Okta Report Reveals Structural Governance Failure in AI Tool Usage

Okta's latest report, 'AI Agents at Work 2026,' reveals a structural failure in AI governance within enterprises. While executives are overconfident in their visibility, employees frequently use unauthorized 'Shadow AI,' leading to significant data leakage risks and security incidents. The gap between policy and reality is particularly pronounced in Japan, highlighting the urgent need to manage AI agents as privileged identities.
Source: PR Times

Published: May 28, 2026 at 10:00

Okta, Inc., the leading identity management provider, has released its latest global research report, 'AI Agents at Work 2026.' The survey, which polled executives and employees across seven countries, reveals a structural failure in the governance of AI tools, including autonomous AI agents that are deeply integrated into corporate systems. It also highlights a clear disconnect between executive perception and the reality on the ground.

Today, AI agents—which go beyond simple Large Language Models (LLMs) to connect across multiple apps and data systems to execute complex tasks autonomously—are permeating enterprises. These agents often hold powerful access permissions to critical internal systems and frequently operate outside the framework of traditional, human-centric security controls.

Key Global Findings: The Risks of Shadow AI and Invisible Data Leaks

Executive Overconfidence vs. Employee Reality: Despite 90% of global executives believing they have visibility into AI tool usage, 52% of employees admit to using unauthorized AI tools (Shadow AI).

Misuse of Personal Accounts: While 95% of executives believe employees use AI responsibly, 80% of those using unauthorized tools are bypassing security by using personal accounts.

Prioritization Gap: When using AI, employees prioritize efficiency and time-saving (30%) over compliance (15%). Even with strict policies, productivity remains the primary driver.

Data Leakage Risks: Over half (54%) of employees using unauthorized AI tools share internal messages or emails, 45% share HR information, and 39% share sensitive internal documents. Furthermore, over 20% share login credentials, and 28% share banking or payment information. Additionally, 26% of employees have granted AI agents access to CRM/customer databases, and 37% to collaboration tools.

Real-world Impact: 58% of companies globally have experienced AI-related security incidents or near-misses in the past 12 months.

Policy Awareness Gap: There is a 22-point gap between executives (65%) and employees (43%) regarding the clarity of AI usage policies.

Japan-Specific Challenges: The Paradox of Invisible Rules and Compliance

Japanese respondents (approx. 11% of the total) highlight unique challenges hidden behind high compliance awareness.

'Illusion of Control': 84.6% of Japanese executives believe they have visibility, yet 47.5% of employees use unauthorized AI tools.

Least Clear Policies: Only 22% of Japanese employees feel their company's AI policy is clear, the lowest among all surveyed countries.

Security Concerns vs. Policy Paradox: 64.4% of Japanese employees are concerned about AI security—the highest rate globally. Unlike Western counterparts who use unauthorized AI to boost productivity when policies are unclear, 53% of Japanese employees refrain from using AI on their own judgment, despite 78% stating they cannot find an official policy.

High Rate of 'Near-Misses': 65.4% of Japanese companies experienced AI-related security incidents in the past 12 months, with the majority (46.2%) being 'near-misses'—the highest proportion among all countries.

Identity Security is AI Security

AI agents now hold access to critical systems. While 96% of executives are confident in managing non-human identity (NHI) access, only 34% apply the same level of security rigor to AI agents as they do to human employees.

Recommended Actions for Enterprises

1. Prioritize AI Agent Discovery: Accept the existence of Shadow AI and use tools like 'Shadow AI Agent Discovery' in 'Okta for AI Agents' to gain full visibility.
2. Make the Secure Path the Easiest Path: Reduce friction by using protocols like 'Cross App Access' to ensure secure routes are the most efficient for employees.
3. Define Governance Strategy Now: Use 'Design Guidelines for Secure Agentic Enterprises' to establish visibility and access control standards before incidents occur.
4. Treat AI Agents as 'Privileged Insiders': Eliminate the double standard of weaker security for AI agents. Treat them as first-class identities and consider specialized solutions like 'Okta for AI Agents.'

Survey Methodology: Conducted in March 2026 by Apprize360, this double-blind online survey included 784 respondents across seven countries (US, UK, Australia, Canada, Japan, France, Germany).

FAQ

How does Japan compare to other countries in AI policy clarity?

Japan reported the lowest level of policy clarity among the surveyed countries, with only 22% of employees feeling the AI usage policy is clear.