You don't start here. The CIO conversation is earned, not opened cold. It gets earned when something in a lower-level conversation can't be resolved at that level: a program officer who can't account for AI agent access across multiple systems, an IT director who's been handling AI tool deployments case by case and knows it's not scaling, a compliance team that's started flagging AI agent activity in audit prep without a policy framework to reference. Those are the signals that a conversation has moved to the right altitude.
When you do get here, the register shifts. CIOs are not interested in being qualified. They're interested in whether you understand the problem they're actually managing — which, right now, is often a governance architecture that was designed for human users and is being quietly outpaced by AI agent proliferation nobody formally authorized. The questions below are designed to bring that gap into the open without making the CIO feel like they're being led somewhere. The best ones would be worth asking even if your product didn't exist.
"When your agency deployed its first AI-assisted workflow, did identity governance for those agents get written into the policy framework at that point — or has it been handled case by case at the program level?"
Why it works: This question distinguishes between agencies that have a coherent governance posture and agencies that have accumulated a series of one-off decisions that look like a posture from a distance. Most are in the second category.
Hot answer: "We're actually trying to figure out how to standardize it right now." Ask what's driving the urgency — whether it's an upcoming audit, an IG finding, or an executive order deadline. The answer tells you where the real pressure is.
What it means when they defer: If the CIO redirects every governance question to a subordinate, pay attention to that pattern. Decision authority on AI governance may sit lower than the title suggests, or the CIO may not yet have claimed ownership of the problem. Either way, you now know where to focus.
"As you look at the identity infrastructure already in place across your agency, how are you thinking about whether that layer can extend to cover AI agents — versus standing up a separate governance tool for that?"
Why it works: This is the consolidation question, framed as a strategic planning inquiry rather than a vendor pitch. It brings build-versus-extend into the conversation, along with the question of whether existing investments are being considered as the foundation.
Hot answer: Any version of "we'd rather extend what we have than add another point solution." That's the conversation where Okta's existing footprint as a governance layer becomes directly relevant — name it in the follow-up, not in the question. (Companion context: if Okta is already deployed for human identity in this agency, the AE should know which specific modules — Okta Privileged Access, Workforce Identity Cloud — map to the AI agent governance gap before this meeting.)
What a cold answer sounds like: "We're evaluating options." Ask what criteria they're using to evaluate. If "integration with existing identity infrastructure" isn't on the list, put it there.
"How many AI tools are currently operating in your environment that weren't procured through a formal IT governance process?"
Why it works: This is the shadow AI question, asked at the altitude where the CIO has to own the answer. It's deliberately direct. Most CIOs have a number in their head that's higher than they'd like.
Hot answer: Any number above zero, delivered with visible discomfort. Follow up: "Is that registering as a governance risk at your level, or is it still being managed as individual program decisions?" The answer tells you whether the CIO has claimed the problem or is still hoping it resolves itself.
If they say they don't know: That's the most revealing answer of all. Ask what visibility they currently have into AI tool deployment at the program level. The gap in that answer is the gap in their governance posture.
"If your Inspector General asked you tomorrow to describe your agency's current posture on AI agent identity governance, what would you say?"
Why it works: The IG frame is specific to federal buyers and carries real weight. It converts an abstract governance question into a concrete accountability scenario. CIOs think about IG relationships constantly — this question meets them where they already are.
Hot answer: A pause, followed by a candid admission that the answer isn't as clean as they'd like. Don't fill the pause. Let them work through it.
What to do if they give a polished answer: Ask when that posture was last reviewed against current AI deployment activity. Polished answers to IG questions are often built on last year's inventory.
When a CIO starts asking which programs carry the highest AI agent exposure, that's the moment to reconnect with the Program Officers who own those workflows — they're the ones who can answer it.

