Audit-grade identity graph that proves which AI agents touched sensitive M365 and ServiceNow data before rollout stalls.

1. Enterprises now have a quantified attribution problem, not just a vague fear, because many cannot distinguish agent actions from human actions in production systems.
2. Governance is moving to the data and permission layer, so products that only watch network edges or model outputs will miss the real approval bottleneck.
3. Investors are already funding trusted AI data access like core infrastructure, which means enterprise buyers will expect a dedicated budget line instead of burying this inside generic security spend.
4. The market is converging DSPM, identity, DLP, and agentic security, creating an opening for a focused wedge that solves agent attribution first and expands into the broader stack later.

Catalyst. Cyera’s framing of data access as the new AI perimeter, combined with the 68% attribution blind spot, makes agent rollout approval an immediate governance bottleneck.

The product connects to Entra ID, Microsoft 365, SharePoint, OneDrive, Teams, ServiceNow, and existing SIEM or DSPM tools to build a live graph of users, service principals, agents, data stores, and inherited permissions. For each proposed or active agent workflow, it simulates reachable sensitive data, labels which access paths depend on user delegation versus standing machine identity, and records what the agent actually touched at runtime. Security teams get an approver-ready view that answers three questions in one place: what this agent can see, what it did see, and which permission chains should be cleaned up first. The first version wins by shortening rollout reviews from months of spreadsheet-driven access analysis to a few days of evidence-backed signoff.

What's different. Most AI-governance products start from model policy or generic data classification, while this company starts from the unresolved identity question at the moment an agent touches enterprise data. That makes it useful before and after rollout: first as an approval engine for new agents, then as a runtime evidence system for audits and incidents. The wedge is especially strong in Microsoft-heavy environments where group inheritance, delegated permissions, and collaboration sprawl create a hidden blast radius that generic IAM or DSPM products do not explain in agent-native terms.

Jobs to be done

flowchart LR
  Buyer[CISO / AI Security Team] --> Pain[Cannot separate human vs agent data access]
  Pain --> Product[Agent attribution graph]
  Product --> Outcome[Faster rollout approval and audit-ready evidence]

Executive takeaways

• The sharpest wedge is not generic AI governance; it is pre-approval evidence for agents touching messy Microsoft 365 and ServiceNow permission estates.
• Buyer urgency is real because Microsoft itself frames oversharing as the largest Copilot data risk while multiple surveys now show unknown agents, scope violations, and low approval coverage in production environments.
• Incumbents already own adjacent budgets across DSPM, Microsoft data governance, identity governance, and agent security, so the startup must win on cross-system attribution and approver-ready audit evidence rather than on raw discovery alone.
• Financial-services and pharma remain attractive because they already operate under stronger expectations for auditability, access governance, and controlled AI rollout.
• The startup is credible if it shortens rollout reviews from permission cleanup projects into evidence-backed signoff workflows tied to specific agent runs.

Market definition

This market sits at the overlap of Microsoft 365 data security, identity governance, and agent security: software that proves what an internal AI agent can reach across collaboration and workflow systems before production expansion, then records what it actually touched afterward.

Customer and buyer

The daily user is an AI security, data security, or identity-governance team managing Microsoft 365 Copilot, Copilot Studio, and ServiceNow agent rollouts. The economic buyer is typically the CISO or VP of Information Security; secondary champions include SharePoint, Entra, and ServiceNow platform owners.

Buying triggers

• A Copilot or internal-agent rollout expands beyond a pilot and security must prove oversharing and least-privilege issues are under control before wider employee access is granted. [5][7][38]
• Shadow agents, scope violations, or incomplete security approval create a visible gap between adoption speed and governance maturity. [15][16][17]
• Regulated enterprises adopting ServiceNow and Copilot agents need stronger identity, audit, and human-oversight controls than native logs alone provide. [10][9][32][34]

Willingness to pay

Willingness to pay should come from already-funded Microsoft security, data governance, and identity budgets. The pain is not speculative: security teams are already cleaning oversharing, reviewing agent approvals, and responding to agent incidents. A product that shortens those cycles and reduces rollout delay can justify a six-figure annual land without asking buyers to create a brand-new budget category. [5][7][14][15][17]

Category dynamics

Growth signal 34.27% CAGR

Validation signals

• Cyera’s recent funding and trust-layer framing show investor conviction that data-access governance for agentic AI is becoming infrastructure.
• Multiple surveys now show unknown agents, scope violations, incidents, and weak approval coverage in enterprise environments.
• Microsoft’s own rollout guidance treats oversharing remediation and governance guardrails as foundational prerequisites for broader Copilot deployment.

