achieve. And today, we're going to focus on these 2 areas, nonhuman identity and then agentic agents or agentic AI in this world of agents and how the 2 areas overlap with each other and interplay. So next up is going to be Harish, who's going to talk about nonhuman identities. Welcome, Harish.

Harish Peri

executive
#3

All right. What's going on, everybody. Hello, everyone on the live stream. Hope you can see as well. Let's talk about nonhuman identities. What are nonhuman identities? Actually for the purpose of this presentation, I'm going to call it NHI because it's a mouthful if I say it 100 times, I think I'm going to trip over myself. So NHIs. NHIs refer to a broad category of identities that connect systems together. You have everything from service accounts to OAuth tokens to the identities of virtual machines, containers. You have device identities. It's a very large category. Don't take my word for it. This is how Gartner defines nonhuman identities. This is an excerpt straight from a Gartner report. You have everything from organizations to machines, to workloads, virtual machines, et cetera. And you have the second column that says animal. Yes. Animal identities are also part of nonhuman identities. Animals like this lovely dog here. This is my Golden Retriever. Her name is Willow. She's 5 years old. She's a really good girl. She posed for this photo. But the truth is, she has an RFID chip on her left leg in case she ever gets lost and we want to track her. That also counts as a nonhuman identity. And the reason I'm telling you this is it is a huge category. There's a lot of noise here. So it's upon us to help define it properly and help that we deploy it correctly to secure your organization. So thank you, Willow. Good job. I'll give you a treat when I get back to New York. The thing is there's nothing inherently wrong with NHIs. NHIs are actually critical for companies of every size because what they're doing is they integrate systems. They make processes run behind the scenes. They actually enable system -- they enable software to talk to each other. It's actually very, very critical for the functioning of business as we know it. So there's nothing fundamentally wrong with them. The issue is that securing NHIs is very, very difficult. Now think about this. 
What starts off as a convenient move by a developer. They introduce a little token or a little backdoor account into a program to make life easier for them, that gets forgotten. And then over time, that goes on to accumulate privileges and it becomes a risk factor, it becomes a threat vector because a lot of these NHIs lack a couple of fundamental security hygiene capabilities like they don't have MFA, they're not behind SSO. They have static non-rotated credentials. They're not federated. And over time, they do accumulate excessive privilege. It's a real problem. Here's another way to think about it. I know we have an intimate group, but show of hands. How many of you actually write down your passwords on yellow sticky notes and stick them on your laptop or your monitor? If you raise your hands, the gentleman in the back, we should have a chat afterwards because times have changed. Anyway, most people don't do that when it comes to regular credentials. But when it comes to service accounts, this happens. You have developers that are hard coding tokens in their code into config files, into environment files. I was a developer a long time ago. I did that. I'm guilty. It happens because it's easy for developers to do and then they forget about it. Then they share these config files, they give access to other devs and the risk spreads. This is a problem that exists here and now and probably in every one of your organizations. Here's a couple of stats to kind of set the theme. In a recent study by the Cloud Security Alliance, it was shown that 23% of users in most Snowflake environments were actually service accounts. So it was nonhumans posing as humans. It's kind of a meta problem. But on the flip side, you have 80% of companies saying they actually don't know what to do with these nonhuman identities. They know it's a problem. They don't know what to do, and they want to increase investment. So you have a disconnect.
The problem is rising and you have customers and organizations that are like, what am I supposed to do with this? Again, we have this issue that's bubbling because most tools to manage identity were not made for the way NHIs are created, the way they're managed and the way that they sprawl over the long run. So today, we're going to talk about 3 critical things that every IT and security team across every organization must do today to get a handle on the sprawl of their NHIs. We're going to talk about visibility, meaning how do you actually see the things that can't be seen. We're going to talk about control. How do you actually bring all these NHIs under control? And finally, we're going to talk about governance and remediation. How do you manage these things that could be dangerous properly and in the right way over the long run. And as Todd mentioned, we're also going to announce some exciting products. But the one thing I want everyone here to walk away with is that the Okta Platform, which brings all this together, can actually help you see the things, control the things and manage the things all in one place. And that's what it really means to have an identity security fabric deployed across your organization. All right. Let's get into it. Let's start with visibility. That's part 1 of this 3-part journey. It sounds cliche, but it's true. You cannot secure what you cannot see. You need to see these NHIs in order to be able to secure them in the first place. And most organizations have thousands of NHIs that they don't even know exist in the first place. They're kind of lurking around corners. They're hidden in code, they're accessing systems. They're there. And without visibility, these NHIs become silent attack vectors because they're unmanaged, they're overlooked, and most dangerous of all, they're overprivileged. That's probably the biggest issue here is a shadow account is starting to accumulate more privilege than it needs to. 
