Why AI agents must be treated as privileged users

About the author

Brian Prince

Newsroom Reporter

Brian Prince is a marketing content creator and former journalist who has been focused on cybersecurity for more than 15 years.

05 January 2026

As AI is used to automate critical tasks, the possibility of undermanaged AI agents traversing enterprise networks and accessing sensitive information should make any CIO or CISO pause. 

An agent's risk profile is different from that of other non-human identities. It has much more power: it is constantly available, it can make autonomous decisions, and it can potentially chain permissions together to reach critical information. These factors are precisely why your privileged access management (PAM) strategy must cover AI agents.

"AI agents must be treated as privileged machine identities," says Jason Fehrenbach, Group Product Manager at Okta. "They operate at machine speed, access sensitive data, and can make high-impact decisions."

According to Okta's AI at Work 2025 report, 78% of respondents identified controlling access and permissions as the most pressing security concern related to non-human identities (NHI) in 2025. Sixty-nine percent mentioned governing the NHI lifecycle, including the creation and deactivation of accounts.

78% of executives agree: Controlling NHI access and permissions is priority #1.

The good news is that executives understand the role identity and access management (IAM) needs to play in AI adoption, with 85% regarding IAM as either "very important" or "important" to the successful adoption and integration of AI. Despite this, many organizations lack a comprehensive understanding of where all their agents are, what they're doing, and what access permissions they have, says Fehrenbach.

"Agent sprawl is one of the primary hurdles for implementing PAM for AI agents, where the rapid deployment of autonomous agents leads to unmanaged privileged identities and secrets across cloud environments," he explains. "Enterprises need automated discovery tools to continuously find and inventory all agents and use PAM to enforce centralized secrets management for agents that access sensitive resources."

PAM's core controls are essential for managing risk and gaining visibility into privileged accounts across a business's infrastructure, Fehrenbach adds, noting that least privilege and just-in-time (JIT) access are key to containing the blast radius of a successful attack.

JIT eliminates standing privileges, enabling organizations to impose time-constrained access as needed. In this way, PAM raises the bar that attackers have to clear to compromise sensitive data and applications by reducing the risk of privilege escalation and lateral movement. 

PAM also mitigates risks introduced by insecure coding practices. Unfortunately, in the name of speed, some developers still hardcode API keys, access tokens, and database passwords directly into an AI agent's source code or configuration files. If an agent with a hardcoded credential were compromised, the attacker could potentially use its standing privileges to access mission-critical data and maintain persistence.

"Developers should be required to decouple secrets from code and thus leverage a PAM solution's integration points — SDKs and APIs — to inject credentials dynamically at runtime," Fehrenbach advises. "Another tip is to try to keep up with rapidly emerging standards in this space, like Cross App Access (XAA). This is a standard that shifts the authority for agent-to-application connections from individual apps to the enterprise identity layer, providing centralized policy enforcement and auditing for every AI agent access request." 
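To make the two controls concrete, here is an added illustration (not Okta's code and not any real PAM SDK) of an agent obtaining a scoped, time-limited credential from a hypothetical broker at runtime instead of carrying a standing secret in its configuration; the broker, its policy table, the agent name and the token format are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Lease:
    """A short-lived credential bound to one agent identity and one resource."""
    agent_id: str
    resource: str
    token: str
    expires_at: float  # seconds on the same clock the caller passes as `now`


class JitCredentialBroker:
    """Hypothetical PAM-style broker. The agent holds no standing secret: each
    credential is requested on demand, scoped to one resource by policy, expires
    after a TTL, and every decision lands in an audit trail."""

    def __init__(self, policy: dict, ttl_seconds: float):
        self.policy = policy            # agent_id -> set of resources it may request
        self.ttl = ttl_seconds
        self.audit = []                 # (event, agent_id, resource) tuples
        self._counter = 0

    def request(self, agent_id: str, resource: str, now: float) -> Optional[Lease]:
        # Least privilege: refuse anything outside the agent's policy entry.
        if resource not in self.policy.get(agent_id, set()):
            self.audit.append(("DENIED", agent_id, resource))
            return None
        self._counter += 1
        token = f"tok-{self._counter}"  # constructed placeholder, not a real secret format
        lease = Lease(agent_id, resource, token, now + self.ttl)
        self.audit.append(("ISSUED", agent_id, resource))
        return lease

    def validate(self, lease: Lease, resource: str, now: float) -> bool:
        # JIT: a lease is only good for the resource it was issued for and until it expires.
        ok = lease.resource == resource and now < lease.expires_at
        self.audit.append(("USED" if ok else "REJECTED", lease.agent_id, resource))
        return ok


def run_agent_task(broker: JitCredentialBroker, agent_id: str, resource: str, now: float) -> str:
    """What the agent does instead of reading API_KEY from its config file."""
    lease = broker.request(agent_id, resource, now)
    if lease is None:
        return "access denied"
    # The agent would now present lease.token to the resource; the resource checks it.
    return "ok" if broker.validate(lease, resource, now) else "rejected"
```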

As AI adoption continues, PAM capabilities should play a central role in providing the governance, activity monitoring, and enforcement organizations need, says Fehrenbach.

“The attack surface today’s businesses need to protect is constantly growing, and every AI agent that gets deployed is a part of it,” he says. “What organizations need is a unified approach that secures all types of identities across their entire IT environment, providing them with the enforcement, auditability, and monitoring capabilities they need. PAM represents a critical piece of that identity security fabric.”

