AI Agents Expose a New Identity Security Gap, Okta Warns

Okta survey highlights the rising risks of unmanaged AI agent identities in the enterprise.


Key Takeaways:

  • AI agents are now widely used in business operations, but managing their identities poses new risks.
  • Most organizations lack mature governance strategies for non-human identities.
  • Experts recommend stronger identity controls, modern authentication, and centralized oversight.

As AI agents become more embedded in daily operations, organizations are beginning to recognize the critical role of identity security in managing these digital entities. According to new research from Okta, most IT leaders still lack a mature strategy to govern non-human identities, which pose a growing risk to enterprise security.

Okta conducted a global survey of 260 executives across industries and countries to understand how organizations are integrating AI and managing associated risks. The study found that 91 percent of organizations are already using AI agents primarily for task automation. Companies use AI agents for five different use cases, including IT support, customer service, and coding and software development.

Identity and access management at the core of AI security

According to Okta, Identity and Access Management (IAM) is increasingly seen as essential for integrating AI into business operations, with 85 percent of leaders emphasizing its importance. Unlike human users, AI agents operate without personal accountability, have short lifespans, use machine-based credentials, and require temporary access rights. These differences make visibility, lifecycle management, and risk mitigation key challenges for IT teams.

Concerns around data privacy and security are rising as AI agents require granular permissions for limited periods. However, they often lack traceable ownership and consistent logging, which makes it difficult for organizations to perform post-breach audits and remediations. Consequently, most IT leaders are concerned about managing access and permissions for these non-human identities, with many also worried about their lifecycle, visibility, and the ability to quickly address potential risks.

Only 10 percent of organizations have a well-developed strategy for managing non-human identities (NHIs) like AI agents. Fewer than a third of organizations consistently apply the same governance standards to AI agents as they do to human workers.

“We are missing a roadmap and are not aligned on how we as a group should implement AI. Some of the team are working as silos, so we do not yet have a cohesive approach to adopting AI,” said one retail VP in France.


Recommendations to strengthen AI identity governance

Okta has offered several key recommendations to help organizations securely manage AI agents and non-human identities (NHIs).

1. Strengthen identity governance for AI agents

Okta recommends that organizations treat AI agents as distinct digital identities with unique lifecycles, requiring tailored provisioning, de-provisioning, and access controls. Organizations must avoid granting long-term permissions and instead enforce granular, time-bound access.

2. Adopt modern authentication standards

Administrators should replace outdated methods like static API keys and basic authentication with OAuth 2.1, which supports short-lived tokens and scoped access. They can also prevent credential leaks by using secure vaults and runtime secret management.

3. Centralize oversight and visibility

Organizations are advised to implement centralized governance models to monitor and control AI agent behavior across systems. They should also ensure consistent logging and traceability to support audits and incident response.

4. Empower security teams

Lastly, IT admins should provide security teams with tools to manage AI identity risks, including lifecycle tracking, permission reviews, and remediation workflows. They must require phishing-resistant authentication and secure workstations for development environments.