The great AI gold rush is on. In a
recent survey commissioned by Okta, 91% of organizations queried said they used AI agents to perform tasks ranging from software coding to automating repetitive tasks to making market forecasts.
Productivity gains appear to be a chief motivator for
AI adoption. Another important (and legitimate) reason is the fear of falling behind the competition. Two-thirds of the organizations surveyed said using AI was "very critical" or "absolutely essential" for the success of their businesses.
Clearly, companies feel they don't have a choice but to forge ahead with AI. Yet they may be racing toward the edge of a cliff. Only 10% of the businesses surveyed said they had "well-developed" strategies for managing
non-human identities, including AIs. The rest were operating without proper safeguards.
It seems that organizations are rushing into AI without much thought to security or governance. Unfortunately,
AI security is a half-formed mess, and AI developers and users are repeating mistakes and creating vulnerabilities that we thought we'd solved 10 or 20 years ago.
"Unmanaged
AI agents introduce a new class of security risk because they act autonomously, often with broad access to sensitive systems," Arnab Bose, Chief Product Officer of the Okta Platform, told us. "Without proper controls, these agents can unintentionally leak data, trigger actions across connected applications, or be exploited by threat actors through techniques like
prompt injection or token hijacking."
To stop AI agents from going out of bounds, you need to tightly control their authorization, authentication and access. You'll need to integrate AI agents with
identity-security systems, which will let you manage who gets to use AI and, more importantly, what AI agents are allowed to use and to do.
Organizations may be receptive to such a familiar approach. Fifty-two percent of Okta survey respondents thought
identity and access management (IAM) was "very important" to successful integration of AI into their workplaces, and an additional 33% saw it as "important."
How and why AIs are used in the workplace
Okta commissioned AlphaSights to survey 260 IT-related executives, a mix of CTOs, CISOs, CIOs, CSOs and related VPs, in seven Western countries plus India and Japan. The survey was conducted online following telephone interviews to screen potential respondents.
The respondents saw many gains from using AI in the workplace, citing the chief benefits as increased productivity (84%), cost savings (60%), better customer experience (48%), streamlined workflows (47%) and faster decision-making (39%).
There's a lot of work for AI agents and large language models to do. Respondents said they gave AI tasks such as automation and process optimization (84%), coding and software development (74%), content generation (68%), natural language processing (66%) and predictive analysis and forecasting (55%).
Despite these obvious benefits, the respondents did have concerns about using AI. Top of mind was
data privacy (68%), followed by security risks (60%). Next were compliance and governance (37%), lack of transparency (35%) and ethical and bias issues (34%). Only 4% worried about jobs being displaced.
Yet there seemed to be an element of misunderstanding about the nature of AI agents. More respondents were confident about their abilities to manage AI than about managing non-human identities (NHIs), the broader category that includes AI agents and LLMs. AIs may "speak" so well that we sometimes forget they're not human at all.
Thirty-six percent of survey respondents said they "currently have a centralized governance model for AI," even as only 10% said they were properly managing NHIs.
Fifty-eight percent said they worried about AI governance and oversight, and 50% about AI-associated
compliance and regulatory requirements — valid concerns, but far less than the 78% of respondents who saw controlling NHI access and permissions, and 69% governing NHI lifecycles, as pressing security issues.
"When you consider the data AI agents have access to — or will have access to in the future — it's essential to have the same levels of controls as human agents," said one survey respondent, a technology executive in the UK.
The many security risks of AIs
If those confident respondents fully appreciated the security risks of AI use, they might not be as sanguine. AI agents are like small children in super-soldier mecha suits who can escape their sandboxes and wreak mayhem due to their sheer power, unpredictability, and failure to understand the consequences of their actions.
Too many company-run AI agents, such as customer-service bots, can be queried from the open internet. Too many AI agents collect data from anywhere on the internet, rendering them vulnerable to compromise via data poisoning. And once an AI agent is compromised, it can never be trusted again because the false information becomes part of the training data.
A
Salesforce study found that LLMs don't understand the importance of keeping sensitive data secret. Some AIs have even been found to assist attackers in exfiltrating sensitive data because they're designed to oblige.
Many LLMs can't tell the difference between data and commands, making it possible to embed prompt within supposedly innocuous data, analogous to SQL-injection attacks upon internet-facing databases.
Filtering out malicious prompts by blocking certain words and phrases is ineffective because language is flexible and prompts can be re-worded — a deterministic attempt to fix a non-deterministic problem.
That non-deterministic — i.e., unpredictable — nature of AIs makes them ill-suited to play nicely with
application-program interfaces (APIs), which require regular, predictable inputs. To solve that issue, Anthropic late in 2024 came up with the
Model Context Protocol (MCP), a server-client model that matches AI agents with applications and business tools that can carry out specific tasks.
MCP is already being widely adopted, but its security is jaw-droppingly bad. It is vulnerable not only to prompt injection, but to typosquatting, malicious tool/application updates, permission reuse and cross-tool contamination.
A rival standard, the peer-to-peer Agent2Agent Protocol (A2A) unveiled by Google in early 2025, is generally safer but can also be exploited by malicious tools.
Both MCP and A2A use the
OAuth standard to cross-authorize AI agents and tools/applications. But neither authenticates tools, making it possible for attackers to "win" jobs for malicious tools through name swaps or false capabilities.
"I'm most concerned about AI systems having too much access without proper controls," said one Okta survey respondent, an executive in the Australian healthcare and pharmaceutical sector. "If not carefully managed, they can expose sensitive data or be exploited for attacks. Strong oversight and access control are essential to keep AI secure."
How to extend identity controls to manage AI
The primary requirement for AI security is that organizations understand that their AI agents will make mistakes and are vulnerable to attack. Otherwise, it's as if everyone in the neighborhood went out and bought super-fast sports cars without any seatbelts or airbags. People will get hurt.
Where can you find those seat belts? They already exist in the form of identity and access management controls. Everything an organization needs to manage and control who and what can access AI agents and LLMs, and to manage and control what the AI agents and LLMs themselves can access, is part of identity-security frameworks.
To make this possible, researchers have come up with extensions to the OAuth standard that let identity-provision systems control access to and from AI agents and the tools they use. Okta calls this combination
Cross App Access, and it should be compatible with any identity provider or IAM system that supports OAuth.
"With Cross App Access, organizations can define exactly which agents or applications are allowed to connect, what data they can access, and under what conditions," Bose told us. "IT can centrally manage these connections, audit them, and revoke them instantly if needed."
Just like the humans they imitate, AI agents and LLM can be authorized, authenticated, provisioned and given access to specific tools and data sources, and denied access to others. The
principle of least privilege can be implemented, with each AI given permission to access only those resources and tools necessary to do its job. Permissions and privileges can be revoked or even assigned only temporarily.
At Black Hat 2025, one briefings presenter said that we must impose a
zero-trust model on AIs. We have to assume that AI agents can be compromised at any time and build our security architecture around them accordingly.
Or, as an Okta survey respondent who works in the U.S. banking and finance sector recognized, "governance and access control are critical given the level of access and ability to execute that AI may have."
