All right, good morning. Welcome to Octane. Welcome to Investor Summit. This is going to be a one-hour Q&A session with our top executives. We have Todd McKinnon, our CEO and co-founder, Brett Tighe, our CFO, Eric Kelleher, our COO, and John Addison, our CRO. This is for you. We're going to take questions in the room. We'll take them one at a time, and we'll start right away. David, if you want to.
Maybe up front, I could just summarize the key points.
Absolutely.
Would that make sense?
Yep.
Yeah. Hi, everyone. Thanks for joining us. I think this year at Octane, we have a very, very relevant message to deliver. Just in terms of what's going on in the world and the challenges and the opportunities everyone's facing. I think it's a message that people expect us to deliver. That's a, I think, a powerful combination. That message is, you know, for those of you that saw the keynote this morning, I'll kind of summarize it for you. It's basically that the insight that everyone's having is that AI really means agents and how agents can automate work and how agents can improve productivity and impacting all these different layers of the stack and all these different industries. When you break down what makes agent security real and valid and valuable, it's the fact that it's really identity security. These agents need access to different resources.
They need their own identities. You have to have visibility, governance, and control about what they access. In terms of about us being relevant, it's like exactly what people expect from us. We've been working on this for many years. Today we talked about three important innovations we're delivering to make this identity security foundation for the agentic world real and relevant and powerful. The first one is how we're bringing the, we're really defining this new category, this new category called identity security fabric. Identity security fabric. The way this works is that it's just like saying, you would say CRM. There's a category called CRM, and that's the combination of sales and marketing and service and support, where you would say ERP. That's a category that combines HR, financials, manufacturing. Identity security fabric is this category that combines governance, privileged access management, identity security posture management, access management.
I think this is what customers want because if they want to have a solid foundation for security, AI, all the stuff they want to build on top of that, they have to get their identity security foundation in order. It has to have comprehensive coverage. It has to leave no gaps. It has to provide automation, orchestration, all the things, you know, we've been talking about. It has to be this new concept that people don't want to buy these individual products that, you know, maybe don't work great together. They don't want to buy separate vendors for all this stuff. They don't want to have to integrate vendors. They want an identity security fabric. We talked about how the Okta platform delivers that. It's the best example of this today in the industry. It's the most complete product set. It's cloud native. It's the most integrated.
It preserves choice and independence and neutrality. Now we're bringing AI agents into this platform with native support across the product suite. From identity security posture management, access management, to governance, privileged access, they all support this new identity type called an AI agent, which is kind of like a combination of a system account or a non-human identity and a person. It has attributes of both, and we've combined it across the entire product suite. That's the first set of announcements. The second set of announcements is how we're working with various efforts around standardization to help standardize how this concept of an identity security fabric interacts with this vast, complex array of technology in all these customers' environments. We talked about our progress on an open standard called IPSY. We talked about this new standard we're working on called cross-app access.
It's just giving the identity security fabric more control and more visibility into the entire technology landscape, enabling faster adoption and more control and better outcomes. All toward the goal of doing more with AI. Finally, using our Auth0 platform, developers can build applications and agents and agentic systems that comply with these standards out of the box. If you build an application with Auth0, it connects into all these protocols like IPSY. It does cross-app access. It really helps people build fabric-ready things. Hopefully, you've got this sentiment if you talk to customers here at the show, but we've never seen interest from a new product area like we do about this one. Everyone wants to talk about this. The biggest companies in the world have this problem of AI agents, and they want to do more with agents. It's very exciting. Now, it's talk at this point.
The question will be how fast that translates into both people buying more of our products just to build this fabric and then over time actually buying more products specifically for AI agents. All these capabilities that I'm talking about are new. They're going to be new things that people pay for in addition to what they pay now for customer identities or employee identities. It's super exciting times, and we're great to, I'm excited to be here to talk with you all about it to help you get a better understanding.
Hey, Eric Keith with KeyBank Capital Markets. Thanks for doing this and having a great time. Todd, maybe I'll just say at the onset, the amount of innovation that you're doing on AI agents and how forward-leaning you're being is, I think, unmatched in the industry. I appreciate that. On a couple of the things you talked about, for me, talking to your partners and your customers out there, I'd still say it's hard to find two people that agree or have the same message on how we're going to secure AI agents. I think you still just get a vast difference in people's approach, initial views on how it's going to be done. Where do you think we are, or where do you think we are in terms of maturity, standardization of how we're going to secure AI agents?
Second, to the point you were leading with, look, we all want to see acceleration and growth. When do you think this really could be a growth driver for the business? Thanks.
You're having those conversations before the keynote, right? They weren't, we weren't clearly explained to them about the vision of the future. I think it's a very important point and an important question. I see this, I think where we are as an industry is that in the last year, everyone agrees on the problem. I think it wasn't a hard case to make to the audience today that a big part of AI security is identity security. Agents are the way or what we have to fix, and that's an identity security problem. That was, we tried to clearly lay that out. I think, frankly, a lot of people understand that, or more people understand that than did a year ago.
