Policy simulator that lets enterprises approve AI agents to query governed data across Snowflake, Databricks, and SaaS.

1. Snowflake's acquisition shows MCP governance is strategic enough for a major data platform to buy rather than build slowly.
2. The buying center has shifted from abstract AI safety to concrete control over how agents connect to business data.
3. Centralized access control, audit logging, and permission scoping are already explicit requirements, creating a near-term product checklist instead of a fuzzy future market.
4. Most enterprises have too many data sources for manual connector-by-connector approvals to scale, which creates immediate operational pain.
5. Snowflake's move validates the category while still leaving multi-cloud and non-Snowflake environments open to an independent control-plane vendor.

Catalyst. Snowflake buying Natoma validates that agent data governance has become a board-level infrastructure purchase, while the cluster's emphasis on centralized controls, audit logging, and dozens of governed data sources makes pre-deployment access simulation newly urgent.

The product sits between enterprise agent runtimes and MCP connectors, ingesting existing IAM, warehouse permissions, data catalog metadata, and SaaS roles into one policy graph. Before a team launches an agent, it simulates the exact workflow and shows which tables, fields, files, and records the agent could reach across Snowflake, Databricks, Salesforce, ServiceNow, SharePoint, and similar systems. It then generates an approval packet for governance teams, including least- privilege recommendations, required redaction rules, and an auditable policy bundle that can be pushed back into the runtime. Once live, the same control plane continuously compares actual agent reach against the approved envelope and flags drift when connectors, schemas, or roles change. That wedge gives enterprises a concrete way to move valuable internal agents into production without accepting blind data-exfiltration risk.

What's different. Existing IAM, DSPM, and data catalog tools govern human users or static dashboards, not agents that traverse many systems in one workflow. Agent observability vendors can show what happened after an agent touched data, but they do not let a governance team simulate and approve cross-system reach before launch. The defensible wedge is a policy graph tuned for agent workflows, a growing corpus of approved-versus-rejected access patterns, and deep integrations into the specific data systems enterprises connect first.

Jobs to be done

flowchart LR
  Buyer[Data governance team] --> Pain[Cannot prove agent data blast radius]
  Pain --> Product[Agent data scope simulator]
  Product --> Outcome[Faster production approval for internal AI agents]

Executive takeaways

• Snowflake buying Natoma validates that MCP governance is becoming strategic infrastructure, but it does not close the neutral multi-system opportunity.
• The sharpest buyer pain is pre-deployment proof: governance teams need to know what an agent could read or trigger before it reaches production.
• Incumbents cover pieces of the problem—data policy, authorization, runtime security, or observability—but no default neutral product owns cross-system approval packets and blast-radius simulation.
• Regulated industries are the best beachhead because they already have governance committees, audit expectations, and high downside from uncontrolled data reach.
• The wedge is strongest when framed as launch-unblocking infrastructure rather than generic AI safety or another agent runtime.

Market definition

This market sits between data governance, authorization infrastructure, and agent security: software that models what internal AI agents can reach across warehouses and SaaS tools, turns that into an approval workflow, and then watches for drift after launch.

Customer and buyer

The first user is the data governance or enterprise AI platform team trying to move internal analyst, support, or operations agents from pilot to production. The economic buyer is usually a Chief Data Officer, VP of Data Platform, or CISO who owns both deployment velocity and audit risk.

Buying triggers

• A production-readiness review stalls because no one can demonstrate least-privilege data reach across multiple connected systems. [11][57][83]
• Regulated enterprises already run AI and ML in production, so the next bottleneck is governance quality rather than category awareness. [76][77][78]
• Security teams see prompt injection and tool misuse as approval blockers, making pre-deployment simulation more attractive than log-only monitoring. [65][70][71]

Willingness to pay

Budgets already exist around identity, governance, and AI risk controls; the commercial case strengthens when the startup is positioned as the layer that unblocks production AI launches and reduces audit exposure rather than as discretionary experimentation tooling. [28][81][83][85]

Category dynamics

Growth signal 34.3% to 45.3% CAGR

Validation signals

• Snowflake chose acquisition over slow internal build, which is strong evidence that enterprise MCP governance has independent strategic value.
• Senior IT leaders already prioritize GenAI but still cite security and trust as major blockers, which aligns directly with the proposed wedge.
• Banking regulators and central-bank researchers are treating AI governance as an operational and systemic issue, not a future concern.
• Commercial market models project rapid growth in AI governance spend, even before agentic AI becomes mainstream.
• CISA, NIST, and OWASP now all publish agentic- or GenAI-specific control frameworks, which makes a dedicated budget line easier to justify.

