Okta's Todd McKinnon: AI agent identity will become the company's biggest bet

CEO Okta Todd McKinnon has unveiled the company's strategy in the age of AI: while the entire industry debates SaaSpocalypse, Okta is placing its main bet on managing the identity of AI agents within corporations — a market that could become the largest in all of cybersecurity. Okta — a platform with a market capitalization of $14 billion and annual revenue of $3 billion — manages corporate access to thousands of applications. In short, it's the thing that forces you to enter your password again right before a meeting.

In his latest quarterly earnings call, McKinnon admitted that the company is "paranoid" about the threat of SaaSpocalypse: the scenario where businesses start building their own tools through low-code development instead of paying for ready-made SaaS solutions. But paranoia is a tool, not a paralyzing fear. McKinnon is convinced: Okta is well-protected enough against direct replacement.

Security requires scale, reputation, and thousands of live integrations — all the things that can't be put together over a weekend. When a data breach happens at a company, you need a vendor with a name you can hold accountable and one that is feared enough to actually monitor threats. Low-code development doesn't provide that.

The real opportunity that McKinnon sees lies in a different direction. The rise of agentic systems has posed a question that few have managed to articulate: who manages the identity of the agents themselves? When a corporate AI agent enters your CRM, accesses databases, or sends emails on your behalf, it should have a clear identity, limited permissions, and the ability to be instantly disabled.

Today, nothing like this exists in the corporate world. According to McKinnon, an agent is a new type of identity: something between a human and a system. Like a human, it gains access to applications with roles and a profile.

Like a system, it can work completely autonomously or act on behalf of a specific employee. Okta is building a centralized agent registry: a single place where companies can see all their agents — from Microsoft and Amazon platforms to custom-built solutions. A key element is standardized connection points: clear rules for what data an agent can access and under what conditions.

The third component is a "kill switch": the ability to instantly revoke all access for an agent that behaves unpredictably. Like disabling an employee from the corporate network on the first day after termination. McKinnon values the market for agent identity management as potentially the largest category in cybersecurity, with an annual volume of around $280 billion.

Human identity management accounts for roughly 10% of this market. The agent layer, according to Okta's forecast, could exceed it in scale. In parallel, the company is thinking about another threat — AI fraud.

Forty percent of Okta's business is tied to verifying real users on consumer websites. McKinnon sees the solution in digitizing government IDs: mobile driver's licenses and passports offer a chance to reliably distinguish people from bots — through biometrics directly on the smartphone. McKinnon's main thesis: the technology pie is becoming significantly larger.

Agentic systems won't destroy the SaaS market — they will create new categories that don't exist today. For Okta, this means not defending against low-code development, but racing for a new market that the company intends to define and lead.