The problem with letting an AI agent loose inside a company is not that it might forget who it is. It is that it has no reason to hold back.

A human employee is restrained by the fear of being fired. An agent, as one investor in Arcade.dev put it, “will exhaustively exploit every permission it inherits” to reach its goal. Arcade has raised $60mn to make sure that, by design, it cannot.

The Series A was led by SYN Ventures, with strategic cheques from Morgan Stanley and Wipro. Added to a $12mn seed last year, it brings the San Francisco startup to $72mn in total funding.

Identity is easy. Authorisation is the wall

Most companies can already verify that an agent is what it claims to be. What they cannot do, according to Arcade chief executive Alex Salazar, is prove that a given agent, acting for a given user, is allowed to perform a given action on a given system.

The 💜 of EU tech

The latest rumblings from the EU tech scene, a story from our wise ol’ founder Boris, and some questionable AI art. It’s free, every week, in your inbox. Sign up now!

“Agents don’t fail in production because the model is wrong,” Salazar said. “They fail because nobody can prove” who is authorised to do what. That gap, he argues, is why so many corporate agents never leave the pilot stage.

Salazar, a former Okta product leader who once sold a startup to the identity firm, built Arcade with chief technology officer Sam Partee, formerly of Redis.

The accidental product

Arcade did not set out to build this. Its first product was an agent that diagnosed misbehaving servers and databases, which required sweeping super-user access. “No one in their right mind was going to actually let us do that in the real world,” Salazar said.

So the team split the model’s reasoning from the layer that actually touches tools, and built the part that decides which tools the agent may use. Nobody was excited about the diagnostic agent. Everybody who understood AI was excited about the authorisation layer. Arcade dropped the agent and kept the plumbing.

Plumbing for the agent era

That plumbing now hangs off Anthropic’s Model Context Protocol, the emerging standard for connecting models to tools like email and internal APIs, to which Arcade says it has contributed. Its runtime checks each request against an organisation’s real permissions, can run inside a customer’s own environment, and logs every action so a company can tell an agent’s move apart from a human’s.

Salazar’s argument for why a control layer has to sit outside the agent is the oldest one in enterprise risk: the thing taking an action never gets to authorise itself. Traders don’t approve their own trades. A smarter model, he says, doesn’t change that, and because most companies run several models at once, the control layer has to be neutral to all of them rather than owned by any one vendor.

It lands amid a rush of startups selling ways to put AI agents to work and, increasingly, to fence them in. Arcade frames the incumbents as solving the wrong problem, with API gateways routing traffic and identity tools proving who you are, when the question is what an agent may do, on which system, right now. Its bet is that the boring layer underneath is where the durable business sits.

The catch

For now this is a roughly 40-person company that still has to scale and defend its turf in a field filling up fast. Several of its headline proof points, production use at the world’s largest banks, a 25-fold jump in usage, thousands of prebuilt tools, are Arcade’s own figures rather than independently verified.

The underlying argument, though, is hard to dismiss. As agents start acting on systems no single person fully understands, the question of what they are permitted to touch stops being a policy document and becomes infrastructure. Arcade is betting it owns that infrastructure.