I think that the solution, how to go from all this energy around companies adopting and building these tools and adopting all this wave of innovation coming from all the technology providers and translating to actually how they do that, we're still figuring that out as an industry, and we're hoping to lead there. The first necessary and present condition is the amount of interest and the amount of inbound really concrete exploration that customers are doing around our solutions. I think the first wave is really going to be customers thinking about this concept of fabric and how they can normalize this complexity with one vendor and this one stop shop for identity. That's the first thing that's going to help us grow faster, I think. Actually, the agentic part of it will kick in later.
I think there's a lot of potential opportunities for growth here coming out of this.
Great. Mita Marshall from Morgan Stanley. Just a question on the cross-app access and just how critical it is to get buy-in from other partners in order to fulfill the vision of the identity security fabric.
Yeah. Brett is the expert on cross-app access. It is very important, and it's not going to happen overnight. One thing to understand too is that a lot of the benefits of managing AI agents in Okta and vaulting the credentials and having governance and ownership clearly outlined on who in the organization owns the agent, there's a lot of value there if cross-app access never takes off. That's the first thing to understand. You're going to want to discover these AI agents. You're going to want to track them. You can do that all without cross-app access. Cross-app access is a future-oriented way to make it all work even better. This is going to take time.
You have to propose the standard, get agreement on it, build it into the products, get technology providers to adopt it, and then get more demand for it so more other technology companies build it. The standard is important because none of these technology companies, Box or Google or Amazon or Microsoft, want to build something that's only going to work for one environment. They want to have an open protocol, and that's important. It's going to take some time. The only way it has a chance, which makes me so excited about it, is that it has to solve a need that these technology providers see.
The reason why we started working on this over two years ago was because we were talking to all these SaaS applications that were trying to roll out their applications in these environments, and setting up all these cross-system grants between users was a mess. They would try to roll out these awesome innovations they had, and it's like, yeah, but it takes the company six weeks to set up all the allow this thing and grant this thing. That's why we started building it. Only later did we realize it's perfect built for this world of AI agents because AI agents are inherently cross-app. They're inherently connections of multiple systems. It's a long-winded way of saying that the technology vendors want this, and that's why I think the reception has been so high. That's what you need to get this stuff started.
If you try to make up some standard that no one cares about the problem, you're really kind of fighting against the wind. We think we really have a tailwind on this one.
You can see that we had an event about a month ago with 1,100 people from ISVs who are interested in this and want to be able to implement it. That's just, you know, just pure quant, but it's pretty nice to see that kind of level of interest. We had a bunch of good companies on the page today, but there's going to be more and more as the months and quarters move on. I love that pure quant. I think that's awesome.
Just to add to that, the keynote, for those of you that have not yet seen this morning's keynote, please go back and watch it. It really does a nice job framing up our vision, Todd's vision, Okta's vision on these topics specifically. At this time of the year, it's when we paint a vision for where the market is going and how Okta is skating to where the puck is going to be. What's interesting this year about the message around securing AI agents is our customers are all in it with us. They're all right here. This transformation is happening for the industry just so quickly that this conversation is a real conversation. In your briefing package, you'll see some data. We just conducted a survey of a few hundred companies. Over 90% of them have agents in production.
10% of them say that they're confident they're actually governing the agents. That is a shocking split between people that are deploying the technology and saying, just go fast, innovate, and solve what you can solve. Let's have confidence that these agents are appropriately governed and used in our stack and secured within the stack. All of the work that we described today on the identity security fabric is designed to help companies bridge that gap and allow them to continue to innovate with agents, but do it in a way where they're securing those agents properly and governing them with policies and rules that they choose. There was a demo in the keynote where we showed how security posture management will identify rogue agents that have been deployed and haven't been purposely cataloged and put in a directory and governed.
Cross-app access as a capability for people building agents will allow them to be deployed. These 1,100 ISVs that attended our event last month that Brett mentioned, they all have the problem that they want to sell products and they want to sell agents, but their customers don't want rogue agents. Their customers are only going to deploy agents that they know that they can properly secure. We're very optimistic that cross-app access has a lot of interest already because everyone needs to solve this problem. It's not a problem they need to solve three years from now. It's a problem they need to solve today. They're already behind. We feel very confident in how that's going to play out.
Janae Siddiqui, Truist Securities. Todd, we're seeing this increasing convergence between identity and data security in this age of agentic AI. Could you talk about how you're positioned to bridge identity security with data governance so customers can enforce consistent policies across users and data? Is that an area that makes sense to expand to?
It's inherently related, and we see that in all of our, we hear that in all of our customer conversations. There are different kinds of technology resources. There are the applications that have all the roles and the groups and the permissions that kind of implicitly define who can access the data or explicitly define who can access the data. Then there are things like data warehouse where it's like the whole thing is data, and it's just about specifying the rules on who can access what. It always links back to an identity. By the way, the really important thing in agents is getting them the data. That is why identity security is such an important part of the combination there.
One question I get often is, everyone says they are going to, everyone in the security world says they are going to secure AI agents, and who is really going to do it? Who is going to win? This is kind of like the same with identity and data governance and data security posture management and that whole category and network and endpoint. I think the reality is that they are all going to play a role. I think it is naive to think that there is going to be, saying there is going to be one single security solution to secure all of agents, and once everything is agents, all you are going to need is one security solution, I think it is pretty naive. We need a multi-layered approach, and I think all of the major pillars of zero trust are going to have an important role there.
