Okta's AI Strategy: How the Identity Leader Approaches Customer Discovery in 2026

TL;DR

Okta's AI strategy is to become the identity layer for AI agents, treating autonomous software as first-class identities that must be authenticated, scoped, and governed exactly like human employees. CEO Todd McKinnon has called AI agents "your next insider threat" and reframed the company's mission so that "AI security and identity security are one and the same." Okta now ships Auth for GenAI, Cross App Access (XAA) — a new OAuth extension submitted to the IETF — and an Identity Security Fabric to secure both human and non-human identities. The company posted $2.919 billion in fiscal 2026 revenue (up 12% year over year) and $4.827 billion in remaining performance obligations, serving thousands of enterprises through Okta Workforce Identity and the developer-focused Auth0 platform. Yet its deepest understanding of what admins and developers actually need still arrives through support tickets, CSAT scores, and feature-request forms — channels that capture the symptom but rarely the reasoning. For a security vendor, where trust is existential and a misread developer need can become a breach vector, the gap between "what customers ask for" and "why they ask for it" is the real risk. Conversational AI interviews close that gap by letting admins and developers explain their constraints in their own words, at Okta's scale.

What is Okta's AI strategy?

Okta's AI strategy is to extend identity and access management from humans to AI agents, positioning Okta as the neutral identity control plane that authenticates, authorizes, and governs autonomous software across the enterprise. The strategy rests on a single thesis from CEO Todd McKinnon: as organizations deploy AI agents that act on their behalf, every agent becomes a new identity that needs the same lifecycle controls — creation, authentication, permission scoping, and deactivation — that Okta already provides for employees, contractors, and customers.

This is not a bolt-on. McKinnon has described agent and machine identity as a third pillar of the business alongside Workforce Identity and Customer Identity, and Okta's own newsroom frames the shift as "AI security and identity security are one and the same." For a company whose entire value proposition is trust, the bet is logical: if AI agents are going to touch sensitive systems, the vendor that already mediates who-can-access-what is positioned to mediate which-agent-can-access-what.

The harder question — and the one this article examines — is how Okta learns what admins and developers need as the ground shifts this fast. That learning still runs largely through forms.

Okta by the numbers: scale, revenue, and the customer base

Okta is one of the largest independent identity providers in the world, and its scale is what makes its customer-discovery problem interesting. A few precise data points frame the company:

  • $2.919 billion in fiscal 2026 total revenue, a 12% increase year over year, per Okta's FY2026 results. Subscription revenue was $2.855 billion, also up 12%.
  • $2.610 billion in fiscal 2025 revenue, up 15% year over year — meaning Okta added roughly $309 million in annual revenue between the two fiscal years.
  • $4.827 billion in remaining performance obligations (RPO) as of January 31, 2026, up 15% year over year — a subscription backlog that signals how much contracted demand sits ahead of recognized revenue.
  • Two distinct buyer populations: enterprise IT and security admins who buy Okta Workforce Identity, and the developers who build on the Auth0 platform Okta acquired in 2021. These two audiences think differently, file tickets differently, and churn for different reasons.

That dual audience is the crux. An IT admin standardizing single sign-on across 200 SaaS apps and a developer wiring authentication into a GenAI app are not the same customer, and a feature-request form treats them as if they were. McKinnon himself has framed the business tension plainly: business teams want the productivity gains of AI agents, while security and IT teams "see a huge gap between deployment and security controls." Knowing exactly where that gap sits for each audience is a research problem, not a ticketing problem.

Where Okta uses AI today: Auth for GenAI, Cross App Access, and the Identity Security Fabric

Okta's AI initiatives in 2025 and 2026 cluster around three concrete product moves, all aimed at securing the AI-driven enterprise rather than adding AI features for their own sake.

Auth for GenAI is purpose-built infrastructure for authenticating and authorizing AI agents. It handles what Okta calls the agent identity lifecycle: creating an agent identity, authenticating it, scoping its permissions, and eventually deactivating it. The pitch is that an agent calling APIs on a user's behalf should not inherit unlimited standing access — it should get verified, narrowly scoped, revocable credentials, the same discipline Okta applies to human accounts.

Cross App Access (XAA), introduced in June 2025, is a new protocol that extends OAuth so an enterprise identity provider can mediate AI-to-app and app-to-app connections. Rather than requiring a user to manually log in and consent to every integration, XAA lets the enterprise evaluate access requests against policy and issue tokens through Okta without additional user interaction. Okta submitted the underlying Identity Assertion Authorization Grant to the IETF's OAuth Working Group, and early collaborators include Box, Glean Technologies, Boomi, and Automation Anywhere. As Okta Chief Product Officer Arnab Bose put it, agents' "increased access to data and the explosion of app-to-app connections will create new identity security challenges."

