Okta finds AI agent governance lags enterprise adoption

Okta has released its annual Businesses at Work report on identity management and AI governance, finding that most organisations are using AI agents without a comprehensive strategy to govern them.

The findings highlight a gap between board-level concern and operational controls as companies expand their use of autonomous systems. Globally, 99% of C-suite leaders view Identity and Access Management as important to AI adoption, while 58% identify AI agent governance and oversight as their top security concern.

Even so, 90% of organisations do not yet have a comprehensive strategy for governing autonomous agents. The report also found that 91% of enterprises surveyed are already using AI agents, although most remain in early or limited deployment stages.

The research drew on anonymised data from more than 8,000 enterprise integrations in the Okta Integration Network. It portrays businesses moving quickly to introduce AI-driven tools while control frameworks lag behind.

Governance gap

One of the clearest findings is the uneven treatment of AI systems compared with human users. Only 32% of organisations govern AI agents with the same level of scrutiny applied elsewhere, leaving a significant share of non-human activity outside established oversight processes.

That matters because non-human identities are becoming more common across enterprise systems. The report found that 42% of organisations now have widespread use of non-human identities, suggesting autonomous software is moving into routine business operations rather than remaining in isolated pilots.

Okta linked that trend to a broader rise in governance activity. Access requests per company increased 158% year on year and 1,140% over two years, indicating a sharp increase in the amount of access organisations are trying to monitor and manage.

Service account governance also rose quickly, with centrally managed non-human identities up 650% year on year. That suggests many businesses are laying the administrative foundations for more extensive use of automated systems, even if formal governance of AI agents remains incomplete.

Security pressure

The report also highlights a widening mismatch between the pace of threats and the pace of defensive upgrades. It says the threat landscape is accelerating 6.3 times faster than organisations are adopting high-assurance protections, creating what it describes as a phishing gap.

Credential-based attacks remain a central risk. They account for 60% of all security incidents and 88% of web application breaches, reinforcing the importance of login controls and authentication policies in reducing exposure.

At the same time, the data suggests companies are putting more effort into stronger authentication methods. FastPass phishing-resistant authentications grew 81% year on year, pointing to increasing adoption of passwordless and phishing-resistant approaches.

These shifts come as regulators and policymakers place greater focus on accountability in AI systems. For businesses operating in Europe, governance around access, authentication and oversight is likely to face closer scrutiny as AI compliance obligations take shape.

Regional stakes

The report places particular emphasis on EMEA organisations as they assess how identity controls apply to AI tools and agents. The issue is not simply whether businesses are adopting AI, but whether they can establish clear lines of control over systems that may act autonomously across applications and workflows.

Industry forecasts cited in the report point to further growth in this area. Gartner predicts that 40% of enterprise applications will feature task-specific AI agents by the end of 2026, up from less than 5% in 2025, suggesting identity governance questions are likely to spread well beyond early adopters.

That projection helps explain why senior executives are paying closer attention. More than half of C-suite leaders surveyed, 52%, said IAM is very important to AI adoption, up from 46% in 2024, indicating growing concern as AI moves deeper into day-to-day operations.

For Okta, the results underline a tension between adoption and control. Businesses appear willing to introduce AI agents into the enterprise, but many have not yet matched that rollout with the same governance discipline used for employees, contractors or conventional service accounts.

Matt Ellard, General Manager EMEA at Okta, said: "For organisations across EMEA, the challenge now is to make sure governance catches up with AI adoption. As AI agents take on more operational roles, identity is what gives businesses the visibility and control to deploy them responsibly."