Change-control plane that approves employee-built AI agents before they can act in Salesforce, Jira, GitHub, and Google Workspace.

1. A reported 65% AI-agent incident rate means enterprises already have enough failures to justify a dedicated control budget.
2. The risk surface is shifting toward how agents connect into internal systems, which creates a concrete security wedge around entitlements and actions.
3. Because agents are already embedded in employee workflows, governance has to work for decentralized business teams rather than only a central AI lab.
4. Seed financing for Willow shows investors believe the control layer is becoming its own category before incumbents fully absorb it.

Catalyst. Willow's financing and the cited rate of AI-agent incidents show enterprises already have agent-driven workflow risk, while agents connecting directly to internal systems make pre-deployment approval and rapid revocation newly urgent.

The product plugs into major agent builders, identity providers, and SaaS admin APIs to create a live registry of every internal AI agent, who created it, which tools it can touch, and what actions it can take. Before a new agent goes live, the platform generates an approval packet that shows its connected systems, requested scopes, risky write actions, and required human owner. It can block unapproved agents, set time-bound access, and trigger a kill switch if an incident, policy violation, or ownership gap appears. Security teams get a workflow-native control plane instead of scattered OAuth logs and manual app reviews, while business teams keep the speed of self-serve agent deployment. Over time, the registry becomes the authoritative inventory and policy engine for every agent acting inside the enterprise.

What's different. Existing IAM and SaaS-security tools can show permissions by user or app, but they are not designed around agents created by employees, tied to a workflow, and capable of chaining actions across multiple systems. AI observability tools focus on prompts, models, and outputs after the fact, while this product owns the approval, ownership, and revocation loop before and during deployment. Its moat comes from a growing graph of agent identities, action scopes, risky workflow patterns, and policy templates tuned specifically to employee-built agents rather than human users.

Jobs to be done

flowchart LR
  Buyer[CISO or Head of Enterprise AI] --> Pain[Unapproved agents acting in core SaaS systems]
  Pain --> Product[Employee agent change-control plane]
  Product --> Outcome[Safer self-serve agent rollout with instant revocation]

Executive takeaways

• The real wedge is not generic AI security but cross-platform change control for employee-built agents that can act inside business SaaS.
• Native platform governance is arriving fast, but it remains vendor-siloed; mixed-stack enterprises still lack one approval path, one owner record, and one rapid revocation workflow across agent builders.
• Buyer urgency is being pulled forward by actual incident rates, shadow-agent discovery, and governance immaturity rather than by abstract future regulation alone.
• The most defensible product layer combines entitlement simulation, ownership assignment, and rapid revocation with an inventory graph of agents, tools, and delegated actions.
• Go-to-market should start where business teams already ship agents without central review: support, revops, and internal IT inside Microsoft-, Google-, and Salesforce-heavy service firms.

Market definition

Cross-platform governance software for employee-built and business-deployed AI agents that can read, write, or trigger actions in enterprise SaaS systems.

Customer and buyer

Primary user is the enterprise AI platform or security team that must approve and trace agent access; economic buyer is typically the CISO, CIO, or head of enterprise AI platform.

Buying triggers

• A security incident, scope violation, or shadow-agent discovery creates immediate demand for one owner registry and one rapid revocation workflow. [17][18][19]
• A broader rollout of Copilot Studio, Agentforce, Gemini, or similar builders forces central teams to replace ticket reviews with explicit approval controls. [2][3][5][6][7]
• Compliance programs become urgent when enterprises realize governance maturity trails adoption and upcoming oversight expectations. [9][10][13][14][15]

Willingness to pay

Enterprises are already paying for agent capacity on usage and per-user models, while incident and visibility gaps create a separate security budget justification. A control layer can price against avoided review labor and faster incident containment, not just against raw model spend. [7][13][17][18][19]

Category dynamics

Growth signal 33% to 54% operational AI-agent adoption over roughly two years in KPMG’s panel

Validation signals

• Willow’s funding and Wix design-partner endorsement validate that enterprises already perceive agent governance as a distinct problem.
• CSA’s surveys show unknown agents, scope violations, and incidents are already common, which supports an urgent control-plane wedge.
• Gravitee’s report suggests security approval coverage is still far behind production deployment, leaving a clear operational gap.
• Major platforms are racing to add their own governance panes and policy surfaces, confirming buyer demand even if solutions remain siloed.

