Astrix Security vs. WorkOS: Non-Human Identity Meets Enterprise Authentication
The modern enterprise faces a security challenge that most organizations are only beginning to understand: for every human employee, there are roughly 100 non-human identities operating across cloud infrastructure, SaaS applications, and AI platforms. Astrix Security addresses this non-human identity problem.
Machine identities—API keys, service accounts, OAuth tokens, workload identities, and now AI agents—represent a sprawling attack surface that traditional identity solutions weren’t designed to address.
Astrix Security has built its platform specifically to tackle this non-human identity problem, while WorkOS has established itself as the definitive solution for human authentication and authorization—and now, with AuthKit for MCP, a complete OAuth 2.1 authorization layer for AI agents and MCP servers.
Rather than competing, these platforms address fundamentally different layers of the enterprise identity stack. Understanding where each solution fits helps security teams build comprehensive protection across both human and machine access.
What Astrix Offers
Astrix Security emerged in 2021 from Tel Aviv with a singular focus: securing the non-human identities (NHIs) that now exceed human identities by orders of magnitude in cloud-first organizations. The company focuses on “shadow identities”—the service accounts, automation tokens, integration credentials, and machine-to-machine secrets that power modern software but often go unmanaged and unmonitored.
Core Platform Capabilities
Astrix centers its platform on automated NHI discovery, continuously mapping every non-human identity across SaaS apps, cloud platforms, on-prem environments, secret managers, and AI systems. This visibility addresses the root of the problem: most organizations do not know how many machine identities they have, where their credentials reside, or what those identities can access.
Once discovered, Astrix applies risk scoring to highlight dangerous NHI configurations such as:
• overprivileged service accounts
• API keys that have not been rotated in months or years
• long-lived OAuth grants with broad scopes
• stale or dormant machine identities still holding active privileges
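The four conditions listed above can be expressed as checks over an identity inventory. The following is an added example, not Astrix's code or scoring model; the record fields, the 90-day and 60-day thresholds, and the scope names are assumptions, and the inventory is constructed.

```python
from datetime import datetime, timedelta, timezone

# Assumed policy thresholds for this example; tune to your own standards.
MAX_KEY_AGE = timedelta(days=90)
DORMANT_AFTER = timedelta(days=60)
BROAD_SCOPES = {"admin", "*", "full_access"}  # hypothetical scope names

def flag_identity(nhi, now):
    """Return the sorted risk flags for one inventory record."""
    flags = set()
    granted, used = set(nhi["granted_scopes"]), set(nhi["used_scopes"])
    if now - nhi["last_rotated"] > MAX_KEY_AGE:
        flags.add("unrotated")
    if granted & BROAD_SCOPES and nhi["expires"] is None:
        flags.add("long_lived_broad_grant")
    dormant = nhi["last_used"] is None or now - nhi["last_used"] > DORMANT_AFTER
    if dormant and granted:
        flags.add("dormant_with_privileges")
    elif not dormant and granted - used:
        # Active identity holding scopes it never exercises.
        flags.add("overprivileged")
    return sorted(flags)

def audit(inventory, now):
    """Map identity name to flags, omitting identities with no findings."""
    findings = {n["name"]: flag_identity(n, now) for n in inventory}
    return {name: f for name, f in findings.items() if f}

# Constructed sample inventory (not real data).
NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)

def days_ago(n):
    return NOW - timedelta(days=n)

INVENTORY = [
    {"name": "ci-deploy-key", "last_rotated": days_ago(400), "last_used": days_ago(1),
     "expires": None, "granted_scopes": ["repo:write"], "used_scopes": ["repo:write"]},
    {"name": "crm-sync-oauth", "last_rotated": days_ago(30), "last_used": days_ago(2),
     "expires": None, "granted_scopes": ["admin", "contacts:read"], "used_scopes": ["contacts:read"]},
    {"name": "legacy-etl-svc", "last_rotated": days_ago(20), "last_used": days_ago(200),
     "expires": days_ago(-30), "granted_scopes": ["db:read"], "used_scopes": []},
    {"name": "metrics-agent", "last_rotated": days_ago(10), "last_used": days_ago(0),
     "expires": days_ago(-7), "granted_scopes": ["metrics:write"], "used_scopes": ["metrics:write"]},
]
```

Calling `audit(INVENTORY, NOW)` returns findings for three of the four identities; `metrics-agent`, which is recently rotated, in use, expiring and narrowly scoped, is omitted.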
Astrix’s Non-Human ITDR (Identity Threat Detection and Response) engine detects abuse indicators such as unexpected access locations, anomalous usage spikes, or credential misuse. This mirrors the ITDR movement for human identities—but refocused on the vastly larger machine identity population.
The platform handles lifecycle management across the entire NHI journey: provisioning, monitoring, rotation, policy enforcement, and decommissioning. Automated remediation workflows can rotate, revoke, or right-size permissions, reducing reliance on manual intervention.
AI Agent Control Plane
In December 2024, Astrix launched the industry’s first AI Agent Control Plane (ACP)—an identity governance layer built specifically for autonomous AI agents.
The ACP provisions agents with short-lived, tightly scoped credentials instead of long-lived static API keys. This reduces the blast radius of credential compromise, enforces policy boundaries, and gives enterprises real-time monitoring of agent behavior.
For companies deploying autonomous agents in customer support, sales automation, operations, and internal engineering workflows, Astrix argues that traditional secret management tools don’t fully address AI-specific identity risks such as:
• agents overstepping intended scopes
• prompt-injection-driven credential misuse
• agent-to-agent lateral movement
• long-lived secrets embedded in agent memory
The AI Agent Control Plane gives organizations a governance framework purpose-built for this emerging identity type.
Market Position and Traction
Astrix has gained meaningful traction among cloud-native enterprises with extreme machine identity sprawl. Customers include NetApp, Figma, Workday, Netflix, Priceline, and Xerox—organizations managing thousands to hundreds of thousands of machine identities.
The company reports zero customer churn over 15 months and a Net Promoter Score of 9.4, signaling strong product-market fit.
Astrix raised a $45M Series B in December 2024 led by Menlo Ventures’ Anthology Fund (created with Anthropic), bringing total funding to $85M. Astrix has been recognized as an RSA Innovation Sandbox finalist and a Gartner Cool Vendor, reflecting its category leadership in NHI security.
Pricing and Plans
Astrix uses an enterprise-model pricing structure based on the number of identities, integrations, and deployment size. It’s available through AWS Marketplace. Pricing is not publicly listed, which is typical for platforms targeting large enterprise security teams.
Astrix vs. WorkOS: Different Identity Types, Complementary Solutions
The most important distinction between Astrix and WorkOS is simple:
Astrix secures non-human identities.
WorkOS secures human identities—and with AuthKit for MCP, WorkOS now secures AI agents and MCP servers as well.
Astrix protects the credentials, tokens, and service accounts that AI agents, CI/CD pipelines, backend services, and automations depend on.
WorkOS provides SSO, MFA, directory sync, human user authentication, and—critically—a fully spec-compliant OAuth 2.1 authorization server for MCP, enabling secure access tokens, client registration, and scoped authorization for agentic workloads.
The Identity Stack
Modern enterprises operate on two parallel identity layers:
Human Identity Layer
Employees, partners, and admins logging into dashboards and products.
Requires: SSO, MFA, RBAC, directory sync, user session management.
This is WorkOS.
Non-Human Identity Layer
API keys, service accounts, ESP credentials, webhook secrets, server-to-server tokens, and now AI agent identities.
Requires: discovery, rotation, permission boundaries, behavioral monitoring, ITDR, lifecycle management.
This is Astrix.
A 1,000-person company may have 100,000+ machine identities, many of which authenticate thousands of times per hour. Human identities authenticate a few times per day. Both matter—but they are not interchangeable.
Where Each Solution Fits
Astrix addresses cases like:
• API keys embedded in CI pipelines
• stale OAuth refresh tokens granting broad access
• overprivileged service accounts accessing sensitive data
• secrets leaked into logs or agent memory
• AI agents obtaining more permissions than intended
WorkOS addresses cases like:
• enterprise customers requiring SAML SSO
• employee MFA enforcement
• SCIM syncing users and roles
• auditing human login events
• tenant-level user management
• MCP authorization for AI agents and servers
Security teams need both. Astrix prevents machine-credential compromise from bypassing all user-side controls. WorkOS ensures that humans logging into your product are properly authenticated—and that AI agents interacting through MCP are governed via standard OAuth flows.
WorkOS Integration Philosophy (Updated for MCP)
WorkOS integrates with identity providers (Okta, Microsoft Entra ID, Google Workspace) and provides SDKs for implementing SSO, MFA, and directory sync. It governs human users and their permissions.
With AuthKit, WorkOS now also acts as a full OAuth 2.1 authorization server for MCP:
• publishes OAuth 2.0 Authorization Server Metadata
• supports PKCE, scopes, and refresh tokens
• provides a JWKS endpoint for token verification
• exposes OAuth token, authorization, and introspection endpoints
• supports dynamic client registration so MCP clients can onboard automatically
• issues access tokens for AI agents
• can run in “standalone Connect mode,” letting customers keep their own login system while WorkOS handles MCP OAuth
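Several of the capabilities listed above are advertised in the authorization server metadata document (RFC 8414), so a client or MCP server can verify them before trusting the issuer. The following is an added example, not WorkOS code; the issuer URL and endpoint paths are constructed, and the same-host rule is a local policy assumed for this example.

```python
from urllib.parse import urlparse

REQUIRED_ENDPOINTS = (
    "authorization_endpoint", "token_endpoint", "jwks_uri",
    "registration_endpoint", "introspection_endpoint",
)

def check_as_metadata(meta, expected_issuer):
    """Return a list of problems found in an RFC 8414 metadata document."""
    problems = []
    # RFC 8414 section 3.3: issuer must equal the one used to fetch the document.
    if meta.get("issuer") != expected_issuer:
        problems.append("issuer mismatch")
    issuer_host = urlparse(expected_issuer).hostname
    for key in REQUIRED_ENDPOINTS:
        url = urlparse(meta.get(key, ""))
        if url.scheme != "https":
            problems.append(f"{key} missing or not https")
        elif url.hostname != issuer_host:
            # Assumed local policy: every endpoint lives on the issuer's host.
            problems.append(f"{key} on unexpected host {url.hostname}")
    # Omitting this field means the server does not advertise PKCE at all.
    if "S256" not in meta.get("code_challenge_methods_supported", []):
        problems.append("PKCE S256 not advertised")
    # RFC 8414 default when the field is absent.
    grants = meta.get("grant_types_supported", ["authorization_code", "implicit"])
    for grant in ("authorization_code", "refresh_token"):
        if grant not in grants:
            problems.append(f"grant type {grant} not advertised")
    return problems

# Constructed metadata documents (hypothetical issuer and paths).
ISSUER = "https://auth.example.com"
GOOD = {
    "issuer": ISSUER,
    "authorization_endpoint": ISSUER + "/oauth2/authorize",
    "token_endpoint": ISSUER + "/oauth2/token",
    "jwks_uri": ISSUER + "/oauth2/jwks",
    "registration_endpoint": ISSUER + "/oauth2/register",
    "introspection_endpoint": ISSUER + "/oauth2/introspect",
    "code_challenge_methods_supported": ["S256"],
    "grant_types_supported": ["authorization_code", "refresh_token"],
}
BAD = {**GOOD,
       "token_endpoint": "http://auth.example.com/oauth2/token",
       "registration_endpoint": "",
       "code_challenge_methods_supported": ["plain"],
       "grant_types_supported": ["authorization_code"]}
```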
This means AI agents, MCP servers, developer tools, and autonomous workflows can be secured with the same identity architecture that enterprises already trust for human users.
WorkOS handles the auth side.
You focus on your MCP resources and tools.
Final Thoughts
Astrix and WorkOS represent complementary layers of the modern identity stack. Astrix secures the machine identity explosion powering cloud-native and AI-driven architectures. WorkOS secures the human authentication workflows that enterprises demand—and now provides the OAuth 2.1 authorization foundation required for secure MCP deployments.
The 100:1 machine-to-human identity ratio is not a future trend—it’s already here. Securing both identity types requires different tools designed for their specific risks.
Astrix brings governance, visibility, and threat detection to the non-human identity layer. WorkOS brings battle-tested authentication and authorization to the human layer—and secure, standards-based OAuth for MCP agents and servers.
Enterprises deploying AI systems, automations, and cloud-native infrastructure need both to build a complete identity security posture.