I think the world underestimates how dependent it all is on identity, just like in zero trust. A lot of zero trust is dependent on identity. It is not going to be the one, that is why I think it is a mistake to think about, oh, there is going to be one company that does everything in security. I think trying to consolidate all of security is very challenging. I think consolidating in identity is super valuable and I think doable. You know, taking a company from 50 vendors down to one vendor is very doable. I think it is pretty hard to take a company from all the security tools they have down to one, simply put, just because they need different types of security tools to be the most secure.
Patrick Colville from Scotiabank. Thank you guys for having us. I've spoken to about 12 customers over the last 24 hours and asked all of them, you know, are you here at Octane to learn about agentic AI security? Interestingly, not a single one said yes. They all said, no, we're here for kind of, you know, PAM, governance, et cetera. I'm going to ask about agentic AI security because that's the hot button issue. When you're talking about cross-app access, isn't that a protocol? I guess how do you monetize a protocol? The reason I started with that opening statement is because I want to bring Brett in. When will this monetization start hitting the financial model? If customers aren't here for that now, is this a 2026 thing or maybe even like 2027?
I think this concept of an identity security fabric and a one-stop shop for all of these formerly separate categories is a big growth driver for us. We're investing heavily in R&D to build out these products beyond access management, as we've talked about for many years. The reason they're here is to buy all of our new products because we have a lot of great new products to sell. Making sure the industry understands that this is where the category is going and we're going to capture that category is a very important part of the messaging we're delivering to the market. The outcomes are great for everyone. I think the customers that you talk to know that. You don't monetize a protocol. Cross-app access is an open protocol that basically, strategically, the way we think about all these standards is they make identity more valuable.
They make identity able to do more, able to drive better security outcomes, able to give customers less friction in adopting technology. It's a little bit, you know, a benefit to the entire industry, but we benefit tremendously by the fact that identity tools are easier to implement, easier to upgrade, easier. A big opportunity for us is just making the change cost easier. When these companies want to consolidate vendors, making that incredibly easy. We do that in a lot of different ways. We do that in investing heavily with partnerships with systems integrators. We do that by building a lot of core technology, by evangelizing open standards. We want customers to get to this better world. By the way, by supporting this powerful new identity type, we're going to make it over time. I think it will take time.
Like I've said before, I think the near-term opportunities are a lot about the broad product portfolio and consolidating legacy and large enterprise. The agentic thing is real. Next year, we'll be talking a little bit more about it. You'll see more tangible business drivers in the following years. It's going to be a big deal.
I think that, go ahead, you go first. The keynote is, and our vision and the narrative that we're really emphasizing this year is on this very timely urgency around the gap I talked about earlier between agents being in the wild and how they're being governed today. You'll see throughout the demos and the platform keynotes that follow and the sessions that follow as well about how we're helping secure agents in this idea. The core premise of all of this is that we've elevated agentic identity as a first-level identity. Just like a human identity and non-human machine identity, we'll now have agentic identity. We have tons of product announcements coming out this week about all of the products in that identity security fabric for all three of those use cases, the human, non-human, and the agentic.
Our governance product, for example, earlier this year, we announced a connection for on-prem applications and also separation of duties. We're announcing this week that that is now available for federal use cases as well and now available to new customers there. We have new announcements on our privileged access product, as well as all of our access management categories. On the protocol of cross-app access specifically, one of the things we'll be announcing in the Auth0 platform keynote is for anyone who's developing agents using Auth0, they will inherently support cross-app access. It's a radio button you click to support the protocol when you publish your code. There are opportunities for us to lean into the standards as they become more adopted in the industry. To your point, the protocol itself is not what we monetize. It's the security that we can provide better with support for the protocol.
I think I'd say as the person who leads the field team, the best thing about going to market with this new message is it just highlights Okta's strengths. Our independence, our neutrality, our cloud-native position. When the field are learning about the relevance of our identity security fabric for human, non-human identity and agents, it's a pretty easy leap for them to actually get how that works because underpinning it is the value of our platform. How we excel in access management, identity governance, and privileged access management, secure posture management, that all relates to the management of agents as well as non-human and human identities. We feel pretty good about how we can cross the chasm with our customers and help them understand that.
I was just going to add, Patrick, about your growth algorithm question, it will take time, like Todd was saying. Think of it at what we've done with governance, right? We've made that product really good. You've seen the impact to the financials, hands coming along, Device Access, all these things we talk about. Identity Security Posture Management, it just takes time. It's just another thing that we have in the toolkit for John and his team for them to sell as the world changes over time, as agentic AI becomes more and more embedded in the way the tech stack works.
I asked you to check in with the partners. We spent a whole day with them yesterday. You know, they're having lots of meaningful conversations now about this. It's a real concern for our customers and prospects. It's not just in our install base's concern. It's real and it's happening now.
Rudy Kessinger, Diya Jolly, similar line of questioning. We've spoken to over a dozen customers as well. Opposite of Patrick, actually, most of them are interested in your AI security capabilities at the same time.
Oh, this was after the keynote?
Oh, this was actually yesterday we were here, you know, all throughout. At the same time, most of them tell us we're not even close to rolling out AI agents broadly anytime soon. I think that's typical, yeah.
Right. If the product's going to be GA sometime next year, I'm going to go out on a limb and assume we're not going to see any material contribution till FY28. A lot of people in the room want to see improved growth sometime before then. How do you make sure you're not overallocating too much time, energy, resources into developing those solutions when you could be allocating that time, energy, and resources into more near-term opportunities that could drive growth? What was the last thing? Near-term opportunities, like what? Near-term, investing in other near-term opportunities.
Another near-term, yeah. It's really a good question. I think about it this way. We're getting a lot of, in building all the capabilities for AI agents, there's a lot of leverage in the foundational stuff we have to do all around. For example, there's a lot of leverage in what we've done for privileged access management and the vaulting and the rotation and what we've done in governance for the governance workflows around certifying that things still need access to things. We're getting a lot of leverage there.
When I talked to the team about as we were innovating and building all this stuff, I said it's very important in these things that we get real customer input because there's a lot of hype and a lot of excitement around AI, and I wanted to ground the team as we built this in real tangible customer input on what they actually needed. I think what we found is that there was a lot of overlap with the use cases around governance and privilege and having this end-to-end fabric and just taking that final mile to AI agents is something that's valuable, but doesn't put us down a path that could turn out to be fool's gold because it's some, you know, thing that no one turns out to really need.
Yeah, I think the core use cases of authentication and authorization apply to agentic identity the same way they do to a human identity, for example. When an agent takes an action, you need to be able to verify that it is who it says it is. You need to authenticate, and it's not being impersonated by a threat actor. When it takes that action, you need to verify that it has access to do the thing that it's trying to do and needs to be authorized. The tooling we provide around authentication for human identities, that infrastructure applies directly to authentication for agentic identities. Our fine-grained authorization with the Osero platform for building agents allows you to build in authorization controls as well. There's a lot of leverage and overlap in capabilities between the features we're deploying for human and machine use cases that apply to agentic as well.
It's one of the reasons why this isn't a, it's not a new launch of a new platform. It's an extension of our identity security fabric to also support agentic identity.
Yeah, one thing to clarify, in case people aren't aware of it, is that all of the agentic capabilities on our platform, those will be new offerings we sell. Just like if you add more users to Okta, we deliver more value and the customer pays us more. If you deploy agents with the Okta platform, you're going to deliver more value and we're going to capture that value. It's a nice combination of an extension of our current products in a way that's clearly delivering value and we'll be able to monetize.
Hi, this is Nasser Islam for Brad Zelnick at Deutsche Bank. The Okta AI Agents is a super interesting step forward, and I want to focus on pricing. There has been a lot of debate over how pricing models change in securing AI agents, and it feels like the traditional basis of per user or per agent pricing may not be the way forward. I'm just interested in hearing how you see this evolving.
I had a hard time hearing you. There's an echo. Maybe, did you guys hear him?
No.
Yeah, it's hard to understand.
Oh, sorry.
Yeah, the sound up here is kind of echoey.
I'm just wondering about how you see pricing models evolve when you're securing AI agents.
How pricing models evolve, yeah. I think the basic thing I just described is like there will be additional, we're going to deliver additional value from all this capability. There will be customers who will be charged for it. We're finalized, the base, there is a clear model around just a lot of agents act on behalf of the user. Think about companies rolling out their own version of internal ChatGPT, those agents are going to act on behalf of Brett or Eric or John. The identity and the number of agents they need to license is very tied to the set of users. That's an obvious extension. That's like, think of it as an extension of the per-seat license. I think what we're still modeling in some different scenarios is how it works when there's a one-to-many. There's an autonomous agent that does work on behalf of many users.
That will end up, as we work with customers and finalize this, that'll work up in some variant of a per-request or a per-backend resource model. It'll be monetized a different way because there's not the inherent number of agents there are in the case where an agent is acting just on behalf of one-to-one on behalf of users. As we get through the final steps of this toward availability next year, we'll be finalizing all that and communicating it clearly to everyone.
is fairly similar in unit of measure to what we do today, maybe with a little bit of tweaks, maybe a little bit of blending of the two concepts. We will definitely update you guys as we make more progress.
Okay, great. Yung Kim, Duke Capital. Obviously, you know, there's a lot of discussions about when the agentic AI adoption will happen and the timeframe around it. If you do look at one market, that's where there's a lot of development going on. That's within the technology companies like ISVs and business application vendors. What kind of go-to-market motions do you have targeting them today? Do you feel like you have to basically become a standard among those vendors to be relevant on the agentic AI rollout as it rolls out to the other enterprise markets?
Yeah, I think it's an important area of our strategy is serving, especially the companies that are building these agentic solutions and how we can partner with them and how we can work with them on this broader adoption of standards, like we've talked about. Our strategy here is that we want to be the best identity provider at securing identity and securing agentic AI. We want to do that by being embedded and being partnered with all of the people building agent technology and agent platforms and app vendors building agents. We want to be the constant across all of it. That takes the right product. It takes the right partnerships. We're very focused on that, making sure that's a reality.
