PingOne Advanced Identity Cloud

Secure your AI-driven solutions using AI agents

Advanced Identity Cloud lets you secure your organization’s AI-driven solutions using AI agents. AI agents are specialized OAuth 2.0 clients that are onboarded with their own identities. They can securely perform tasks on behalf of end users through a delegated token exchange process, ensuring distinct accountability and granular access control.

You can use AI agents to securely build digital assistants that operate on behalf of end users, such as a chatbot on a retail website helping a user navigate products, or an internal workforce assistant acting on behalf of an employee to access enterprise tools like Salesforce.

Advanced Identity Cloud models AI agents as OAuth 2.0 clients with their own identity and privilege object types:

  • AI agent object type: This is distinct from the user object type and lets AI agents have unique identities, allowing for clear accountability and distinct audit trails for their activities, with Advanced Identity Cloud acting as the dedicated Identity Provider (IdP).

  • AI agent privilege object type: This lets AI agents have delegated privileges, ensuring that they can only access specific applications, act for specific end users or groups of end users, and use specific OAuth 2.0 scopes.

This structure lets you configure AI agents to use delegation rather than simple impersonation and ensures that when an AI agent requests access to an application, it uses a token exchange process that presents both its own identity and the end user’s identity. This granular approach to token exchange improves security by preventing unauthorized access and stopping autonomous agents from executing unintended or destructive commands. It also enables “human-in-the-loop” workflows, where end users must explicitly approve high-risk or sensitive operations.
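The delegation model described above, as an added example that is not Ping Identity's code: it builds a token exchange request with the standard RFC 8693 parameters, then shows how a resource server could check a delegated token against an agent's privileges. That issued tokens carry the agent in an RFC 8693 `act` claim with a single-string `aud`, and all agent, user, application and scope names, are assumptions made for illustration.

```python
# Added example: names, privilege data and claim layout are assumptions.
TOKEN_EXCHANGE = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN = "urn:ietf:params:oauth:token-type:access_token"

def build_exchange_request(user_token, agent_token, audience, scopes):
    """RFC 8693 form body for delegation: subject = end user, actor = AI agent."""
    return {
        "grant_type": TOKEN_EXCHANGE,
        "subject_token": user_token,
        "subject_token_type": ACCESS_TOKEN,
        "actor_token": agent_token,
        "actor_token_type": ACCESS_TOKEN,
        "audience": audience,
        "scope": " ".join(scopes),
    }

# Constructed privilege record with the three limits the page lists:
# applications, end users and OAuth 2.0 scopes.
AGENT_PRIVILEGES = {
    "agent-retail-bot": {
        "apps": {"orders-api"},
        "users": {"alice", "bob"},
        "scopes": {"orders:read"},
    },
}

def authorize(claims, app, needed_scope):
    """Decide on claims whose signature, issuer and expiry were already verified."""
    actor = (claims.get("act") or {}).get("sub")
    if not actor:
        return False, "rejected: no act claim, token does not identify an agent"
    priv = AGENT_PRIVILEGES.get(actor)
    if priv is None:
        return False, f"rejected: unknown agent {actor}"
    if claims.get("aud") != app or app not in priv["apps"]:
        return False, f"rejected: {actor} has no privilege for {app}"
    user = claims.get("sub")
    if user not in priv["users"]:
        return False, f"rejected: {actor} may not act for {user}"
    granted = set(claims.get("scope", "").split())
    if needed_scope not in granted or needed_scope not in priv["scopes"]:
        return False, f"rejected: scope {needed_scope} not delegated to {actor}"
    # Audit line names both identities, so agent activity stays distinguishable.
    return True, f"allowed: agent={actor} user={user} app={app} scope={needed_scope}"

if __name__ == "__main__":
    delegated = {"sub": "alice", "aud": "orders-api", "scope": "orders:read",
                 "act": {"sub": "agent-retail-bot"}}
    print(authorize(delegated, "orders-api", "orders:read"))
    print(authorize({**delegated, "act": None}, "orders-api", "orders:read"))
```

A token without the `act` claim is what simple impersonation would produce: the resource server sees only the end user and cannot attribute the action to an agent, so the check rejects it.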

Key capabilities and benefits

The following table summarizes the key capabilities and benefits of integrating your AI-driven solutions using AI agents:

| Capabilities | Benefits |
| --- | --- |
| Specialized agent identity: Treats AI agents as distinct entities with unique identities and privileges, rather than using simple impersonation. | Granular security and least privilege: Eliminates "over-privileged" accounts by applying tailored security policies specific to autonomous entities. |
| Streamlined onboarding & lifecycle: Manual onboarding using OAuth 2.0 grant flow or automated onboarding via Dynamic Client Registration (DCR), with centralized lifecycle management. | Operational efficiency: Reduces administrative overhead and "agent sprawl" while ensuring agents can be instantly revoked or rotated. |
| Advanced access and token delegation: Sophisticated token exchange mechanisms to manage "on-behalf-of" permissions and resource scoping. | Reduced complexity: Simplifies the "who, what, and how" of agent access using low-code tools, ensuring secure delegation without custom-coded security logic. |
| Dedicated agent observability: Isolated logging and monitoring that separates agent telemetry from end users and static applications. | Clear auditability: Provides an auditable trail of AI activity, making it easy to prove compliance and understand exactly when an agent acted autonomously. |

Enable the AI agents feature

The AI agents feature is enabled by default for sandbox tenants created on or after March 31, 2026. For sandbox tenants created before that date, you can enable the AI agents feature using the instructions in Enable the AI agents feature.

Create an AI agent

Use the following steps to create and configure an AI agent in Advanced Identity Cloud:

  1. Follow the instructions in Create an AI agent. This creates a new AI agent, but it doesn’t have any privileges or access to applications.

  2. Complete the configuration of the AI agent by creating custom attributes, configuring its OAuth 2.0 client, and assigning it privileges and access to applications using application policies: