Okta CEO Todd McKinnon just made a striking admission - he's "paranoid" about the SaaSpocalypse. But instead of playing defense, the $14 billion identity management company is going all-in on what McKinnon calls the biggest market opportunity in cybersecurity: managing identities for AI agents. After 40 customer meetings where executives couldn't stop talking about agents, Okta flipped its entire strategy to become the identity layer for the agentic enterprise. It's a bet that the new AI agent market could eclipse identity management's current $28 billion slice of the $280 billion cyber industry.
Okta is making a massive strategic pivot, and CEO Todd McKinnon isn't sugarcoating the stakes. During the company's recent earnings call, he used a word that rarely escapes the lips of enterprise software CEOs: paranoid. "We are paranoid, and we're making sure that we're using all the latest technologies, LLMs, et cetera, to make sure that we have something that's resilient and secure," McKinnon told analysts, according to The Register.
The source of that paranoia? The so-called SaaSpocalypse - the idea that companies will simply vibe-code their own tools with AI rather than pay for enterprise software subscriptions. But McKinnon sees something bigger than the threat: an entirely new market in managing identities for AI agents that could dwarf Okta's current $3 billion business.
The moment of clarity came during a year of customer meetings. McKinnon set out to pitch Okta's unified identity platform to the company's 100 largest customers. He'd talk about customer identity, governance, and privilege management - the traditional Okta wheelhouse. Then he'd mention AI agents at the end. "Whenever I would get to that, the people in the meeting would just stop, and they'd be like, 'Wait, talk about that some more,'" McKinnon revealed on The Verge's Decoder podcast.
After 40 meetings, he flipped the script entirely. Now agents lead the conversation. "After that conference, I just said, 'Listen, we've got to flip this around. People want to hear about the agents, that's the direction they're going, and that's what we need to pivot to and totally focus on,'", McKinnon said.
The catalyst was OpenClaw, the AI agent that became "the ChatGPT moment for agents," as McKinnon puts it. When OpenClaw launched, users rushed to buy Mac Minis, air-gap them from production machines, and hand over all their credentials. The security implications were staggering, but so was the demand. "At my son's soccer game, the parents were talking about OpenClaw," McKinnon said. "And these aren't tech people."
Okta's response is a three-pillar blueprint for what it calls the "agentic enterprise." First, agent identity - creating a new identity type that sits between a person and a system. These hybrid identities can act on behalf of users, operate autonomously, or require human oversight. "Some of these things are very much, 'Hey, they're just one-to-one with people.' Some of them are a set of multiple agents that work with one person. Some of them are totally headless," McKinnon explained.
The second pillar addresses the connection chaos. As Salesforce rolls out Agentforce, ServiceNow deploys its agents, and Microsoft, Google, and Amazon push their platforms, enterprises need a central registry. "They need a list of the agents they have, and then they need a system of record and a list for the agents they could use," McKinnon said. Okta wants to be that system of record, tracking what agents exist and what they're allowed to access.
The third pillar might be the most critical: a kill switch. When an agent goes rogue - through prompt injection, misconfiguration, or malicious code - Okta can revoke all its access credentials. "It's almost like you would take a machine off the network," McKinnon explained. The challenge? Okta doesn't have a "magic solution" for detecting when an agent misbehaves. They're working on industry standards for raising alerts, but detection remains the agent owner's responsibility.
McKinnon's confidence stems from market dynamics reshaping enterprise IT. "Every organization is universally aware of the potential of agents," he said. "They want to make things more automated, and they want to enhance their workforce with digital employees." The opportunity is massive - McKinnon believes agent identity could become the largest category in cybersecurity, potentially exceeding the $28 billion traditional identity management market.
But Okta isn't immune to the SaaSpocalypse threat that's rattling SaaS companies. The difference, McKinnon argues, is that Okta's moat runs deeper than features. "You can build the features and functions, but the last thing is to connect it to everything. Thousands and thousands of different applications, services, and pieces of infrastructure have to be connected to the last mile," he said. "Getting the features to work is 10 percent of the battle. Making sure it works 100 percent of the time takes years and years and years."
There's also the trust factor. "What cyber company do you trust to be secure itself?" McKinnon asked. When breaches happen, CIOs need to explain their choices to boards. "Oh, we got breached. Well, what did you pick?" "Well, I wanted to save a little bit of money to vibe code it." That's a career-ending conversation.
The strategic shift required organizational change. McKinnon pushed teams to increase their "change quotient" from 20/80 (20% change, 80% stability) to at least 60/40. "Change is hard," he acknowledged. "But you really, as a leader, have to force it sometimes, top-down mandates." He's skeptical of CEO claims that "AI is writing 90 percent of our code right now," calling it salesmanship rather than reality.
Looking ahead, McKinnon sees a future where multi-silo agents - those that jump from Microsoft to Salesforce to custom systems - will test vendor lock-in strategies. He invoked IBM's historic unbundling, when customer pressure and government intervention forced Big Blue to separate hardware, operating systems, and applications. "Customers will have the leverage eventually," he predicted. "And if the customers in a market mechanism don't have leverage, the government will step in and do antitrust."
The technology challenges remain steep. No one has maintained an "agentically developed system for five years," McKinnon noted. The industry is still figuring out how agents will scale, how to audit their decisions, and how to prevent them from becoming security nightmares. Okta is betting it can provide the rails that make the agentic enterprise possible - and that the opportunity is worth the paranoia that comes with disruption.
For now, Okta is pushing industry standardization. "There are no good standards for how agents connect to a bunch of other systems where they need to get their data," McKinnon said. The company wants to establish protocols similar to those that govern single sign-on today. Whether Okta can define the standard - and capture the market - will determine if McKinnon's pivot pays off.
Okta's pivot to AI agent identity represents one of the boldest strategic bets in enterprise software's AI transformation. McKinnon is wagering that enterprises will pay handsomely for someone to manage the chaos as AI agents proliferate across corporate networks - and that brand trust, integration complexity, and mission-critical reliability create moats deep enough to survive the SaaSpocalypse. With customer meetings validating demand and OpenClaw proving the market's appetite for agentic systems, Okta is positioning itself as the nervous system for the hybrid human-agent workforce. Whether that vision materializes - and whether Okta's three-pillar blueprint becomes industry standard - will define both the company's future and the shape of enterprise AI security.
