Okta, Inc. (OKTA) Earnings Call Transcript & Summary

All right. Good morning. Welcome to Oktane. Welcome to Investor Summit. This is going to be a 1-hour Q&A session with our top executives. We have Todd McKinnon, our CEO and Co-Founder; Brett Tighe, our CFO, and Eric Kelleher, our COO; and Jon Addison, our CRO. So this is for you. We're going to take questions in the room. We'll take them one at a time. And I'll start right away. So David, if you want to.

Maybe upfront, I could just summarize the [ absolute ]. Would that make sense?

Yes.

Hi, everyone. Thanks for joining us. I think this year at Oktane, we have a very, very relevant message to deliver. And just in terms of what's going on in the world and the challenges and the opportunities everyone is facing. And also, I think it's a message that people expect us to deliver. And that's, I think, a powerful combination. And that message is -- for those of you that saw the keynote this morning, it's -- I'll kind of summarize it for you. It's basically that the insight that everyone is having is that AI really means agents and how agents can automate work and how agents can improve productivity and impact in all these different layers of the stack and all these different industries. And when you break down what makes agent security real and valid and valuable is the fact that it's really identity security. These agents need access to different resources. They need their own identities that you have to have visibility, governance and control about what they access. And so it's -- in terms about being -- us being relevant, it's like exactly what people expect from us. And we've been working on this for many years. And today, we talked about 3 important innovations we're delivering to make this identity security foundation for Agentic -- the Agentic world real and relevant and powerful. And the first one is how we're bringing the -- we're really defining this new category, this new category called Identity Security Fabric, Identity Security Fabric. So the way this works is that it's just like saying you would say CRM. So there's a category called CRM, and that's the combination of sales and marketing and service and support or you would say ERP, that's a category that combines HR, financials, manufacturing. Identity Security Fabric is this category that combines governance, privileged access management, identity security, posture management, access management. And I think this is what customers want because if they want to have a solid foundation for security, AI, all the stuff they want to build on top of that, they have to get their identity security foundation in order. And it has to have comprehensive coverage. It has to leave no gaps. It has to provide automation, orchestration, all the things we've been talking about. But it has to be this new concept that people don't want to buy these individual products that maybe don't work great together. They don't want to buy separate vendors for all the stuff. They don't want to have to integrate vendors. They want an identity security fabric. And we talked about how the Okta platform delivers that. It's the best example of this today in the industry. It's the most complete product set. It's cloud native. It's the most integrated. It's preserves choice and independence and neutrality. And now we're bringing AI agents into this platform with native support across the product suite. So from identity security posture management, access management to governance, privileged access, they all support this new identity type called an AI agent, which is kind of like a combination of a system account or a nonhuman identity and a person. So it has attributes of both, and we've combined it across the entire product suite. That's the first set of announcements. The second set of announcements is how we're working with various efforts around standardization to help standardize how this concept of an identity security fabric interacts with this vast complex array of technology in all these customers' environments. And we talked about our progress on an open standard called IPSIE, and we talked about this new standard we're working on called Cross App Access. Again, it's just giving the Identity Security Fabric more control and more visibility into the entire technology landscape, enabling faster adoption and more control and better outcomes and again, all toward the goal of doing more with AI. And finally, how using our Auth0 platform, developers can build applications and agents and Agentic systems that are -- that comply with these standards out of the box and how they can -- if you build an application with Auth0, it connects into all these protocols like IPSIE, it does Cross App Access. And so it really helps people build fabric-ready things. And this is -- we were -- hopefully, you've got the sentiment if you talk to customers here at the show, but we've never seen interest from a new product area like we do about -- like we see about this one. Everyone wants to talk about this, biggest companies in the world have this problem of AI agents, and they want to do more with agents. So it's very exciting. Now it's talk at this point. So the question will be how fast that translates into both people buying more of our products just to build this fabric and then over time, actually buying more products for -- specifically for AI agents because all these capabilities I'm talking about are new. They're going to be new things that people pay for in addition to what they pay now for customer identities or employee identity. So it's super exciting times, and we're great to -- excited to be here to talk with you all about it to help you get a better understanding.

Eric Heath with KeyBanc Capital Markets. Thanks for doing this and having a great time. Todd, maybe I'll just say at the onset, like the amount of innovation that you're doing on AI agents and how forward leaning you're being is, I think, unmatched in the industry. So I appreciate that. So on a couple of the things you talked about, I guess, for me, talking to your partners and your customers out there, I'd still say there's a lot of -- it's hard to find 2 people that agree or have the same message on how we're going to secure AI agents. So I think you still just get a vast difference in people's approach, initial views on how it's going to be done. So where do you think we are -- or where do you think we are in terms of maturity standardization of how we're going to secure AI agents? And then second, to the point you were leaving with, look, we all want to see acceleration in growth. So when do you think this really could be a growth driver for the business?

