Blog Agentic AI Governance September 30, 2025 4 min read

91% of Companies Run AI Agents. 10% Have a Plan to Govern Their Identities.

Okta surveyed 260 executives across 12 countries for AI at Work 2025. The identity company found an 81-point gap between agent adoption and agent governance.

By the AuthorityGate Architect Team

When the identity company runs a survey and the headline finding is an identity governance failure, it is worth reading twice. Okta's AI at Work 2025 report, published in August, surveyed 260 executives - 73 percent of them C-suite - across 12 countries, fielded in April and May. The adoption number is striking: 91 percent of organizations already use AI agents, averaging 4.8 distinct use cases each, with 81 percent putting them to work on task automation. Agents are not a pilot anymore. They are the installed base.

Then comes the second number, and it belongs on the same chart as the first:

Agents everywhere. A strategy almost nowhere. Share of organizations, Okta AI at Work 2025 (260 executives, 12 countries)
Already use AI agents
91%
Have a well-developed strategy for non-human identities
10%
the governance gap: 81 points

Ninety-one percent of organizations are running software workers, and 10 percent have a well-developed strategy for managing the identities those workers operate under. That is an 81-point gap between deployment and governance, published by the vendor whose entire business is knowing who - or what - is behind a credential.

The leaders already know

What makes this report unusual is that the executives are not in denial. They can see the problem clearly; they just have not built anything to address it yet:

The concern is not the missing piece Share of leaders agreeing, Okta AI at Work 2025
Identity and access management is vital to AI adoption
85%
Concerned about controlling non-human identities' access
78%
Worry about AI governance over the next three years
58%

Eighty-five percent call identity and access management vital to successful AI adoption. Seventy-eight percent are worried about controlling what their non-human identities can access and do. The anxiety is fully priced in. The follow-through is not:

Who actually built the machinery Share of organizations with each capability in place
Centralized AI governance model
36%
Treat digital labor with the same rigor as human workforce
32%
Well-developed non-human identity strategy
10%

"Who is this agent" is only half the question

Think about what that 32 percent figure means in practice. A new human employee gets a background check, an onboarding process, scoped permissions, a manager, and a performance review. Per Okta's data, two thirds of organizations extend none of that rigor to their digital labor - software that holds credentials, touches production systems, and acts at machine speed, 4.8 use cases at a time.

Rows of identical glowing employee badges hanging on a wall rack in a dark office, most slots empty with badges missing
The digital workforce clocked in. Almost nobody issued it a badge - or a manager.

Identity is the necessary first half: you cannot govern an agent you cannot name, and Okta is right to sound that alarm. But identity answers "who is this agent and what may it access." It does not answer the harder operational question: should this specific action ship? An agent with a perfectly scoped, perfectly managed identity can still push a bad config, apply a breaking update, or grant access it should not - all within its permissions. Authentication tells you the actor was legitimate. It says nothing about whether the change was.

The AuthorityGate take

Okta sells identity, so an Okta survey finding an identity gap deserves the standard vendor-report discount. But the adoption side of the chart does not come from Okta's catalog, and neither does the 32 percent who admit their digital labor gets less scrutiny than their humans. The diagnosis holds: organizations hired a workforce of software and skipped both halves of supervising it.

The two halves are identity and validation. Identity establishes who the agent is; validation gates what it does - every change checked against policy, scored for risk, and routed to a named human before it takes effect. That is the augmented model: the agent proposes, the gates verify, a person stays accountable. The 91 percent already running agents do not get to choose whether they need both. They only get to choose whether they build them before or after the incident.

The most honest reading of AI at Work 2025 is as a confession with a deadline. Fifty-eight percent of leaders say they are worried about AI governance over the next three years. The agents are already here, at 4.8 use cases per organization and climbing. The three-year worry is optimistic; the gap is operating in production today.

Share this post: LinkedIn

Go deeper

Every agent action, validated before it takes effect

AuthorityGate's newsletter breaks down real AI incidents and the governance failures behind them. Our configurable 8-gate validation model is how organizations keep a named human accountable for what their AI actually does.