Governing AI to Close the Authority Gap
Governing AI to Close the Authority Gap is a Cloud Security Alliance Agentic AI Summit session uploaded in May 2026, with Jenna Cline and Harish Peri of Okta. Okta's companion streamcast page frames the problem as the "Authority Gap": AI agents are already making decisions and taking actions across enterprise environments, while the delegation, visibility, and audit trail behind those actions remain unclear.
The useful move is that the session treats agent governance as an operating problem, not a principles poster. The speakers connect business pressure, cost, compliance, audit committees, privacy, and security to one concrete question: when an agent retrieves data, approves work, purchases something, writes to a system, escalates a workflow, or invokes another service, what exact authority did it use? That belongs beside the site's authority map argument: an agent inventory cannot stop at model name, vendor, and tool list. It needs the authority envelope: human sponsor, business purpose, delegated permissions, data boundaries, side effects, approval gates, logs, and rollback paths.
The strongest section is about staged autonomy. A simple retrieval agent may act on behalf of a user inside a known permission boundary. The risk changes when the agent becomes an orchestrator, calls expert agents, crosses applications, or starts acting on systems (writing, approving, purchasing) rather than only answering questions. Before that expansion, the enterprise has to get the model behavior, identity binding, data access, and auditability right. That maps cleanly to AI Agent Identity, AI Audit Trails, AI System Inventory, and Agent Audit and Incident Review.
The supporting CSA and Okta material makes the same concern more concrete. CSA's note on Okta's Cross App Access work treats cross-application authorization as an identity-chain problem rather than a one-off integration problem. CSA's agent identity governance framework emphasizes intent-declared, time-bound, scope-limited grants. CSA's writing on the attribution gap argues that an agent action has to be traceable to an accountable human or governance system before it can satisfy regulatory expectations. Those ideas fit with OAuth Token Exchange, SPIFFE Workload Identity, and the Confused Deputy Problem.
Evidence and limits: this is a vendor/summit streamcast, not an independent product audit or proof that any specific Okta product solves agent governance. Its value is as an evaluation checklist for any agent program. Name every agent. Name its owner. State its permitted intent. Bind its actions to human or workflow authority. Constrain its scopes. Log decisions and tool calls. Review changes before increasing autonomy. Preserve revocation and rollback paths. The key lesson is simple: access is not authority. A token, API call, or retrieval permission is only defensible when the organization can prove why that action was allowed, who delegated it, who received the result, and what evidence remains afterward.
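The checklist above, together with CSA's intent-declared, time-bound, scope-limited grants and the confused deputy point, can be shown as one authorization gate in front of agent tool calls. What follows is an added example written for this page, not Okta's or CSA's code and not the shape of any real Cross App Access or token exchange artifact: the grant fields, the agent and tenant names, the approval threshold, and the audit record layout are all assumptions, and the sample calls are constructed. The point it demonstrates is that the gate decides against the delegated grant (sponsor, intent, scopes, data boundary, expiry) rather than against what the agent's standing credentials happen to permit, and that every decision, including denials, leaves a record naming the authority that was or was not present.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet, List, Optional

# Constructed example: the agent's standing service credentials are broad
# (it can read HR data), but nobody delegated HR access for expense review.
AGENT_STANDING_PERMISSIONS: Dict[str, FrozenSet[str]] = {
    "expense-agent-7": frozenset({"expenses:read", "expenses:approve", "hr:read"}),
}
APPROVAL_THRESHOLD = 5000.0  # hypothetical approval gate on expense approvals


@dataclass(frozen=True)
class DelegationGrant:  # hypothetical intent-declared, time-bound, scope-limited grant
    grant_id: str
    agent_id: str
    sponsor: str            # accountable human or workflow owner
    intent: str             # declared business purpose
    scopes: FrozenSet[str]  # permitted actions
    data_boundary: str      # tenant the grant is bounded to
    issued_at: datetime
    expires_at: datetime


@dataclass(frozen=True)
class ToolCall:
    agent_id: str
    action: str
    tenant: str
    intent: str
    amount: Optional[float] = None


@dataclass(frozen=True)
class AuditRecord:
    at: datetime
    grant_id: Optional[str]
    sponsor: Optional[str]
    agent_id: str
    action: str
    tenant: str
    decision: str  # "allow", "deny" or "needs_approval"
    reason: str


def authorize(call: ToolCall, grant: Optional[DelegationGrant],
              now: datetime, audit: List[AuditRecord]) -> AuditRecord:
    """Decide one tool call against its delegation grant; always append an audit record.

    Each denial names the part of the authority envelope that failed, so the log
    answers "what exact authority did it use?" for denials as well as allows.
    """
    def record(decision: str, reason: str) -> AuditRecord:
        rec = AuditRecord(now, grant.grant_id if grant else None,
                          grant.sponsor if grant else None, call.agent_id,
                          call.action, call.tenant, decision, reason)
        audit.append(rec)
        return rec

    if grant is None:
        return record("deny", "no delegation grant; standing credentials alone are not authority")
    if grant.agent_id != call.agent_id:
        return record("deny", "grant was issued to a different agent")
    if not grant.issued_at <= now < grant.expires_at:
        return record("deny", "grant expired or not yet valid")
    if call.intent != grant.intent:
        return record("deny", f"intent {call.intent!r} does not match declared {grant.intent!r}")
    if call.tenant != grant.data_boundary:
        return record("deny", "resource outside the grant's data boundary")
    if call.action not in grant.scopes:
        # Confused-deputy guard: check delegated scopes, not what the agent's own
        # credentials happen to permit.
        return record("deny", f"action {call.action!r} not in delegated scopes")
    if call.action not in AGENT_STANDING_PERMISSIONS.get(call.agent_id, frozenset()):
        return record("deny", "grant exceeds the agent's provisioned access")
    if call.action.endswith(":approve") and (call.amount or 0.0) > APPROVAL_THRESHOLD:
        return record("needs_approval", f"amount above {APPROVAL_THRESHOLD:.0f} needs sponsor {grant.sponsor}")
    return record("allow", f"delegated by {grant.sponsor} under grant {grant.grant_id}")


def demo() -> List[AuditRecord]:
    """Run constructed calls through the gate and return the audit trail."""
    now = datetime(2026, 5, 1, 12, 0, tzinfo=timezone.utc)
    grant = DelegationGrant("g-0001", "expense-agent-7", "finance-lead@example.com",
                            "expense-review", frozenset({"expenses:read", "expenses:approve"}),
                            "tenant-emea", now - timedelta(hours=1), now + timedelta(hours=1))
    audit: List[AuditRecord] = []
    calls = [
        ToolCall("expense-agent-7", "expenses:read", "tenant-emea", "expense-review"),
        ToolCall("expense-agent-7", "expenses:approve", "tenant-emea", "expense-review", 1200.0),
        ToolCall("expense-agent-7", "expenses:approve", "tenant-emea", "expense-review", 9000.0),
        ToolCall("expense-agent-7", "hr:read", "tenant-emea", "expense-review"),
        ToolCall("expense-agent-7", "expenses:read", "tenant-apac", "expense-review"),
        ToolCall("expense-agent-7", "expenses:read", "tenant-emea", "vendor-onboarding"),
    ]
    for call in calls:
        authorize(call, grant, now, audit)
    authorize(calls[0], grant, now + timedelta(hours=2), audit)  # same call after expiry
    authorize(calls[0], None, now, audit)                          # same call, no grant
    return audit


if __name__ == "__main__":
    for r in demo():
        print(f"{r.decision:14} {r.action:17} {r.tenant:12} grant={r.grant_id} :: {r.reason}")
```

Two design choices carry the page's argument. The scope check runs against the grant before the agent's provisioned permissions are consulted at all, so `hr:read` is refused even though the service account could technically perform it; that is the confused deputy case in miniature. And the gate never returns without appending to the audit list, so a later review can reconstruct who delegated what, for which purpose, and why a call was refused, which is the evidence the session says has to remain after the action.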