Well, you're having those conversations before the keynote, right? So they weren't clearly explained to them about the vision of the future. Is it -- I think it's a very important point and an important question. I see this -- I think where we are as an industry is that in the last year, everyone agrees on the problem. I think it wasn't a hard case to make to the audience today that a big part of AI security is identity security. And agents are the -- what we have to fix, and that's an identity security problem. That was -- we tried to clearly lay that out. But I think, frankly, it's -- a lot of people understand that or more people understand that than did a year ago. Now I think that the solution had to go from all this energy around companies adopting and building these tools and adopting all this wave of innovation coming from all the technology providers and translating to actually how they do that, we're still figuring that out as an industry, and we're hoping to lead there. But the first necessary and present condition is the amount of interest and the amount of inbound really concrete exploration that customers are doing around our solutions. So I think the first wave is really going to be customers thinking about this concept of fabric and how they can normalize this complexity with one vendor and this one-stop shop for identity. That's the first thing that's going to help us grow faster, I think. And actually, the Agentic part of it will kick in later. But I think there's a lot of potential opportunities for growth here coming out of this.

Great. Meta Marshall from Morgan Stanley. Just a question on the Cross App Access. And just kind of how critical it is to get buy-in from kind of other partners in order to kind of fulfill the kind of vision of the identity security fabric.

Yes. So Brett is the expert on Cross App Access. It's very important. And the -- and it's not going to happen overnight. But one thing to understand, too, is that a lot of the benefits of managing AI agents in Okta and vaulting the credentials and having governance and ownership clearly outlined on who in the organization owns the agent, there's a lot of value there if Cross App Access never takes off. That's the first thing to understand. You're going to want to discover these AI agents, you're going to want to track them. You can do that all without Cross App Access. Now Cross App Access is a future-oriented way to make it all work even better. And so this is going to take time. It's -- you got to like propose the standard, get agreement on it, you got to build it into the product. You got to get technology providers to adopt it and then you got to get more demand for it. So more other technology companies build it. Standard is important because none of these technology companies, Box or Google or Amazon or Microsoft, they don't want to build something that's like only going to work for one environment. They want to have an open protocol. And so that's important. But it's going to take some time. The only way it has a chance, which makes me so excited about it is that it has to solve a need that these technology providers see. And the reason why we started working on this over 2 years ago was because we were talking to all these SaaS applications that were trying to roll out their applications in these environments and setting up all these cross-system grants between users was a mess. And they would try to roll out these awesome innovations they had. And it's like, yes, but it takes the company 6 weeks to set up all the -- allow this thing and grant this thing. And so that's why we started building it. Only later did we realize it's perfect built for this world of AI agents because AI agents are inherently cross app. They're inherently connections of multiple systems. And so it's a long-winded way of saying that the technology vendors want this. And that's why I think the reception has been so high, and that's what you need to get this stuff started. If you try to make up some standard that no one cares about the problem, you're really kind of like fighting against the wind, but we think we really have a tailwind on this one.

And you can see that in -- sorry, we might be saying the same thing. But you could see that we had an event about a month ago with 1,100 people from ISVs, who are interested in this and want to be able to implement. So that's just pure quant, but it's pretty nice to see that kind of level of interest. We had a bunch of good companies on the page today, but there's going to be more and more as the months and quarters move on.

I love that pure quant. So just to add to that, the keynote -- for those of you that have not yet seen this morning's keynote, it's worth -- please go back and watch it. It really does a nice job framing up our vision, Todd's vision, Okta's vision on these topics specifically. And Todd, at this time in the year, it's when we paint a vision for where the market is going and how Okta is skating to where the puck is going to be. And what's interesting this year about the message around securing AI agents is our customers are all in it with us. They're all right here. So this transformation is happening for the industry just so quickly that this conversation is a real conversation. In your briefing packet, you'll see some data. We just conducted a survey of a few hundred companies. 90 -- over 90% of them have agents in production. 10% of them say that they're confident they're actually governing the agents. That is a shocking split between people that are deploying the technology and saying, just go fast, innovate and solve what you can solve, and let's have confidence that these agents are appropriately governed and us in our stack and secured within the stack. So all of the work that we described today on the Identity Security Fabric is designed to help companies bridge that gap and allow them to continue to innovate with agents, but do it in a way where they're securing those agents properly and governing them with policies and rules that they choose. There was a demo in the keynote where we showed how security posture management will identify rogue agents that have been deployed and haven't been purposely cataloged and put in the directory and governed. And Cross App Access as a capability for people building agents will allow them to be deployed. So these 1,100 ISVs that attended our event last month that Brett mentioned, they all have the problem that they want to sell products and they want to sell agents. But their customers don't want rogue agents. Their customers are only going to deploy agents that they know that they can properly secure. And so we're very optimistic that Cross App Access has a lot of interest already because everyone needs to solve this problem. And it's not a problem they need to solve 3 years from now. It's a problem they need to solve today. They're already behind. So we feel very confident in how that's going to play out.

Junaid Siddiqui, Truist Securities. Todd, we're seeing this increasing convergence between identity and data security in this age of agentic AI. Could you talk about how you're positioned to bridge identity security with data governance so customers can enforce consistent policies across users and data? And is that an area that makes sense to expand to?

