Three of these seven terms are authorized for federal procurement today, one carries unconfirmed federal status that requires SE verification before positioning, and two are commercial-only. The final entry, Identity Security Fabric, is the architecture narrative connecting the other six into a single story about governing AI agents on the platform the buyer already owns. It is not a product anyone purchases.
| Term | Status | FedRAMP |
|---|---|---|
| OIG | GA | High ✅ |
| Universal Directory | GA | High / Moderate ✅ |
| ITP | GA | Moderate ✅ · High unconfirmed |
| OPA | GA (commercial); EA (agent use cases) | ⚠️ Unconfirmed |
| ISPM | GA (commercial); Agent Discovery EA | ❌ None |
| XAA | EA (commercial only) | ❌ None |
| Identity Security Fabric | Architecture concept | N/A |
Federal-Ready
Okta Identity Governance (OIG)
Availability: GA (October 2025). FedRAMP High authorized for Okta for Government High and eligible Government Moderate customers. The strongest federal expansion play in the current Okta portfolio.
Last public confirmation dated January 27, 2026 via Okta product blog (updated that date); no subsequent status changes found as of May 26, 2026. No help.okta.com product overview page was confirmed; FedRAMP status sourced from Okta product blog.
What it is. OIG automates access certifications, entitlement reviews, and separation-of-duties enforcement so an organization can continuously prove who has access to what and why.
Why the buyer cares. Federal auditors increasingly require continuous, automated access certification over point-in-time reviews, and agencies that cannot demonstrate this face both compliance risk and delayed ATOs.
What to say.
"You already run Okta for authentication; OIG extends that same platform to automate the access reviews your compliance team is doing in spreadsheets today, all at the FedRAMP High level you're already operating on."
Universal Directory
Availability: GA (core platform component). FedRAMP High authorized as part of Okta for Government High (March 2023); FedRAMP Moderate authorized as part of Okta for Government Moderate (April 2017). Included in both FedRAMP Marketplace authorization boundaries as a foundational capability, not a separately scoped add-on.
Verified May 26, 2026 via FedRAMP Marketplace listings and Okta Government High press release.
What it is. Universal Directory is Okta's centralized identity store that maintains a single authoritative profile for every user, device, and, with recent extensions, AI agent across all connected applications.
Why the buyer cares. As agencies deploy AI agents alongside human users, the buyer needs one registry where every identity has an owner, a set of attributes, and a governance trail — or the agency loses visibility into what is operating inside its authorization boundary.
What to say.
"Universal Directory is the identity registry your agency already has; the difference now is that it registers AI agents the same way it registers people, so every agent has an owner and an audit trail from day one."
Identity Threat Protection with Okta AI (ITP)
Availability: GA (Workforce Identity Cloud). FedRAMP Moderate authorized for Okta for Government Moderate. Audit-ready for Government High, but formal FedRAMP High authorization has not been publicly confirmed as of May 2026. If your buyer operates in a Government High environment, verify current authorization status with your SE before positioning.
This is the Workforce Identity Cloud ITDR capability, distinct from the Customer Identity Cloud product announced in EA for February 2026. Verified via Okta Secure Identity Commitment (last updated August 26, 2025); Government High status rechecked May 26, 2026 with no public confirmation found.
What it is. ITP continuously evaluates user risk signals from first- and third-party sources and automatically remediates identity-based threats, such as session hijacking or credential compromise, across the environment in real time.
Why the buyer cares. Perimeter security does not catch an attacker who holds a valid session token, and agencies operating zero-trust architectures need continuous identity risk evaluation that responds automatically, not after a SOC analyst reviews a log.
What to say.
"ITP watches every active session for signs of compromise and can force a step-up or kill a session automatically; it's the layer that makes your zero-trust architecture respond to identity threats in real time."
Federal Status Unconfirmed — Verify with Your SE
Okta Privileged Access (OPA)
Do not position OPA as federal-ready without SE confirmation. Okta has published explicit authorization announcements for OIG, Workflows, and ITP as each reached federal milestones; OPA has not appeared in that list.
Availability: GA (commercial, core PAM capabilities). Early Access for AI agent-specific use cases (January 2026).
No help.okta.com FedRAMP status found; sources checked include Okta FedRAMP blog topic page, Launch Week announcements (June and September 2025), Okta Secure Identity Commitment (August 2025), and Okta newsroom. Verification date: May 26, 2026.