Hey, this is Laurence Vensko for John Difucci at Guggenheim. For the longest time, Okta and the identity players have primarily been tasked to secure human identities. It's clear that that's rapidly changing. Based on your presentation this morning and given your roots, it seems like the identity platform is coming together to secure both humans and non-humans. My question is, is one of those core components more relevant to secure NHIs? Is that the right way to think about it? Is it finally just coming together between access management, privileged access management, and identity governance for both?
Yeah, I think that we should stop thinking about them as separate things. I think that's why this concept of the fabric is so important. People don't want to have a bunch of different vendors. It's one of the things people don't like. There's a couple of really pretty misunderstood things about identity. The first one is that the amount of complexity at customer sites around the number of identity tools is quite staggering. Even a small company has 20, 30, 40, 50 different identity vendors. There's tremendous value in consolidating that and normalizing that. We think we have the right platform to do that, to implement this fabric. The second thing about identity technologies is it's a lot of effort and a lot of work traditionally to get them fully deployed.
We're doing a lot of things over the years, and even when we talk about standardization and all the technologies we're building to connect to cloud systems and on-prem system, we're trying to make that easier. We're trying to make it easier to deploy these identity management tools and let people consolidate and let people simplify. I think those two things coming together is one of the reasons why we're so well positioned. We can really remove complexity from customers' environments. We can help them have better security outcomes. We can meaningfully change their business. That's why we're so well positioned.
Yeah, I would just add it's fairly simple what Todd talked about earlier today, right? It's every identity type, every identity use case, and every type of resource, right? Each one of these things that he's been talking about today on the main stage in here today is about trying to go after those. There's a bunch of technology underneath that actually helps us accomplish that. If you just think about it from that simplistic viewpoint, that's really what the identity security fabric is. We have an online question.
Taz from Roth is asking, you have a platform for building AI agents, but at the same time, a lot of other companies like Salesforce and ServiceNow are providing the ability to create agents on their platform. How do those platforms collaborate or compete with Okta? Would they need to tie in with Okta to secure agents on their platform? NetNet question is, do customers build agents on the Okta platform or the platforms offered by the application and SaaS vendors to build agents?
I think the way to break it down is you need to, you're going to have agents from a lot of different platforms. There's going to be a lot of heterogeneity in this world. It's going to be rapidly changing. You try to manage what you know is going to be fundamental, and that's the governance, the visibility, and the control. That's what we're doing with the Okta platform. We want that to work seamlessly with every, whether it's Amazon's agent builder or Google's agent builder or Microsoft's agent builder or Salesforce or Atlassian or anyone. We want it to work everywhere. By the way, we want to standardize it so everyone can get the benefit of this identity security fabric, no matter, you know, what they choose. We want flexibility and openness.
Now, I think in that, on the vein of like, there's going to be a lot of different ways to build agents. With Auth0, we're trying to make sure that if you're building your own agent with your own development tools, you can use Auth0 to do the identity security part of that. Of course, that's going to work on different platforms. I'm sure there'll be in other platforms, there'll be competitive offerings to that because they're going to want their own identity stuff. Our commitment is that it's going to work great with this standardization to manage, govern, and control that we think should be adopted by the entire industry.
Hey guys, Tomer Zilberman, B of A. Wanted to ask about the competitive landscape. Last week, you had CrowdStrike at Falcon talking about expansion of identity, further expansion into identity versus being more identity adjacent before. You obviously have Palo Alto acquiring CyberArk, which they're also here as a partner. I wanted to ask, how do you view the competitive landscape changing with the entry of these bigger platform vendors? Is there enough room in the market for everyone here? Do you think that you'll continue to partner with them versus being more head to head?
Yeah, the way we think about this is, first of all, I think the goal is zero identity-based attacks. It would be awesome if identity-based attacks, we solved the problem and all of us went on to working on something else. That would be amazing. It's another way to say like there's tons of work and tons of opportunity. I think when you think about how to solve that problem, there's a school of thought that you should have all of the pieces of security working along with your identity security capabilities to solve all security challenges. That's when you see like Microsoft or CrowdStrike or Palo Alto, that's essentially their strategy, a one-stop shop for all security, which is I can see the appeal of it. There's lots of fragmentation there. There's lots of potential operations or ways to consolidate.
I think the challenge is that in the security market, you need two things. You need, there's constant innovation. There's constant change. It's an adversarial environment. People are trying to break into it. You need this ability to constantly adopt the best solution. That's always a tension, I think, against consolidation and security. That's an important concept. The other thing is that you, when you think about what we could do from an identity perspective, it's really about securing the environment and having these things like detection and posture management. It's also about how the environment could be built in a way to be more secure. I think that's what coming from a foundation of an identity provider brings us. We can both help secure the environment and actually build a more secure environment itself. That's a unique approach we have. There's definitely overlap, right?
