Arcade.dev has raised $60 million to enhance the security of enterprise AI agents.

      The issue with allowing an AI agent to operate freely within a company is not that it may lose its identity; rather, it lacks any reason to restrain itself. A human employee is held back by the fear of termination, but an agent, as one investor from Arcade.dev noted, “will thoroughly exploit every permission it has” to achieve its objectives. Arcade has secured $60 million to ensure that, by design, this is not the case.

      The Series A funding round was led by SYN Ventures, with strategic investments from Morgan Stanley and Wipro. This, combined with a $12 million seed raised last year, brings the total funding for the San Francisco startup to $72 million.

      Identifying an agent is straightforward, but authorizing actions is more challenging. Most companies can confirm that an agent is genuine, but as Arcade's CEO Alex Salazar points out, they struggle to demonstrate that a specific agent, on behalf of a particular user, is permitted to execute a specific action within a given system.

      “Agents don’t fail in production due to flaws in the model,” Salazar stated. “They fail because there’s no way to prove” who is authorized to do what. He suggests that this lack of clarity is the reason many corporate agents remain in pilot phases.

      Salazar, a former product leader at Okta who sold a startup to the identity firm, founded Arcade with CTO Sam Partee, who previously worked at Redis.

      The unintentional product

      Arcade didn't initially aim to create its current offering. The first product was an agent designed to diagnose malfunctioning servers and databases, which necessitated extensive super-user access. “No one in their right mind would actually allow that in reality,” Salazar remarked.

      Consequently, the team separated the model’s reasoning from the layer that interacts with tools, creating the component that determines which tools an agent can utilize. The diagnostic agent didn’t attract much interest, but there was significant excitement for the authorization layer from those familiar with AI. Arcade decided to abandon the agent and focus on the underlying infrastructure.

      Infrastructure for the agent era

      That infrastructure now supports Anthropic’s Model Context Protocol, which is emerging as the standard for connecting models to tools like email and internal APIs, to which Arcade claims to have contributed. Its runtime verifies each request against an organization’s actual permissions, can operate within a customer's own environment, and logs every action, allowing a company to distinguish between an agent’s actions and those of a human.

      Salazar argues that a control layer must remain separate from the agent, echoing an age-old principle in enterprise risk: the entity performing an action cannot authorize itself. Traders do not approve their own trades. He asserts that a more advanced model does not alter this principle, and since most companies operate multiple models simultaneously, the control mechanism should remain neutral rather than be tied to any single provider.

      This approach emerges in a landscape increasingly populated by startups offering ways to deploy AI agents and, more importantly, to regulate their actions. Arcade positions existing solutions as addressing the wrong issue, focusing on API gateways directing traffic and identity tools confirming identity, while the real question pertains to what an agent is allowed to do on a specific system at any moment. The company’s wager is that the unexciting foundational layer is where sustainable business will thrive.

      The caveat

      Currently, the company employs around 40 people and must expand and secure its position in a rapidly growing market. Many of its notable success indicators, such as production usage at leading global banks, a 25-fold increase in utilization, and thousands of prebuilt tools, are based on Arcade’s own data rather than independent verification.

      Nonetheless, the core argument is difficult to refute. As agents begin interacting with systems that no single individual fully comprehends, the issue of their permissions transitions from policy documentation to infrastructure. Arcade is contending that it controls that infrastructure.