On the same day that Okta unveiled its AI agent security platform, SailPoint and AWS quietly signed something potentially more consequential: a multi-year strategic collaboration agreement to build a unified identity governance layer for all identities — human and non-human — interacting with AWS services.
The deal positions SailPoint as the preferred identity governance solution for agentic AI builds on AWS. Given how much enterprise agent infrastructure already runs on AWS, this is a bid to own the identity layer of the agentic stack.
What They’re Building
The collaboration centers on creating a single governance framework that manages human employees and AI agents through the same identity plane. No separate systems. No bolted-on agent governance. One layer for everything.
Key Deliverables
Complete lifecycle governance for all identities
Every identity — human, machine, or agent — gets managed from onboarding through certification to secure decommissioning. AI agents spawned in Bedrock AgentCore get registered as governed identities in SailPoint, with clear human ownership assigned.
Continuous least-privilege access
Continuous enforcement driven by AWS CloudTrail data. The system analyzes which calls an identity actually makes and right-sizes its permissions to what it uses, not what it was initially granted. CloudTrail typically delivers an event within minutes of the API call, so in practice the loop is continuous rather than instantaneous.
This is critical. Agents accumulate permissions over time as developers add tool access during development and never revoke it. Continuous right-sizing is the automated answer to that sprawl. It is only as good as the trail it reads: data-plane calls such as S3 object reads and Lambda invocations are logged only when data-event logging is enabled for the resource, so an analysis fed by management events alone would strip permissions the agent relies on.
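The right-sizing step itself is mechanical enough to sketch. The Python below is an added example, not SailPoint's or AWS's code: it derives the IAM actions an agent role exercised from CloudTrail records (a constructed sample is embedded), compares them with the role's grants, and emits a narrowed policy together with the grants nothing used. The role ARN, bucket, function and model ARN are placeholders. It also handles the two ways a naive version goes wrong: CloudTrail event names that differ from the IAM action name, and data-plane calls that never reach a trail logging management events only.

```python
"""Right-size an agent role's IAM policy from observed CloudTrail activity.
Added example, not SailPoint's or AWS's code. Role ARN, bucket, function and
model ARN are placeholders; SAMPLE_EVENTS are constructed CloudTrail records."""
import fnmatch
import json
from collections import defaultdict

AGENT_ROLE = "arn:aws:iam::123456789012:role/openclaw-agent"  # placeholder

# CloudTrail eventName is usually the IAM action name, but not always. Two known
# mismatches: S3 listing is logged as ListObjects/ListObjectsV2 but authorised
# by s3:ListBucket; a Lambda data event is logged as "Invoke" but authorised by
# lambda:InvokeFunction. Extend this table as you find more.
EVENT_TO_ACTION = {
    ("s3.amazonaws.com", "ListObjects"): "s3:ListBucket",
    ("s3.amazonaws.com", "ListObjectsV2"): "s3:ListBucket",
    ("lambda.amazonaws.com", "Invoke"): "lambda:InvokeFunction",
}

# Data-plane actions reach CloudTrail only when data-event logging is enabled
# for the resource; on a management-events-only trail their absence is not
# evidence of non-use and must not lead to trimming.
DATA_EVENT_ACTIONS = {"s3:GetObject", "s3:PutObject", "s3:DeleteObject",
                      "lambda:InvokeFunction"}

def event_to_action(record):
    """Map one CloudTrail record to the IAM action it required."""
    key = (record["eventSource"], record["eventName"])
    if key in EVENT_TO_ACTION:
        return EVENT_TO_ACTION[key]
    return f"{record['eventSource'].split('.', 1)[0]}:{record['eventName']}"

def observed_usage(records, role_arn):
    """{action: set(resource ARNs)} for successful calls made under role_arn.
    Denied calls are skipped: AccessDenied is not evidence the agent needs the
    permission, and counting it would re-grant exactly what was refused."""
    usage = defaultdict(set)
    for r in records:
        issuer = r.get("userIdentity", {}).get("sessionContext", {}).get("sessionIssuer", {})
        if issuer.get("arn") != role_arn or "errorCode" in r:
            continue
        usage[event_to_action(r)].update(
            res["ARN"] for res in r.get("resources", []) if "ARN" in res)
    return dict(usage)

def right_size(granted, usage, data_events_logged=True):
    """Return (proposed_actions, unused_grants, used_but_ungranted).
    Keeps each used action that some grant pattern covers. Without data events
    in the trail, data-plane actions reachable through a grant are kept too, so
    a logging blind spot does not become an outage for the agent."""
    proposed, matched, ungranted = set(), set(), set()
    for action in usage:
        hit = next((p for p in granted if fnmatch.fnmatchcase(action, p)), None)
        if hit is None:
            ungranted.add(action)  # succeeded with no matching grant: inventory is wrong
        else:
            proposed.add(action)
            matched.add(hit)
    if not data_events_logged:
        for p in granted:
            for a in DATA_EVENT_ACTIONS:
                if fnmatch.fnmatchcase(a, p):
                    proposed.add(a)
                    matched.add(p)
    return sorted(proposed), sorted(set(granted) - matched), sorted(ungranted)

def policy_document(actions, usage):
    """One Allow statement per action, scoped to the ARNs actually observed.
    Observed ARNs are a floor: widen an object-level S3 ARN to a prefix on
    purpose, rather than falling back to "*" by default."""
    statements = [{"Effect": "Allow", "Action": a,
                   "Resource": sorted(usage.get(a, ())) or "*"} for a in actions]
    return {"Version": "2012-10-17", "Statement": statements}

def _session(role_arn):
    return {"sessionContext": {"sessionIssuer": {"arn": role_arn}}}

SAMPLE_EVENTS = [  # constructed, trimmed to the fields used above
    {"eventSource": "bedrock.amazonaws.com", "eventName": "InvokeModel",
     "userIdentity": _session(AGENT_ROLE),
     "resources": [{"ARN": "arn:aws:bedrock:us-east-1::foundation-model/example-model"}]},
    {"eventSource": "s3.amazonaws.com", "eventName": "ListObjectsV2",
     "userIdentity": _session(AGENT_ROLE),
     "resources": [{"ARN": "arn:aws:s3:::agent-scratch"}]},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": _session(AGENT_ROLE),
     "resources": [{"ARN": "arn:aws:s3:::agent-scratch/notes.txt"}]},
    {"eventSource": "lambda.amazonaws.com", "eventName": "Invoke",
     "userIdentity": _session(AGENT_ROLE),
     "resources": [{"ARN": "arn:aws:lambda:us-east-1:123456789012:function:agent-tool"}]},
    {"eventSource": "s3.amazonaws.com", "eventName": "DeleteObject",  # refused, so ignored
     "userIdentity": _session(AGENT_ROLE), "errorCode": "AccessDenied"},
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateUser",  # a human's session
     "userIdentity": _session("arn:aws:iam::123456789012:role/admin")},
]
GRANTED = ["bedrock:*", "s3:*", "lambda:*", "secretsmanager:GetSecretValue", "iam:PassRole"]

if __name__ == "__main__":
    usage = observed_usage(SAMPLE_EVENTS, AGENT_ROLE)
    keep, unused, ungranted = right_size(GRANTED, usage)
    print("unused grants:", unused, "| used without a grant:", ungranted)
    print(json.dumps(policy_document(keep, usage), indent=2))
```

On the sample, the script reports iam:PassRole and secretsmanager:GetSecretValue as unused and narrows the three wildcards to four concrete actions. The observation window is the part that needs judgment: a permission exercised only by a monthly job looks unused for 29 days, so trim over a window longer than the agent's longest cycle and stage the narrowed policy for review before attaching it.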
Unified identity graph
A single, authoritative view of all access relationships between workloads, federated identities, services, and data. Think of it as a map of who (and what) can access what across your entire AWS environment — including every agent, every MCP connection, every API call.
Automated policy enforcement
Security guardrails that continuously enforce access policies, with workflows that trigger access revocation when risk, role, or behavior changes. An agent's permissions change based on what it is doing, not just what it was authorized to do at setup time. One mechanic to check in any implementation: removing a permission from a role does not invalidate the temporary credentials a running session already holds, so cutting an agent off also needs an explicit deny (for example one conditioned on aws:TokenIssueTime) or session durations short enough that stale credentials expire quickly.
The Bedrock AgentCore Integration
The most technically significant piece: SailPoint integrates directly with Amazon Bedrock AgentCore by discovering AI agents and governing them as identities. This means:
- Human-agent attribution: Every agent action is traced back to the human who owns it
- Lifecycle governance: Agents are subject to the same onboarding, access reviews, and decommissioning as human employees
- Permission right-sizing: Agent access gets reviewed and trimmed automatically
- Policy enforcement: Enterprise security policies apply to agents the same way they apply to humans
Future capabilities will allow SailPoint to provision accounts on behalf of AgentCore agents and manage access requests — meaning agents can request elevated access through the same governance workflows that humans use.
The Bigger Picture: Agent Identity Is a Platform War
Today’s dual announcements — Okta’s AI agent platform and SailPoint’s AWS collaboration — mark the beginning of a platform war for the agent identity layer.
The thesis is simple: as AI agents proliferate across the enterprise, someone has to be the source of truth for agent identity. The identity provider that governs your agents controls a critical chokepoint in the enterprise security architecture.
Consider what’s converged in the past month:
- OWASP Top 10 for Agentic Applications listed inadequate access controls as a top risk
- NIST called agents Non-Human Identities requiring formal governance
- AvePoint AgentPulse launched for shadow agent discovery
- Singulr Agent Pulse launched for runtime governance
- Okta announced a full agent identity platform (today)
- SailPoint + AWS signed a multi-year agent governance partnership (today)
The pattern: identity governance for agents is moving from “nice to have” to “table stakes” in enterprise procurement decisions.
What This Means for OpenClaw Users
If you’re running OpenClaw agents that interact with AWS services — Bedrock for models, S3 for storage, Lambda for execution — your agent will increasingly be governed as a non-human identity. That means:
- Your agent needs an identity: Not just an API key, but a registered entity with an owner, permissions, and audit trail
- Permissions will be dynamic: A static IAM role attached at deploy time is the starting point, not the end state. Expect the effective permissions to be re-evaluated continuously against what the agent actually does
- Shadow agents will be found: An ungoverned OpenClaw agent connected to company AWS resources is exactly what this discovery tooling exists to surface, and surfacing it will raise security alerts
- The kill switch is real: Suspicious agent behavior can trigger instant access revocation across all services
For enterprises evaluating self-hosted agent deployments, this is actually good news. The identity governance problem has been the biggest blocker for enterprise adoption of autonomous agents. With Okta and SailPoint both shipping products against it, the “it’s too risky” objection loses its teeth.
The Bottom Line
SailPoint’s AWS deal is less flashy than Okta’s product launch, but potentially more impactful. By embedding agent identity governance directly into the AWS infrastructure layer, SailPoint is making agent governance a default rather than an add-on.
Mark McClain, SailPoint’s CEO, framed it well: “The proliferation of AI agents is creating a new class of non-human identities, and each one represents a new attack surface.”
Every attack surface needs a security control. SailPoint and AWS just agreed to build it together.