The 2026 enterprise agent-identity procurement choice between Okta and specialized NHI vendors is not a binary; Okta covers three slices of the NHI surface natively (workforce and managed-service-account lifecycle, session anomaly via October 2024 ITDR, privileged human access via 2025 Okta Privileged Access expansion), is partial on two (OAuth third-party app token governance and workload identity for cloud-native runtimes), and does not cover at GA the agent-runtime credential issuance against ephemeral workloads with sub-hour lifetimes that the specialist tier (Astrix Security for OAuth-app sprawl, Apono for just-in-time cloud access, Britive for multi-cloud privileged orchestration, Aembit for workload-to-workload SPIFFE-style attestation, Andesite for NHI runtime detection on top of existing SIEM, P0 Security for temporary access management with audit-trail evidence) is purpose-built for; the architecture-grade procurement output is one comparison matrix per identity class in scope (typically three: human workforce, managed service accounts, agent-runtime), named federation seams at four specific surfaces (identity-source authority, provisioning protocol with SCIM 2.0 the default, federation protocol with OIDC or SPIFFE the choice, audit-event format aligned to the customer's SIEM), and the procurement-side contractual instruments (AM-167 NHI procurement clause work) that make the federation enforceable at the MSA layer.
Anchored on (a) Okta product documentation for ITDR (October 2024 launch) and Okta Privileged Access (2025 expansion); (b) CyberArk 2024 State of Non-Human Identity Security (45:1 median NHI-to-human ratio, 38% incident rate, 2026 projection at 80:1 for agent-heavy deployments); (c) specialist-vendor product documentation: Astrix Security (third-party OAuth-app risk + remediation), Apono (just-in-time dynamic access), Britive (multi-cloud privileged orchestration), Aembit (workload-to-workload SPIFFE attestation), Andesite (NHI runtime detection on SIEM/EDR), P0 Security (temporary access with audit-trail evidence). The slice-coverage characterisation is from vendor-product current GA documentation as of May 2026; future Okta product releases that close the partial slices (OAuth-app deep-tier or workload identity GA) would change the structural argument. 60-day review cadence (26 Jul 2026). Trigger conditions: (1) Okta announcing GA product that materially closes the OAuth-app or workload-identity gap moves toward Partial; (2) major acquisition in the specialist tier (hyperscaler acquiring one of Apono, Britive, Aembit, Andesite, P0, or Okta acquiring Astrix) redraws the comparison and likely warrants a new sibling piece; (3) OWASP NHI Top 10 or NIST CSF 2.0 publishing prescriptive Okta-vs-specialist architecture guidance influences the federation-seam framing; (4) a Storm-0558-class breach directly attributed in a 2026 vendor-issued NHI incident hardens the specialist competitive case. Sibling AM-167 covers the MSA-layer procurement clauses; AM-180 (planned) covers the TCO model for the IAM stack at 2,000-employee scale; OPS-074 covers the equivalent question at 5-15-person agency scale.
/holding/AM-176/Embed this claimiframe + oEmbed
The card auto-updates when the claim's status, last-reviewed date, or correction log changes. Embedders never need to refresh — the card is rendered live from the canonical record.
Email-me when AM-176's status, next review date, or correction log changes. One email per change. No newsletter subscription, no other mail.
The claim: The 2026 enterprise agent-identity procurement choice between Okta and specialized NHI vendors is not a binary; Okta covers three slices of the NHI surface natively (workforce and managed-service-account lifecycle, session anomaly via October 2024 ITDR, privileged human access via 2025 Okta Privileged Access expansion), is partial on two (OAuth third-party app token governance and workload identity for cloud-native runtimes), and does not cover at GA the agent-runtime credential issuance against ephemeral workloads with sub-hour lifetimes that the specialist tier (Astrix Security for OAuth-app sprawl, Apono for just-in-time cloud access, Britive for multi-cloud privileged orchestration, Aembit for workload-to-workload SPIFFE-style attestation, Andesite for NHI runtime detection on top of existing SIEM, P0 Security for temporary access management with audit-trail evidence) is purpose-built for; the architecture-grade procurement output is one comparison matrix per identity class in scope (typically three: human workforce, managed service accounts, agent-runtime), named federation seams at four specific surfaces (identity-source authority, provisioning protocol with SCIM 2.0 the default, federation protocol with OIDC or SPIFFE the choice, audit-event format aligned to the customer's SIEM), and the procurement-side contractual instruments (AM-167 NHI procurement clause work) that make the federation enforceable at the MSA layer.