Regulatory & technical constraints

• Copilot honors existing user permissions, so oversharing and stale access in SharePoint or OneDrive become amplified rather than neutralized by the assistant itself.
• Agent identities and delegated authority are now first-class governance objects in Entra, which raises the bar for lifecycle management and ownership tracking.
• EU and UK guidance pushes enterprises toward accountable, auditable, human-supervised AI deployments when personal or sensitive data is involved.
• Healthcare and pharma buyers will care about stronger governance and documentation expectations even when the first use case is operational rather than clinical.

The landscape is converging fast. Microsoft owns the native control plane around Copilot, Entra, Purview, and Copilot Studio. Cyera and Varonis attack the data-permission problem from DSPM and M365 security. SailPoint approaches the problem through identity and file access governance. Zenity and adjacent AI-security startups focus on posture and runtime behavior. The open space is a cross-system attribution graph purpose-built for rollout approval packets and per-run evidence, especially when one agent spans M365 and ServiceNow.

Why incumbents do not win by default

• Microsoft platform stack. Microsoft can secure agents that stay inside Entra, Purview, Copilot, and Copilot Studio, but cross-system approval and independent runtime evidence remain harder when the workflow also spans ServiceNow and non-native tools.
• DSPM and data-security vendors. Cyera and Varonis are strong because they already map sensitive data, access, and exposure inside enterprise estates, but their default story is broader data security rather than agent-run-specific approval packets across M365 and ServiceNow.
• Identity-governance vendors. SailPoint fits the buyer and control model well, especially for agent identities and SharePoint file access, but it is not yet the obvious system of record for runtime attribution tied to a single agent execution.
• Agent-security startups. Zenity and similar startups are good at discovery, posture, and runtime guardrails, yet the proposed startup can differentiate if it becomes the artifact generator that turns graph data into faster signoff for regulated rollout committees.

This company sells an agent-attribution trust layer for regulated enterprises rolling out Microsoft 365 Copilot, Copilot Studio, and ServiceNow agents over messy permission estates. The first product is a read-only graph that shows what a given agent can reach across Entra ID, SharePoint, OneDrive, Teams, and ServiceNow before expansion, then records what it actually touched at runtime. The initial buyer is a CISO-led security team at a bank or pharma company with 15,000+ Microsoft 365 seats and a blocked rollout review, because that is where oversharing and attribution risk already has executive visibility. The wedge is narrower than generic AI governance: produce approval packets and remediation priorities that shorten rollout signoff from manual spreadsheet work to days. Research supports real urgency, with Microsoft emphasizing oversharing readiness and multiple surveys showing unknown agents, scope violations, and incomplete approval coverage; however, exact conversion rates and the minimum evidence package that buyers will pay for still need validation. TAM, SAM, and SOM are modeled estimates from installed-base and ACV assumptions, not booked demand. The company should deliberately avoid broad model-governance, customer-facing agent use cases, and inline enforcement until it proves a repeatable land motion around pre-production approval and audit evidence. If the team can win three paid design partners and convert pilots into $250k-$400k production lands, it can become the system of record for agent-specific evidence before incumbents flatten the category.

Problem

• Copilot and ServiceNow agent rollouts inherit stale Microsoft 365 permissions and overshared SharePoint or OneDrive content, so security teams cannot prove an agent's blast radius before broader deployment.
• Existing SIEM, DSPM, and identity tools show pieces of the problem but do not separate human, delegated, and agent activity into one approver-ready record.
• Manual access review and audit preparation stretch rollout approval into weeks or quarters, turning security into the gating function for otherwise funded AI programs.

