What happened
On June 23, 2026, Okta announced 25+ ecosystem partners for Cross App Access (XAA), an OAuth extension (based on the IETF ID-JAG draft) that routes AI agent connections through the enterprise IdP rather than relying on static API keys. Partners span requesting apps (Claude, Cursor, Docker, VS Code, Zoom), resource apps (Asana, Atlassian, Datadog, Figma, Slack, Supabase), and gateway infrastructure (Cloudflare, Zuplo). XAA is now the official Enterprise-Managed Authorization extension for MCP, which went stable June 18, 2026. Okta Workforce GA via the Integration Network is planned for August 2026; Auth0 EA in July.
Why it matters
XAA replaces static API key governance with IdP-policy-governed, short-lived tokens for every AI agent connection, enabling instant revocation, full audit trails, and centralized access control. IBM data shows that 97% of orgs suffering AI-related breaches lacked proper AI access controls. With Claude, Cursor, and 20+ others as launch partners, this is the leading candidate to become the de facto agent authorization standard.
Applicability
Any enterprise deploying AI agents through MCP-connected tools. Okta customers should enroll in the August GA; non-Okta customers should evaluate XAA/ID-JAG alignment now.