Shipped Live · Sprint 01

Okta SSO, live today

Okta SSO is live. Access follows your identity provider via a verified domain. Members are pre-provisioned; admins control roles in-app. The end user installs the MCPB, clicks Connect, follows the IdP redirect, and is done. No per-machine keys, no shared credentials, nothing for IT to rotate.

Okta OIDC · Verified domain

Jun 15 – Jun 28 · Queued · Sprint 02

Team connectors and permission management

Today, permissions are scoped per agent. This sprint adds team-level grants. Assign a SaaS platform to a team, and every agent that any team member spawns inherits the team’s scopes plus per-agent attenuation. Approval delegates are set per team, per platform, or per scope category. The audit log filters by team.

Team grants · Scope attenuation · Per-team audit · Approval routing

Jun 29 – Jul 12 · Queued · Sprint 03

BYOK — Bring Your Own Key

In development. Tier 2 of the encryption architecture. The customer holds the KEK (key-encryption key) in their own key management service (Azure Key Vault, Google Cloud KMS, or AWS KMS). AgentValet holds only the DEK (data-encryption key) ciphertext. Revoking AgentValet’s permission on the customer’s vault is a hard kill switch that no AgentValet engineer can bypass.

Azure Key Vault · Google Cloud KMS · AWS KMS · Envelope-encrypted DEK

Jul 13 – Jul 26 · Research first · Sprint 04

PII access management

Presidio-based PII redaction is live today, gated by the PII add-on and tag-based governance. This sprint adds the AIMS-aligned consent and audit layer: mark specific scopes as PII-handling at the platform-catalogue level, gate those scopes with a per-call consent prompt, and record each access as a separate audit row with the data category requested. This aligns with the AIMS draft fields canProcessPII and requiresHumanApprovalForPII.

AIMS-aligned · Per-scope consent · Data-category audit · GDPR ready