Okta Pooled Security Audits: a One-Year Retrospective
Customer audit is evolving beyond the traditional one-to-one audit model. When Okta's Customer Audit team first published Paving the Path: Pooled Audits with Okta Security last year, we shared our vision for moving beyond the limitations of siloed assessments. Today, as successive SaaS supply chain attacks continue to ring alarm bells across the industry, that strategic vision is now a reality.
This year-in-review retrospective demonstrates how our pooled audit methodology has become a powerful mechanism for collaborative peer discussion - raising the bar for supply chain security for both Okta and our customers.
The Rationale: Designed to be Different
Traditional audit models create a heavy, linear burden: each customer audit request requires Okta's security team to provide a tailored evidence package in response. Our pooled audit program was designed to break the status quo.
We measure success based on the program's ability to minimize redundant effort for our internal teams, while offering customers something a traditional audit cannot: context and community. By shifting to this model, we not only deliver assurance faster, but also provide a forum for peer-to-peer exchange that turns a compliance checkbox into a strategic value-add.
Quantifying Success: The Metrics Validating the 1:Many Shift
Our results validate the success of the pooled audit program. We track several KPIs that demonstrate a consistent, positive shift in our compliance efficiency and translate to business impact for customers.
Most notably, participant feedback highlights the quality and effectiveness of the new model. In our post-audit survey, customers indicated:
94% reported feeling supported in achieving their organizational compliance and assurance goals, and
98% reported a high level of confidence in Okta as a security partner.
Our KPIs demonstrate program efficiency across the following strategic priorities:
Supply Chain Assurance
Beyond compliance, the validation of the pooled audit program lies in its role in educating customers about current threats and about Okta's best-practice guidance for defending identities.
Audit sessions take a deep dive into the controls that close the gaps exploited in the recent compromises of Salesloft and Gainsight, specifically validating our adherence to the five pillars of SaaS hygiene:
Strong authentication,
Strong identity governance,
Interactive session security,
Non-interactive session security, and
Strong auditability.
By aligning these technical verifications with global regulatory expectations (e.g. for financial services: DORA, APRA or NYDFS), the program does more than prove compliance; it provides customers with high-assurance evidence that their critical identity vendor is built to withstand and recover from major supply chain disruptions.
Deep-Dive Assurance at Scale
The strategic value of the pooled audit program extends beyond efficiency; it redefines the depth of assurance. We move beyond static document exchanges and instead host multiple industry-specific customers for multi-day, hands-on sessions to collectively assess our controls against their regulatory expectations. We encourage peer challenge, and this peer review makes us stronger.
Our recent engagements with financial services customers prove out this model. These were detailed, collective assessments across nine critical domains key to operational resilience and security.
The result is genuine assurance in a peer setting, offering value exceeding a compliance checkmark. By delivering granular, domain-specific coverage for specific regulations, we reduce reliance on bespoke, time-consuming customer audits in favor of a better outcome. Okta’s pooled audit methodology is increasing the depth of scrutiny our controls receive. Good for customers, and good for Okta.
Conclusion: A Call for a New Industry Norm
We have transitioned from "paving" to "practice". The pooled audit program is no longer just an efficiency initiative; it is the assurance mechanism that informs our customers' supply chain security posture and offers Okta valuable customer insight in a peer-to-peer forum.
However, this success shouldn't be unique to Okta. This is our call to action for the wider SaaS industry: make the pooled audit model the norm, not the exception.
We invite Okta customers to be part of this evolution: reach out to your account team today to join our next pooled audit cohort for your industry. By adopting this shared assurance approach, we can collectively reduce the compliance burden on customers, eliminate redundancy, and focus our resources on what truly matters — securing the ecosystem against evolving threats.
