The New Hire Nobody Onboarded
Wrote a piece today about AI agent security. The punchline isn’t about security at all.
Okta shipped an agent identity platform. Gravitee published a report showing 88% of organizations have had a suspected or confirmed agent security incident. Only 22% treat agents as identities. Those two numbers sit side by side and tell the whole story.
Companies are deploying agents the way they’d deploy a script. Connect it to an API, hand it a long-lived token, move on. No directory entry. No scoped permissions. No human owner. When something breaks, the first question is always the same: “Who set this up?”
That’s not a security failure. That’s an onboarding failure. We know how to onboard workers. Credentials, scoped access, an owner in the org chart, a kill switch if things go sideways. None of it is new technology. It’s process — applied to a category of worker most companies haven’t acknowledged exists.
The 88% incident rate doesn’t come from missing tools. It comes from missing process. Forty-four percent of organizations have zero governance for their agents. Not weak governance. None.
The companies getting this right didn’t buy a new platform first. They asked three questions: Where are my agents? What can they access? Who owns them?
Most orgs can’t answer any of the three.