"The old adage in cybersecurity is that you can’t protect what you can’t see," Harish Peri, SVP and GM for AI Security at Okta, told The Register.
Okta's AI Agents at Work 2026 report: scope and definition
The findings come from the AI Agents at Work 2026 study, commissioned by Okta and conducted by Apprize360 in March. The survey polled 292 executives and 492 knowledge workers across seven countries: the US, UK, Australia, Canada, Japan, France, and Germany. Okta’s working definition of an "AI security issue," as explained by Harish Peri, covers both actual incidents — breaches, data exposures, or system disruptions — and "close calls," issues identified before they caused harm to the organization.
Incidents and close calls: how often organisations were hit
More than half of organisations represented in the survey reported an AI-related security problem in the past 12 months. Overall, 58 percent of executives said their organisation experienced an AI-related security problem; among respondents who reported problems, 26.7 percent described an actual incident and 31.2 percent identified a close call that was caught before it caused damage.
Knowledge workers, shadow AI, and risky behaviours
Okta’s research points to "shadow AI" — employees using unapproved AI tools — as a primary driver of those security headaches. Peri told The Register that 52 percent of knowledge workers admitted to using unapproved AI tools. The survey documents specific risky behaviours: employees shared confidential company documents with AI tools, handed over HR information to AI, and in 16 percent of cases, provided their login credentials to those tools.
Adoption levels and the confidence gap between leaders and staff
Adoption of AI agents and AI tools is widespread, the report found. Ninety-two percent of executives said autonomous AI agents are already in widespread or moderate use across their organisations. Nearly two-thirds of knowledge workers reported using an AI tool at least daily; among those daily users, 68 percent used AI agents and 62 percent regularly used LLMs and AI-infused chatbots.
Despite frequent unsanctioned usage by staff, executive confidence remains high: 90 percent of executives reported confidence in their organisation’s visibility into AI tools. That confidence is sharply out of sync with employee behaviour in some markets — the United States led surveyed countries with 67 percent of workers reporting they use unsanctioned AI tools, followed by Australia (60 percent), the United Kingdom (55 percent), and Canada (about 50 percent). France and Germany reported the lowest rates of unauthorised use, each at around 30 percent. The gap between executive perception and employee reality is widest in the UK, where 96 percent of executives said they had visibility into AI use while more than half of workers reported using unapproved tools.
What this means for security teams, procurement leaders, and knowledge workers
- Security teams: the survey signals an expanded attack surface driven by employee interactions with external AI tools and credential-sharing. Okta advises that identity-centric controls, automated discovery, and secure sandboxes be prioritised to regain visibility and reduce exposure.
- Procurement and IT leaders: Okta recommends assuming shadow AI exists, making discovery a priority, and “making the secure use of AI the easiest path.” Peri warned that strict bans may backfire by driving use further underground; organisations are urged to define an AI governance strategy now and offer approved, user-friendly alternatives.
- Knowledge workers: the findings document common behaviours — regular daily use of AI agents and chatbots, sharing documents, and supplying HR data and credentials — that organisations view as increasing risk. Okta’s guidance implicitly calls for clearer policies and better sanctioned tools to channel those workflows safely.
Peri’s prescription and the practical trade-offs
Peri framed shadow AI primarily as an unintended consequence rather than a deliberate, malicious act: "For most organisations, shadow AI emerges unintentionally and isn’t intended to be malicious," he told The Register. His practical prescription is procedural rather than prohibitive: discover what employees are using, prioritize identity-focused controls, provide secure sandboxes to test tools, and make approved tools easier to adopt than unapproved ones. He cautioned that strict bans risk worsening the problem by pushing usage underground.
The report lays out a clear tension: organisations are adopting and encouraging AI while simultaneously losing visibility into how their own people use it. Okta’s data — a majority of organisations hit by incidents or close calls and more than half of workers operating outside approval — suggests that the first step for many firms is not another top-down rule but a programme of discovery, governance and safer, sanctioned alternatives.