The Identity Security Fabric is the umbrella framework: a single layer designed to provide visibility, control, and threat monitoring across millions of identities — "from customers to employees to partners to AI agents to non-human identities," in McKinnon's framing. At Oktane 2025, McKinnon delivered the line that became the conference's headline: AI agents are "your next insider threat."

These are serious, well-resourced bets. But notice what they have in common: they are answers to a question Okta has decided is the right one. The risk for any security vendor moving this fast is mis-defining the question — building agent governance for the threat model admins will face rather than the one they actually fear today. That is precisely the kind of "why" that forms cannot surface.

Why form- and ticket-based listening bottlenecks deep customer discovery

Form- and ticket-based listening bottlenecks discovery because every one of those channels captures a symptom — a thumbs-down, a 6/10, a feature request — without the reasoning that makes it actionable. For most companies this is a quality-of-insight problem. For a security vendor like Okta, it is closer to a risk problem, because the gap between what an admin reports and why they reported it can hide the very edge cases that become breach vectors.

Consider the channels Okta relies on to hear from its two audiences, and what each one loses:

| Listening channel | What it captures | What it misses (the "why") |
| --- | --- | --- |
| Support tickets | The immediate blocker an admin hit | Whether the blocker reflects a one-off config or a systemic mental-model gap |
| CSAT / NPS surveys | A satisfaction score after an interaction | The reasoning behind the score and what would have changed it |
| Feature-request forms | A ranked list of asks | The underlying job the admin is trying to do, and the constraint forcing the ask |
| Developer docs feedback ("Was this helpful? Y/N") | A binary signal on one page | Where the developer's mental model of the auth flow actually broke |

A concrete example: an enterprise admin files a ticket asking for more granular agent permission scopes in Auth for GenAI. Logged as a feature request, that ticket says "wants finer scopes." What it does not say is whether the admin is worried about a specific compliance auditor, has been burned by an over-permissioned service account before, or simply doesn't trust the default and wants a knob to feel safe. Each of those reasons points to a completely different product response — and a form has no mechanism to ask the follow-up question that distinguishes them.

This is the structural argument Perspective AI has made across the SaaS landscape, from the principle that AI-first research cannot start with a web form to the data showing why conversations beat surveys for real customer research. Forms front-load effort, flatten people into dropdowns, and fail exactly at the moments of uncertainty — "it depends," "I'm not sure," "it's complicated" — that hold the most signal. For an identity company defining a brand-new category like agentic identity, those uncertain moments are the roadmap.

The security-vendor stakes: when "what" without "why" becomes a breach vector

For a security vendor, a misread customer need is not just a missed feature — it can be a vulnerability, because admins and developers configure security based on their understanding, and if Okta misunderstands their understanding, the resulting product gaps show up as misconfigurations in production. Trust is the entire product. When McKinnon compares deploying AI agents to "creating a lot of individual new insider threats," he is describing a world where the cost of misjudging a customer's mental model compounds.

The numbers around agentic AI make this urgent. Industry research cited at Oktane 2025 found that 91% of organizations were already deploying agentic AI in pursuit of productivity gains, while just 10% had any cyber governance in place to manage those agents. That 81-point gap is the market Okta is racing into — and it is a market defined almost entirely by what customers don't yet know they need. You cannot survey your way to a roadmap for a problem buyers can't fully articulate. You have to interview them, follow up, and reconstruct the reasoning.

This is the same insight that powers the strongest voice-of-customer programs in 2026 and the broader shift toward AI-powered customer experience from first touch to renewal. The teams winning here have moved past static feedback to continuous, conversational discovery — and that pattern shows up across the enterprise software companies racing to define their own AI strategies, from Datadog's observability-led customer research to Glean's enterprise-search discovery work and Databricks' forward-deployed approach to learning from customers.

How conversational AI interviews capture the reasoning Okta needs

Conversational AI interviews capture reasoning by replacing the static form with an AI interviewer that asks an open question, listens to the answer, and then probes the vague or surprising parts in real time — at the scale of hundreds or thousands of admins and developers at once. Instead of forcing an Okta customer to translate a complex security concern into a dropdown, the interview lets them explain it the way they would to a colleague, and the AI follows the thread.