I mean, there's different, everyone is trying to say where they're going to secure AI agents. There's clearly with CyberArk, there's some overlap with Okta. Some of the things that CrowdStrike is doing in security have overlap with what we're doing. That's for sure. There's no, I think it's the wrong way to think about it to be like, oh, there's going to be one size fits all. We're going to have layered defenses. We're going to have identity defenses. We're going to have network defenses. We're going to have cloud management defenses. It's all about those things working together to really drive toward this goal of eliminating identity-based attacks. If we did that, that's 80% of the security breaches. I think there's a lot of work to do. We're going to be working with them. We're going to be, you know, overlapping with them in some places.
It's an important work we're doing. We'll do it together.
Another online question?
It's Mark Tash with Raymond James here for Adam Tindall. I just want to ask, how much of the agentic AI strategy revolves around customers buying into Okta's governance and privileged access on top of Core IAM and SIAM to be able to monetize the way that you're planning?
I think we can monetize it if they're just in core access management. Just agents in the directory, track the owner, make sure that the connections are secured. It just gets more valuable if you want to do governance as well and you want to do privilege as well. It's kind of similar to like a person, right? You can do core access management, but you can do privilege. You can do governance as well. It gets more valuable as you expand the number of products in the platform you buy.
Obviously, the business has had a number of headwinds the last two, three years, but it seems like we're coming out on the other side right now with a more specialized go-to-market effort, increased pipeline, better rep tenure, a much stronger product breadth, a normalizing macro, and obviously demand for identities probably at an all-time high. My question is, what concerns do you have out there? What do you think would hold the business back from re-accelerating growth?
John, you want to take that? Our go-to-market strategy, like you said, is based on a number of things. Go-to-market specialization has been something that we've been working on for a period of time now. This year, we moved to a more specialized approach by platform that's particularly relevant to our biggest customers internationally in our tier-one markets. We've made pretty good progress. We're pretty pleased with the results from those segments through the course of H1. Prior to that, we moved to a Hunter Farmer model in our commercial business in the U.S. That, again, has been really positive. They had a great H1, and productivity is going really well from that standpoint too. We think those specialization bets are working. Where we see real upside is on international expansion. We're super focused on a collection of tier-one countries outside of the U.S.
where we're making some significant bets in our partner investments there, localizing our products and making sure we can deliver them with the right and necessary deployment options. That's got a significant amount of upside moving forward, our international expansion. When I also think about the area across the board where we see real upside too, it's in our biggest customer cohorts. For some time now, we've been really pleased with the amount of growth we're getting out of our sort of million-dollar ACV cohort. It just makes sense when you understand our strategy and you're seeing what's really driving growth. It's in these bigger, more complex customers. They've got the legacy of years of buying disparate identity tools. They've just got a lot of complexity. They've got a lot of sunken costs, and they've got a lot of risk exposure.
These are the ones that are really leaning in with us, either they bought access management from Okta before, or they're considering their estate, and they're considering refresh. I see very significant upside in our biggest customer cohort everywhere because of that. It's a trend around consolidation. Many of them want a single control plane for all identity use cases. We're the market-leading independent version of that. That's something we're super excited about and how we mobilize our partner ecosystem around that opportunity, how we align with them, make sure they have the right value propositions, the right expertise, and the right service offerings to make customers successful with that. That's the biggest opportunity that we've got to get right. That's where we're investing a lot of effort at the moment.
For example, I had an executive briefing yesterday with the CISO for one of our larger customers, a top 10 customer for Okta. They are on a three-year contract that renews next June. The entire conversation yesterday was what is their plan and roadmap to deploy all the capabilities Okta has added since they first came on board. They haven't yet deployed governance. They're planning to deploy governance. The conversation yesterday was how to move from their current product-based agreement with us into an ELA. They want to buy, they want to get onto the identity security fabric and be able to deploy it everywhere for all those use cases. Todd talks about several examples of customers that are consolidating dozens and 50 to 100 different identity tools onto one identity security fabric.
These conversations are becoming more and more common as our products become more capable and as our customers become better educated about the complexity that they need to solve for. Those conversations are happening all the time right now.
Do you have that in the forecast?
Yeah. The other thing I'd say is that specialization per platform is also benefiting the AllSero motion. We're really seeing the continuation of customers investing in seamless digital experiences, and how the AllSero team can focus on that opportunity with real, strong cognizance and discovery about how that shows up in particular industry verticals is a really big part of us continuing to grow the AllSero business, especially in our biggest customer cohorts.
Hi, it's Todd Simon, Soma Equity Partners. Can I just ask a follow-up to that one? Can you talk about, in these examples of customers that have been with you in access and are kind of choosing to take the whole platform, what happens to their, how should we think about their spend with Okta? What's the rate of change of the spend on those customers? I'm surprised that you're talking about the larger customers starting on this journey first. I would think that the small, mid-size, then maybe less mature IGA PAM programs are the ones that would be the first target to go after here. Maybe you could give us kind of color on that motion as well.
Yeah, I think on the piece about building out across the identity security fabric with us, I think with these customers, a lot of them have experienced kind of disappointing value from a lot of these legacy products. They've not gone as fast as they wanted these deployments. They're expensive sometimes, and they create risk exposure for them. I think it's kind of everywhere, that concern. We're seeing customers leaning in when we acquire them across a broad range of products from us now. We've got a lot, we've got 20,000 customers. We've got, you know, access management customers at every single segment level. They're all experiencing this challenge with the implementation effort, the administration effort, and the risk exposure of having these disparate tools managing identity. At every level, they're leaning in.