Regulatory & technical constraints

• MCP authorization is optional at the protocol layer, so enterprises still need compensating controls for identity, policy, and auditability.
• Prompt injection and indirect instruction attacks remain practical in realistic agent workflows, which raises the bar for trust in autonomous access.
• Regulated deployments need documented oversight, privacy review, and clear accountability rather than opaque autonomous access.
• Non-human identity sprawl and secret handling become first-order engineering risks once agents span cloud platforms and SaaS systems.

The field is fragmented. Data platforms want governance to stay inside their stack, authorization vendors sell a reusable permissions substrate, and AI security vendors focus on runtime monitoring and policy enforcement. The whitespace is a neutral simulator and approval plane that spans Snowflake, Databricks, and SaaS systems in one workflow.

Why incumbents do not win by default

• Cloud data platforms. Snowflake and Databricks can govern agents that stay close to their own control planes, but multi-system estates still need a layer that reasons across non-native SaaS permissions and workflows.
• Authorization fabrics. Auth0 FGA and similar tools are powerful policy substrates, but customers still have to discover connectors, normalize entitlements, and package approval evidence for governance teams.
• AI security vendors. Zenity, Prompt Security, and Lakera emphasize runtime protection, shadow AI, or inspection, yet that does not automatically answer the pre-launch question of exactly what an agent could reach.
• Data governance vendors. Immuta-style policy engines govern data access well, but they are not purpose-built to simulate full agent workflows that traverse warehouse, file, and SaaS permissions in one approval motion.

Agent Data Scope Simulator should start as a neutral approval plane for Fortune 2000 financial-services and healthcare enterprises that are trying to move internal analyst or support agents from pilot to production across Snowflake or Databricks plus major SaaS systems. The first product should not begin as another agent runtime, generic AI security dashboard, or broad data governance suite; it should prove exactly what a named agent workflow could read before broad MCP connector access is approved. This beachhead is attractive because the user, buyer, trigger, pricing basis, and distribution channel line up around a blocked production-readiness review owned by data governance, platform, and security teams. Research-backed sizing supports an estimated $650.0M TAM, $156.0M SAM, and $12.0M year-3 SOM if the company stays focused on regulated multi-system deployments before expanding into broader enforcement and third-party agent onboarding. The core product should ingest native permissions and metadata from the first five common systems, simulate field- and record-level reach, and generate an approval packet with least-privilege recommendations and auditable evidence. The company can win if it becomes the neutral system of record for approved agent access envelopes that cloud data platforms, authorization fabrics, and runtime-security vendors do not naturally own across one workflow. The biggest disconfirming risks are platform bundling, deployment drag caused by messy entitlements, and the possibility that buyers demand runtime enforcement earlier than a read-only simulator can support. Two important evidence gaps remain in the inputs: independent proof of paid deployment depth outside Snowflake's ecosystem and direct pricing evidence for non-Snowflake buyers. The first 12 months therefore need to prove that regulated design partners will pay for approval and simulation first, that the first five connectors cover most blocked launches, and that pilots convert into production contracts without becoming consulting projects.

Problem

• Governance and platform teams cannot prove what an internal AI agent could read across Snowflake or Databricks plus SaaS systems before production, so launches stall in spreadsheet-based reviews.
• Existing IAM, warehouse permissions, and runtime-security tools each cover part of the control stack, but none gives one auditable cross-system approval motion for least-privilege access and post-launch drift.

Solution

• Build a read-first policy graph that ingests native permissions, catalog metadata, and SaaS scopes from Snowflake, Databricks, Salesforce, ServiceNow, and SharePoint, then simulates the exact data envelope a named agent workflow could reach.
• Generate an approval packet with least-privilege recommendations, redaction requirements, and auditor-ready evidence before launch, then add drift detection that flags when live reach diverges from the approved envelope.