It's inherently related, and we see that in all of our -- we hear that in all of our customer conversations. There's different kinds of technology resources. There's the applications that have all the roles and the groups and the permissions that kind of implicitly define who can access the data or explicitly define who can access the data. Then there's things like a data warehouse where it's like the whole thing is data, and it's just about specifying the rules on who can access what. And it always links back to an identity. And by the way, the really important thing in agents is like getting them the data. So that's why identity security is such an important part of the combination there. One thing that -- one question I get often is, so everyone says they're going to -- everyone in the security world says they're going to secure AI agents and like who's really going to do it? Who's going to win? And it's kind of like the same with identity and data governance and data security posture management in that whole category and network and endpoint. I think the reality is that they're all going to play a role. I think it's naive to think that there's going to be -- saying there's going to be one single security solution to secure all of agents. And once everything is agents, all you're going to need is one security solution, I think it's pretty naive. We need a multilayered approach. And I think all of the major pillars of Zero Trust are going to have an important role there. I think the world underestimates how dependent it all is on identity, just like in Zero Trust. A lot of Zero Trust is dependent on identity. But it's not going to be the one -- that's why I think it's a mistake to think about, oh, there's going to be one company that does everything in security. I think trying to consolidate all of security is very challenging. I think consolidating identity is super valuable and I think doable. Taking a company from 50 vendors down to 1 vendor is very doable. I think it's pretty hard to take a company from all the security tools they have down to one. Simply put, it's because they need different types of security tools to be the most secure.

Patrick Colville from Scotiabank. Thank you guys for having us. So I've spoken to about 12 customers over the last 24 hours and asked all of them, are you here at Oktane to learn about Agentic AI security? And interestingly, not a single one said yes. They all said, no, we're here for kind of PAM, governance, et cetera. But I'm going to ask about Agentic AI security because that's the hot button issue. So when -- you're talking about cross access. Isn't that a protocol? So I guess, how do you monetize a protocol? And then the reason I started with that opening statement is because I want to bring Brett in, when will this monetization start hitting the financial model? If customers aren't here for that now, like is this a 2026 thing or maybe even like 2027?

I think a big -- I mean, I think this concept of an Identity Security Fabric and a one-stop shop for all of these formerly separate categories is a big growth driver for us. We're investing heavily in R&D to build out these products beyond access management, as we've talked about for many years. So the reason there -- it's good that the reason they're here is to buy all of our new products because we have a lot of great new products to sell. I think making sure the industry understands that this is where the category is going, and we're going to capture that category is a very important part of the messaging we're delivering to the market. And the outcomes are great for everyone. And I think the customers that you talk to know that. I think you don't monetize a protocol. I think Cross App Access is an open protocol that basically, strategically, the way we think about all these standards is they make identity more valuable. They make identity able to do more, able to drive better security outcomes, able to give customers less friction in adopting technology. So it's a little bit a benefit to the entire industry, but we benefit tremendously by the fact that identity tools are easier to implement, easier to upgrade. A big opportunity for us is just making the change cost easier. So when these companies want to consolidate vendors, making that incredibly easy. And we do that a lot of different ways. We do that in investing heavily with partnerships with systems integrators. We do that by building a lot of core technology, by evangelizing open standards. We want customers to get to this better world. And now by the way, by supporting this powerful new identity type, we're going to make it over time. And I think it will take time. I think -- like I said before, I think the near-term opportunities are a lot about the broad product portfolio and consolidating legacy and large enterprise. But the agentic thing is real. And next year, we'll be talking a little bit more about it. You'll see more tangible business drivers in the following years, it's going to be a big deal.

And I think -- go ahead. You go first.

One of the -- so the keynote and our vision and the narrative that we're really emphasizing this year is on this very timely urgency around the gap I talked about earlier between agents being in the wild and how they're being governed today. And you'll see throughout the demos and the platform keynotes that follow and the sessions that follow as well about how we're helping secure agents in this idea. But the core premise of all of this is that we've elevated Agentic identity as a first level identity. And so just like a human identity and nonhuman machine identity, we'll now have Agentic identity. And we have tons of product announcements coming out this week about all of the products in that Identity Security Fabric for all 3 of those use cases, the human, nonhuman and the Agentic. So our governance product, for example, earlier this year, we announced a connection for on-prem applications and also separation of duties. We're announcing this week that, that is now available for federal use cases as well. And so now available to new customers there. We have new announcements on our Privileged Access product as well as all of our access management categories. On the protocol, Cross App Access specifically, one of the things we'll be announcing in the Auth0 platform keynote is for anyone who's developing agents using Auth0, they will inherently support Cross App Access. It's a radio button you click to support the protocol when you publish your code. So there are opportunities for us to lean into the standards as they become more adopted in the industry. But to your point, the protocol itself is not what we monetize. It's the security that we can provide better with support for the protocol.

And I think I'd say as the person who leads the field team, the best thing about go-to-market with this new message is it just highlights Okta's strength. So our independence, our neutrality, our cloud-native position. And so when the field are learning about the relevance of our identity security fabric for human, nonhuman identity and agents, like it's a pretty easy leap for them to actually get how that works because underpinning it is the value of our platform. And so how we excel in access management, identity governance and privileged access management, secure posture management, that all relates to the management of agents as well as nonhuman and human identities. So we feel pretty good about how we can cross the chasm with our customers and help them understand that.

I was just going to add, Patrick, about your growth algorithm question was it will take time, like Todd was saying. But think of it as what we've done with governance, right? We've made that product really good. You've seen the impact to the financials, [indiscernible] coming along, device access, all these things we talk about, ISPM, -- it just takes time, and it's just another thing that we have in the toolkit for Jon and his team for them to sell. as the world changes over time as agentic AI becomes more and more embedded in the way the tech stack works.

