Most Enterprises Have AI Agents IT Doesn't Know About
When Okta names your project as the textbook example of a security threat, you have officially entered the mainstream.
On March 16, according to an Okta press release, Okta published its blueprint for the secure agentic enterprise and, in the process, called out OpenClaw as a canonical superagent — a class of AI system that "can now operate directly on users' machines, executing terminal commands, accessing the file system, transferring data between applications, maintaining long-term memory, and autonomously performing complex workflows." The framing was cautionary: these capabilities are exactly why enterprise security needs an identity layer built for non-human actors.
The announcement introduces Okta for AI Agents, a platform designed to answer three questions that most organizations currently cannot: where are my agents, what can they connect to, and what can they do? Early access is live; general availability is set for April 30, 2026.
The three-question framework is the core of Okta's pitch. Discovery tools flag agents running in production environments that IT doesn't know about — the "shadow AI agent" problem. Registration assigns those agents a first-class identity in Universal Directory with a named human owner. Credential vaulting and automated rotation ensure agents never ship with static API keys baked into code. And the "Universal Logout" feature acts as a kill switch: if an agent behaves unexpectedly, all its access tokens get revoked across the entire ecosystem in one move.
The urgency behind the launch isn't manufactured. Okta cited research from Gravitee's State of AI Agent Security 2026 Report, published February 4, which surveyed over 900 executives and technical practitioners. The numbers are stark: 88% of organizations reported confirmed or suspected AI agent security incidents in the past year. Only 21.9% — Okta rounded it to 22% — treat agents as independent, identity-bearing entities. Healthcare organizations hit 92.7% incident rates. Nearly half of all agents operate without any security oversight or logging.
The gap between adoption and governance is structural. Traditional identity systems were built around human provisioning: HR triggers account creation, IT approves access, a lifecycle tied to hire and fire. Agents have no HR record. They spin up in a developer's environment, get handed a long-lived API key, and run with permanent access to production systems that predates any modern zero-trust controls. When that developer leaves, the agent often keeps running. When the agent's use case shifts, its permissions don't.
Okta's answer is to apply the same identity primitives used for humans to non-human actors. Agents get registered, classified by risk level, and subject to access reviews. The Agent Gateway — a centralized control plane with a virtual MCP server — logs every interaction between agents and resources. Privileged Credential Management vaults secrets so they never appear in plain text or logs.
The partner list is notable: Boomi, DataRobot, Google Vertex AI. Okta is extending its Integration Network of 8,200+ connectors to cover agent platforms directly. The broader Cross App Access (XAA) protocol, which standardizes how agents and applications connect securely, counts Salesforce, Glean, AWS, Box, and Grammarly among its backers. XAA extends OAuth to cover agent-driven and app-to-app interactions at machine speed — shifting access control from individual applications to the identity layer.
The counterargument is real: Okta is selling the solution to a problem it has a financial interest in exaggerating. The Gravitee data is from a vendor-produced survey, not an independent academic effort. And the three-question framework, while coherent, describes capabilities that many organizations are still piecing together from point solutions rather than a unified platform.
What's less debatable is the identity gap. The fact that 88% of organizations have experienced incidents while fewer than a quarter treat agents as first-class identities tells you where the attack surface actually is. Agents are in production. They're moving data, executing workflows, and spawning subtasks — 25.5% of deployed agents can create and delegate to other agents, which makes audit trails a dependency chain rather than a straight line. The question isn't whether the kill switch matters. It's whether any single vendor can own the identity layer for an ecosystem that runs across cloud, on-prem, and developer workstations.
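To make the ownership, static-key and delegation-chain points concrete, here is an added example (not Okta's API or code from the announcement) that audits an agent inventory and computes which identities a kill switch must cover once agents spawn other agents. The inventory, agent names, staff list and 90-day key-age policy are all constructed assumptions.

```python
from datetime import date

# Constructed sample inventory: hypothetical agents, owners and issue dates.
AGENTS = {
    "build-bot":   {"owner": "alice", "cred": "vaulted", "issued": date(2026, 3, 1),  "spawned_by": None},
    "report-gen":  {"owner": "bob",   "cred": "static",  "issued": date(2025, 1, 10), "spawned_by": None},
    "report-sub1": {"owner": None,    "cred": "static",  "issued": date(2025, 6, 2),  "spawned_by": "report-gen"},
    "report-sub2": {"owner": None,    "cred": "vaulted", "issued": date(2026, 2, 20), "spawned_by": "report-sub1"},
}
ACTIVE_STAFF = {"alice"}   # constructed: "bob" has left the company
MAX_KEY_AGE_DAYS = 90      # assumed rotation policy, not a figure from the article

def audit(agents, staff, today):
    """Return {agent: [issues]} for agents that fail the governance checks."""
    findings = {}
    for name, a in agents.items():
        issues = []
        if a["owner"] is None:
            issues.append("no-owner")
        elif a["owner"] not in staff:
            issues.append("owner-departed")   # agent outlived its human owner
        if a["cred"] == "static":
            issues.append("static-key")
            if (today - a["issued"]).days > MAX_KEY_AGE_DAYS:
                issues.append("stale-key")
        if issues:
            findings[name] = issues
    return findings

def revocation_set(agents, root):
    """All identities to revoke when `root` is killed: root plus every
    agent it spawned, directly or through other agents."""
    children = {}
    for name, a in agents.items():
        children.setdefault(a["spawned_by"], []).append(name)
    seen, stack = set(), [root]
    while stack:
        cur = stack.pop()
        if cur not in seen:
            seen.add(cur)
            stack.extend(children.get(cur, []))
    return sorted(seen)

if __name__ == "__main__":
    for agent, issues in audit(AGENTS, ACTIVE_STAFF, date(2026, 3, 16)).items():
        print(agent, issues)
    print("revoke:", revocation_set(AGENTS, "report-gen"))
```

Revoking only `report-gen` here would leave two spawned agents holding live credentials, which is why the revocation set is computed over the whole delegation chain.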
For builders and infrastructure teams, the Okta announcement is a signal: the agent OS layer is forming, and identity is one of the first table stakes being negotiated. For VCs, the incident-rate data makes the compliance and governance tooling space worth another look. For enterprises still running agents on shared API keys and hope, April 30 is a date worth marking.

