Arcade raised $60M to fix the real wall blocking enterprise AI agents: what they’re allowed to do
This story continues at The Next Web
The problem with letting an AI agent loose inside a company is not that it might forget who it is. It is that it has no reason to hold back.
A human employee is restrained by the fear of being fired. An agent, as one investor in Arcade.dev put it, “will exhaustively exploit every permission it inherits” to reach its goal. Arcade has raised $60mn to make sure that, by design, it cannot.
The Series A was led by SYN Ventures, with strategic cheques from Morgan Stanley and Wipro. Added to a $12mn seed last year, it brings the San Francisco startup to $72mn in total funding.
Most companies can already verify that an agent is what it claims to be. What they cannot do, according to Arcade chief executive Alex Salazar, is prove that a given agent, acting for a given user, is allowed to perform a given action on a given system.
“Agents don’t fail in production because the model is wrong,” Salazar said. “They fail because nobody can prove” who is authorised to do what. That gap, he argues, is why so many corporate agents never leave the pilot stage.
Salazar, a former Okta product leader who once sold a startup to the identity firm, built Arcade with chief technology officer Sam Partee, formerly of Redis.
Arcade did not set out to build this. Its first product was an agent that diagnosed misbehaving servers and databases, which required sweeping super-user access. “No one in their right mind was going to actually let us do that in the real world,” Salazar said.
So the team split the model’s reasoning from the layer that actually touches tools, and built the part that decides which tools the agent may use. Nobody was excited about the diagnostic agent. Everybody who understood AI was excited about the authorisation layer. Arcade dropped the agent and kept the plumbing.
That plumbing now hangs off Anthropic’s Model Context Protocol, the emerging standard for connecting models to tools like email and internal APIs, to which Arcade says it has contributed. Its runtime checks each request against an organisation’s real permissions, can run inside a customer’s own environment, and logs every action so a company can tell an agent’s move apart from a human’s.
Salazar’s argument for why a control layer has to sit outside the agent is the oldest one in enterprise risk: the thing taking an action never gets to authorise itself. Traders don’t approve their own trades. A smarter model, he says, doesn’t change that, and because most companies run several models at once, the control layer has to be neutral to all of them rather than owned by any one vendor.
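The check Salazar describes (a given agent, acting for a given user, performing a given action on a given system), sketched as an added example that is not code from the article or from Arcade. The `Gate` class, the policy tables and every name in them are hypothetical, and the sketch assumes the effective permission is the intersection of what the user holds and what the agent has been delegated.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Request:
    agent: str   # which agent is asking
    user: str    # the human it acts for
    action: str
    system: str

@dataclass
class Gate:
    """Control layer outside the agent: the agent never authorises itself."""
    user_perms: dict    # user  -> {(system, action)} granted by the organisation
    agent_scopes: dict  # agent -> {(system, action)} the agent may be delegated
    audit: list = field(default_factory=list)

    def authorize(self, req: Request) -> bool:
        want = (req.system, req.action)
        user_ok = want in self.user_perms.get(req.user, set())
        agent_ok = want in self.agent_scopes.get(req.agent, set())
        allowed = user_ok and agent_ok  # deny by default; both must hold
        reason = "ok" if allowed else (
            "user lacks permission" if not user_ok else "outside agent scope")
        # Every decision is logged with actor_type so an agent's move can be
        # told apart from a human's in the same audit trail.
        self.audit.append({"actor_type": "agent", "agent": req.agent,
                           "on_behalf_of": req.user, "system": req.system,
                           "action": req.action, "allowed": allowed,
                           "reason": reason})
        return allowed

    def call_tool(self, req: Request, tool):
        if not self.authorize(req):
            raise PermissionError(f"{req.agent} for {req.user}: "
                                  f"{req.action} on {req.system} denied")
        return tool()  # the tool runs only after the external check passes

# Constructed sample policy, for illustration only.
GATE = Gate(
    user_perms={"alice": {("mail", "read"), ("db", "drop_table")},
                "bob": {("mail", "read")}},
    agent_scopes={"support-bot": {("mail", "read"), ("mail", "send")}},
)
```

Here alice may drop tables herself, but the agent acting for her may not, because that action is outside the scope delegated to the agent.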
It lands ami