About this register
The Reporting register tracks claims published from articles addressed to senior enterprise IT leaders — CIOs, IT directors, heads of platform. Claims are reviewed on a 30–90 day cadence; each review either reaffirms the claim, marks one substantive part as Partial, or marks it Not holding once the underlying evidence has been overtaken.
Recent corrections in Reporting
- AM-008 · Partial · 17 Jun 2026
Source-text figure re-review: Google's 2024 Environmental Report reports a 28% year-over-year increase to 8.1 billion gallons, not the 33% (from a 6.1 billion 2023 base) asserted at publish. The 8.1B 2024 figure and the Microsoft WUE 0.30 L/kWh / 39%-improvement figure are unchanged and verified. Article corrected to 28% and the unsupported 6.1B base removed; the claim text retains the original figure with this correction per the Holding-up protocol.
- AM-132 · Partial · 10 Jun 2026
One of four legs unanchored on re-review. The claim text attributes '12% of deployments clearing 300%+ ROI with 88% at or below break-even at 12-18 months' to the Stanford DEL 2026 Enterprise AI Playbook. Full-text verification on 10 Jun 2026 found no such figure in that source: the playbook (Pereira, Graylin, Brynjolfsson, Apr 2026) studies 51 successful deployments by design and contains no ROI distribution, no 300%-plus cohort, and no break-even measurement point (full finding at AM-029, correction of 10 Jun 2026). The only verified figure carrying the same 12/88 numerals is IDC research with Lenovo (via CIO.com, Mar 2025): roughly 88% of AI proof-of-concepts never reach production and roughly 12% graduate — a pilot-to-production graduation metric, not an ROI distribution. The Gartner 28%, McKinsey 23%/17%, and MIT NANDA 95% legs verify; they support a small high-performing tail and a large struggling body, but none documents the two-peak bimodal shape the claim asserts. Status Up -> Partial.
- AM-129 · Partial · 10 Jun 2026
One of three read-against anchors unanchored on re-review. The claim text cites 'Stanford Digital Economy Lab Enterprise AI Playbook (12/88 bimodal ROI distribution at 12-18 months)' and frames the realistic ROI band around 'the highest-discipline 12% cohort'. Full-text verification on 10 Jun 2026 found the playbook contains no 12/88 distribution, no bimodal ROI shape, and no 12-18-month ROI measurement point (full finding at AM-029, correction of 10 Jun 2026). The claim's core negative finding — no mid-market enterprise has produced a documented +240% ROI in 90 days under audited conditions — is unaffected; the McKinsey State of AI 2025 and MIT NANDA legs verify and continue to support it. The '12% cohort' framing has no verifiable referent. The only verified figure carrying the 12/88 numerals is IDC's pilot-graduation finding (roughly 88% of AI proof-of-concepts never reach production; via CIO.com, Mar 2025), a different metric. Status Up -> Partial.
Reviews coming up in Reporting
- AM-063 · Holding · next +9d (27 Jun 2026)
AI agents executing financial transactions need a four-control bundle (action-approval gates by blast radius, kill-swit…
- AM-061 · Holding · next +9d (27 Jun 2026)
Production agentic-AI costs at scale routinely run multiples of POC projections, and a layered optimisation programme c…
- AM-003 · Partial · next +9d (27 Jun 2026)
GPT-5 Pro's tiered-subscription model forces enterprises to classify problems by computational difficulty — $200/month…