So this is where Okta's Identity Security Posture Management, ISPM for short, comes in. Now ISPM is a product that exists today. It's a phenomenal product because what it does is it integrates to hundreds of SaaS applications, multiple cloud providers, multiple parts of an organization's ecosystem. And what it does is it detects overprivileged accounts. It detects orphan accounts and it detects other identity security posture risks. But now this extends to service accounts, which are probably the leading type of NHIs that need to be controlled. ISPM can now identify unused and overprivileged service accounts. It can detect unused admin roles. And the most important thing is because it's built into the same Okta Platform, it can take actions to remediate those risks automatically and fast because the thing more dangerous than finding a risk is not doing anything about it. And so ISPM can help make that happen on the same Okta Platform. Now from a product perspective, ISPM is available right now in North America and will be available globally very soon later this year. So stay tuned. Exciting things are on the horizon. Okay. Part 2 of this journey is control. You need to give your service accounts the right level of access control and manage that correctly. Because without strong access controls, NHIs can accumulate broad unchecked permissions over time. And here's the real reason that's a problem. Let's say a motivated adversary gets access to a token or a service account that they shouldn't have access to. What they're basically getting is the master key to move around your building freely. Fun example, this isn't in the script, but I noticed here in this amazing facility, everything is behind the right doors. You need to be escorted to places because the IP of McLaren is phenomenal, and they want to make sure that it's only about right person, right access, right time. 
But if you don't do that with service accounts, a motivated adversary can get in and laterally move across your organization. That is a gold mine for any hacker, and that's the thing that you need to prevent by adding the right kind of access control. Now here's another way to think about it. NHIs are typically nonfederated. There are cases where you don't -- you cannot manage them in a federated account. So IT and security teams usually have to go to a separate system. They have to go to a different system to manage service accounts, they are copy/pasting between that and their IDP. They have to manage authentication policies in a separate system. More systems that are more disconnected introduces more errors and more risks. This is a real problem from an access perspective until now. So with the Okta Platform, Okta's Privileged Access capability or OPA for short, complements ISPM. It's part of that security journey because what it does is it provides an active layer of protection and compliance for these service accounts. With OPA, you can take control of these risky service accounts. You can bring them under management. You can implement strong policies like vaulting, you can create an audit trail for their usage. Again, it's the part 2 of this journey, which is getting these things under control, all possible on the same Okta Platform. And this capability, which we're calling secure SaaS service accounts, it's a part of privileged access. It is available globally in early access today. We're going to share our announcements page at the end of the presentation. Please go check it out. It's pretty phenomenal stuff. It lets you do 3 things. The first is it lets you manage your service account passwords and enforce policies for who can access the secrets, how long can they check them out? Can they even do it in the first place? It lets you rotate secrets, which is very important. If these credentials get stale over time, that creates another attack vector. 
So we prevent that. And finally, from a compliance perspective, it lets you audit who's checking these credentials in and out because it doesn't matter if you're doing everything right. If you can't prove it to the right regulatory bodies, you're still going to be hit by a fine. And so this helps you control the compliance piece and the access piece in one place. All right. Let's move to the third piece of this puzzle, which is governance and ongoing fixing and remediation. This is really about life cycle management. Life cycle management for NHIs is critical. When I -- the sentence I'm about to say is kind of sad, but it's kind of true, which is a lot of NHIs are created and then they're forgotten. I feel bad for them. It's kind of like a poor NHI, you were created, you were helping a dev in the beginning and then we forgot about you. But that's why life cycle management is so critical from an NHI perspective. Because what happens is a lot of these NHIs, they stick around long after the original system they were intended to support gets deprecated. So system is gone, but the account isn't gone. Somebody gets access to it, a disgruntled ex-employee leaves, they get access to it. They get into your system, lateral movement. So governance and life cycle management of NHIs is critical. It's really, really important to close out the loop. And that is where the Okta Platform also helps. If you're not picking up on the theme, just as a side note, the theme here is that everything from visibility to access to governance is all possible on the same Okta Platform. And that's really, really powerful. One system for all of your identity security needs, bringing the fabric to life. But coming back to governance. We are investing actively in Okta Identity Governance so that IT and security teams will be able to enforce birthright policies on NHIs. They're going to be able to automatically provision and deprovision these accounts. 
And they can make informed decisions about the risk level of these accounts using Governance Analyzer, which is Okta AI built into it. So our AI powering smart IT and security decisions in line where they're working. And when you add the power of our orchestration to this, you can actually automate a lot of the remediation by triggering automatic certification campaigns. So we're investing tremendously now with products now and products that are coming very soon to ensure that you have one-stop shop to control what is an emerging threat vector that are NHIs. And this capability for Okta Identity Governance is coming in Q3 and is going to be a core part of extending the amazing product that already is Okta Identity Governance. Now I just want to zoom out for a second. I started at the 3 things that are required for security teams. I kind of went deep into it, but I want to come back out for a second. When you bring this level of visibility, access control and governance into the same place, when you have it implemented on the same platform, that's really what it means to have an identity security fabric deployed across your organization. Because at a macro level, it's all about all identities, all identity use cases, all resources, all capabilities, fully orchestrated, fully integrated across your organization in one place. That's the power of a true Identity security fabric, and we are bringing that to NHIs with all of our innovation. Okay. I think I talked a lot. I did a lot of gesturing. I talked about my dog. It was a little personal moment, but you came here to see product. You came here to see demos. Let's see what this looks like. And for that, I want to bring up the stage my friend, Mallory Sword Glenn. Now Mallory is going to help us drive the demo, get that. We're at McLaren. We're driving. Am I allowed to do more dad jokes or no?

