As AI agents spread across the enterprise, executives like Todd McKinnon are rethinking how okta agent identity can secure both people and software in a fast-changing landscape.
Okta, AI disruption, and the SaaSpocalypse fear
Todd McKinnon, co-founder and CEO of Okta, runs a cloud identity and security platform that helps large companies manage access across apps and services. With a $14 billion market cap, the firm is a major software-as-a-service player. However, the industry faces growing pressure as AI lets customers build their own tools instead of paying recurring subscription fees.
This broad concern, sometimes labeled a “SaaSpocalypse,” has made McKinnon, in his words, “paranoid.” On Okta’s most recent earnings call in 2026, he warned that large language models and autonomous agents could reshape how security and identity products are built. That said, he also sees this disruption as a massive opportunity if Okta can move quickly enough.
McKinnon says he is challenge-driven and views AI agents as a shift potentially bigger than cloud computing. Moreover, he believes Okta has already succeeded in the first wave of identity services but must now adapt to capture new markets emerging around agent-based architectures.
The expanding market for agent identity
Asked why he is worried when the total addressable software market keeps growing, McKinnon splits his concerns into two buckets: market shifts and execution. On the market side, he argues that AI agents must log into systems, assume roles, and operate with defined permissions. That creates an entirely new identity category alongside traditional human users.
On the execution side, organizations need to absorb more change across technology stacks, team structures, and processes. In his view, companies must raise their “change quotient” to keep pace with agentic systems. Okta therefore needs to orient not just around workforce identity but around becoming an agent identity management platform that enables safe experimentation and adoption of new tools.
McKinnon believes the biggest opportunity is becoming the identity layer for AI agents rather than simply defending against cheaper, vibe-coded competitors. If Okta wins this layer, he says it could grow into the largest category in cybersecurity. Moreover, with cyber spending already in the hundreds of billions of dollars and identity security a major slice, the long-term prize is substantial.
Balancing core identity with the new agent layer
Interrogated about trade-offs, McKinnon rejects a zero-sum framing between traditional identity and agents. He argues that reliability, integration depth, and trust matter in both domains. Even if someone can recreate individual features, replicating thousands of robust integrations and keeping them reliable is extremely difficult.
He notes that security and infrastructure software have historically been more insulated from commoditization, partly because failure has severe consequences. That said, he remains vigilant about both competitive vendors and in-house engineering teams that might try to replace Okta with AI-built identity services.
For McKinnon, the competitive frontier is clear: enterprises will evolve into “agentic” organizations that rely heavily on digital workers. The requirement then becomes centralized control for these agents, including an inventory of where they run, what systems they connect to, and which permissions they hold.
OpenClaw, agent risks, and the need for control
The rise of tools like OpenClaw crystallized these issues for Okta. McKinnon calls OpenClaw a watershed moment that showed the art of the possible for agents. However, it also exposed how difficult it is for enterprises to connect the right data while maintaining strong security and governance.
Okta’s response is to build the rails for safe adoption. Those rails include an enterprise agent inventory system, a system of record for every agent running across vendors and platforms. Moreover, Okta wants to give companies precise controls over which data and applications each agent can access, plus the ability to pull that access immediately when something goes wrong.
When asked if a “kill switch” at the agent level is enough, McKinnon emphasizes that detection and response vary by use case. There is no magic algorithm that spots all bad behavior. Instead, Okta is working on standards and signals that can alert security teams and revoke access across systems when threshold conditions are met.
Inside Okta’s structure for the agentic future
Internally, McKinnon says Okta is structured around a people-centric philosophy. Capable leaders get clear areas of responsibility, related functions are clustered to reduce communication overhead, and strong management underpins execution. Moreover, research and development is organized by platform to keep teams focused on core capabilities.
His leadership style has evolved as the company scaled. Early in Okta’s life, decision-making slowed when responsibilities increased. Over time, he learned to trust his instincts more while being deliberate about which strategic choices require direct CEO involvement. That said, he still dives deeply into topics like agent architectures where long-term direction is at stake.
The strategic decision to pursue okta agent identity as a core pillar came directly from customers. During a series of meetings with many of Okta’s largest accounts and at the company’s conference, McKinnon initially pitched a broad unified identity platform. As he introduced agent concepts, customer interest spiked, and discussions increasingly centered on how to manage digital workers.
Can today’s LLMs support the agentic enterprise?
There is ongoing debate over whether current large language models can truly support production-scale agent systems. Agents can be brittle; when they hit boundaries, humans must intervene, slowing adoption. McKinnon acknowledges these concerns but insists the technology will improve rapidly enough to justify building around it now.
Even without extreme extrapolations, he believes the market created by agentic workflows will be massive. Moreover, he argues that far from eliminating developers, this future will require more software engineering. Teams will need to design architectures, maintain systems at scale, and understand how code generated by agents behaves over time.
Looking at education and talent pipelines, McKinnon expects computer science fundamentals to remain vital. However, curricula will evolve to emphasize coordinating agents, designing robust workflows, and architecting complex systems. Entry-level engineers, he says, will be crucial precisely because they are open to new ways of working.