Why we win

• The company sells launch-unblocking proof across multiple systems, not another single-stack governance add-on or runtime-only security layer.
• Regulated enterprises already have risk committees, audit expectations, and blocked internal-agent programs, which makes approval workflow a near-term purchase rather than speculative future tooling.
• Approved-versus-rejected access envelopes, normalized entitlement graphs, and drift histories can compound into a proprietary control dataset that is expensive for incumbents to recreate across customer estates.

Milestones

flowchart LR
  Wedge[Regulated internal-agent approval wedge] --> MVP[Cross-system simulation MVP]
  MVP --> Proof[Approved launches with auditable least-privilege evidence]
  Proof --> Expansion[Drift detection and broader control plane]

Founding team

Experiment roadmap

Risk assessment

What must be true

• At least half of qualified beachhead accounts must agree that pre-deployment cross-system proof is the primary blocker to production rather than a secondary concern.
• The first five supported connectors must cover the majority of real blocked-launch use cases in early design partners.
• A read-only simulator and approval packet must clear security review fast enough to close paid pilots without owning the runtime path.
• The first production workflow must support six-figure ARR with onboarding that stays inside a 30-day deployment window for most early customers.
• Neutral multi-system positioning must beat platform-native or manual alternatives often enough to maintain at least 50% pilot-to-production conversion.

Open diligence questions

• Which exact artifact unlocks the buying decision today: the blast-radius simulation, the approval packet, the audit trail, or drift monitoring?
• How often is the real blocker unclear entitlements versus adjacent problems such as poor metadata, missing tags, or prompt-injection concerns?
• Will buyers sign for simulation-only scope, or do most serious opportunities immediately require runtime enforcement and incident-response hooks?
• Which connector combinations appear most often in blocked launches, and how much value is lost if one major system is missing?
• Who owns the first budget in practice: CDO, platform engineering, security, or a broader AI program office?

Model sanity

• Revenue engine. Base-case revenue is driven by growing from 13 customers at Q4Y2 to 40 at Q4Y3 while recognized ACV rises from roughly $150K to $220K as accounts add drift and more governed workflows.
• Must go right. The company must keep pilot-to-production conversion near the plan and turn at least one partner channel into real Y3 pipeline rather than relying only on founders.
• Model breaks if. If buyers treat the simulator as consulting-heavy deployment work or insist on runtime enforcement before purchase, cash falls toward the downside case and the seed round stops short of breakeven.
• Next-round proof. Reaching 10-13 production customers with sub-30-day implementations and active drift monitoring by Q4Y2 is the milestone that should justify the next financing.

Scenarios

Sensitivity

flowchart LR
  QualifiedPipeline --> PaidPilots
  PaidPilots --> ProductionCustomers
  ProductionCustomers --> Revenue
  Revenue --> GrossProfit
  GrossProfit --> Cash

Flags: The model still depends on jumping from 13 customers at Q4Y2 to 40 at Q4Y3, so partner-channel execution and referenceability are the largest forecast risks. · Pricing evidence outside Snowflake-adjacent accounts is still thin in the source material, so the $220K realized Y3 exit ACV needs validation in the first production renewals. · Revenue per FTE reaches the high end of SaaS benchmarks by Y3, which means any miss on deployment speed or expansion will push profitability out materially.

• Platform bundling. Snowflake, Databricks, or major security vendors could bundle enough governance features to compress the independent wedge. Mitigation: Start in multi-system environments those platforms do not own, and win on cross-vendor simulation, approvals, and audit coverage instead of single-stack enforcement.
• Integration drag. Customers may have messy permissions, custom schemas, and legacy systems that make accurate reachability modeling hard. Mitigation: Begin with the five to seven systems that appear most often in regulated agent pilots and use a phased rollout that proves value before covering every edge case.
• Budget ambiguity. Some enterprises may treat agent governance as part of a broader AI program and delay buying a standalone product. Mitigation: Sell against blocked production launches and audit readiness, with pricing tied to specific agent workflows that are already waiting on approval.