What it is. OPA manages and controls access to privileged resources, including servers, secrets, and SaaS service accounts, using Okta group-based policies to enforce who can reach what, how, and for how long.
Why the buyer cares. Privileged access is the highest-value target in any environment, and agencies migrating workloads to cloud need a PAM solution that enforces least-privilege, time-bound access with a full audit trail, not a standalone vault disconnected from the identity platform.
What to say.
"OPA brings privileged access under the same Okta platform your team already runs, but let me confirm the current federal authorization status with our SE before we scope it for your environment."
Commercial Only — Not Authorized for Federal Procurement
Identity Security Posture Management (ISPM)
Do not position ISPM or its Agent Discovery capability for federal procurement. Neither holds FedRAMP authorization at any impact level.
Availability: GA (commercial). Agent Discovery capability: Early Access, US cell only (February 2026).
Verified May 26, 2026 via Okta ISPM release notes at help.okta.com.
What it is. ISPM discovers and prioritizes identity vulnerabilities, including MFA gaps, overprovisioned permissions, and incomplete offboarding, and monitors the environment continuously against frameworks such as NIST, CIS, and SOX.
Why the buyer cares. Most identity breaches exploit misconfigurations that already exist, and without continuous posture monitoring the buyer's team discovers dormant accounts, excessive permissions, and missing MFA only after an incident or an audit finding surfaces them.
What to say.
"ISPM continuously scans your identity environment for the misconfigurations attackers actually exploit, but today it's available on our commercial platform only, so if your deployment requires federal authorization let's discuss the timeline together."
Cross App Access (XAA)
Not available in any Okta for Government environment. Do not raise on federal calls without explicit commercial-track context.
Availability: Early Access (January 2026, commercial only). XAA is a new open protocol; no FedRAMP authorization exists or is publicly scheduled.
No help.okta.com product page confirmed; definition sourced from Okta developer blog. Verified May 26, 2026.
What it is. XAA is an open protocol that extends standard application-authorization flows to secure agent-to-app and app-to-app access at scale, bringing those connections under centralized identity control with visibility, policy enforcement, and audit.
Why the buyer cares. As AI agents proliferate they need to authenticate to dozens of applications on behalf of users, and without a standardized protocol for those connections each integration becomes a bespoke security risk with no central visibility or revocation path.
What to say.
"XAA is how we're solving the agent-to-app authentication problem at the protocol level; it's in Early Access on our commercial platform today, so for your federal environment let's track the authorization timeline together."
The Connecting Architecture
Identity Security Fabric
Availability: Architecture concept, not a separately purchasable product. No help.okta.com or developer.okta.com page exists; the definition below is grounded in Okta's published blog (September 2025, March 2026). No FedRAMP status applies.
Verification date: May 26, 2026.
What it is. Identity Security Fabric is Okta's architecture framework that unifies governance, privileged access, posture management, and threat protection across human, machine, and AI agent identities into a single security layer with shared context, policy, and response.
Why the buyer cares. The six capabilities above share user context, risk signals, and policy enforcement as layers of one architecture, which means the buyer extends a platform they already manage rather than integrating six separate tools with six separate management planes.
What to say.
"The platform you already run for workforce identity is the foundation, and Identity Security Fabric is how we extend it to govern AI agents, enforce privileged access, and detect threats, all sharing the same identity context so you're building on what you have instead of starting over."
Things to follow up on...
-
MCP's enterprise auth roadmap: The official Model Context Protocol roadmap (updated March 2026) explicitly names Cross App Access as the path away from static client secrets for enterprise MCP deployments, which means XAA's GA timeline will directly affect how quickly agencies can govern agent-to-app connections through the protocol their AI tools are already adopting.
-
ISPM's Agent Discovery expansion: Okta's ISPM release notes indicate Agent Discovery EA for EMEA is planned for Q2 2026, and the OAuth grants inventory powering it is now GA on the commercial platform, so the capability set available to commercial buyers is moving faster than the FedRAMP authorization timeline.
-
CSA's NHI governance vacuum report: The Cloud Security Alliance published a whitepaper in May 2026 documenting that 51% of organizations have no clear AI identity ownership and 16% do not track new AI credential creation at all, framing the governance gap that OIG and Universal Directory are positioned to fill for federal buyers.
-
OPA's missing FedRAMP announcement: Okta's FedRAMP blog topic page includes an April 2026 Company & Culture post that was not fully retrieved during research and may contain updated authorization status for OPA or ITP Government High, making it worth checking before your next federal call.