Answer Brief
Okta's 'Businesses at Work 2026' report reveals a massive 1,140% surge in access requests over two years, driven primarily by autonomous AI agents. This shift is forcing global enterprises to move beyond traditional user-centric security, prioritizing non-human identity (NHI) governance and phishing-resistant multi-factor authentication to secure modern cloud and hybrid infrastructure environments.
Executive Summary: Okta's 'Businesses at Work 2026' report reveals a massive 1,140% surge in access requests over two years, driven primarily by autonomous AI agents. This shift is forcing global enterprises to move beyond traditional user-centric security, prioritizing non-human identity (NHI) governance and phishing-resistant multi-factor authentication to secure modern cloud and hybrid infrastructure environments.
Why It Matters
The 2026 identity landscape is defined by a paradox: while enterprises are aggressively pursuing AI-driven automation, they are simultaneously struggling to extend traditional security perimeters to cover these new digital actors. Okta's latest intelligence highlights that the volume of access requests has reached an inflection point, growing by 1,140% over a 24-month period. This is not merely a scaling issue; it represents a fundamental shift in the nature of identity from human users to autonomous processes and AI agents.
Technically, this signal indicates that the 'identity' is no longer synonymous with a 'person.' Non-human identities (NHIs) are now the dominant force in network traffic. However, the report warns that most organizations still only manage a small fraction of their service accounts—typically between one and five—leaving the vast majority of automated access points unmonitored. This governance gap is particularly acute in the technology and media sectors, where the density of service accounts per company is significantly higher than the global average.
Technical Signal
In Japan and the APAC region, the operational signal is one of cautious modernization. Unlike some Western markets that may fully abandon legacy systems, Japanese firms are seeing a 20% increase in authentication requests for hybrid and on-premises environments. This suggests that the security perimeter is being extended and reinforced rather than replaced. Operations teams are managing a dual-track environment where traditional VPNs coexist with sophisticated AI agents, complicating the visibility and control of the overall attack surface.
Security teams are responding to this complexity by consolidating privileged access management (PAM). The 650% growth in managed service accounts suggests that enterprises are finally recognizing that service accounts are the highest-risk identities in an AI-centric world. By bringing these into centralized management systems, teams can apply the same rigorous auditing and lifecycle management to bots that they historically applied to human administrators.
Operational Impact
Risk boundaries have shifted significantly due to AI-powered phishing and credential harvesting. The surge in adoption of phishing-resistant MFA—now used by nearly 60% of organizations—is a direct response to the decreasing effectiveness of traditional SMS or push-based authentication. The rapid 81% rise in passwordless adoption further emphasizes that credentials have become a liability that must be abstracted away through high-assurance hardware or biometric-backed tokens.
For global infrastructure and identity teams, the priority must move to 'Agent Discovery' and NHI inventory. As AI agents begin to perform complex workflows across multiple SaaS platforms, the potential for 'shadow AI' increases. Readers should watch for the emergence of tools that specifically target the lifecycle of AI identities, as the ability to prove 'who' or 'what' is accessing a resource will remain the primary defense against automated lateral movement in the cloud.
Event Type: security
Importance: high
Affected Companies
- CrowdStrike
- NinjaOne
- Okta
Affected Sectors
- Artificial Intelligence
- Cloud Infrastructure
- Cybersecurity
Key Numbers
- Increase in access requests over two years: 1,140%
- Growth in year-over-year access requests: 158%
- Growth in NinjaOne usage (top growing app): 240%
- Adoption of phishing-resistant MFA factors: 58%
- Growth in managed privileged access accounts: 650%
Timeline
- Start of the data collection period for the Businesses at Work 2026 report
- Conclusion of the Okta Integration Network data analysis period
- Okta Japan officially releases the Businesses at Work 2026 findings
Frequently Asked Questions
What is driving the massive increase in access requests?
The primary driver is the rapid proliferation of generative AI agents and automated processes. These non-human entities require frequent, automated access to various cloud services and data repositories, resulting in an 11-fold increase in request volume over the past two years compared to human-driven traffic.
What are Non-Human Identities (NHI) and why do they matter?
Non-Human Identities (NHIs) include service accounts, AI agents, and automated scripts used by software to communicate. They are critical because they often operate outside traditional governance frameworks. Failing to manage NHIs creates significant blind spots and security risks as organizations increasingly rely on automated cloud operations.
How is the shift to AI affecting security infrastructure in Japan?
In Japan and the broader APAC region, there is a distinct trend of maintaining legacy perimeter security like VPNs while simultaneously adopting new AI-driven tools. This hybrid approach has led to a 20% increase in authentication requests for on-premises and hybrid environments as firms bridge old and new systems.
What authentication methods are becoming the standard for 2026?
Organizations are rapidly migrating toward phishing-resistant multi-factor authentication (MFA). Adoption of high-assurance factors has risen to 58%, up from 41% two years ago. Passwordless solutions, such as Okta FastPass, are also seeing significant growth, increasing 81% year-over-year as traditional credentials become vulnerable to AI-enhanced attacks.