Mallory Sword Glenn

executive
#4

I think we can get through the demo without any dad jokes.

Harish Peri

executive
#5

No more dad jokes. Okay. Sorry, sorry.

Mallory Sword Glenn

executive
#6

That will be good.

Harish Peri

executive
#7

We're having back and forth, but I think I'm capped on dad jokes. Okay. No more of that. So we're going to cover, in this demo, nonhuman identities. That is the emerging new risk vector from the overall identity spectrum that exists in an organization. And in this demo, we're going to cover 3 things. We're going to talk about how an IT and security professional can get visibility into their NHIs, how they can bring it under control from an access perspective and how they can govern it and manage its life cycle on an ongoing basis. Let's see how we make this happen. We're going to start with visibility. This is Okta's Identity Security Posture Management, or ISPM. It is already a phenomenal tool because what it does is it connects to your entire technology stack, and it's kind of like your command center for all of your identity security posture risks. It's doing some pretty cool stuff when it comes to NHIs because what it's doing is it's looking at repetitive behavior patterns, like repetitive access patterns. It's looking at naming conventions of accounts that could match up to what a service account could be. So it's very smart stuff, and it brings all this information into one place. Okay. Now on the specific service account, we can actually see a set of things like the access keys, the credentials associated with this one specific service account. And ISPM is also showing me things like stack rank risks by type. It's showing me insights like how I compare to industry standards like NIS and over time, we'll be adding other global industry standards as well. And it shows me remediation paths for potentially risky accounts. Now in the case of this one service account, I can see that it has a very specific risk, which is it is unvaulted and it has no security policies. That's a real problem. Because this service account has high privileges, which means if it's not vaulted, that's outside of what best practices dictate.
Best practices dictate that it actually needs to be vaulted and brought under control. Now imagine this, if this was just a system that showed you risks, as a security professional, I would have to go to a different system and manage the vaulting and the rotation and then copy/paste. You don't have to do that here. With the power of the Okta Platform, I can directly bring this risky account under management using Okta Privileged Access. I can do things like setting up security policies. I can categorize this account to be with others like it. I can set up a whole host of advanced security controls like password rotation, complexity requirements, request and approval flows, phishing-resistant MFA factors and time-bound password checkouts. These are like advanced-level security capabilities to ensure that my service account is brought under control, again, available in the same platform. This is a problem that a lot of organizations face. Now you might be saying, well, why can't I just have this be a federated account? Isn't that what you guys do? It turns out there's a lot of accounts that are like break glass accounts or legacy accounts where you need to manage the credentials, and this helps you bring that under control in a way that conforms to best practices. All right. Now let's go back to ISPM. What we can see here is that risk factor that we had is gone. It was on the active side. It's now in the resolved tab. So again, ISPM is that central command center to help you manage all of your identity security risks, and it shows you what you've -- what your problems are. But you know what, as a security professional, I'm happy that I have one less thing to worry about today, which is my service account that was risky is now under control. Now let's close out this demo. If you remember, I'm checking, I'm checking if people are tracking. There were 3 things we talked about: visibility, we talked about control, and we talked about governance. 
Let's close out the demo and see what it's like to govern the life cycle of these service accounts. And for that, Mallory, over to you.

