AI_AGENT_SECURITY

Your Identity Providers Are Full of AI Agents You Don't Know About.

Butterfly scans your Okta, Entra ID, Auth0, Ping Identity, 1Password, Workato, Boomi, and Zapier configurations to find every AI agent registered as an OAuth app, service account, or API integration. Assess their risk, enforce policies, and back up the identity configs they depend on.

butterfly agents discover --all-connections

[SCAN] Scanning OAuth apps across 8 providers...

Scanning Okta, Entra ID, Auth0, PingOne...

Scanning 1Password, Workato, Boomi, Zapier...

Matching against 10 AI platform patterns...

"Claude Code Assistant" (Anthropic) OAuth App Risk: 25/100

"GPT-4 Integration" (OpenAI) OAuth App Risk: 45/100

"svc-copilot@acme.com" (Microsoft) Svc Acct Risk: 60/100

! "LangChain Bot" (Self-Hosted) OAuth App Risk: 82/100 SHADOW

[RESULT] 4 agents found | 1 shadow AI | 1 critical risk

[BACKUP] Config backed up: 847 users, 42 recipes, 67 zaps, 6 vaults

AI Agents Are Embedded in Your Identity Infrastructure

AI agents connect to your organization through your identity providers. They register as OAuth apps. They use service accounts. They hold API keys. Most security teams have no inventory of these agents, what permissions they hold, or what data they can access.

What AI agents look like in your IdP

  • OAuth applications with names matching AI platforms (Claude, GPT, Copilot, Bedrock)
  • Service accounts created for AI integrations
  • API keys and client credentials granted to machine-to-machine flows
  • Redirect URIs pointing to AI platform APIs

What you don't know

  • How many AI agents exist across your identity providers
  • Which ones were approved vs. created without IT oversight (shadow AI)
  • What scopes, roles, and data access they hold
  • Whether their credentials have been rotated or are stale

Discovery Starts With What You Already Have

No new agents to install. Butterfly scans your existing identity provider connections and uses pattern matching against known AI platforms to find agents.

1. Connect Your IdP

Connect your Okta org, Entra ID tenant, Auth0 domain, Ping environment, 1Password vault, Workato workspace, Boomi account, or Zapier instance. The same connection used for backup powers agent discovery. No extra setup.

2. Scan for AI Agents

The discovery engine scans your OAuth apps, service accounts, and API integrations. It matches against known AI platform patterns: Anthropic, OpenAI, Microsoft, AWS, Google, LangChain, CrewAI, AutoGen, and more.

3. Assess Risk & Classify

Each agent gets a risk score (0-100) based on credential types, grant types, staleness, MFA status, and scope breadth. Agents without governance policies are flagged as shadow AI.
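
A sketch of steps 2 and 3 over an exported app inventory, added here as an illustration and not Butterfly's own code or scoring model. The record fields, regex patterns, weights, the 90-day staleness threshold and the sample apps are all assumptions; only the five scoring factors and the "no governance policy means shadow AI" rule come from the text above.

```python
import re
from datetime import date

# Assumed name / redirect-URI patterns for some AI platforms the page names.
AI_PATTERNS = {
    "Anthropic": re.compile(r"claude|anthropic", re.I),
    "OpenAI": re.compile(r"gpt|openai", re.I),
    "Microsoft": re.compile(r"copilot", re.I),
    "Self-Hosted": re.compile(r"langchain|crewai|autogen", re.I),
}
BROAD = ("admin", "write", "manage")  # assumed markers of a wide scope

def match_platform(app):
    """Return the platform whose pattern hits the app name or a redirect URI."""
    haystack = " ".join([app["name"], *app.get("redirect_uris", [])])
    return next((p for p, rx in AI_PATTERNS.items() if rx.search(haystack)), None)

def risk_score(app, today):
    """0-100 from the five listed factors; every weight is an assumption."""
    score = 20 if app["credential"] == "client_secret" else 0   # static secret
    score += 15 if app["grant"] == "client_credentials" else 0  # no user present
    score += 20 if (today - app["last_rotated"]).days > 90 else 0  # stale
    score += 0 if app["mfa"] else 15          # sign-on policy lacks MFA (assumed)
    broad = sum(any(m in s for m in BROAD) for s in app["scopes"])
    return min(100, score + min(30, 10 * broad))  # scope breadth, capped at 30

def discover(apps, today):
    """Inventory AI agents, highest risk first; shadow = no policy attached."""
    found = []
    for app in apps:
        platform = match_platform(app)
        if platform:
            found.append({"name": app["name"], "platform": platform,
                          "risk": risk_score(app, today),
                          "shadow": not app.get("policies")})
    return sorted(found, key=lambda a: -a["risk"])

# Constructed sample inventory (not real IdP output).
TODAY = date(2025, 1, 15)
APPS = [
    {"name": "Claude Code Assistant", "credential": "private_key_jwt", "mfa": True,
     "grant": "authorization_code", "last_rotated": date(2025, 1, 2),
     "scopes": ["openid", "profile"], "policies": ["ai-agent-baseline"]},
    {"name": "LangChain Bot", "credential": "client_secret", "mfa": False,
     "grant": "client_credentials", "last_rotated": date(2024, 6, 1), "policies": [],
     "scopes": ["okta.policies.manage", "okta.users.manage", "okta.groups.read"]},
    {"name": "Internal Helper", "redirect_uris": ["https://openai.example/callback"],
     "credential": "client_secret", "grant": "authorization_code", "mfa": True,
     "last_rotated": date(2024, 12, 20), "scopes": ["files.write"],
     "policies": ["ai-agent-baseline"]},
]
INVENTORY = discover(APPS, TODAY)
```

"Internal Helper" is caught only through its redirect URI, which is why name matching alone undercounts; substring patterns this loose will also produce false positives that need manual review.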

From Discovery to Recovery

A single platform that covers the full lifecycle of AI agent security across your identity infrastructure.

Agent Discovery

Build a complete inventory of every AI agent in your identity infrastructure.

  • Scan Okta, Entra ID, Auth0, Ping Identity, 1Password, Workato, Boomi & Zapier
  • Pattern-match OAuth apps, service accounts, and API keys
  • Detect shadow AI agents with no governance policies
  • Risk scoring from 0-100 per agent

Policy Enforcement

Define guardrails for what AI agents can and cannot do.

  • Access control and data boundary policies
  • Time-bound and rate-limited access
  • Human-in-the-loop approval workflows
  • Auto-shutdown on anomaly detection

Credential Management

Track every API key, token, and secret your AI agents use.

  • Full credential lifecycle management
  • Safe credential rotation
  • Expiry monitoring and alerts
  • AES-256-GCM encrypted storage

Backup & Recovery

Back up the identity configurations that AI agents depend on.

  • 8 providers, 140+ resource types
  • Point-in-time recovery with dry-run validation
  • Configuration drift detection between backups
  • Terraform HCL export

When an AI Agent Misconfigures Your IdP

An AI agent with admin-level OAuth scopes modifies your Okta sign-on policies. 500 users lose MFA enforcement. 20 app assignments break. Here's what happens next.

butterfly incident timeline
14:23

[ALERT] Policy violation detected

Agent "GPT-4 Integration" modified 3 sign-on policies

Exceeded access control boundary: write access to auth policies

14:23

[DRIFT] Configuration drift detected

Comparing current config to backup from 14:00...

- MFA required: true

+ MFA required: false ← 3 policies changed

- 2 groups deleted | 20 app assignments broken

14:25

[RESTORE] Dry-run restore initiated

Preview: 3 policies restored, 2 groups recreated, 20 assignments fixed

No conflicts detected. Ready to apply.

14:26

[DONE] Restore complete

MFA enforcement restored for 500 users

20 app assignments recovered

Time to recovery: 3 minutes

Platforms We Scan

Okta, Entra ID, Auth0, Ping Identity, 1Password, Workato, Boomi, Zapier

AI Platforms We Discover

Anthropic (Claude), OpenAI (GPT), Microsoft (Copilot), AWS (Bedrock), Google (Vertex AI), LangChain, CrewAI, AutoGen

See What AI Agents Are in Your Identity Infrastructure

Connect your identity provider. Run a discovery scan. Know what you're dealing with.

Free trial · No credit card · Setup in 5 minutes