I just think that we're seeing the most growth out of the bigger customers because when they lean in, they tend to spend more money with us. They obviously have most, you know, most legacy. I think it's a growth opportunity in all segments. We're experiencing the depth of the problem probably greatest in our biggest customers because they've got the biggest history of implementing these products and it causing these problems.
I think a lot of that too ties into the partner conversation because traditionally Okta's products have been super easy to implement. As we've broadened the use cases that we cover to governance, posture management, threat detection, privilege, the set of services work gets quite rich, which obviously bears a positive flywheel there with partners because there's more opportunity for them to add value, which makes them get more up to speed on Okta and what we can do, which means more customers use them. There's a virtuous cycle there.
Yeah, that's right. I mean, our partners are super excited about it because they oftentimes have been involved in some of these projects and they deeply understand the business needs of our customers and how they've evolved. They can really add value when they look at all of the use cases across the identity security fabric. It's not just at the initial point of implementation. It's like a long-term value orientation for them that really leverages the uniqueness of their relationships with our customers.
Yeah, I'm spending a big percentage of my time personally with big prospects, big customers, and big partners to try to really take advantage of all the momentum there across the business.
Yeah, we shouldn't underestimate how good the products have gotten over the last couple of years, Todd. I think that the comment you said about, oh, governance maybe being a little light, like that is an old tape. It's a pretty darn good product now. We're seeing more and more of these customers land not just with access management. They're landing more with the full suite of things, right? Because they are looking at our products and saying, wow, they're actually quite good. We really, we really should buy more from you guys. It's still a small number of big customers that do that. Ultimately, the long-term goal here, which is what we've been sitting up here talking about, is get all these people on the identity security fabric, which is effectively the entire portfolio.
What resonates with these big customers is just look at our R&D spend. It's bigger than all the other identity companies. They know that these products are going to keep getting better and better and better relentlessly. That's what they're making the bet on a lot of times. Not only have we proven that we can deliver them, but we've proven that we can make them better over time. Other companies are getting distracted. They're changing ownership. They're getting bought. They're getting sold. They're doing other things in their focus. We're kind of consistent. We'll keep plugging away.
Zach Schneider with Baird. I wanted to ask about Okta Identity Governance and specifically which capabilities within Okta Identity Governance, either entitlement management, certification, et cetera, are seeing the strongest traction today and maybe where there's some adoption frictions. In that sense, will Okta Identity Governance become more of a core module embedded across the identity stack? Or do you envision it maintaining a more monetizable standalone SKU?
I think we're really pleased with how Okta Identity Governance is going. That's the first thing. It's a very, very clear cross-sell opportunity for us in our install base, and the team is really cranking just on that. It's also really nice, like Brett said, when we win new logos on Okta, more often than not now, we're landing them with Okta Identity Governance. Companies see it as a highly relevant product to manage governance in their environments, and we're really just getting started with it. Irrespective of how broad you go elsewhere within the identity security fabric, it's super obvious to us as companies look at the value of Okta. Even if they've got existing governance investments, a coexistence with them with Okta Identity Governance is incredibly valuable to them.
We're also seeing a lot of customers switch off existing legacy products that they've got quite embedded in their businesses, and they're switching onto Okta Identity Governance long term. Very, very exciting opportunity for us over the long term, Okta Identity Governance.
Hi, Krishal Jivheari from Salarana Global. Thanks for taking the question. Todd, I was just hoping to get an update from you on the latest thinking in terms of the internal architecture. Obviously, it's been several years since Auth0. You know, till now, you've opted to keep it separate from a platform. Now, even this year, a go-to-market perspective. I guess is maintaining these various systems, you know, Okta Workforce, Okta SIEM, Auth0 SIEM, like, is that enabling the speed and innovation that, you know, seems to be increasingly required in a market where the time to market matters even more now? You know, competitors are out there with other products today. Obviously, some acquired, some repurposed, but still.
I think I always want more in terms of innovation. I'm never satisfied there. I think we're doing a good job, and I think that we've proven that these products really have different value props to different buyers. What a developer, a builder wants is pretty different than what an IT and a security team want. I think you're seeing benefit from being in their respective lanes and what they've been able to innovate. I'm pretty happy with it while I was wanting more. We have another online question.
Joshua Tilton from Wolfe Research asks, lots of questions around how the identity market will evolve with CyberArk becoming part of Palo Alto. Neutrality and the integration network have always been competitive differentiators for Okta. Does the integration network have to evolve to support an agentic future? Does the value of the integration network increase or decrease as all of the apps you are reintegrated with launch their own agentic capabilities? Lastly, is there any reason from a tech perspective that identity should no longer be neutral from other areas of security in an agentic future?