Mallory Sword Glenn

executive
#8

Great. So beyond the management and remediation of these service accounts, another best practice, as we talked about, is being able to govern those service accounts on an ongoing basis. So as an IT or security professional, I can do exactly that using Okta Identity Governance. I can take immediate action like revoking access from a user that maybe doesn't need that access anymore. So in this certification review that you can see here, we see 3 things. First is all service accounts. The second is which users can actually access those service accounts. And then finally, we can see the risk levels for each user. For this particular account, Governance Analyzer with Okta AI is showing me that a user is high risk. And based on its recommendations, I'm actually going to revoke access to this specific service account, and I can do that really easily, typing in my justification and then hitting submit. Back to you, Harish.

Harish Peri

executive
#9

Okay. That was pretty cool. I want to pause and kind of recap what we saw because we covered a lot. We saw what it's like to have the power of a single platform help you get visibility into your potential -- an emerging new threat vector, which are your service accounts. We then saw what it's like on the same platform to bring those under control and enforce best policies like vaulting and rotation and managing their credentials. And then finally, we saw how easy it is to maintain the life cycle and govern these on an ongoing basis. And again, this is only possible because they're all built on the same singular Okta platform. And when you zoom out and look at this from a holistic perspective, what you saw is really what an identity security fabric looks like when deployed in a real organization. All right. Now Todd talked about 2 emerging trends in the industry. The first was NHI, but the second are AI agents. AI agents are all around us. They're growing faster than we can possibly imagine, and it's up to us to keep up the pace with the growth of agents. Now it's very critical that agents are built securely from day 0. You need to embed security in agents before you even start thinking about what you're going to build. And to talk more about how to make that happen, I want to bring to the stage, Shiv Ramji. All right.