Data, intelligence, and where value accrues
Some analysts claim the database will capture most AI value because agents need access to data. McKinnon takes a more nuanced stance, distinguishing between raw data and intelligence. Customers, he says, want analysis and insights rather than just storage.
He points to data platforms like Snowflake, Databricks, and Palantir as examples of systems that already bundle intelligence with data. The open question is who provides the primary intelligence layer in an agentic world: incumbent application vendors, new specialist players, or some mix of both. Moreover, he notes that apps are becoming more connected as agents span multiple silos, which raises demand for standards governing how agents access external systems.
This trend feeds into Okta’s broader vision of an agentic enterprise blueprint. In that model, data, applications, and agents interoperate through standardized identity and access frameworks rather than bespoke integrations that are difficult to secure.
The blueprint for agent identity and control
Okta has outlined a blueprint for the secure agentic enterprise built on three pillars: onboarding agents as a distinct identity type, standardizing connection points, and providing a robust kill switch. The first pillar treats agents as hybrid identities with attributes of both humans and systems.
McKinnon explains that enterprises first need a centralized inventory of agents spanning all vendors and platforms. Some agents are tightly mapped to individual employees, others are headless, and some form parts of larger multi-agent workflows. With centralized visibility, organizations can govern which systems each agent can access and can revoke those links when risk exceeds acceptable thresholds.
Designing agent permission and authorization models is tricky because agent behavior is non-deterministic. If companies demand perfect safety and deterministic outcomes, they must tightly restrict access. However, if they want agents to be powerful and autonomous, they must grant broader permissions and accept more risk. Okta’s architecture aims to let customers fine-tune this balance.
Onboarding and modeling agents
From an architectural perspective, onboarding agents as identity means representing them in identity stores with structured attributes, lifecycles, and entitlements. Some patterns require passing a human’s identity through an agent so downstream systems see actions in a user-centric context. Others require the agent itself to hold its own identity for independent authorization decisions.
This in-between state is what McKinnon means when he says agent identity sits between a person and a system. Moreover, by modeling agents explicitly, security teams can apply policies, audit activity, and interface with existing governance tools rather than treating agents as invisible background processes.
Detection, signals, and kill switches
Detecting when an agent does something unexpected depends on its intended purpose and technical implementation. There is no universal pattern that works in every case. Instead, Okta is focused on defining standards and signal types that applications and security platforms can use to raise alerts.
The kill switch concept is straightforward: revoke an agent’s access to systems and data quickly and consistently. However, coordinating that revocation across many vendors and clouds requires common protocols and integration work, an area where Okta sees a natural extension of its existing strengths.
Platform dynamics, interoperability, and regulation
Asked how major vendors like Salesforce and Microsoft might react if customers demand cross-silo agents, McKinnon expects tension between openness and lock-in. Vendors might try to limit access or introduce new pricing models and fees for cross-platform automation.
However, he believes customers will ultimately have leverage, especially large enterprises that rely on multi-vendor environments. If lock-in harms customers, regulators could intervene, just as they have in prior phases of the software industry’s evolution. Moreover, as multi-silo agent usage grows, industry norms and regulatory guidance will likely adapt to support interoperability.
At the same time, agents make it easier to remove traditional intermediaries in workflows, which could increase efficiency but also create new dependencies on platform policies. This dynamic reinforces the importance of neutral identity and access layers.
Fraud, digital IDs, and AI-powered threats
McKinnon also addresses the darker side of AI and agents: scams and fraud. Okta already plays a major role in authenticating customers, and AI-powered fraud tactics are evolving quickly. Offline credentials like driver’s licenses and passports are moving into digital forms, including mobile driver’s licenses and biometric systems.
In his view, these digitized credentials can help organizations distinguish between human users, bots, and agents. However, companies also need to balance fraud prevention with privacy protections and regional regulations. Moreover, combining digital IDs with strong identity platforms could give enterprises new tools against AI-driven attacks.
On age verification and youth safety, McKinnon says governments are actively debating digital ID standards and requirements. Okta’s role is to ensure customers can accept and enforce whatever regulatory frameworks emerge while maintaining robust security and flexibility.
What comes next for Okta and agent identity
Looking ahead, McKinnon frames Okta’s mission as helping enterprises build secure agentic environments. The company is advancing its blueprint and shipping tools that let customers onboard agents safely, standardize connections, and exercise controls such as kill switches when risk surfaces.
Moreover, he argues that as agents become pervasive, identity platforms must extend seamlessly from humans to software. In that vision, the same core principles that secured workforce logins will govern digital workers, unleashing productivity while preserving security, compliance, and organizational trust.
In summary, Okta is betting that the future of security will hinge on rigorous management of agent identities, giving enterprises a unified way to see, control, and audit every human and non-human actor across their systems.
Source: https://en.cryptonomist.ch/2026/03/30/okta-agent-identity-ai-security/