Overview of Decoder — "Okta's CEO is betting big on AI agent identity"
This episode (host Nilay Patel) features Todd McKinnon, co‑founder and CEO of Okta, in a wide‑ranging conversation about how AI agents are reshaping enterprise identity and security. McKinnon explains why Okta is prioritizing "agent identity" (a new hybrid identity type), how the company is reorganizing and changing development practices to capture that market, and what guardrails (inventory, standards, kill switches) enterprises will need as agents gain access to corporate data and systems.
Key points and main takeaways
- Big opportunity: Okta sees agent identity — managing AI agents that log in, access data, and act on behalf of people — as a massive new cyber/identity market, potentially far larger than current identity segments.
- Paranoid but optimistic: McKinnon says Okta is "paranoid" about the SaaSpocalypse (customers building or instrumenting their own tooling), but believes Okta is defensible due to reliability, integrations, trust, and mission‑critical positioning.
- Agent identity = hybrid identity: Agents are neither pure human identities nor pure system/service accounts. They need mapping, relationships to humans, roles/permissions, and lifecycle/ownership tracking.
- Rails for agents: Okta proposes three foundational rails:
  - Inventory & system‑of‑record for agents (know which agents exist, who owns each one, and what it may access).
  - Standardized connection/permission models so agents access data safely under explicit, least‑privilege grants.
  - A "kill switch" that cuts off an agent by revoking its tokens/credentials at the identity layer when it misbehaves, rather than relying on whoever runs the agent to stop it.
- Open‑source agent experiments (the transcript uses "OpenClaw" as the example) accelerated awareness of what agents can do and of the risks, particularly when users hand agents broad, long‑lived credentials.
- Market dynamics: The software "pie" is expanding — more software, more data, and more types of compute/work (digital workers/agents). Some app vendors will add agentic features; new players will also emerge.
- Data vs intelligence: Raw data stores are necessary but insufficient — the intelligence layer (how data is interpreted, workflows, models) is where much value will be created. Vendors like Snowflake/Databricks help centralize data, but robust permissioned connectivity is another model.
- Org & execution changes: To adapt, Okta is pushing a higher "change quotient" (more of the company focusing on change/innovation), reorganizing product/R&D around platforms, and deciding which strategic bets to make (agent identity is job #1).
- Fraud and identity verification: Agent/bot fraud is accelerating. Digital versions of real‑world identity documents (mobile driver’s licenses, passports) and stronger attestation can help distinguish humans from bots/agents, but raise privacy and regulatory tradeoffs.
- Customer & regulatory role: McKinnon expects market pressure (and possibly regulators) to curb vendor lock‑in; customers will demand standards and multi‑vendor interoperability as agentic systems scale.
Topics discussed (detailed)
- SaaSpocalypse and defensive posture
  - Why Okta is worried and how that informs strategy.
  - Why infrastructure/security SaaS is harder to vibe‑code and thus somewhat insulated (integration, reliability, brand/trust).
- Agentic enterprise
  - What an "agent" is and why companies will want many of them.
  - Example of agent experiments that ran on isolated hardware and were given credentials — both exciting and risky.
- Agent identity design
  - Inventory, permissions, linkage to human users, headless agents vs human‑in‑loop scenarios.
  - Kill switch mechanics: revoke access tokens/credentials rather than trying to “turn off” the agent’s local process.
- Standards & interoperability
  - Need for industry standards on how agents authenticate/authorize across platforms; absence of universal agent connection standards today.
- Org structure & decision making
  - Increasing the proportion of change in the company (from ~20% to 40–60%+).
  - Decision hygiene: decide which choices the CEO should make, focus deeply on those.
- Data vs intelligence and new app economics
  - Debate about whether agents will bypass apps to access databases directly, or whether app/inference layers remain valuable.
  - Role of data warehouses vs fine‑grained permissioned access.
- Fraud, identity attestation, and privacy
  - AI amplifies bot/fraud risk; digital, attested IDs (mobile driver’s licenses, passports) can help but involve privacy/regulatory tradeoffs.
- Competitive and regulatory pressures
  - Risk of platform vendors locking agent access into their stack or charging access fees; market and regulators will mediate outcomes.
Notable quotes / insights
- McKinnon: "We are paranoid" — Okta is actively treating the threat of customers building their own agentic tooling as real and urgent.
- On agent identity: "Agent identity is something between a person and a system." — framing agents as hybrid identities needing new management patterns.
- On the tradeoff of access vs safety: if you require zero tolerance for nondeterministic behavior, "you can't give the data" — effectiveness requires some level of risk and corresponding controls.
- On strategy: focus on markets that are expanding (the software pie is getting much bigger) and position existing strengths (scale, integrations, reliability) to win in new agentic categories.
Practical recommendations & action items (who should do what)
- For enterprise security/IT teams:
  - Start inventorying agents (internal builds + vendor agents), including the credentials each one holds today.
  - Establish a system of record for agents: for each agent, a named human owner, a role, and least‑privilege permissions that are reviewed as the agent’s job changes.
  - Build / require the ability to revoke agent credentials quickly (token revocation, credential rotation, short token lifetimes so revocation takes effect fast).
  - Consider data‑access patterns (centralized warehouses vs fine‑grained direct access) and who should authorize agent queries.
  - Pilot digital attestation (where legally/ethically appropriate) for high‑risk flows to distinguish humans from automated agents.
- For product and platform vendors:
  - Prioritize reliable integrations and operational resilience — customers pay for trust.
  - Publish clear APIs and standards for agent authentication/authorization to avoid vendor lock‑in.
  - Design observability and alerting around each agent’s chain of actions (audit logs of what an agent did and under whose authority, detection of prompt injection).
- For developers and teams:
  - Invest in skills to build, test, and maintain agentic workflows; expect to be building more software and maintaining agent‑generated code.
  - Emphasize determinism, validation, and monitoring in agent‑orchestrated systems.
- For regulators and policymakers:
  - Track platform governance and potential lock‑in; consider rules that enable interoperability and consumer choice where appropriate.
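To make the three rails and the enterprise action items above concrete, here is an added example that is not from the episode and is not Okta's product or API: a toy agent "system of record" in Python with an inventory that links each agent to a human owner and a least‑privilege scope set, short‑lived HMAC‑signed tokens minted only for inventoried agents, and a kill switch that works by revocation at the verifier rather than by stopping the agent's own process. All names (Registry, Agent, scope strings such as "crm:read", agent and owner IDs) and the token format are assumptions made for illustration; a real deployment would use a standard token format and key management.

```python
"""Added example (not Okta's code): agent inventory + scoped short-lived tokens
+ revocation-based kill switch.  All identifiers are illustrative assumptions."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from dataclasses import dataclass, field

SIGNING_KEY = secrets.token_bytes(32)  # assumption: one per-deployment verifier key
TOKEN_TTL_SECONDS = 300                # short-lived tokens bound how long revocation lags


@dataclass
class Agent:
    agent_id: str
    owner: str             # human principal accountable for this agent (hybrid identity)
    scopes: frozenset      # least-privilege set the agent may ever be issued
    active: bool = True    # flipped to False by the kill switch


@dataclass
class Registry:
    """Rail 1: the inventory / system of record.  Unknown agents get nothing."""
    agents: dict = field(default_factory=dict)
    disabled_owners: set = field(default_factory=set)
    revoked_token_ids: set = field(default_factory=set)

    def register(self, agent_id, owner, scopes):
        self.agents[agent_id] = Agent(agent_id, owner, frozenset(scopes))

    def issue_token(self, agent_id, scope, now=None):
        """Rail 2: mint a token only for an inventoried, active agent and one granted scope."""
        now = now or time.time()
        agent = self.agents.get(agent_id)
        if agent is None or not agent.active or scope not in agent.scopes:
            raise PermissionError("agent unknown, disabled, or scope not granted")
        claims = {"sub": agent_id, "act": {"sub": agent.owner}, "scope": scope,
                  "exp": int(now) + TOKEN_TTL_SECONDS, "jti": secrets.token_hex(8)}
        body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode())
        tag = hmac.new(SIGNING_KEY, body, hashlib.sha256).digest()
        return body.decode() + "." + base64.urlsafe_b64encode(tag).decode()

    def kill_agent(self, agent_id):
        """Rail 3: the kill switch.  Every token the agent holds dies at its next use,
        regardless of whether the agent's own process keeps running."""
        if agent_id in self.agents:
            self.agents[agent_id].active = False

    def revoke_token(self, token):
        """Finer-grained revocation of a single token by its unique id."""
        self.revoked_token_ids.add(self._parse(token)["jti"])

    def disable_owner(self, owner):
        """Lifecycle linkage: when the human leaves, their agents lose access too."""
        self.disabled_owners.add(owner)

    def authorize(self, token, requested_scope, now=None):
        """Resource-side check; returns 'ok' only when every rail passes."""
        now = now or time.time()
        try:
            claims = self._parse(token)
        except ValueError as err:
            return str(err)
        if claims["exp"] <= now:
            return "expired"
        if claims["jti"] in self.revoked_token_ids:
            return "token revoked"
        agent = self.agents.get(claims["sub"])
        if agent is None:
            return "agent not in inventory"
        if not agent.active:
            return "agent killed"
        if agent.owner in self.disabled_owners or agent.owner != claims["act"]["sub"]:
            return "owner disabled or mismatched"
        # Re-check against the live grant so a permission tightened after issuance bites.
        if requested_scope != claims["scope"] or requested_scope not in agent.scopes:
            return "scope not granted"
        return "ok"

    def _parse(self, token):
        try:
            body, tag = token.split(".")
            expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()
            sig_ok = hmac.compare_digest(expected, base64.urlsafe_b64decode(tag))
        except ValueError:
            raise ValueError("malformed token")
        if not sig_ok:
            raise ValueError("bad signature")
        return json.loads(base64.urlsafe_b64decode(body))


def demo():
    """Walk one agent through grant, over-reach, owner offboarding and kill switch."""
    reg = Registry()
    reg.register("agent-crm-sync", owner="alice", scopes={"crm:read"})  # constructed data
    tok = reg.issue_token("agent-crm-sync", "crm:read")
    results = [reg.authorize(tok, "crm:read"), reg.authorize(tok, "crm:write")]
    reg.disable_owner("alice")
    results.append(reg.authorize(tok, "crm:read"))
    reg.kill_agent("agent-crm-sync")
    results.append(reg.authorize(tok, "crm:read"))
    try:
        reg.issue_token("ghost-agent", "crm:read")  # never inventoried
        results.append("issued for unknown agent")
    except PermissionError:
        results.append("refused: agent not in inventory")
    return results


if __name__ == "__main__":
    print(demo())
```

The point of the structure is that every decision is made by the verifier against the system of record, so "turning off" an agent never depends on reaching the machine it runs on; short token lifetimes also cap how long a leaked token survives even if the revocation list is missed.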
What's next / what to watch
- Okta will push agent identity tooling and a "blueprint" for the industry — watch product and standards announcements from Okta and other identity vendors.
- Emergence of standards for agent authentication/authorization (analogous to SSO/OAuth standards today) — industry coordination likely to accelerate.
- Deployment of digital IDs and mobile driver’s licenses as a mitigation against bot/fraud; monitor privacy/regulatory debates and pilot programs.
- Competitive dynamics as large platform vendors (Microsoft, AWS, Google, Salesforce) and new entrants push agent offerings — pricing, API access, and potential anti‑competitive concerns to watch.
Context & audience
- This interview is aimed at enterprise buyers, security and identity professionals, product leaders, and tech watchers interested in how AI agents will reshape identity, security, and org design.
- It balances strategy, product direction, and operational security guidance, useful for anyone planning for an agentic future in 2024–2026.
Produced by The Verge’s Decoder with Nilay Patel; guest Todd McKinnon (Okta).
