Okta's Peri offers CIOs AI agent security advice

Data security and privacy remain among the biggest concerns as IT organizations help their companies move ahead with agentic AI. In recent research from Dresner Advisory Services, more than 60% of 500 organizations surveyed said data security and privacy are “critical” to successful agentic AI initiatives. The percentage increases to 85% if you add those who say it is “very important.”

To better understand how identity and access management are evolving for AI agents, I recently spoke with Harish Peri, senior vice president and general manager for AI security at Okta. Our conversation covered shadow AI, agent governance, authorization and the challenges of securing non-human identities.

The shadow AI problem CIOs aren’t seeing

Peri said the biggest risks right now stem from shadow AI — agents operating in your environment that you don’t know about. This is different from the shadow IT security issues CIOs have dealt with for decades.

“A compromised AI agent isn’t your run-of-the-mill breach — it’s an autonomous attacker that doesn’t sleep, with the keys to the kingdom,” he said.

Organizations are struggling to keep up with the democratization of agent creation, which allows any employee to provision a “digital worker.” Teams are spinning up new agents so quickly, and without the right identity and access controls, these agents can run wild and untraced.

Three distinct risks from AI agents

Peri outlined three risks determined with help from Okta’s customers. The first is the risk of an employee with ill intention. The second is a motivated hacker who finds a hole from the outside and performs a prompt injection attack. The third is an agent that incorrectly responds to a prompt and exposes sensitive data or misappropriates data it has access to.

Current identity and security stacks were tailored for humans and traditional software. Human users have predictable lifecycles, and software has fixed execution paths, but autonomous agents break these assumptions. The non-deterministic nature of agents creates gaps that existing tool stacks aren’t built to close.

Some vendors are pushing the idea of writing job descriptions for agents. Peri said AI agent access should be incredibly granular. Agents need to be treated as their own unique, first-class identity type.

Treating agents as first-class identities means moving away from managing them as unmanaged service accounts or static API keys. Instead, organizations should discover, onboard, protect and govern them with the same security rigor, lifecycle controls and visibility applied to human employees.

Governance at machine speed

AI agents operate at machine speed, potentially executing thousands of API calls in a matter of minutes. Traditional identity governance isn’t built for the dynamic authorization necessitated by agents. Organizations need to control every app, tool, MCP and API that an agent interacts with.

Effective governance requires the ability to continuously authorize all of those individual tool calls and understand the context and intent behind those decisions.

Peri said the answer to keeping up with governance is agents themselves. In this case, it is agents that can identify improper behavior and crack down on that behavior. Authorization agents can look at real-time, fine-grained authorizations.

Organizations need fine-grained configurations defined at the start so these guardian agents can stop inappropriate behavior. They also need to broaden their use of fine-grained permissions at the app layer, the process layer and the data layer.

“Organizations need to govern agents whose privileges can be more than the human who commanded them,” Peri said. “And this is not just role-based security — it is attribute-based control.”

Who gets to build agents

The democratization of AI and building agents is a net positive, Peri said. It’s less a question of who should be allowed to build, but whether the right controls are in place to secure and manage the agents that teams are spinning up.

Every homegrown agent needs to be registered into a central directory, granting security teams the visibility to manage its permissions and lifecycle just like any other enterprise asset.

Visibility is the top concern Okta is hearing from customers. It starts with being able to discover agents, regardless of where they were built or being deployed — including the shadow agents spun up without permission. Once discovered, it’s about centralized control over agents’ connection paths.

By having a singular control plane to manage agent access, organizations can observe and audit agent actions, and manage the full lifecycle of an agent from onboarding to decommissioning.

Because agents interact with sensitive data autonomously, the most effective way to protect databases is to rigorously secure and govern the non-human identities accessing them. Peri said enforcing strict, identity-centric access controls and continuous behavioral monitoring builds a dynamic fortress around critical data.

At the end of the interview, Peri said it was Okta’s customers — early adopters of agentic AI — who led the way. As these customers began implementing agents, they became aware of how agents could be manipulated. These vanguard customers helped Peri and his team rethink the concept of zero trust. It does seem strange that agents will protect us from other agents — and from agents acting with ill intent.