Okta Identifies Critical Security Gaps as AI Agents Proliferate

The accelerating adoption of artificial intelligence (AI) across industries is ushering in a new era of digital operations, but it also presents a significant and growing challenge for identity management and security. Research from identity management specialist Okta reveals that the burgeoning presence of AI agents and other non-human identities (NHIs) is creating novel security problems that existing frameworks are ill-equipped to handle. This evolving landscape necessitates a fundamental rethinking of how organizations approach identity, access, and overall security in an increasingly automated world.

The Identity Crisis in the Age of AI

The digital world is grappling with an identity crisis, not in a philosophical sense, but as a critical security challenge. The exponential growth of non-human identities – encompassing AI agents, service accounts, and automation tools – means these entities now frequently outnumber human users within organizations. Okta’s research, including its "AI at Work" survey of 260 C-level executives across nine countries, underscores this trend. The survey found that while efficiency and speed are paramount in AI adoption, security remains a critical determinant of AI's full value realization. This delicate balance highlights the urgent need for robust security and governance frameworks tailored to the unique characteristics of AI agents and NHIs.

Governance and Oversight: The Primary Security Concern

According to Okta's findings, the foremost security concern related to AI agents over the next three years is governance and oversight, cited by 58% of organizations. This is closely followed by compliance and regulatory requirements, mentioned by 50%. The securing of NHIs has become a critical or very significant priority for 76% of global organizations, with a dominant 78% identifying the control of NHI access and permissions as their leading concern. Despite this heightened awareness, a stark reality emerges: only 10% of organizations currently possess a governance strategy for managing NHIs, even as 91% are actively deploying AI agents. This gap represents a significant vulnerability, as the proliferation of agents, especially when interacting with each other, introduces complexities in defining boundaries and preventing inappropriate data sharing.

Okta's Response: Auth for GenAI and Platform Enhancements

In response to these challenges, Okta has launched "Auth for GenAI," a suite of new tools designed to bolster the security of AI agents and their underlying infrastructure. This offering aims to provide app builders with enhanced protection against AI-specific security risks. Auth for GenAI delivers an identity backbone for building secure, scalable AI-driven applications, extending enterprise-grade identity management to AI agents. Key components include user authentication for AI agents, secure mechanisms for agents to call APIs on behalf of users, asynchronous authorization for managing delayed workflows, and fine-grained authorization for Retrieval Augmented Generation (RAG) to ensure data privacy. These innovations are part of a broader platform evolution by Okta, which seeks to unify identity across human and machine actors, extending zero-trust principles from the cloud to on-premises environments. Okta's vision is to provide complete visibility, automation, and control over NHIs, mirroring the rigor applied to human identities.

Addressing the Non-Human Identity Sprawl

Non-human identities, such as service accounts, API keys, and automation scripts, are notoriously difficult to secure. They often lack multi-factor authentication, rely on static credentials, and are non-federated, making them attractive targets for cyber threats. Furthermore, these identities frequently operate with excessive privileges, amplifying the attack surface and the potential impact of a breach. Okta's platform enhancements, including Identity Security Posture Management and Okta Privileged Access, are designed to help organizations discover, manage, and secure these NHIs. These capabilities ensure that machine-to-machine communications adhere to Zero Trust principles, continuously monitoring for risks and vulnerabilities. The company also emphasizes the importance of Identity Visibility, Hygiene, and Governance as foundational elements, aiming to provide a unified, end-to-end identity fabric that spans all identity types.

The Imperative of Red Teaming and Secure by Design

The cybersecurity industry, including identity providers like Okta, is increasingly recognizing the importance of proactive security measures such as red teaming. Okta's commitment to CISA's Secure by Design pledge is a step in this direction, but challenges persist. The company has faced several security incidents, including a source code theft and a customer support breach, which have underscored the need for more robust vulnerability management. Learning from AI leaders like Anthropic and OpenAI, Okta is encouraged to enhance its red teaming strategies by fostering continuous human-machine collaboration, adopting adaptive identity testing, and prioritizing specific domains for focused testing. More automated attack simulations and real-time threat intelligence integration are also crucial for staying ahead of evolving threats. The goal is to move beyond reactive security to a more preemptive and resilient approach, ensuring that security is integrated throughout the software development lifecycle.

Securing the Future with Open Standards and Collaboration

Okta is also championing open industry standards to address the interoperability challenges in securing AI agents. The company is collaborating with the OpenID Foundation and other industry players to develop new identity security standards, such as the Interoperability Profile for Security Identity in the Enterprise (IPSIE). These initiatives aim to create a framework for SaaS companies to enhance end-to-end security across their technology stacks, enabling secure agent-to-agent and app-to-app communication. By shifting control to the identity layer and enforcing centrally managed access policies, these standards can provide much-needed visibility and control over how AI agents interact with corporate data. The success of these efforts hinges on broad industry adoption and a shared commitment to building a more secure and trustworthy digital ecosystem.

Conclusion: Identity as the Foundation for AI Security

As organizations navigate the complexities of AI adoption, identity management emerges as the foundational element for ensuring security and trust. Okta's research and product innovations highlight the critical need to extend traditional identity and access management principles to the burgeoning world of AI agents and non-human identities. The challenges are significant, ranging from governance and oversight to securing dynamic and often excessive privileges. However, by embracing robust security practices, investing in advanced tools like Auth for GenAI, and fostering collaboration through open standards, organizations can build the resilient identity infrastructures required to unlock the full potential of AI securely and responsibly. The future of AI-driven operations depends on getting identity right, ensuring that every interaction, whether human or machine, is governed by principles of security, visibility, and control.