The agentic era has reached a critical bottleneck. While enterprises are eager to automate, they won’t do so at the expense of security. In a study of 150 IT and security decision-makers commissioned by Okta and conducted by AlphaSights in January 2026, 86% of surveyed leaders stated that AI agent workflows are "very important" or "mission-critical" to their strategy.
Yet, the infrastructure to support them is failing: 57% of organizations characterize the effort to secure disparate agents, apps, and workflows as "high." Security is no longer just a feature — it is a deployment gate. Over two-thirds (69%) of respondents report that security concerns are slowing down adoption of AI agents. For B2B builders, the message is clear: Enterprises are ready to scale, but they are stalling production until ISVs provide the necessary governance controls.
Key takeaways:
- The AI security paradox: 86% of IT leaders view AI agents as "mission-critical" or "very important," yet only 27% agree that their current identity systems are fully equipped to govern these non-human identities at scale.
- AI agent controls drive renewal decisions: Nearly all SaaS decision-makers (98%) will factor AI agent controls into their renewals to some degree, with 17% indicating it will be a significant requirement.
- Standardized protocols are the "green light" for enterprise adoption: 95% of organizations say a standardized protocol like Cross App Access (XAA) would improve their confidence in deploying AI.
- Data leakage and over-privileged access are the top adoption barriers: Data privacy and security risks are the top-ranked barriers to AI agent adoption, with 83% of leaders citing data leakage and 80% citing over-privileged access.
- Enterprises are prioritizing standardized security: Decision-makers are focused on securing critical software hubs, including AI platforms, core business apps, and their IT and dev stacks. Find out which individual apps were deemed most critical below.
Top security concerns: Data leakage and over-privileged access
The risks keeping CISOs up at night are consistent across all industries. The survey identifies data leakage/exfiltration as the top security concern regarding AI agents, followed closely by over-privileged access.
These two concerns not only received the highest average ranking (respondents were most concerned about them), they were also the most frequently cited. The vast majority of decision-makers (83%) identified data leakage/exfiltration as a concern, and 80% selected over-privileged access.
Beyond these primary fears, decision-makers are flagging unauthorized agent actions, shadow AI integrations that bypass oversight, credential sprawl, prompt injection, lateral movement, and lack of auditability.
Buyers are no longer satisfied with automation without transparency and granular oversight; they are demanding a standardized model that enforces least privilege, centralized approval, and end-to-end audit trails. When prompted to rank the potential benefits of a solution like XAA, respondents prioritized the following:
- Least privilege enforcement: Earned the highest average ranking among all prompted benefits, indicating respondents view it as the most beneficial.
- Centralized governance: The ability to centrally manage or revoke access to integrations was the most frequently cited benefit, signaling its popularity as a priority.
- Audit readiness: Improved audit trails ranked second among the most frequently cited benefits.
Data insight: Security standards drive deployment confidence
The survey data highlights a direct correlation between standardized protocols and deployment velocity. When asked specifically about Cross App Access (XAA), an open protocol that provides standardized, auditable connections that enable enterprises to approve, scope, and revoke non-human access, the response was overwhelmingly positive.
The vast majority (95%) of survey respondents indicated that the implementation of XAA would improve their confidence in deploying AI. Rather than relying on bespoke security patches for every new tool, leaders are signaling a preference for a central, enterprise-grade control plane that can scale alongside their AI ambitions.
Procurement reality: Security is now a renewal priority
The financial opportunity for ISVs is clear: 98% of decision-makers will factor agent controls into their upcoming renewals to some degree. According to the survey, supporting standardized security protocols, like XAA, is now a requirement for many enterprise customers:
- A Critical Mandate (17%): Nearly one-fifth of decision-makers now classify agent security controls as a "significant requirement" for their high-spend application renewals.
- A Strong Influence (59%): An additional 59% of leaders report that these features would have a "strong positive influence" on their decision to commit to a platform.
- A Moderate Positive Influence (22%): Nearly one-quarter of respondents indicate that agent controls would positively influence renewal decisions.
The XAA growth multiplier: Combined, the vast majority of the market is actively weighing agent security during the procurement process. What's more, over three-quarters (76%) of decision-makers see XAA as a critical or strong influence on their purchasing and renewal decisions.
Ecosystem priorities for agentic security
Enterprises have identified a broad ecosystem of critical applications where they want to see XAA implemented. Rather than focusing on a single tool, decision-makers are prioritizing security across the entire stack, from the models generating the intelligence to the productivity suites and development repositories where that intelligence is applied.
Securing these hubs is viewed as the foundational step toward a wider autonomous rollout, helping to ensure that agentic workflows can move securely across the core of the modern enterprise.
What product leaders should ship now
Based on survey priorities, the ISV’s AI roadmap should prioritize the adoption of interoperable standards, like the XAA protocol, to deliver:
- Least privilege enforcement: Move beyond broad "all-or-nothing" API keys by allowing customers to enforce task- and resource-scoped permissions through their own identity provider. This addresses the second-highest security concern cited by respondents: over-privileged access.
- Centralized revocation and management: Enable IT admins to immediately view, manage, or kill an agent's access across all connected applications from a single, centralized pane of glass. This was the most frequently cited benefit of XAA, as it helps eliminate the "visibility gap" that currently creates friction for 69% of organizations.
- Identity-bound auditability: Replace anonymous service accounts with event-level logs that bind every autonomous action to a specific agent identity and its initiating user. This provides the "who, what, and when" required to satisfy the audit trails that 49% of leaders say are critical for production readiness.
Building a trusted agentic future
The traditional boundaries of the enterprise network have dissolved. As autonomous agents become the primary drivers of cross-app workflows, the user is no longer the sole gatekeeper of access. To realize the full potential of AI, we must shift from a model based on implicit trust and long-lived tokens to one defined by identity-first governance. Success in this era requires an ecosystem-wide commitment to interoperable standards like XAA, verifying that as agents, apps, and systems begin talking to each other in new ways, they do so within a framework of visibility, control, and absolute trust.