And I ask you to check in with the partners. We spent a whole day with them yesterday, and they're having lots of meaningful conversations now about this. So it's a real concern for our customers and prospects. So it's not just in our installed base is concerned. It's real and it's happening now.

Rudy Kessinger, D.A. Davison. Similar line of questioning. We've spoken to over [indiscernible] customers as well. And opposite of Patrick, actually, most of them are interested in your AI security capabilities. At the same time.

Even after the keynote.

Oh, this was actually yesterday, we were here, but all throughout. And -- but at the same time, most of them tell us we're not even close to rolling out AI agents broadly anytime soon.

I think that's typical, yes.

Right. And so if the product is going to be GA sometime next year, I'm going to go out on a limb and assume we're not going to see any material contribution until FY '28. A lot of people in the room want to see improved growth sometime before then. And so how do you make sure you're not overallocating too much time, energy, resources into developing those solutions when you could be allocating that time, energy and resources into more near-term opportunities that could drive growth?

What was the last thing? -- near-term opportunities like what?

Near term, investing in other near-term opportunities.

In other near term, yes. It's really a good question. And I think about it this way. We're getting a lot of -- in the building all the capabilities for AI agents, there's a lot of leverage in the foundational stuff we have to do all around. Like for example, there's a lot of leverage in what we've done for privileged access management and the vaulting and the rotation and what we've done in governance for the governance workflows around certifying that things still need access to things. So we're getting a lot of leverage there. The way I -- what I -- when I talked to the team about as we were innovating and building all this stuff, I said it's very important in these things that we get real customer input because there's a lot of hype and a lot of excitement around AI. And I wanted to ground the team as we built this in real tangible customer input on what they actually needed. And I think what we found is that there was a lot of overlap with the use cases around governance and privilege and having this end-to-end fabric and just taking that final mile to AI agents is something that's valuable, but doesn't put us down a path that could turn out to be fools gold because it's some thing that no one turns out to really need.

I think the core use cases of authentication and authorization apply to Agentic identity the same way they do to human identity, for example. When an agent takes an action, you need to be able to verify that it is who it says it is, you need to authenticate and it's not being impersonated by a threat actor. And then when it takes that action, you need to verify that it has access to do the thing that it's trying to do and needs to be authorized. And so the tooling we provide around authentication for human identities that, that infrastructure applies directly to authentication for Agentic identities. And our fine-grained authorization with the Auth0 platform for building agents allows you to build in authorization controls as well. So there's a lot of leverage and overlapping capabilities between the features we're deploying for human and machine use cases that apply to Agentic as well. But one of the reasons why this isn't a -- it's not a new launch of a new platform. It's an extension of our Identity Security Fabric to also support Agentic identity.

Yes. One thing to clarify, in case people aren't aware of it that all of the Agentic capabilities on our platform, those will be new offerings we sell. So just like if you add more users to Okta, we deliver more value and customer pays us more. If you deploy agents with the Okta platform, you're going to deliver more value, and we're going to capture that value. So it's a nice combination of an extension of our current products in a way that's clearly delivering value, and we'll be able to monetize.

This is Nasr Islam for Brad Zelnick at Deutsche Bank. The Okta AI agents is a super interesting step forward, and I want to focus on pricing. So there's been a lot of debate over how pricing models change in securing AI agents. And it feels like the traditional basis of per user or per agent pricing may not be the way forward. But I'm just interested in hearing how you see this evolving.

I had a hard time hearing you. There's an echo. Maybe did you guys hear? No. Yes, it's hard to understand. Yes, the sound up here is kind of echoing.

I'm just wondering about how you see pricing models evolve securing AI.

How pricing models evolve. Yes. So I think the basic thing was I just described is like there will be additional -- we're going to deliver additional value from all this capability. So there will be -- customers will be charged for it. We're final -- the basic -- there is a clear model around just a lot of agents act on behalf of the user. So there's a -- think about companies are rolling out their own version of internal ChatGPT. That -- those agents are going to act on behalf of Brett or Eric or Jon. And so the identity and the number of agents they need to license is very tied to the set of users. So that's an obvious extension. And that's like think of it as an extension of the per seat license. I think what's -- we're still modeling some different scenarios is how it works when there's a one to many. So there's an autonomous agent that does work on behalf of many users. And so that will end up as we work with customers and finalize this, that will work up in some variant of a per request or a per back-end resource model. It will be monetized a different way because there's not the inherent number of agents there are in the case where an agent is acting just on behalf of 1:1 on behalf of users. But as we get through the final steps of this toward availability next year, we'll be finalizing all that and communicating it clearly to everyone.

So fairly similar in unit measure what we do today. Maybe a little bit of tweaks, maybe a little bit of kind of like blending of the 2 concepts, right? So we'll definitely update you guys as we make more progress.

Okay. Great. Yun Kim, Loop Capital. So obviously, there's a lot of discussions about when the Agentic AI adoption will happen and the time frame around it. But if you do look at one market that's where there's a lot of development going on, that's within the technology companies like ISVs and business application vendors. What kind of go-to-market motions do you have targeting them today? And do you feel like you have to basically become a standard among those vendors to be relevant on the Agentic AI rollout as you roll out to the other enterprise markets?

