Release firewall that lets enterprises give IT agents write access to SaaS systems without blind production risk.

1. Agentic-AI security is attracting dedicated startup funding, which is a strong signal that enterprise buyers are carving out budget for this problem now.
2. The most important failure mode has shifted from prompt quality to production runtime drift, making new infrastructure necessary.
3. Enterprises are starting to ask for a distinct security layer around agents, not just evaluation tooling, which creates room for a new control plane category.
4. Security urgency appears exactly when companies move agents into production workflows with real write permissions, creating a clear buying trigger.

Catalyst. Fresh funding and explicit source language around an enterprise security layer for agentic systems show that companies are moving from agent experiments to production deployments where runtime control becomes urgent.

The product sits between an enterprise agent and the systems it can act on, proxying every tool call, permission request, and state-changing action. It builds a baseline of expected action sequences from staging and early production, then flags simulation-versus-production drift such as unusual privilege escalations, cross-app hops, or out-of-policy data access. Teams can require step-up approval only for novel or sensitive actions instead of forcing a human into every workflow. Every decision is logged as an auditable trace for security review, compliance, and post-incident forensics.

What's different. Most AI safety products focus on prompts, model outputs, or offline evaluation. This company would focus on runtime authorization and sequence-level anomaly detection across real enterprise systems, where the highest-cost failures occur. Its moat can become a proprietary corpus of production agent action traces, policy templates, and workflow-specific risk models for sensitive enterprise apps.

Jobs to be done

flowchart LR
  Buyer[CISO or Identity Security Lead] --> Pain[Cannot trust write-enabled agents in production]
  Pain --> Product[Release firewall for agent tool calls]
  Product --> Outcome[Safe autonomous access changes with audit trails]

Executive takeaways

• The strongest evidence says demand appears when internal agents move from read-only copilots to production write actions; that is where identity, audit, and kill-switch gaps become budget-worthy.
• Enterprise AI use is scaling faster than governance maturity: Deloitte reports worker access to AI rose 50% in 2025 while only 34% of companies are truly reimagining the business around AI, and nearly 60% still cite integration as the main agentic-AI barrier.
• The proposed wedge is sharper than most horizontal AI-security vendors: sequence-level release control for high-risk SaaS actions, rather than generic prompt scanning, model posture, or broad red-teaming.
• Incumbents are moving fast—Okta, Workato, Tines, and Moveworks all now market agent, MCP, or identity-governance capabilities—so the startup must win on neutrality across systems and on staging-to-production drift detection.
• Technical friction is real and defensible: Okta, Google, Slack, Atlassian, and Microsoft all expose rate limits or throttling constraints, so reliable inline enforcement and unified logging are hard to build but valuable once solved.
• The category is investable but timing-sensitive: General Analysis raised $10M and Noma later raised $100M, yet standalone demand may lag if buyers keep agents read-only or accept bundled controls from identity and automation incumbents.

Market definition

Runtime security and governance software for internal, action-taking enterprise AI agents that can change state in SaaS systems such as Okta, Google Workspace, Slack, Jira, and adjacent ITSM / IAM tools. The core buyer is the CISO, identity-security lead, or AI-platform owner at North American and European mid-market and enterprise companies deploying internal IT or employee-support agents. This definition intentionally excludes generic model hosting, read-only chatbots, prompt-only guardrail SDKs, and broad AI posture tools that do not sit in the execution path of high-risk actions.

Customer and buyer

Initial ICP: software and internet companies with roughly 1,000-10,000 employees that already use enterprise identity and IT automation tooling and are piloting internal helpdesk or access-provisioning agents. The day-to-day user is the AI platform engineer, security engineer, or IAM admin; the economic buyer is usually the CISO, director of identity security, or enterprise IT/security leader. The urgent job is to let agents complete high-volume tasks without giving up least privilege, human escalation, or auditability. Budget most plausibly comes from identity security, ITSM automation, or AI governance programs rather than pure model spend.