Solution

• Build a read-only attribution graph across Entra ID, Microsoft 365, SharePoint, OneDrive, Teams, and ServiceNow that simulates what each agent can reach before production expansion.
• Capture runtime evidence that labels whether sensitive access came through a human, delegated user context, or standing machine identity, then tie that evidence back to the approved workflow.
• Generate approval packets and ranked permission-cleanup actions so rollout committees can sign off faster without requiring a full least-privilege rebuild first.

Why we win

• The product is anchored to a concrete approval workflow, not a generic AI governance dashboard, which makes the first ROI metric shorter rollout review time rather than abstract compliance posture.
• The wedge spans Microsoft 365 and ServiceNow in one evidence model, where native controls and incumbent tools usually stop at a single stack or a broader data-security story.
• Early focus on regulated banks and pharma creates tighter feedback loops on audit evidence quality, remediation patterns, and partner requirements than a broader horizontal launch would.

Milestones

flowchart LR
  Wedge[Blocked Copilot expansion review] --> MVP[Read-only attribution graph]
  MVP --> Proof[Approval packets and runtime evidence]
  Proof --> Expansion[Multi-workflow expansion and recertification]

Founding team

Experiment roadmap

Risk assessment

What must be true

• At least half of target design partners currently delay rollout expansion because agent-specific data reach cannot be proven quickly.
• Buyers accept read-only evidence plus remediation ranking as a budget-worthy first product before they require inline blocking.
• Microsoft and ServiceNow expose enough identity and runtime telemetry to distinguish agent, delegated user, and service-principal actions in the initial workflows.
• A neutral approval packet converts pilots faster than incumbent tool combinations or manual review alone.
• The company can land at $250k+ ACV and expand through additional workflows without becoming a services-heavy business.

Open diligence questions

• Which exact approval artifacts make a rollout committee shorten signoff time?
• How often do early customers require runtime evidence at file or record level instead of workflow summary level?
• What parts of onboarding are repeatable software versus bespoke entitlement cleanup?
• How differentiated is the product if Microsoft improves native cross-app attribution in the next 12 months?
• Which incumbent is easiest for buyers to extend instead of adding a new vendor?

Model sanity

• Revenue engine. Base-case revenue is driven by 16 paying regulated-enterprise accounts by Q4Y3 at a $330K blended annual ARPU as paid pilots convert and existing customers add more governed workflows and retention.
• Must go right. The company must prove approval packets shorten rollout signoff enough that partner-sourced accounts keep adding at least one net new paid logo per quarter through Y2 without scaling sales too early.
• Model breaks if. If sales cycles stretch toward nine months or ARPU stalls near $280K, the downside case turns cash negative before the company establishes repeatable production lands.
• Next-round proof. The next financing is justified once the company exits Y2 with 9 paid accounts, 2+ partner-backed production wins, and clear evidence that the wedge supports $250K+ lands without becoming services-heavy.

Scenarios

Sensitivity

flowchart LR
  Leads --> PaidPilots
  PaidPilots --> ProductionAccounts
  ProductionAccounts --> WorkflowExpansion
  WorkflowExpansion --> Revenue
  Revenue --> GrossProfit
  GrossProfit --> Cash

Flags: The model assumes Microsoft- and ServiceNow-heavy rollout reviews create enough urgency to keep net new logo adds rising even before the category is fully established. · ARPU depends on converting paid proofs of value into $250K-$400K annual subscriptions and then attaching second-workflow or retention upsells; weaker expansion would cut Y3 revenue materially. · Cash is modeled as EBITDA with no working-capital timing, capex, or financing delay, so real-world collections or a later seed close would tighten runway versus the base case.

• Platform dependency. Microsoft or ServiceNow could improve native attribution and reduce the perceived need for a third-party layer. Mitigation: Start with cross-system evidence, permission-chain analysis, and remediation workflows that native logs do not unify, then build deep ecosystem partnerships.
• Incumbent compression. Cyera, Varonis, or other DSPM vendors could extend into agent attribution and crowd the category quickly. Mitigation: Win with a narrow rollout-approval wedge, ship faster in Microsoft-heavy environments, and become the system of record for agent-specific evidence before broadening.
• Weak urgency outside rollout gates. If a prospect is still experimenting with small pilots, the problem may not feel painful enough to buy now. Mitigation: Sell only into expansion, audit, or incident-review triggers where approval delays already have an executive owner and visible cost.