Yes. I think it's an important area of our strategy, serving especially the companies that are building these Agentic solutions and how we can partner with them and how we can work with them to on this broader adoption of standards like we've talked about. These are -- our strategy here is that we want to be the best identity provider at securing identity and securing agentic AI. And we want to do that by being embedded and being partnered with all of the people building agent technology and agent platforms and app vendors building agents. We want to be the constant across all of it. And that takes the right product, it takes the right partnerships, and we're very focused on that, making sure that's a reality.

Hey, this is [indiscernible] for John DiFucci at Guggenheim. So for the longest time, Okta and the identity players have primarily been tasked to secure human identities, and it's clear that, that's rapidly changing. Based on your presentation this morning and given your roots, -- it seems like the identity platform is coming together to secure both humans and nonhumans. But my question is, is one of those core components more relevant to secure NHIs? Is that the right way to think about it? Or is it finally just coming together between access management, PAM and IGA for both?

Yes. I think that we should stop thinking about them as separate things. I think that's why this concept of fabric is so important. People don't want to have a bunch of different vendors. It's one of the -- people don't -- like -- it's one of the -- there's a couple of really pretty misunderstood things about identity. The first one is that the amount of complexity at customer sites around the number of identity tools, it's quite staggering. Even a small company has 20, 30, 40, 50 different identity vendors. There's tremendous value in consolidating that and normalizing that. And we think we have the right platform to do that to implement this fabric. The second thing about identity technologies is it's -- there they -- it's a lot of effort and a lot of work traditionally to get them fully deployed. And we're doing a lot of things over the years. And even when we talk about standardization and all the technologies we're building to connect to cloud systems and on-prem system, we're trying to make that easier. We're trying to make it easier to deploy these identity management tools and let people consolidate and let people simplify. And that's -- and I think those 2 things coming together is one of the reasons why we're so well positioned. We can really remove complexity from customers' environments. We can help them have better security outcomes. We can meaningfully change their business, and that's why we're so well positioned.

Yes. I would just add, it's fairly simple what Todd talked about earlier today, right? It's every identity type -- every identity use case and every type of resource, right? And each one of these things that you've been talking about today on the main stage and here today is about trying to go after those. There's a bunch of technology underneath that actually helps us accomplish that. But if you just think about it from that simplistic viewpoint, that's really what the Identity Security fabric is.

We have an online question. [ Taz ] as from ROTH is asking you have a platform for building AI agents, but at the same time, a lot of other companies like Salesforce and ServiceNow are providing the ability to create agents on their platform. How do those platforms collaborate or compete with Okta? Would they need to tie in with Okta to secure agents on their platform? So net-net, question is, do customers build agents on the Okta platform or the platforms offered by the application and SaaS vendors to build agents?

I think the way to break it down is you need to -- you're going to have agents from a lot of different platforms. There's going to be a lot of heterogeneity in this world. It's going to be rapidly changing. So you try to manage what you know is going to be fundamental, and that's the governance, the visibility and the control. And that's what we're doing with the Okta platform. And we want that to work seamlessly with every -- whether it's Amazon's agent builder or Google's agent builder or Microsoft's agent builder or Salesforce or Atlassian or anyone. We want to work everywhere. And by the way, we want to standardize it so everyone can get the benefit of this identity security fabric no matter what they choose. We want flexibility and openness. Now when you -- I think in that -- on the vein of like there's going to be a lot of different ways to build agents. With Auth0, we're trying to make sure that if you're building your own agent with your own development tools, you can use Auth0 to do the identity security part of that. And of course, that's going to work on different platforms. And I'm sure there'll be in other platforms, there'll be competitive offerings to that because they're going to want their own identity stuff. But our commitment is that it's going to work great with this standardization to manage, govern and control that we think should be adopted by the entire industry.

Tomer Zilberman, BofA. I wanted to ask about the competitive landscape. Last week, you had CrowdStrike at Falcon talking about expansion of identity -- further expansion into identity versus being more identity adjacent before, and you obviously have Palo Alto acquiring CyberArk, which they're also here as a partner. So I wanted to ask, how do you view the competitive landscape changing with the entry of these bigger platform vendors? Is there enough room in the market for everyone here? And do you think that you'll continue to partner with them versus being more head-to-head?

Yes. The way we think about this is, first of all, I think the goal is 0 identity-based attacks. And so it would be awesome if identity-based attacks, we solve the problem. And all of us went on to working on something else. That would be amazing. So it's another way to say like there's tons of work and tons of opportunity. So I think when you think about how to solve that problem, I think there are -- there's a school of thought that you should have all of the pieces of security working along with your identity security capabilities to solve all security challenges. And that's when you see like Microsoft or CrowdStrike or Palo Alto, that's essentially their strategy, a one-stop shop for all security, which is I can see the appeal of it. There's lots of fragmentation there. There's lots of potentially ways to consolidate. I think the challenge is that in the security market, you need 2 things. You need -- there's constant innovation, there's constant change. It's an adversarial environment. People are trying to break into it. And so you need this ability to constantly adopt the best solution. And that's always attention, I think, against consolidation and security. And so that's an important concept. And the other thing is that you -- when you think about what we could do from an identity perspective, it's really about securing the environment and having these things like detection and posture management, but it's also about how the environment could be built in a way to be more secure. And I think that's what coming from a foundation of an identity provider brings us. We can both help secure the environment and actually build a more secure environment itself. So that's a unique approach we have. But there's definitely overlap, right? I mean there's different -- everyone is trying to say they're going to secure AI agents. And there's -- clearly with CyberArk, there's some overlap with Okta. Some of the things that CrowdStrike is doing in security have overlap with what we're doing. That's for sure. But there's no -- I think it's the wrong way to think about it to be like, oh, there's going to be one size fits all. We're going to have layered defenses. We're going to have identity defenses. We're going to have network defenses. We're going to have cloud management defenses, and it's all about those things working together to really drive toward this goal of eliminating identity-based attacks. And if we did that, that's 80% of the security breaches. So I think there's a lot of work to do, and we're going to be working with them, and we're going to be overlapping with them in some places, but it's an important work we're doing, and we'll do it together.