Buying triggers

• The immediate trigger is production approval for a write-enabled helpdesk or IAM workflow, when existing read-only evaluation or human-in-the-loop approaches begin to bottleneck ROI. [12][14][16][17]
• A second trigger is audit or certification pressure: once agents touch provisioning, access reviews, or employee data, buyers need searchable evidence of what the agent did and why. [12][15][17][18]
• Rising incident pressure matters too: IBM links AI-related incidents to missing access controls and governance, which makes preventive runtime controls easier to justify. [5][12]

Willingness to pay

Adjacent identity and automation budgets are already real. Okta publicly prices workforce identity from $6-$17 per user/month and highlights $26K process savings from provisioning plus roughly $1M of access-certification and audit-prep savings, while Moveworks and helpdesk automation pages show 88%+ autonomous resolution and major deflection gains. That suggests buyers can fund a dedicated control layer if it protects or unlocks materially larger automation ROI. [14][15][16][31]

Category dynamics

Growth signal 50% increase in worker access to AI in 2025

Validation signals

• General Analysis raised a $10M seed to build an enterprise security layer for agentic systems.
• Noma Security later announced a $100M round centered on AI agent security, showing follow-on capital is entering the category.
• Okta now markets agent identity governance and Cross App Access for AI agent interactions, validating incumbent product attention.
• Workato markets Enterprise MCP and Agent Studio with verified user access, role-based controls, and audit trails for production agents.
• Moveworks publishes high automation outcomes for IT helpdesk and IAM-adjacent workflows, showing the operational use case is already real.

Regulatory & technical constraints

• Enterprise buyers will expect least privilege, human override, and auditability because AI governance frameworks increasingly emphasize these controls for deployed systems.
• Inline policy enforcement has to survive SaaS API rate limits and throttling across Okta, Google, Slack, Jira, and Microsoft Graph.
• A useful product needs normalized logging across heterogeneous systems; otherwise post-incident forensics and compliance evidence remain fragmented.
• Tool use and computer use expand the blast radius of a single model error because the system can chain actions across multiple resources in production.

Direct competitors cluster into horizontal AI-security vendors (Zenity, Noma Security, Prompt Security, Lakera) and identity-led incumbents (Okta). Zenity and Noma push broad visibility, posture, and runtime protection; Prompt emphasizes MCP and gateway control; Lakera emphasizes runtime visibility and outcome control; Okta brings native identity, provisioning, and emerging agent-governance primitives. Substitutes include Workato, Tines, and Moveworks, which let enterprises build and govern workflows or agents inside their own platforms, plus developer-led alternatives such as Permit.io, Pangea, LangChain/LangGraph, manual approvals, SIEM correlation, and in-house proxy scripts. The startup only deserves space if it is meaningfully better at cross-system release gating for sensitive actions than these broader platforms are.

Why incumbents do not win by default

• Cloud and identity platforms. Okta and similar identity vendors can authenticate, register, and revoke agents, but they do not automatically become the best cross-system runtime firewall for heterogeneous SaaS action chains; the wedge is neutral sequence control across apps, not just identity issuance.
• Workflow and orchestration platforms. Workato, Tines, and Moveworks help customers build or automate workflows, but buyers may still want an independent security layer because the builder is not always the most trusted judge of novel high-risk actions in production.
• Horizontal AI-security suites. Zenity, Noma, Prompt, and Lakera all cover broad AI risk, but their positioning is wider than the proposed beachhead; a focused release-firewall product can still win if it is visibly better on IAM/helpdesk action graphs, staging baselines, and approval-aware escalation.
• Open-source and developer tooling. Permit, Pangea, LangChain, and similar building blocks can help engineering teams assemble controls, but stitching together authorization, connectors, approvals, audit logs, and always-on operations across enterprise SaaS is still non-trivial and usually slower than buying a product.

Enterprises hit a specific budget-worthy control gap when internal agents move from read-only copilots to write-enabled actions in systems such as Okta, Google Workspace, Jira, and Slack. This company should start with a narrow release-firewall product that proxies state-changing tool calls, compares live action graphs to approved staging baselines, and blocks or escalates novel high-risk paths before execution. The first customer is a 1,000-10,000 employee software or internet company launching an internal IT helpdesk or access-provisioning agent, and the buying trigger is the security review that approves production write access. Research suggests adjacent identity, automation, and AI-governance budgets are already real, with an estimated $76.5M SAM in the initial beachhead and a $3.2M reachable SOM by year 3. The go-to-market should therefore be a paid pilot on one Okta plus Google Workspace workflow that converts to an annual production contract at go-live. The plan deliberately avoids broad AI-security positioning until the company proves lower false positives, faster audit evidence, and better cross-system controls than Okta, Workato, Tines, or internal scripts. The biggest disconfirming risks are that enterprises keep agents read-only longer than expected or accept bundled incumbent controls as good enough. Public research does not yet show exact production novelty rates or a clearly separate budget line, so the first 6 months must focus on shadow-mode traces, pricing tests, and architecture-review wins rather than feature sprawl.

