On May 8, 2026, Microsoft made Agent 365 generally available. Six days later, on May 14, Okta extended its Identity Security Fabric to AI agents running on Amazon Bedrock, opened the platform to rival identity providers, and started letting customers discover shadow agents through OAuth consent grants on managed browsers. Two of the largest identity vendors in the world shipped agent-identity products inside the same week.
They did not do this because identity is fashionable. They did it because they have data that other people do not have. Microsoft sees what runs on Windows endpoints across every Fortune 500 company. Okta sees what authenticates against single sign-on for the rest of the enterprise market. Both of them looked at the data and reached the same conclusion at the same time. A meaningful share of corporate work is now being done by entities that nobody has issued a badge to.
Your headcount is wrong. The HR system counts the humans. It does not count the agents. The agents are already on the payroll. They are running in OpenClaw windows, in GitHub Copilot CLI sessions, in Claude Code processes, in autonomous loops sitting on developer laptops. They are reading files. They are calling APIs. They are firing transactions and writing to production systems. They are doing all of this under the borrowed authority of the human who installed them. Your IT team cannot see most of them. Your audit log cannot name them. Your security model was designed in a world where every action had a human keystroke behind it, and that world no longer exists.
This is the problem Microsoft and Okta both moved on in the same eight days. The size of the gap forced their hand.
The shape of the shadow
Shadow IT is an old idea. A salesperson buys a Dropbox subscription on a personal card. A product team spins up a Heroku instance the security team does not know about. The CISO learns about it during an audit and shuts it down. The mechanics of shadow IT were tractable because the assets were stationary. A SaaS account had a billing record. A server had an IP address. The auditor could find the thing if they looked.
Shadow AI does not work that way. The Microsoft Agent 365 launch notes are explicit about the new shape. Local agents installed on company devices outside IT and security visibility represent an emerging endpoint risk. These agents can read files, execute code, and act on the user's behalf, enabling access to sensitive data or risky operations without touching managed cloud services at all. The action happens on the laptop. It does not flow through a centralized gateway. The traditional perimeter does not see it.
Think about what that means. A developer at your company installs Claude Code or OpenClaw. The agent now has the developer's local credentials, their git tokens, their cloud CLI sessions, their VPN access. The developer asks the agent to refactor a service. The agent reads twenty files, calls four external services to look up documentation, opens a pull request, runs the test suite, and pushes to a feature branch. None of those actions look unusual in the audit log. They all look like the developer did them. The agent is invisible because it is borrowing the developer's identity.
Now multiply that pattern across every team in your company that has a laptop and a developer account. Sales engineers running prompts against CRM data. Finance analysts running agents over the data lake. Operations teams running automated browser sessions against vendor portals. Some of these will be sanctioned and observed. Most will not. You will only learn about the unsanctioned ones when something breaks badly enough that you have to read the logs in detail.
This is the empirical reason Microsoft and Okta moved. The asset class exists. The governance does not.
What the numbers actually say
The MSSP Alert reporting from RSAC 2026 carried the figures that explain the urgency. By the end of 2026, thirty percent of enterprises will rely on AI agents that act independently, triggering transactions and completing tasks on behalf of humans or systems. Eighty-five percent of cybersecurity professionals expect digital identities for agents will be as common as human and machine identities within five years. Eighty-six percent said that without unique and dynamic digital identities, AI agents cannot be fully trusted.
The same body of reporting carries the corollary that explains the panic. Seventy-eight percent of organizations have no formal policies for creating or removing AI identities. Ninety-two percent are not confident their legacy IAM tools can manage the risks agents bring. You can read those two pairs together. The asset class is here. The infrastructure to govern it is not.
Traditional non-human identity, which is the IAM term of art for service accounts and API keys, is also no longer the right model. A service account is static. You provision it once. It does one thing. Its permissions are written down. An agentic identity is dynamic, ephemeral, and self-directed. The agent runs continuously, spans multiple applications, acquires permissions opportunistically as it solves a problem, and generates activity at machine speed. A service account writes one row per minute. An agent writes ten thousand rows per minute, each one structurally indistinguishable from a human action.
The old IAM tools cannot model this. They were built for a world where each identity could be classified as human or machine, where machine identities did roughly fixed things, and where every privileged action was preceded by an interactive human keystroke. The first assumption breaks because agents act on behalf of humans. The second breaks because agents do whatever the prompt asks. The third breaks because the keystroke is now a generated tool call. Every layer of the IAM model is wrong.
The audit log lies, quietly
Here is the failure mode that should make CFOs and General Counsels nervous.
Picture a senior engineer at a bank using Claude Code to investigate a production incident. The agent has access to the engineer's database credentials, their cloud CLI session, and their company laptop. The engineer prompts the agent to find the offending query. The agent reads tables across three production databases, exports a slice of customer data to a local file so it can analyze the pattern, and writes a remediation script. The incident gets fixed. The engineer closes the agent.