Shiven Ramji

executive
#10

Hello, everyone. Hi to everybody in the room and for those who are online. I'm really excited to share our innovations in securely enabling AI agents either in your environments, your ecosystem or your applications. Now AI is evolving faster than any other technology shift we've ever seen. 82% of organizations plan to integrate AI agents in the next 3 years and for good reason. When surveyed, more than 1/4 of all consumers said they would use AI agents for faster service. We are seeing an explosion of AI-powered applications like assistants that can answer complex questions, automate workflows and can even take action on behalf of users. However, security is being left behind. And we know that AI security starts with identity. Now currently, most AI applications are being built without identity or access controls. It's because developers are wholly focused on getting AI agents to work, connecting them to data sources, automating tasks and integrating with different APIs. But few, but few are thinking about how to secure them. Now once these AI agents are live, it's too late and a whole lot more difficult to add security. If they have access to the wrong data, if they can perform sensitive actions beyond their intended purpose, if an attacker can take control, the damage is already done or certainly underway. AI agents must be built securely right from the start. Now apps that leverage generative AI like chatbots or AI agents use user interaction and authentication patterns that are different from those used by web and mobile apps. We are in new territory here. Now to understand the identity requirements needed to build generative AI into applications securely, we've been talking with experts, experimenting and also watching the industry very, very closely. We've identified 4 critical requirements where identity is crucial. Now these identity requirements are not brand new, but they just became a whole lot more relevant with generative AI applications. 
So first, let's start, authentication. So for AI agents to operate securely, they must be able to authenticate users just like any other application. It needs to confirm who the user is before providing access or making decisions. Now this could mean verifying a customer's identity before a purchase or a patient's credentials before giving them access to medical records. And just like any other application, authentication must be seamless and secure. Two, calling APIs. AI agents must interact with applications on behalf of users. Now to do this, they need to access APIs. Now without strong identity controls, AI agents could access APIs they shouldn't, leak sensitive data to unauthorized sources or be completely unable to perform tasks on behalf of users. That means tokens aren't hard-coded, they're vaulted and secured. Three, asynchronous workflows. Now unlike humans, agents don't always complete tasks instantly. Some actions like data processing, transaction approvals or decision-making can take minutes, sometimes hours or even days. But security systems today aren't built for these long-running asynchronous workflows. An AI agent might need to perform a task long after a session has ended. So we need an approach that allows AI agents to authenticate just in time when they need to act without leaving the door open for attackers. Four and the final one is authorization. Now not every AI agent should have the same permissions. Some should only retrieve data, others should execute commands and some should make high-risk decisions like approving a loan or processing a refund. Now AI agents should only get the permissions that they need and nothing more. And these permissions need to be dynamically updated to reflect changing business rules, adherence to compliance requirements and risk levels. 
We've discussed these challenges and solutions with companies of all sizes, including Fortune 100 companies, 2-person start-ups, fast-growing businesses and established enterprises. And as a result, we're focused on creating a new product that makes it easy for developers to solve these requirements. That's why we built Auth for GenAI. Auth for GenAI packages what we've learned working with generative AI frameworks and product builders and builds upon Auth0's decade-long experience in identity. With Auth for GenAI, you get 4 things. First, you get authentication for generative AI applications. This allows you to implement tailor-made log-in experience for AI agents. This includes linking of all accounts for the user profile and step-up authentication. Second, you get token vault. Securely connect AI agents to tools like Gmail, Slack, HubSpot, Salesforce using OAuth 2.0 for token management while also automatically handling token refreshes and exchanges. Three, you get asynchronous authorization. This allows you to enable AI agents to perform tasks with human-in-the-loop approvals. Four and the final one is fine-grained authorization for RAGs. This capability allows you to protect sensitive data by ensuring AI agents only retrieve documents or data that the user has access to. Auth for GenAI is available today in developer preview. This capability is available for free for everyone during this initial phase, and I encourage all of you here in the room and your teams to leverage this as you start experimenting with your own emerging AI applications or agents. We are really interested in your feedback. And so please experiment with the product. We want to continue iterating on these capabilities throughout the rest of the year. Now with the rise of an AI agent ecosystem, Auth for GenAI will help businesses build their generative AI applications securely from the start. Now I've talked a lot about these capabilities. 
Let's see all of these features and capabilities with a demo. I'm going to hand it over back to you, Mallory.