I think that with CyberArk is very interesting. I think that I'm not sure about this, but I think they had a similar idea that they wanted to build this identity security fabric, which you have to have all the products in the categories. You have to have great access management. You have to have posture management, threat detection, governance. You have to have privileged access management. I think there's a big question now, like, will they change the approach? Will they really lean into privileged use cases, security use cases, parts of agentic? I think that's yet to be seen. I think that the pull there is definitely going to be, I think, favor Palo Alto more, integrate tightly with that. I think the independence and neutrality is a huge advantage. I think there's not, you have to consolidate something. You can't have everything from everyone.
It's a question of which consolidation points do you choose? I feel strongly that it's dangerous to consolidate on security because of the adversarial nature, because of the lock-in you get from consolidating from one vendor. I think identity is a good place to consolidate because you can get simplification and cost efficiencies from the control. While at the same time, you can have the business outcomes you need because identity companies focus on connecting to everything, not just Palo Alto, not just CrowdStrike, everything. I think that's the winning position and that's the strategy we're executing on. I think this is a big change for CyberArk. I don't know what it means for their old strategy, but I think it's a big change.
Yeah, it'll be a while before that becomes tangible because that whole deal needs to complete first for them to be able to understand exactly what they're going to do, where the roadmap will take them.
Maybe kind of slightly off topic, but you know, you mentioned a lot of that this is going to take time with all of these agentic solutions. You also mentioned in your keynote a lot of FOMO of customers. I guess just from a perspective of like your guys' own AI journey and kind of adopting AI internally, just where you guys are, where you guys are finding usage.
Yeah, we have, so we use AI throughout Okta. I think in our, from a productization standpoint, probably the most prominent use case we've talked about publicly is Identity Threat Protection with Okta AI. It uses the AI capabilities across our volume of transactions that we manage. As a company, we process over 45 billion authentication events per month. That volume of data helps us use AI to identify threat signals, things that look anomalous and could be suspicious, and to help us protect our customers from activity that shouldn't happen. That's the productized use case we talk about most frequently, and our product's been in market for quite some time. Internally within Okta, and I oversee our operations, including our IT organization that provides tools to the company. We have today over 60 AI tools internally that we use for various use cases.
It spans everything from work with our developers using developer tools like AWS Bedrock, GitHub Copilot, et cetera, to, from a creative standpoint, our marketing teams use Adobe Studio and Clay and a number of other tools. Really across the company, and Todd talked about this on stage, we're driving our people to lean in with these technologies and find out where they can make us more productive, where they can make us more efficient, where they can make us more competitive, where they can make us grow faster. We feel we have a responsibility to be thought leaders and to be progressive in exploring the capabilities of these technologies and how they can help us go faster. We also have a responsibility to make sure, just as we talk about here, we're not deploying these technologies in a case where they could cause a security deficit.
Our North Star commitment on the Okta secure identity commitment still guides. We're very thoughtful about our data governance for these tools as we bring them in. We're very thoughtful about the production use cases as we bring them in. We're very intentional to make sure that if there's an opportunity to explore how a capability could help us go faster, we're going to make sure that we explore that, even if that requires a proof of concept where we gate it and ensure that we're not causing difficulty for us. We're very pleased with our uptake. We think we have found the right balance between making sure that we stay true to our goal of being one of the most secure companies in the world and also accelerating our pace of innovation to make sure we can be thought leaders in the space.
Yeah, navigating all this change is a tremendous challenge. It fires us up. We love doing hard things. We love succeeding in the face of adversity and taking on this challenge, whether it's internal transformation, whether it's product, whether it's industry landscape. It's very motivating and very exciting for all of us. I think you're seeing that come through in what we're delivering and how we're performing as well.
It makes all of our conversations with customers just highly timely and relevant because all of them are navigating the exact context I just described. They're all in the same position right now. There is intense interest in all of us understanding how to chart a path to navigate this to benefit from the capabilities of this new wave of technology and do it in a way that keeps your company secure. I think that's what you saw in the main stage keynote, which you referenced. That's what you hear throughout the week this week at the show.
I have time for one last question coming in online.
Last question comes from Adam Borg at Stifel. Big picture, fast forwarding five years, do you expect that the total addressable market for securing NHI in general and agentic AI in particular to be smaller, the same size, or larger than human identity?
I think it's on the order of the same size. That's how I think it'll play out. I think both are going to grow and both are very important. Probably I should have had a longer question. Why don't we take one more? Any shorter questions? Someone in the room.
Anybody up front.
Hi. In the past, I know the team has said that Okta Identity Governance constitutes about 30% of a workforce deal TCV. Can we get a sense of how that compares to Okta Privileged Access and Identity Security Posture Management and the ITDR products as well, please?
Yeah, I think all of those categories, governance can be a 30% to 50% increase in value from a basic access management. Privileged can be a 30% to 50% increase over that. The other bucket is, call it identity security posture management, identity threat protection. That can be another 30% to 50%. You can go from a basic access management deal to a full all-product Okta deal that can be the summation of all those, which is, you know, three to four times larger if I did my math right. What are you?
Close enough.
We're seeing it bear out in the data, so it's positive.
Okay, I think we're at time. Thank you, everyone, for coming out. Thank you, gentlemen, for your time today. Please go enjoy the rest of Octane, go to the keynotes, walk the halls, talk to customers, talk to partners. Have a great time. Thank you. Thanks, everybody.