In practice, that changes what Okta could learn from each of its audiences:

  • Admins, instead of ranking feature requests, could be asked "Walk me through the last time you weren't sure an agent had the right level of access — what did you do?" The follow-ups would surface whether the worry is compliance, past incidents, or simple distrust of defaults — the distinction a feature-request form erases.
  • Developers building on Auth0 and Auth for GenAI could be interviewed about where their mental model of an authorization flow broke, rather than leaving a "Was this helpful? No" with no explanation. An AI interviewer agent can ask the clarifying question a docs-feedback widget never will.
  • Onboarding and intake for new enterprise deployments could replace multi-step forms with an AI concierge agent that captures intent and constraints conversationally — the same form-replacement pattern Perspective documents in its work on intelligent intake.

The output is not a pile of transcripts. Perspective AI runs the interviews, auto-analyzes them, extracts representative quotes, and produces summary reports — so a product team learns the "why" without hiring an army of researchers. This is the methodology behind moving beyond surveys to conversations that actually win, and it is what the modern customer research stack that product and CX teams actually use is converging toward. For security and identity vendors specifically — where the buyer is technical, skeptical, and articulate — the depth of a conversation beats the breadth of a survey every time. Teams building a voice-of-customer program from scratch and product teams running discovery get the same leverage: continuous, scalable, qualitative depth.

Frequently Asked Questions

What is Okta's Auth for GenAI?

Auth for GenAI is Okta's purpose-built infrastructure for authenticating and authorizing AI agents. It manages the full agent identity lifecycle — creating an agent identity, authenticating it, scoping its permissions narrowly, and deactivating it when it is no longer needed — so that autonomous software receives verified, revocable, least-privilege access instead of inheriting broad standing credentials. It is a core pillar of Okta's broader strategy to treat AI agents as first-class identities.

How is Okta securing AI agents?

Okta secures AI agents by treating them as identities that must be governed like human users, through three main mechanisms. Auth for GenAI handles agent authentication and permission scoping; Cross App Access (XAA), an OAuth extension submitted to the IETF, lets the enterprise identity provider mediate agent-to-app and app-to-app connections; and the Identity Security Fabric provides visibility and threat monitoring across human and non-human identities. CEO Todd McKinnon frames AI agents as "your next insider threat."

What is Okta's identity security strategy?

Okta's identity security strategy is to be the neutral, independent control plane for every identity in the enterprise — employees, contractors, customers, partners, and now AI agents. The company argues that as software begins acting autonomously, securing those agents is inseparable from securing human access, summarized in McKinnon's claim that "AI security and identity security are one and the same." Okta's Identity Security Fabric is the framework meant to unify governance across all of them.

How does Okta do customer research?

Okta primarily learns from customers today through support tickets, CSAT and NPS surveys, feature-request forms, and developer documentation feedback. These channels capture what customers report — a blocker, a score, an ask — but rarely the reasoning behind it. For a security vendor whose roadmap depends on understanding admin and developer mental models, the gap between the symptom and the "why" is significant, which is why conversational AI interviews are increasingly relevant to companies at Okta's scale.

Why are forms a problem for a security company's customer discovery?

Forms are a problem for a security company because they capture a symptom without the reasoning, and for security products the reasoning is where the risk lives. When an admin requests a feature, a form records the request but not whether it stems from a compliance requirement, a past incident, or distrust of defaults — distinctions that point to entirely different and security-critical product responses. Conversational interviews close that gap by probing the "why" in the customer's own words.

Conclusion: identity leaders need conversational discovery, not more forms

Okta's AI strategy is one of the clearest bets in enterprise software: secure the AI agent the way you secure the human, and own the identity layer for the agentic era. The product moves are real and well-funded — Auth for GenAI, Cross App Access, the Identity Security Fabric — backed by a $2.919 billion business growing 12% a year. But the same urgency that makes Okta's agentic-identity bet smart also raises the stakes on customer discovery: when 91% of organizations are deploying agents and only 10% can govern them, the roadmap depends on understanding needs that buyers can barely articulate yet. Support tickets, CSAT, and feature-request forms capture the symptom; they almost never capture the reasoning. For a vendor whose entire product is trust, that missing "why" is not a nice-to-have — it is a risk surface.

The fix is not another survey. It is conversation at scale. Perspective AI lets identity and security teams interview hundreds of admins and developers at once with an AI interviewer that follows up, probes the uncertain answers, and reconstructs the reasoning behind every request — then analyzes it automatically. If you are defining an AI strategy where understanding your customers' "why" is existential, start a study with Perspective AI or see how the AI interviewer works. The identity leaders who win the agentic era will be the ones who stopped guessing at the "why" and started asking.
