Securing the agentic enterprise starts with identity

At RSAC 2026, security leaders agreed: You can't secure what you can't see

About the Author

Laurie Isola

Editor

Laurie Isola is a writer, editor, and content strategist with experience that spans newsrooms, nonprofits, and tech. Now in the identity and security space, she uses that experience to uncover stories that provide clarity and utility to readers, from senior decision-makers to everyday users.

02 April 2026

Vidyard video

AI agents are transforming how work gets done, but as deployments accelerate, a critical security gap is widening. At RSAC 2026 Conference, three security leaders sat down with Information Security Media Group (ISMG) to discuss what organizations need to get right before that gap becomes a crisis.

The panel featured Moriah Hara, CISO and founder of Next Gen CISO; Jim DuBois, former CIO and CISO of Microsoft; and Matt Immler, Regional CSO at Okta. Their message was consistent: The principles aren't new, but the pace is. That’s especially evident with the rise of shadow AI.

Panelists noted that employees are deploying agents on their own to get their jobs done, with or without their organization's approval. 

"We have to give them good tools or they'll use bad tools," DuBois said. Immler added that having an approved set of tools is a useful first step, but organizations also need visibility into what's already running in their environment, including agents they didn't sanction.

"We never got great at human identities," DuBois noted, "so we have to get that right because people are giving their permissions to agents, and where there are overprovisions, their agents now can get to that and will."

Hara, a three-time CISO at institutions including Wells Fargo and Bank of America, put it plainly: 

"If you don't know what you have, and you only secure 80% of your AI agents, then don't even bother." 

She urged security leaders to start with inventory and treat identity as the central control plane for managing agentic risk. 

Immler made a related point, saying an AI agent requires more specialized access management than a static service account. "It should be treated more in the way of a privileged access management system: It’s requesting what it needs at the time it needs it," he said.

For organizations wondering where to begin, the panel pointed to three priorities:

  • Take inventory of what agents exist and who created them

  • Apply least-privilege access rigorously

  • Assign human accountability to every agent in the directory

To hear the full conversation, watch the video above.