Regulatory & technical constraints

• Any product in this category has to map delegated agent authority to explicit least-privilege controls, approval evidence, and audit logs across connected tools.
• Prompt injection and tool-misuse risks mean approval-only products eventually need runtime hooks or fast revocation paths.
• Enterprises need traceable human ownership and documented oversight to align with evolving AI-governance expectations.
• Service-account reuse and shared credentials break attribution, so identity-layer integrations are a technical requirement, not just a nice-to-have.

The field is splitting into three camps: platform-native governance inside major clouds and SaaS suites, identity/NHI vendors extending into agents, and AI-security vendors focused on posture plus runtime detection. The whitespace is a workflow-native approval plane that works across all three.

Why incumbents do not win by default

• Cloud platforms. Microsoft, Google, and Salesforce can add strong controls inside their own stacks, but mixed-stack enterprises still need one inventory and one approval layer across builders, connectors, and external SaaS actions.
• Identity and NHI vendors. Identity-first players are strong at credentials, service accounts, and least privilege, but they do not automatically own the business workflow for pre-launch approval, owner assignment, and delegated-action signoff.
• SaaS security vendors. Discovery-heavy SaaS security tools can expose shadow AI and app sprawl, yet they are not the default place where security and business teams jointly simulate and approve agent reach before go-live.
• Generic AI security platforms. Runtime monitoring is important, but buyers still need pre-deployment guardrails and an ownership system of record before a risky agent ever reaches production data.

Employee Agent Change Control should start as a cross-platform approval plane for business-built agents inside 1,000-5,000 employee digital-product and services companies, not as another generic AI security dashboard, agent runtime, or single-vendor admin add-on. The first customer is a roughly 2,000-person services or software-heavy operator where support, revops, and internal IT teams already connect Copilot Studio, Agentforce, or Gemini-style agents into Salesforce, Zendesk, Jira, GitHub, and Google Workspace without a central review path. The buying trigger is an incident, audit finding, or enterprise rollout decision that forces the CISO or CIO to prove which employee-built agents can act in core systems and who owns them. Research supports a sizable market at an estimated $2.5B TAM, $360.0M SAM, and $6.0M modeled year-3 SOM if the company stays focused on mixed-stack enterprises rather than chasing single-platform deployments. The MVP should begin with agent inventory, entitlement simulation, owner assignment, approval packets, and a fast kill switch across the few builders and SaaS systems that dominate early deployments. The company can win if it becomes the workflow-native system of record for approved agent reach across Microsoft-, Google-, and Salesforce-heavy estates that native controls do not unify. The main risk is that platform, identity, and AI-security incumbents ship good-enough governance faster than the startup builds distribution. A second major gap is that direct standalone pricing evidence and discovery completeness behind shared service accounts are still unproven, so the first 12 months must test whether buyers will pay for a neutral approval overlay and whether inventory can be complete enough to earn trust.

Problem

• Security and enterprise AI platform teams cannot see, approve, and revoke employee-built agents consistently once business teams connect them into Salesforce, Jira, GitHub, Google Workspace, Zendesk, and similar core SaaS systems.
• Existing IAM, SaaS-admin, DLP, and AI-observability tools govern humans, apps, or runtime behavior in isolation, but they do not provide one cross-platform approval workflow with a named owner, scoped entitlements, and immediate revocation before go-live.

Solution

• Build a control plane that inventories every internal agent, maps creator and owner, simulates reachable systems and risky actions, and generates an approval packet before high-privilege connections go live.
• Start with read-mostly approval, time-bound access, and one-click revocation across the most common builders and SaaS systems, then add runtime drift and enforcement only after approval workflow adoption is proven.

Why we win

• The product solves a mixed-stack problem that Microsoft, Google, and Salesforce address only inside their own ecosystems.
• Approval packets, owner assignment, and fast revocation map directly to the buyer's blocked-rollout problem more tightly than broad AI-security posture or observability products do.
• A growing graph of agents, scopes, owners, downstream actions, and drift events can compound into a differentiated risk and policy dataset across customers.