We have another online question.

It's Mark Cash James here for Adam Tindle. I just want to ask how much of the Agentic AI strategy revolves around customers buying into Okta's governance and privileged access on top of core IAM and SIEM to be able to monetize the way that you'replanning?

So I think it's -- we can monetize it if they're just in core access management, just agents in the directory, track the owner, make sure that the connections are secured, but it just gets more valuable if you want to do governance as well and you want to be privileged as well. So it's kind of similar to like a person, right? You can do core access management, but you can do privilege, you can do governance as well, and it gets more valuable as you expand the number of products in the platform you buy.

Matthew Handorf, Harber Asset Management. Obviously, the business has had a number of headwinds in the last 2, 3 years, but it seems like we're coming out on the other side right now with a more specialized go-to-market effort, increased pipeline, better rep tenure, much stronger product breadth, a normalizing macro. And obviously, demand for identity is probably at an all-time high. So my question is, what concerns do you have out there? Or what do you think would hold the business back from reaccelerating growth?

Jon, do you want to take that?

So our go-to-market strategy, like you said, is based on a number of things. Go-to-market specialization has been something that we've been working on for a period of time now. This year, we moved to a more specialized approach by platform that's particularly relevant to our biggest customers internationally and in our Tier 1 markets. And we've made pretty good progress. So we're pretty pleased with the results from those segments through the course of H1. Prior to that, we moved to a hunter farmer model in our commercial business in the U.S. And that again has been kind of really positive. So they had a great H1 and productivity is going really well from that standpoint, too. So we think those specialization bets are working. I think where we see real upside is on international expansion. And so we're super focused on a collection of Tier 1 countries outside of the U.S., where we're making some significant bets in our partner investments there, localizing our products and making sure we can deliver them with the right and necessary deployment options. So I think that's got a significant amount of upside moving forward and international expansion. When I also think about the area across the board where we see real upside to, it's in our biggest customer cohorts. So for some time now, we've been really pleased with the amount of growth we're getting out of that sort of $1 million ACV cohort. And I think it just makes sense when you understand our strategy and you're seeing what's really driving growth. It's in these bigger, more complex customers who've got the legacy of years of buying disparate identity tools. They've just got a lot of complexity. They've got a lot of sunken costs and they've got a lot of risk exposure. So these are the ones that are really leaning in with us, either they bought access management from Okta before or they're considering their estate and they're considering refresh. So I see very significant upside in our biggest customer cohort everywhere because of that. It's a trend around consolidation. Many of them want a single control plane for all identity use cases, and we're the market-leading independent version of that. And so that's something we're super excited about. And how we mobilize our partner ecosystem around that opportunity, how we align with them, make sure they have the right value propositions, the right expertise and the right service offerings to make customers successful with that. That's, I think, the biggest opportunity that we've got to get right. So that's where we're investing a lot of effort at the moment.

And just one example of that. I had an executive briefing yesterday with one of our -- the CISO for one of our larger customers, a top 10 customer for Okta. They have -- they're on a 3-year contract that renews next June. And the entire conversation yesterday was what is their plan and road map to deploy all the capabilities Okta has added since they first came on board. They haven't yet deployed governance. They're planning to deploy governance. And so the conversation yesterday was how to move from their current product-based agreement with us into an ELA. They want to buy -- they want to get on to the Identity Security Fabric and be able to deploy it everywhere for all those use cases. Todd talks about several examples of customers that are consolidating dozens and 50 to 100 different identity tools onto one identity security fabric. These conversations are becoming more and more common as our products become more capable and as our customers become better educated about the complexity that they need to solve for. So those conversations are happening all the time right now.

Do you have that in the forecast?

Yes. The other thing I'd say is that specialization for platform is also benefiting the Auth0 motion. And we're really seeing the continuation of customers investing in seamless digital experiences and how the Auth0 team can focus on that opportunity with real strong cognizance and discovery about how that shows up in particular industry verticals is really a big part of us continuing to grow the Auth0 business, especially in our biggest customer cohorts.

It's Tal Simons SoMa Equity Partners. Can I -- just a follow-up to that one. Can you talk about like in these examples of customers that have been with you and access and are kind of choosing to take the whole platform? Like what happens to their -- like how should we think about their spend with Okta? Like what's the rate of change of the spend on those customers? And also, I'm surprised that you're talking about the larger customers starting on this journey first. I would think that the small, midsized and maybe less mature IGA PAM programs are the ones that would be like the first target to go after here. So maybe you could give us kind of color on that motion as well.