Six months later, an auditor reviews the database access logs. The logs show that the engineer accessed three production tables and exported customer data to a local file. The engineer remembers running the prompt but not the specifics of what the agent did. The local file is gone. The agent's reasoning trace was never written anywhere durable. The auditor has access logs that name a human, but the action the logs describe was actually a series of decisions made by an agent the auditor cannot see in the data.
This is not theoretical. The Hacker News reporting from May 2026 on AI agents inside the perimeter spelled out exactly this pattern. Your AI agents are already inside the perimeter, and you do not know what they are doing, because every action they take is recorded as if a human took it. The audit trail is intact in form and broken in substance. It tells you what authority was used. It does not tell you who or what made the decision to use it.
For a regulated industry, this is a disclosure problem in waiting. For an unregulated industry, this is a litigation problem in waiting. For every industry, it is a control problem right now.
Three failure modes already showing up in production
The pattern is general but the failures are specific. Three classes are worth naming because they are happening this quarter, not next year.
Inherited credential creep. An agent installed on a developer's laptop inherits every cloud token, every VPN session, every git credential, and every browser cookie the developer has. The developer rotates passwords on a quarterly schedule. The agent's effective permission surface does not shrink with the rotation, because the rotation happens in the human's password manager and the agent already cached the tokens for the current session. The principle of least privilege, which is the bedrock of enterprise security, was designed around the assumption that a human is on the other end of the keyboard requesting one tool at a time. It does not survive contact with an autonomous agent that grabs everything in scope at startup and never lets go.
Cross-account exposure through shared MCP servers. Model Context Protocol servers are the new plumbing for agent tool access. They are also a new aggregation point. A developer team installs an MCP server that connects to the company calendar, the company CRM, and the company file store. Each developer's agent connects to the MCP server through their own credentials. Then someone configures the server to use a shared service account so the tooling is simpler. Now every developer's agent has the same blast radius as the most privileged developer. The cross-account boundary that the IAM team spent five years building has been silently collapsed by a developer convenience choice. No alarm fires, because nothing in the existing IAM stack knows what an MCP server is.
Identity laundering through cascading agents. An agent triggers a subagent. The subagent triggers a tool. The tool calls another API which is itself an agent. Each hop preserves the original human's authority because the call chain inherits the bearer token at the top. By the time the final agent in the chain takes the action, four agents have made decisions under the original human's badge, none of which were visible to the human. The audit log shows the human did the thing. The human did not do the thing. The human prompted an agent that prompted three more agents.
Each of these is a control failure that traditional security has no language for. The vocabulary is wrong. The tools are wrong. The mental model is wrong.
Why Microsoft and Okta both moved in the same week
Two large identity vendors do not ship competing products in the same week by accident. They moved because their customers were asking the same question with rising urgency. Microsoft's customer base is the developer endpoint, where Claude Code and GitHub Copilot CLI and OpenClaw are already running. Microsoft's instrumentation can see those processes on the machine even if the security team cannot. So Microsoft built a discovery layer on top of Intune and Defender that finds the agents, registers them, and applies endpoint policies that can block unsanctioned agent execution. That is what Agent 365 actually does. It maps the shadow.
Okta's customer base is the application layer, where the agent eventually authenticates to something that matters. The bank's CRM. The retailer's inventory system. The hospital's electronic health record. Okta cannot see what runs on the laptop, but it can see what hits the federated identity layer. So Okta built a registry that treats every agent as a first-class identity with a human owner attached, monitored OAuth consent grants in managed browsers to find shadow agents at the moment they request access, and extended their fabric to Amazon Bedrock so agents built on AWS can be governed under the same model. That is what Okta for AI Agents actually does. It binds an identity to every agent at the moment of authentication.
Both vendors moved because the asset class is now too large to ignore and the existing tools are too thin to govern it. Both vendors moved at the same time because the security teams inside enterprises started calling and saying the same thing in the same week.
The strategic question is not whether to deploy AI
The conversation about agents in most boardrooms is still framed as a deployment question. Should we deploy more agents? Where should we deploy them? How do we measure the productivity lift? The framing is six months out of date.
The strategic question right now is not whether to deploy AI. The agents are already deployed. The right question is whether you can see them, whether you can name them, whether you can attribute their actions, and whether you can shut them off when something goes wrong. If the answer to any of those is no, then the deployment question is moot. You are running a workforce you do not know about, on a permission model that was designed for a different century, in an audit trail that will not stand up to scrutiny.
The boards that grasp this are doing four things in parallel, none of which look like buying a product.
First, they are commissioning a count. An honest inventory of every agent running anywhere on company hardware or against company data. This is a hard count to do because the agents do not always announce themselves. The count has to come from a combination of endpoint telemetry, network observation, OAuth consent records, and a confidential employee survey that promises no consequences for honest answers. Most large companies will be surprised by the number they find.
Second, they are reclassifying the work. For every agent that gets surfaced, the question is what authority it actually used to do the work, and whether that authority was granted on purpose or borrowed by default. Almost every agent in the wild today was given permission by default. The reclassification is the moment a business decides which of those defaults stand and which of those defaults stop.