Milestones

flowchart LR
  Wedge[Mixed-stack agent approval wedge] --> MVP[Inventory plus approval packet MVP]
  MVP --> Proof[Named owners, faster approvals, and rapid revocation]
  Proof --> Expansion[Drift monitoring and broader control plane]

Founding team

Experiment roadmap

Risk assessment

What must be true

• Mixed-stack enterprises must view cross-platform agent approval as a funded problem rather than a temporary extension of manual review.
• The initial builder and SaaS connector bundle must cover most risky business-led agent deployments in the beachhead.
• Discovery must be complete enough to expose shadow agents and support owner assignment without large manual cleanup projects.
• Buyers must adopt approval workflow and kill switch controls before demanding full runtime enforcement in the first contract.
• The first production deployment must support roughly $45k+ annual value while keeping onboarding productizable.

Open diligence questions

• How often does a mixed-stack customer actually cross a vendor boundary where native controls stop being sufficient?
• What percentage of risky agents in early pilots can the product discover when service accounts and generic OAuth apps are involved?
• Which specific approval artifact changes the buying decision: inventory, entitlement simulation, owner record, or kill switch?
• Who owns the first budget in practice once the problem moves from incident response to scaled rollout: security, identity, or enterprise AI platform?
• What pilot packaging and pricing produce the best conversion without turning onboarding into consulting?

Model sanity

• Revenue engine. Annual subscriptions at $50K ARPU scale through a 60% pilot-to-production conversion funnel, compounding from 4 customers in Y1 to 110 by end Y3 as AE and partner channels augment founder-led sales from Q1Y2 onward.
• Must go right. The first 3–5 paid pilots must sign by Month 8 and convert at 50%+ to sustain the Series A milestone of 18+ customers by Q3Y2; a single quarter of stalled pilot signings delays every subsequent funding and headcount milestone.
• Model breaks if. Microsoft, Google, or Salesforce ships credible cross-vendor agent governance within 18 months, compressing ARPU below $35K and reducing Y3 revenue by ~$990K per the ARPU sensitivity row, which makes the Series A milestone unreachable on the current cost structure.
• Next-round proof. Series A at Q3Y2 requires 18 production customers and an ARR run-rate above $850K demonstrated across both direct and at least one partner channel, consistent with the base-case cash low-point of $1,875.8K and the Y3 burn multiple of 0.29x.

Scenarios

Sensitivity

flowchart LR
  Leads --> Pilots
  Pilots --> Production
  Production --> ARR
  ARR --> GrossProfit
  GrossProfit --> EBITDA
  EBITDA --> Cash
  Partners --> Pilots
  Churn --> Production

Flags: Series A close in Q3Y2 is load-bearing: the $8M raise is reflected as a $9,875.8K cash jump in that quarter; without it the company exhausts seed before reaching Q2Y3 · Pilot-to-production conversion assumed at 60%; if it falls below 40% for two consecutive quarters the Series A milestone is missed and the model requires a bridge or immediate burn reduction · Discovery completeness is unproven — BP operating assumption requires 80%+ agents discoverable; incomplete inventory reduces pilot confidence and threatens the $50K ACV anchor · Platform-native governance risk is rated high-likelihood and high-impact in the BP risk register; ARPU compression from $50K to $35K reduces Y3 revenue by ~$990K per sensitivity analysis

• Incumbent bundling. Identity, SaaS-management, or agent-platform vendors may ship partial approval and inventory features before the startup gets distribution. Mitigation: Win on cross-platform depth, workflow-specific policy templates, and faster incident revocation across mixed agent stacks rather than single-vendor environments.
• Discovery blind spots. If many employee-built agents are created outside supported builders or hide behind generic service accounts, the inventory could feel incomplete. Mitigation: Start with the few builders and SaaS systems that account for most business-led deployments, then expand discovery through identity, OAuth, and admin-log integrations.
• Security friction backlash. Business teams may resist a product that feels like a new approval bottleneck and route around it with shadow automation. Mitigation: Lead with fast approvals, clear ownership, and one-click templates that let safe agents launch quickly while escalating only high-risk scopes.