Okta research shows more than half of organizations faced an AI-related security incident or near-miss in the last year
More than half of enterprises have experienced an AI-related security incident or threat in the past year, according to a study commissioned by Okta, a leader in identity and access management. This is despite executives having overwhelming confidence in their ability to use AI tools to manage employee risks.
“For the purposes of this study, an AI security issue is defined as an actual incident – a breach, data leak, system disruption, or close call. This means the problem was identified before it caused harm to the organization,” Harish Peri, senior vice president and general manager of AI Security at Okta, told The Register.
Of the respondents who reported a security issue, 26.7 percent described an actual incident (breach, data leak, system disruption), and 31.2 percent said they caught a close call before harm occurred. But overall, 58% of executives report that their organizations experienced an AI-related security issue in the past 12 months, and data points to the use of “shadow AI” by employees as a contributing factor, Peri said.
“The old adage in cybersecurity is that you can’t protect what you can’t see. Our research shows that 52 percent of knowledge workers admit to using unauthorized AI tools,” Peri said. “Security and compliance teams cannot control the use of AI tools they don’t know are being used. Organizations must implement an effective AI governance framework that prioritizes identity-centric controls, automated discovery, and secure sandboxes to safely test AI tools.”
The AI Agents at Work 2026 report was commissioned by Okta and conducted in March by Apprize360. It surveyed 292 executives and 492 knowledge workers from seven countries: the United States, United Kingdom, Australia, Canada, Japan, France, and Germany.
The study also found a disconnect between how leaders believe AI is being used within their organizations and what employees are actually doing. Whether it’s a coding assistant, a browser extension, or an industry-specific utility, what ties all the tools together is the need for data, which often requires access to an organization’s internal systems, the study says.
Peri said the investigation revealed risky employee behavior when it came to interacting with AI models. Knowledge workers actively used unauthorized AI tools, shared confidential company documents with them, passed HR information to AI, and provided login credentials in 16% of cases.
“These dangerous actions, whether intentional or not, increase the attack surface for the entire organization,” Peri told The Register.
Despite this, 90% of executives were confident in their organization’s visibility into AI tools, even though more than half of knowledge workers admitted to using AI tools without authorization and 24% added that they use them regularly.
Apart from security concerns, the study also found that AI agents and tools are widespread.
92% of executives surveyed said autonomous AI agents are already widely or moderately used across their organizations, and nearly two-thirds of knowledge workers reported using AI tools at least daily.
Of these employees, 68% used AI agents and 62% regularly used LLMs and AI-infused chatbots.
Survey results also vary by region.
The United States topped all countries surveyed, with more than two-thirds of workers, or 67%, saying they were using unapproved AI tools. Australia came in second place, with 60% of workers saying they had been involved in unauthorized use of AI. In the UK, about 55% of workers are ignoring the rules, and in Canada, about 50% of workers report using unapproved AI tools.
Workers in France and Germany reported the lowest rates of unapproved AI use, at around 30% each.
The gap between executive confidence and employee reality is greatest in the UK, where 96% of executives express confidence in their company’s AI visibility, but more than half of employees are using unapproved tools.
Peri said there are no easy solutions.
“For most organizations, shadow AI emerges unintentionally and with no malicious intent,” he told The Register. “Shadow AI is a headache for leaders primarily because they don’t have adequate visibility, governance, and security controls for tools that the organization doesn’t control.”
Okta research recommends that organizations assume shadow AI exists and prioritize discovery. It also says that using AI securely should be the easiest way to do it, and that organizations need to define their AI governance strategy now.
Peri said a strict ban on AI could actually make the problem worse by increasing its underground use. He said a more effective approach involves talking to employees to understand what they need and making approved tools easier to use than non-approved alternatives.