Yes. I think on the piece about building out across the identity security fabric with us, I think with the customers, a lot of them have experienced kind of disappointing value from a lot of these legacy products. And they've not gone as fast as they wanted these deployments. They're expensive sometimes, and they create risk exposure for them. And so I mean, I think it's kind of everywhere that concern. And so yes, we're seeing customers leaning in when we acquire them across like a broad range of products from us now. But we've got a lot -- we've got 20,000 customers. And so we've got access management customers at every single segment level. And then they're all experiencing this challenge with the implementation effort, the administration effort and the risk exposure, having these disparate tools managing identity. So at every level, they're leaning in. I just think that we're seeing the most growth out of the bigger customers because when they lean in, they tend to spend more money with -- and they obviously have most legacy. So I think it's a growth opportunity in all segments. But we're experiencing the depth of the problem probably greatest in our biggest customers because they've got the biggest history of implementing these products and causing these problems.

And I think a lot of that, too, ties in the partner conversation because traditionally, Okta's products have been super easy to implement. And as we broaden the use cases that we cover to governance, posture management, threat detection, privilege, the set of services work gets quite rich, which obviously, there's a positive flywheel there with partners because there's more opportunity for them to add value, which makes them get more up to speed on Okta and what we can do, which means more customers use them and there's a virtuous cycle there.

Yes, that's right. I mean our partners are super excited about it because they -- oftentimes, they've been involved in some of these projects, and they deeply understand the business needs of our customers and how they've evolved. And so they can really add value when they look at all of the use cases across the identity security fabric. And it's not just at the initial point of implementation. It's like a long-term value orientation for them that really leverages the uniqueness of their relationships with our customers.

Yes. I'm spending a big percentage of my time personally with big prospects, big customers and big partners to try to really take advantage of all the momentum there across the business?

Yes. We shouldn't underestimate how good the products have gotten over the last couple of years, Tal. I think that the comment you said about, oh, governance may be being a little light, like that is an old tape. It's a pretty darn good product now. So we're seeing more and more of these customers land not just with access management, they're landing more with the full suite of things, right? Because they are looking at our products and saying, wow, they're actually quite good, we really should buy more from you guys. So still a small number of big customers that do that. But ultimately, the long-term goal here, which is what we've been sitting up here talking about is get all these people on the Identity Security Fabric, which is effectively the entire portfolio.

And what resonates with these big customers is just look at our R&D spend. It's bigger than all the other identity companies. And they know that these products are going to keep getting better and better and better relentlessly. And that's what they're making the bet on a lot of times. Not only have we proven that we can deliver them, but we've proven that we can make them better over time. And other companies are getting distracted. They're changing ownership. They're getting bought, they're getting sold. They're doing other things and their focus, and we're kind of consistent. We'll keep plugging away.

So Zach Schneider with Baird. And I wanted to ask about OIG and specifically, which capabilities within OIG, either entitlement management, certification, et cetera, are seeing the strongest traction today and maybe where there's some adoption frictions? And then in that sense, will OIG become more of a core module embedded across the identity stack? Or do you envision maintaining a more monetizable stand-alone SKU?

Well, I think we're really pleased with how OIG is going. That's the first thing. And it's a very, very clear cross-sell opportunity for us in our installed base, and the teams really cranking just on that. But it's also really nice, like Brett said, when we win new logos on Okta, and more often not now, we're landing them with OIG. So companies like see it as a highly relevant product to manage governance in their environment. And we're really just getting started with it. So irrespective of how broad you go elsewhere within the identity security fabric, it's like super obvious to us as companies look at the value of Okta, even if they've got existing governance investments, like a coexistence with them with OIG is incredibly valuable to them, but we're also seeing a lot of customers switch off existing legacy products that they've got quite embedded in their businesses, and they're switching on to OIG long term. So very, very exciting opportunity for us over the long term.

[indiscernible] from [indiscernible] global. Todd, I was just hoping to get an update from you on the latest thinking in terms of the internal architecture. Like obviously, it's been several years since Auth0. And until now, you've opted to keep it separate from a platform and now even this year, a go-to-market perspective. But I guess, is maintaining these various systems, Okta Workforce, Okta SIEM, Auth0 SIEM, like is that enabling the speed and innovation that seems to be increasingly required in a market where the time to market matters even more now and competitors are out there with other products today, obviously, some acquired, some repurposed, but still.

I think I'm always -- I always want more in terms of innovation. I'm never satisfied there. But I think we're doing a good job. And I think that we've proven that these products really have different value props to different buyers. And what a developer or a builder wants is pretty different than what an IT and security team want. And so I think you're seeing benefit from being in their respective lanes and what they've been able to innovate. So I'm pretty happy with it while always wanting more.

We have another online question. Joshua Tilton from Wolfe Research asks, lots of questions around how the identity market will evolve with CyberArk becoming part of Palo Alto. Neutrality and the integration network have always been competitive differentiators for Okta. Does the integration network have to evolve to support an agentic future? Does the value of the integration network increase or decrease as all of the apps you are reintegrated with launch their own agentic capabilities? And lastly, is there any reason from a tech perspective that identity should no longer be neutral from other areas of security in an agentic future?

