Listen to this article
When the identity company runs a survey and the headline finding is an identity governance failure, it is worth reading twice. Okta's AI at Work 2025 report, published in August, surveyed 260 executives - 73 percent of them C-suite - across 12 countries, fielded in April and May. The adoption number is striking: 91 percent of organizations already use AI agents, averaging 4.8 distinct use cases each, with 81 percent putting them to work on task automation. Agents are not a pilot anymore. They are the installed base.
Then comes the second number, and it belongs on the same chart as the first:
Ninety-one percent of organizations are running software workers, and 10 percent have a well-developed strategy for managing the identities those workers operate under. That is an 81-point gap between deployment and governance, published by the vendor whose entire business is knowing who - or what - is behind a credential.
The leaders already know
What makes this report unusual is that the executives are not in denial. They can see the problem clearly; they just have not built anything to address it yet:
Eighty-five percent call identity and access management vital to successful AI adoption. Seventy-eight percent are worried about controlling what their non-human identities can access and do. The anxiety is fully priced in. The follow-through is not:
"Who is this agent" is only half the question
Think about what that 32 percent figure means in practice. A new human employee gets a background check, an onboarding process, scoped permissions, a manager, and a performance review. Per Okta's data, two thirds of organizations extend none of that rigor to their digital labor - software that holds credentials, touches production systems, and acts at machine speed, 4.8 use cases at a time.
Identity is the necessary first half: you cannot govern an agent you cannot name, and Okta is right to sound that alarm. But identity answers "who is this agent and what may it access." It does not answer the harder operational question: should this specific action ship? An agent with a perfectly scoped, perfectly managed identity can still push a bad config, apply a breaking update, or grant access it should not - all within its permissions. Authentication tells you the actor was legitimate. It says nothing about whether the change was.
The AuthorityGate take
Okta sells identity, so an Okta survey finding an identity gap deserves the standard vendor-report discount. But the adoption side of the chart does not come from Okta's catalog, and neither does the 32 percent who admit their digital labor gets less scrutiny than their humans. The diagnosis holds: organizations hired a workforce of software and skipped both halves of supervising it.
The two halves are identity and validation. Identity establishes who the agent is; validation gates what it does - every change checked against policy, scored for risk, and routed to a named human before it takes effect. That is the augmented model: the agent proposes, the gates verify, a person stays accountable. The 91 percent already running agents do not get to choose whether they need both. They only get to choose whether they build them before or after the incident.
The most honest reading of AI at Work 2025 is as a confession with a deadline. Fifty-eight percent of leaders say they are worried about AI governance over the next three years. The agents are already here, at 4.8 use cases per organization and climbing. The three-year worry is optimistic; the gap is operating in production today.
Go deeper
Every agent action, validated before it takes effect
AuthorityGate's newsletter breaks down real AI incidents and the governance failures behind them. Our configurable 8-gate validation model is how organizations keep a named human accountable for what their AI actually does.