Third, they are designing the identity layer. Not buying it. Designing it. The Microsoft and Okta products are useful infrastructure, but they are not the policy. The policy is the question of which human owns which agent, which actions an agent of a given class can take in a given context, what evidence the agent has to preserve to make its actions reviewable later, and what kill switches exist if the agent goes wrong. The policy is a piece of writing, signed by an officer, that the products implement.
Fourth, they are changing the audit trail itself. The audit trail in a pre-agent world recorded human keystrokes. The audit trail in an agent world has to record three things at once. The human who initiated. The agent that acted. The reasoning the agent gave for the action. None of the off-the-shelf logging stacks do this today. Building the new audit trail is its own project, and it touches every system that an agent might ever talk to.
Why this is architecting, not procurement
You can buy Agent 365 and Okta for AI Agents and any other point product you want, and you will still not have solved the problem. The products are infrastructure. They terminate at the edges of their respective stacks. Microsoft can govern what runs on Windows endpoints. Okta can govern what authenticates through its fabric. Neither one can tell you which agents your finance team is running against your data warehouse, what the policy should be for an agent that has access to customer PII, or whether the way your developers chained four agents together to ship the last release is acceptable risk.
That decision is architectural. It crosses the IT boundary, the security boundary, the compliance boundary, and the operating model boundary. It requires a single coherent view of what an agent is, who owns it, what it can do, and how its actions get recorded. No vendor sells that view, because the view has to be specific to your company. The view has to know your data classifications, your regulatory exposure, your operating geographies, your risk appetite. Off-the-shelf cannot provide it.
The companies that get this right in the next four quarters will end 2026 with a working agent operating model. They will know what they have. They will know who runs it. They will know what it is allowed to do. They will be able to ship more agents quickly, because the framework is in place. The companies that do not get it right will spend 2027 doing a forced inventory because of an incident. The cost of an incident-driven inventory is at least an order of magnitude higher than the cost of a deliberate one.
What to do this quarter
This is the work Agor AI Advisory exists to do. We sit between the agent layer and the operating model. We help you commission the count. We help you write the identity policy that the vendor products implement. We help you redesign the audit trail so it actually records what happened. We help you make the architectural choices that determine whether your next four quarters of AI investment compound into a system you control or scatter into a workforce you cannot see.
The vendors will keep shipping infrastructure. Microsoft will ship more of Agent 365. Okta will ship more of the Identity Security Fabric. AWS, Google Cloud, and the rest will ship their own versions. The infrastructure is necessary. It is not sufficient. The sufficient piece is the architecture that turns infrastructure into governance, and that architecture is what we build with you.
Every week you delay is a week your shadow workforce grows under inherited authority you did not approve, leaving an audit trail that will not hold up when someone asks the question your auditor is going to ask. Count the agents now, while the counting is still cheap.
Sources
- [Microsoft Security Blog, May 2026, Microsoft Agent 365, now generally available, expands capabilities and integrations](https://www.microsoft.com/en-us/security/blog/2026/05/01/microsoft-agent-365-now-generally-available-expands-capabilities-and-integrations/)
- [VentureBeat, May 2026, Microsoft takes Agent 365 out of preview as shadow AI becomes an enterprise threat](https://venturebeat.com/technology/microsoft-takes-agent-365-out-of-preview-as-shadow-ai-becomes-an-enterprise-threat)
- [Futurum Group, May 2026, Microsoft Agent 365 Turns Shadow AI Into a Governed Asset Class](https://futurumgroup.com/insights/microsoft-agent-365-turns-shadow-ai-into-a-governed-asset-class/)
- [SiliconANGLE, May 14, 2026, Okta extends AI agent security to Amazon Bedrock, opens platform to rival identity providers](https://siliconangle.com/2026/05/14/okta-extends-ai-agent-security-amazon-bedrock-opens-platform-rival-identity-providers/)
- [Okta Newsroom, 2026, New Okta innovations secure the AI-driven enterprise and combat fraud with an identity security fabric](https://www.okta.com/newsroom/press-releases/new-okta-innovations-secure-the-ai-driven-enterprise-and-combat-/)
- [Biometric Update, March 2026, AI agent identity and next-gen enterprise authentication prominent at RSAC 2026](https://www.biometricupdate.com/202603/ai-agent-identity-and-next-gen-enterprise-authentication-prominent-at-rsac-2026)
- [MSSP Alert, 2026, Security Teams, MSSPs Will Wrestle with Agentic AI, Non-Human Identities in 2026](https://www.msspalert.com/news/security-teams-mssps-will-wrestle-with-agentic-ai-non-human-identities-in-2026)
- [The Hacker News, May 2026, Your AI Agents Are Already Inside the Perimeter. Do You Know What They're Doing?](https://thehackernews.com/2026/05/your-ai-agents-are-already-inside.html)