Mallory Sword Glenn

executive
#11

Awesome. Thank you, Shiv. Okay. So we've learned one thing today, it's that these modern tech stacks that we all have, they're creating these massive identity silos and fragmentation. And as we just heard from Shiv, AI agents are really only making that problem worse. So we're going to go through how Auth0 can actually help you eliminate that complexity. You're going to see this from 2 perspectives today. The first perspective is how a developer can use Auth for GenAI to build their AI agents securely from day 1. And then you'll see what it looks like for an end user to actually interact with one of these AI agents. Before we get started, let me introduce you to MarketZero. MarketZero is a fictitious AI agent that we are creating. It's autonomous and it can perform all kinds of tasks on behalf of investors, things like executing trades or generating information using retrieval augmented generation, or RAG. In this demo, you are going to see MarketZero retrieve a lot of information for me. And in order to do that, it's accessing a lot of documents behind the scenes, both public and private. Because of that, it needs the ability to have fine-grained permissions and human-in-the-loop processes. Fortunately, Auth for GenAI gives developers a really easy way and all the tools that they need to build this AI agent securely and with less code. As a developer, I can get started pretty quickly by creating an account on Auth0, and I can do that in just a few clicks here. And then from here, I'll be taken to a quick start page. I can select my use case. For this use case, we're going to select call APIs on the user's behalf. And then from here, I can select my preferred language and get step-by-step instructions for setting this up in my app. Now let's actually look at the code that was created using this QuickStart. This is just a few lines of code. It doesn't look like much, but this is actually super powerful. 
We are not hard-coding any sensitive tokens here, and we are not writing complex authorization logic from scratch. Now just for comparison, I also want to show you what this code would look like without Auth for GenAI. It's a little scary. So we'll bring it up here. That is a lot of code. That is code that took some developer a lot of time to build. And each line of code represents a potential entry point for attackers. So this is a really big deal. All right. So now that we've built our AI agent, let's see what it actually looks like when an investor interacts with MarketZero. To get started, we will sign in, and we can do that really easily using passkeys. So it gives me a really smooth and phishing-resistant way to log in. And that authentication is proving who I am, and so it's going to kind of frame the rest of our interaction with MarketZero. Now I am tracking ZEKO. So first off, let's just go ahead and see the latest stock price for ZEKO. MarketZero is going to retrieve that information for me using real-time market data. And then from there, let's research ZEKO to see if it might be a good investment for us. MarketZero will generate this forecast for me that you see here, and it's doing that using RAG on public earnings documents. So things like SEC filings and earnings transcripts. Now as you can imagine, if this agent pulls the wrong documents for me and gives me that information, that could be a huge security and compliance risk. And that is where Auth0 fine-grained authorization, or FGA, comes in. It protects those RAG calls to ensure that the AI agent can only access the data that I'm actually entitled to. Now this is useful, but I want a little bit more context. So let's get more in-depth analysis on ZEKO. To do that, I'm going to join the MarketZero newsletter here. And now when I ask for that forecast, I'm going to get something a lot more useful. That's because the MarketZero newsletter gave me access to premium analyst forecasts. 
So I have access to a lot more documents and a lot more information. So what happened here is when I subscribed to that newsletter, it changed all of the documents that I had access to on the back end and FGA handled all of those permission checks behind the scenes. Now I also want to set up an automated trade. We can do that pretty easily. We'll ask MarketZero to buy some more shares for us if the P/E ratio falls below 15. Now I don't know when or if that will ever happen, but that's all right. MarketZero is going to continuously monitor the price for me in the background. And then it will notify me in the app on my phone to execute that trade if and when the conditions are met. So in order to complete this, we're going to be asked to set up Async Authorization. So we'll go ahead and enroll in that. And that is also super easy, as you can imagine. We'll scan the QR code with our phone, and that is done, okay? So we'll see if that condition is ever met, if we ever get to execute on that trade. But what's important to note here, without Auth for GenAI, we would have to implement the CIBA protocol manually and build custom logic for user approvals. With Auth for GenAI, all it took me was a couple of lines of config and we get a secure and user-friendly flow that you just saw on the screen here. I'd also like to keep up with ZEKO as a responsible investor. So I want to be reminded of upcoming events. Let's just start off by seeing what events exist. Now from there, I want to stay organized and add some of these events to my Google Calendar. MarketZero requests access to read and write my Google Calendar. I'm going to go ahead and allow that. Now behind the scenes, Auth for GenAI helps ensure that the AI agent calls that Google Calendar API using a scoped OAuth token, never a hard-coded credential. That token is vaulted and it's time-bound, again, all done using a few lines of code. And now as we can see, those events show up right there on my Google Calendar. 
And one more thing, look at this, that alert that we set up earlier to buy more ZEKO if the P/E ratio dropped below 15 just triggered. MarketZero prompts me to approve that trade right here in the MarketZero app on my phone. I can go ahead and approve that really easily with one click, and we have a happy investor. That's it. Okay. So we just saw a lot happen there. Let's recap what we actually saw. We saw how Auth for GenAI can do 4 things, all 4 of the things you heard Shiv talk about: first, authenticate users, and we did that using passkeys, a really smooth and phishing-resistant way to authenticate; second, it can help us control AI agent permissions using fine-grained authorization; third, securely call APIs on behalf of users and vault those tokens; and then finally, how we can add human checks for any sensitive AI actions. So really powerful stuff. I'm glad you all got to see it today. And with that, I'm going to hand it back over to Todd.

Todd McKinnon

executive
#12

All right. Thank you so much. Great job, Mallory, Harish and Shiv. We are really, really excited about these products. And we encourage you if you're building AI agents or you're curious about the authentication security identity requirements, please -- you can scan the QR code here. You can sign up for the developer preview, get a feel and play around with the innovation in Auth for GenAI or if you're trying to struggle with managing nonhuman identities in your enterprise, you can learn about the enhancements to privileged access management, Okta Privileged Access to Okta Identity Governance and then Identity Security Posture Management because these important areas, nonhuman identities and Auth for GenAI are 2 of the key components in this -- what we're trying to build for all of you is try to be the one-stop shop for identity. And so we encourage you to learn about the products, play with them, give us feedback. And it's all up to the high-level vision, which is we want to free everyone to safely use any technology. And we're honored and privileged to do that for all of you, and we look forward to working with you in the future. So thank you for your time and attention, and have a good day.