I think that with -- CyberArk is very interesting. I think that the -- I'm not sure about this, but I think they had a similar idea that they wanted to build this identity security fabric, which you have to have all the products in the categories. You have to have great access management. You have to have posture management, threat detection, governance. You have to have privileged access management. I think there's a big question now like will they change the approach? Will they really lean into privileged use cases, security use cases, parts of Agentic? I think that's yet to be seen. I think the pull there is definitely going to be, I think, favor Palo Alto more, integrate tightly with that. And I think the independence neutrality is a huge advantage. I think there's not -- you have to consolidate something. You can't have everything from everyone. It's a question of which consolidation points do you choose. I feel strongly that it's dangerous to consolidate on security because of the adversarial nature because of the lock-in you get from consolidating from one vendor. I think identity is a good place to consolidate because you can get simplification and cost efficiencies from the control, while at the same time, you can have the business outcomes you need because identity companies focus on connecting to everything, not just Palo Alto, not just CrowdStrike, everything. So I think that's the winning position, and that's the strategy we're executing on. And I think this is a big change for CyberArk. And I don't know what it means for their old strategy, but I think it's a big change.

And it will be a while before that becomes tangible so that whole deal needs to complete first for them to be able to understand exactly what they're going to do, where the road map will take them.

Maybe kind of slightly off topic, but you mentioned a lot of that this is going to take time with all these Agentic solutions. You also mentioned kind of in your keynote, a lot of F of customers. I guess just from a perspective of like your guys' own AI journey and kind of adopting AI internally, just kind of where you guys are, where you guys are finding usage?

Yes. We have -- so we use AI throughout Okta. I think in our -- from a productization standpoint, probably the most prominent use case we've talked about publicly is identity threat protection with Okta AI, uses the AI capabilities across our volume of transactions that we manage. So as a company, we process over 45 billion authentication events per month. And that volume of data helps us use AI to identify threat signals, things that look anomalous and could be suspicious and to help us protect our customers from activity that shouldn't happen. That's the productized use case we talk about most frequently, and that product has been in market for quite some time. Internally, within Okta, and I oversee our operations, including our IT organization that provides tools to the company. We have today over 60 -- AI tools internally that we use for various use cases that it spans everything from work with our developers using developer tools like AWS, Bedrock, GitHub Copilot, et cetera. Two, from a creative standpoint, our marketing teams use Adobe Studio and Clay and a number of other tools. And really across the company, and Todd talked about this on stage, we're driving our people to lean in with these technologies and find out where they can make us more productive, where they can make us more efficient, where they can make us more competitive, where they can make us grow faster. So we have -- we feel we have a responsibility to be thought leaders and to be progressive in exploring the capabilities of these technologies and how they can help us go faster. And also, we have a responsibility to make sure, just as we talk about here, we're not deploying these technologies in a case where they could cause a security deficit. And so our North Star commitment on the Okta Secure Identity commitment still guides. We're very thoughtful about our data governance for these tools as we bring them in. We're very thoughtful about the production use cases as we bring them in. and we're very intentional to make sure that if there's an opportunity to explore how a capability could help us go faster, we're going to make sure that we explore that, even if that requires a proof of concept where we gate it and ensure that we're not causing difficulty for us. But we're very pleased with our uptake. And we think we're -- we have found the right balance between making sure that we stay true to our goal of being one of the most secure companies in the world and also accelerating our pace of innovation to make sure we can be thought leaders in the space.

Yes. Navigating all this change is -- it's a tremendous challenge. And it's -- but it fires us up. We love doing hard things. We love succeeding in the face of adversity and taking on this challenge, whether it's internal transformation, whether it's product, whether it's industry landscape, it's very motivating, very exciting for all of us. And I think you're seeing that come through in what we're delivering and how we're performing as well.

It makes all of our conversations with customers just highly timely and relevant because all of them are navigating the exact context I just described. They're all in the same position right now. And so there's intense interest in all of us understanding how to chart a path to navigate this to benefit from the capabilities of this new wave of technology and do it in a way that keeps your company secure. And I think that's what you saw in the main stage keynote, which you referenced, and that's what you hear throughout the week, this week at the show.

I have time for one last question coming in online.

Last question comes from Adam Borg at Stifel. Big picture, so fast forwarding 5 years, do you expect that the TAM for securing NHI in general and Agentic AI, in particular, to be smaller, the same size or larger than human identity?

I think it's on the order of the same size. That's how I think it will play out. I think both are going to grow, and both are very important. Probably I should have had a longer question.

We take one more. Any shorter questions.

Someone in the room.

Anybody? Upfront.

In the past, I know the team has said that OIG constitutes about 30% of a workforce deal TCV. Can we get a sense of how that compares to OPA and ISPM and the ITR please?

Yes. I think all of those categories, governance, it can be a 30% to 50% increasing value from a basic access management. Privilege can be a 30% to 50% increase over that. And then the other bucket is, call it, ISPM, Identity Security Posture Management, Identity Threat Protection, that can be another 30% to 50%. So really, you can go from a basic access management deal to a full all-product Okta deal that can be the summation of all those, which is 3 to 4x larger, if I did my math right. What do you -- we're seeing it bear out in the data. So it's positive.

Okay. I think we're out of time. Thank you, everyone, for coming out. Thank you, gentlemen, for your time today. Please go enjoy the rest of Oktane, go to the keynotes, walk the halls, talk to customers, talk to partners. Have a great time. Thank you. Thanks, everybody.