Problem

• Enterprises can test agents in staging, but they lose confidence when those agents get write access to identity, ticketing, and admin systems in production.
• Manual approvals, SIEM reconstruction, and generic guardrail SDKs slow automation and still do not provide sequence-level runtime control or audit-ready evidence.

Solution

• Deploy a neutral release firewall between the agent and enterprise SaaS systems to inspect every state-changing tool call, permission request, and cross-app action path.
• Learn approved action graphs from staging and early production, then block, rate-limit, or step-up novel high-risk sequences while logging a complete decision trace for security review and compliance.

Why we win

• The wedge is narrower than horizontal AI-security suites and maps directly to the production go-live moment when budget, urgency, and measurable risk are highest.
• Cross-system runtime control for heterogeneous SaaS workflows is a harder and more defensible problem than model-side prompt filtering because it requires connectors, normalized logs, and policy enforcement under real API constraints.
• A corpus of approved, denied, and escalated action paths in IAM and IT helpdesk workflows can compound into better policy templates, lower false positives, and stronger audit evidence over time.

Milestones

flowchart LR
  Wedge[Okta and Google Workspace access-provisioning wedge] --> MVP[Shadow mode and release gating MVP]
  MVP --> Proof[Low false positives plus audit-ready traces]
  Proof --> Expansion[More workflows, connectors, and partner channels]

Founding team

Experiment roadmap

Risk assessment

What must be true

• At least half of target buyers must treat production write approval for agents as a funded security review, not just an engineering checklist.
• Shadow-mode traces must show enough novel or risky production action paths to justify release gating over static allowlists.
• The product must keep routine false positives low enough that buyers prefer selective escalation over universal human approval.
• Security buyers must prefer a neutral cross-system layer over relying only on Okta, Workato, Tines, or internal scripts in at least several competitive evaluations.
• A first production workflow must support initial ACV in the $75k-$120k range without requiring services-heavy custom work.

Open diligence questions

• How often do staging-approved IAM action graphs diverge from real production behavior in early customer pilots?
• Who owns budget for this purchase in practice: identity security, IT operations, or AI governance?
• How many connectors are required to win the first five deals beyond Okta and Google Workspace?
• In a live bake-off, why would a buyer not accept native Okta or workflow-platform controls as good enough?
• What false-positive threshold causes operators to abandon inline enforcement?

Model sanity

• Revenue engine. Base-case revenue comes from growing from 6 to 32 paying protected workflows/accounts while blended ARPU steps from pilot-heavy $72K to $96K as production contracts and usage expansion take over.
• Must go right. The model depends on security-review pilots converting above 60% and within roughly 90 days so founder-led CAC stays in the mid-five figures.
• Model breaks if. If buyers keep agents read-only or deployments become services-heavy, the downside case drives cash below zero before the next round.
• Next-round proof. A credible Series A story is 10+ production customers, multi-connector coverage, and false positives low enough to show the product can expand from one workflow to account-wide control.

Scenarios

Sensitivity

flowchart LR
  Leads[Security review leads] --> Pilots[Paid pilots]
  Pilots --> Customers[Production workflows under protection]
  Customers --> Revenue[Platform + usage revenue]
  Revenue --> GrossProfit[70% gross profit]
  GrossProfit --> Cash[Runway and buffer]
  Customers --> TraceData[Action-trace data moat]
  TraceData --> Expansion[Higher ARPU via more workflows and modules]

Flags: Base case reaches 32 paying customers by Q4Y3, which leaves limited headroom versus the 35-account year-3 SOM in research without multi-workflow expansion. · Gross margin is held at the 70% target; if connector work and customer onboarding stay services-heavy, both burn and valuation quality worsen quickly. · Cash stays positive because the model starts post-seed close and assumes EBITDA is a fair proxy for cash, so deferred revenue timing and capex are not modeled explicitly.

• Platform vendors add native controls. Identity providers or agent-platform vendors could ship basic policy checks and narrow the wedge. Mitigation: Focus on cross-system action graphs, simulation-to-production drift detection, and audit evidence across heterogeneous tools where native controls are weakest.
• Customers delay write-enabled agents. If enterprises keep agents read-only for longer than expected, adoption could lag despite strong interest. Mitigation: Sell first into teams with approved helpdesk automation programs and support read-only observability that expands into enforcement at go-live.
• Long enterprise security sales cycles. Security infrastructure deals can take multiple quarters and require heavy validation. Mitigation: Offer a lightweight pilot on one high-risk workflow such as Okta access provisioning with clear ROI and compliance deliverables in 30 days.