Meet Willow (Formerly Webrix): One Governance Layer for Every AI Agent
Read More
Approve once. Enable thousands

Make IT the fast lane for AI, not the approval queue.

Extend Okta and Entra ID to every AI agent, MCP, and AI-built app. Approve the catalog once. Employees self-serve. Offboarding closes itself. Weeks of tickets become minutes to a governed connection.

Get Started
Book a Demo

The IT problem

Employees are wiring AI into your systems faster than you can approve it. Personal keys, random OAuth, zero inventory. Offboarding does not catch any of it. And when the CISO asks what is connected to what, the honest answer is "we do not know."

You have three bad options:

01

Block AI entirely

Block it and watch the productivity story walk out the door, then return as shadow IT anyway
02

Manual approvals

Approve every request manually. Drown in tickets. Lose nights, lose talent, lose the rollout
03

Build it yourself

Build it yourself. Eighteen months. Headcount you do not have. Still will not ship at enterprise scale
What IT cares about

One identity layer for every agent, tool, and AI-built app

Identity-native AI access

Extend Okta, Entra ID, and your existing SSO to every agent, MCP server, and AI tool. SCIM-driven group sync. RBAC the same way you already define it. One source of truth for AI access.

Self-service, not free-for-all

Employees connect approved tools in one click through the Willow Connect Panel and plugin marketplace. You approve the catalog. The ticket queue stops being the AI bottleneck.

Lifecycle that actually closes

Hire-to-provision and offboard-to-revoke for AI access. The moment Okta cuts the user, Willow cuts the agents, MCPs, OAuth tokens, and apps tied to that identity. No stale access.

Shadow AI and vibe app coverage

The Willow browser extension surfaces every unmanaged agent, MCP server, plugin, and AI-built app across the org. Bring safe work into Willow. Cut off the rest.

Audit on demand

Every connection, action, and deployment logged and forwarded to Splunk, Datadog, Loki, or your SIEM of choice. SOC 2 Type II. GDPR. Enterprise-grade from day one.

THE WILLOW APPROACH

The fourth option: One control plane

Willow extends your existing identity, access, and lifecycle systems to AI agent work. Deploy in days, run it in the background, and take AI access off the helpdesk queue for good.

Sits on Okta and Entra ID. No re-platforming, no new identity model.
Runs every agent and MCP through one governed gateway.
Self-service through the Connect Panel and plugin marketplace.
Lifecycle automation via SCIM. Provisioning and deprovisioning included.
Shadow AI and vibe app detection via browser extension and endpoint agent.
Audit trails streamed to your SIEM, ready for incident response.
Deploy SaaS, dedicated cloud, self-host, or air-gapped. Your call.

Think of it as IAM for AI agents, with provisioning built in.

HOW IT WORKS

Three jobs Willow does for IT

Provision. Monitor. Offboard. Without tickets.

Provision in minutes, not weeks

Employees request access through the Connect Panel. Approved tools are one click away. Net-new tools route through your existing approval flow, fast-tracked.

Monitor what is actually deployed

Browser and endpoint sensors discover every agent, MCP, skill, and AI-built apps across the org. One dashboard shows owner, scopes, integrations, and deployment status.

Offboard cleanly. The same instant.

SCIM-driven deprovisioning revokes AI access the moment Okta or Entra revokes the user. No stale tokens. No zombie agents still answering in Slack. No "we'll get to that one later."

Every action tied to a real employee. Everything logged. Nothing invisible.
Case StudyWIX.com

Wix.com rolled Willow out on their existing Okta groups.

~5,000weekly active users — more than their entire engineering org
~600governed tools and MCPs
300K+governed tool calls per week, across HR, legal, finance, design, and R&D

All behind the SSO and groups IT already ran.

We are six to ten months ahead of most companies in AI adoption. More code to production, fewer incidents, real outcomes. Willow is what made it possible to move that fast without slowing down our security posture.

Asaf Yonay, Head of AI Core, WIX
Asaf Yonay· Head of AI Core, WIX
Get Started
Deployment IT can actually schedule

Live in ten days, not a pilot.

A free 14-day POV with zero internal headcount.  

  • 1
    DAYS 1–3 · DEPLOY

    Helm chart on your cluster.

    On-prem, hybrid, or SaaS. Your data never leaves your environment. Standard Kubernetes — no new infra to babysit.

  • 2
    DAYS 4–7 · IDENTITY

    Sync with your IdP.

    SCIM sync from JumpCloud, Okta, or Azure AD. Existing groups become RBAC. Existing users get scoped access. No new directory to maintain.

  • 3
    DAYS 8–10 · CONNECT

    Wire up the tools your teams already use.

    HubSpot, Jira, Slack, Drive, GitHub, GitLab, custom APIs. Tool-level permissions per group, not blanket access per employee. Read-only by default. Scoped write where it earns it.

  • 4
    DAYS 11–14 · GOVERN

    Endpoint coverage and audit trail.

    Endpoint agent and Chrome extension pushed through MDM. Shadow AI surfaces. Unapproved MCPs get redirected to the gateway. Audit logs land in Splunk, Loki, Coralogix, or wherever your SIEM lives.

COMPATIBILITY

Built for the IT stack you already run

Identity

Okta
Entra ID
Google Workspace
Auth0
JumpCloud

Lifecycle

SCIM 2.0
Automated Provisioning
Automated Deprovisioning

SIEM & Observability

Splunk
Coralogix
Loki
Datadog

Deployment

SaaS
Private Cloud
GoogleCloud
Amazon Web Services
Azure

FAQS

Does Willow work with Okta and Entra ID?
Yes. Willow sits on top of your existing IdP: Okta, Entra ID, Active Directory, or JumpCloud. Groups, RBAC, and SCIM sync carry over on day one. No new identity model to build or maintain.
How does provisioning and deprovisioning work for AI agents?
Via SCIM, the same as every other enterprise app. New hires get the right AI tools based on their Okta groups. When the IdP revokes a user, Willow revokes every agent, MCP connection, and OAuth token tied to that identity, instantly.
What can Willow see that we can't today?
Unsanctioned MCP servers, agents, skills, and AI-built apps from tools like Lovable, Bolt, v0, Replit, and Cursor. Willow's browser extension and endpoint agent surface them on install, then let you govern or cut them off.
Which AI agents does Willow support?
Any agent: Claude, Cursor, ChatGPT, Codex, Gemini, n8n, and custom or homegrown agents. Willow is vendor-neutral by design, so one policy layer governs them all on equal terms.
Do employees have to change how they work?
No. They connect approved tools in one click through the Connect Panel instead of pasting personal API keys. Same tools, same workflows, governed access.
How long until we're in production?
Seven days. Visibility in the first two, identity via SCIM by day four, tools connected by day six, a governed 20-person beta on day seven. Free 14-day POV, zero internal headcount.

Your agents are already in the wild.

Give them a Basecamp. Go from AI chaos to AI work, in minutes.

Get Started
Book a Demo