Wed, 3 Jun 2026

Okta survey finds executive confidence outpaces AI security reality

AI agents are moving rapidly into the enterprise, but Okta’s latest survey suggests organisations are not keeping pace with the security risks they create.

The result is a widening gap between executive confidence and employee behaviour, with shadow AI, unclear policies and inconsistent identity controls exposing firms to fresh risk.

The survey, based on responses from 292 executives and 492 knowledge workers across seven countries, found a striking disconnect. Ninety per cent of executives said they were confident their organisation had visibility into AI tools, while 95% said employees were using AI responsibly. Yet 52% of employees admitted using AI tools without approval, often through personal accounts.

[Chart: survey question "What corporate data are workers feeding into unapproved AI tools?" Source: Okta 2026]

That mismatch points to a governance problem rather than a technology one. As AI agents proliferate across apps, APIs, SaaS tools and data systems, the challenge is no longer whether companies can deploy them, but whether they can see, control and audit what those agents are doing.

Shadow AI takes hold

The survey suggests shadow AI is already embedded in day-to-day work. Of employees using unapproved tools, 54% said they shared internal messages and emails, 45% shared HR-related information and 39% shared confidential company documents. More than half of executives, 58%, reported an AI-related security incident or close call in the past year.

That creates a high-risk environment for identity, access and data protection teams. Only 34% of organisations apply the same security controls to their agentic workforce as to their human workforce, leaving a major gap in how privileges are assigned and monitored.

“[A] secure agentic enterprise requires a clear strategy,” Okta says in its blueprint for managing the new reality. The company’s core questions are straightforward: where are the agents, what can they connect to, and what can they do?

Policy lag and operational risk

The survey also found a policy problem. Sixty-five per cent of executives said their organisation’s AI usage policies were very clear, but 57% of knowledge workers disagreed, saying the rules were unclear, difficult to find or non-existent.

That discrepancy matters because agentic AI systems can act at machine speed and spawn new agents, creating thousands of black-box entities that may sit outside traditional human-centric security controls. Without visibility, approval workflows and identity governance, enterprises risk scaling productivity and insecurity at the same time.

Building the controls

Okta argues that organisations need a blueprint for the agentic enterprise, beginning with accountability and visibility before agents scale out of control. It also points to new tools for assessing AI agent architecture and governing the agentic workforce.

The broader trend is consistent with what other security observers have warned: AI adoption is moving faster than governance. As enterprises expand use of autonomous systems, identity becomes the control plane, and security teams will need to treat agents more like users than software.
