Skip to main content
EnforceAuth
Back to Blog
Industry Analysis

Onyx Security’s $40M Round Validates AI Agent Security — But Who’s Enforcing Authorization?

Onyx Security just raised $40M to build a behavioral control plane for AI agents. It’s a smart bet on a real problem. But behavioral oversight and authorization enforcement are two different questions, and the security stack needs both answers.

Mark Rogge, CEO7 min read

Written by Mark Rogge, CEO & Founder, EnforceAuth

Onyx Security just raised $40 million. Conviction Partners and Cyberstarts led the round, and they've already got Fortune 500 customers in production. That's a real accomplishment, and I want to be clear: congrats to the Onyx team. They earned it.

But the announcement got me thinking about a distinction that I don't think enough people are making yet.

Two Questions, Not One

Onyx Security built what they call a Guardian Agent, a supervisory AI that watches your other AI agents' reasoning in real time, blocks actions that look wrong, flags anomalies, and steers things back on course. That's a control plane. A control plane is the centralized layer that monitors and manages the behavior of distributed systems or agents, deciding what gets allowed and what gets blocked based on observed activity. And control planes matter.

Here's the thing, though. A control plane monitors whether your agents are behaving correctly. It still doesn't answer a more fundamental question: were they authorized to touch that in the first place?

Those are different problems. The security stack needs to solve both.

Behavioral oversight asks: "Is this agent doing something that seems wrong?" Authorization enforcement asks: "Was this agent allowed to do this, according to what policy, and where's the receipt?" One is probabilistic. The other is deterministic. And that gap between them is exactly where things break in production.

What the Authorization Gap Actually Looks Like

The Authorization Gap is the disconnect between authenticating an identity (proving who or what it is) and actually enforcing what that identity is permitted to do, across every resource it touches. Most enterprises have solved authentication. Authorization, especially for AI agents and non-human identities, remains largely ungoverned.

I'll make it concrete. Say your AI agent accesses a sensitive database. Was it authorized to? By what policy? Logged where? Those aren't hypothetical questions. They're the questions your auditor is going to ask, and "our Guardian Agent didn't flag it" is not an answer that satisfies a DORA examiner.

Go one level deeper. The human who deployed that agent and granted it permissions. Were they authorized to delegate that level of access? Most orgs don't even track delegation chains for human-to-agent privilege handoffs, let alone enforce policy around them.

And then there's the non-human identity problem, which is frankly the part that keeps me up at night. Your enterprise has 800-plus service accounts, API keys, and OAuth tokens that agents interact with on a daily basis. How many of those are over-privileged? How many were provisioned two years ago for a project that doesn't exist anymore? When your SOC 2 or HIPAA auditor asks for a full authorization trail across AI workloads, what exactly do you hand them?

Behavioral oversight can't answer any of these. Not because it's bad technology. Because it's solving a different problem.

Probabilistic vs. Deterministic: Why It Matters

Look, I respect what Onyx built. A supervisory AI that reasons about another AI's behavior is genuinely useful for catching weird stuff in real time. But it's probabilistic by nature. It can be manipulated. It can hallucinate. It can be adversarially bypassed by a sufficiently clever prompt injection.

Policy-as-code enforcement doesn't have those failure modes. It is deterministic. A Rego policy or a Cedar rule either allows an action or it doesn't. There's no ambiguity, no confidence score, no "well, it seemed fine." Every decision gets logged. Every decision is auditable. Every decision is explainable to a regulator in plain language.

You can't prompt-inject a policy engine. That sentence alone should tell you why both layers need to exist.

The Coverage Question Nobody's Asking

Side-by-side comparison showing Onyx Security covers only AI agents while EnforceAuth covers all four identity types: AI agents, human identities, service accounts and API keys, and OAuth tokens and CI/CD pipelines. Center callout notes that non-human identities outnumber humans 50 to 1 in enterprise environments.

Onyx focuses on AI agents. That makes sense for a startup picking its wedge. But AI agents are one identity type in an enterprise environment. They're not even the most common one.

Non-human identities outnumber human users roughly 50 to 1 in the average enterprise. Service accounts, API keys, OAuth tokens, CI/CD pipeline credentials. These are the identities that AI agents interact with and inherit permissions from. If you're only governing the agent's behavior without governing the permissions of everything the agent touches, you've got a gap big enough to drive a breach through.

EnforceAuth covers all four layers: AI agents, human identities, service accounts and API keys, OAuth tokens and CI/CD pipelines. Not because we wanted to build a bigger product, but because authorization doesn't respect identity type boundaries. A policy that governs an AI agent accessing a customer database needs to also account for the service account credentials it's using, the human who delegated those credentials, and the OAuth token that authenticated the API call. It is one decision chain. Governing only the top layer is like putting a lock on your front door and leaving the windows open.

Complementary, Not Competitive

Behavioral control planes and authorization enforcement layers solve different problems, and enterprises need both. I don't think Onyx is wrong. I think they're right about a piece of the puzzle that genuinely needed building. Behavioral monitoring of AI agents in real time? Yes, enterprises need that.

But the Authorization Gap sits beneath every control plane. Beneath Onyx's. Beneath whatever Google and Microsoft ship next. Beneath the internal tools that Fortune 500 security teams are cobbling together right now.

The control plane watches what agents do. The enforcement layer governs what they're allowed to do. You need both. And right now, most organizations have invested heavily in the first question while barely acknowledging the second one exists.

Common Questions About AI Agent Control Planes vs. Authorization

What is the difference between a control plane and an authorization enforcement layer?

A control plane monitors AI agent behavior in real time, flagging or blocking actions that look anomalous. An authorization enforcement layer is different. It evaluates every action against explicit, predefined policies and returns a deterministic allow or deny decision before the action executes. One watches what agents do; the other governs what they're permitted to do.

What is the Authorization Gap?

The Authorization Gap refers to the disconnect between authentication (verifying an identity) and authorization (enforcing what that identity can access). Most enterprises have invested heavily in authentication through SSO and MFA, but fine-grained authorization for AI agents, service accounts, and machine identities remains largely unaddressed. That's where breaches and audit failures tend to originate.

Can behavioral AI monitoring replace authorization policies?

No. Behavioral monitoring is probabilistic. It can be manipulated, it can hallucinate, and it can be bypassed by adversarial prompt injection. Policy-as-code enforcement is deterministic: a Rego or Cedar rule either allows an action or it doesn't. You need both layers, but one does not substitute for the other.

What identity types need authorization in an enterprise?

Enterprises have at least four identity types that require authorization governance: AI agents, human identities, service accounts and API keys, and OAuth tokens and CI/CD pipelines. Non-human identities outnumber humans roughly 50 to 1, and AI agents frequently inherit permissions from these other identity types. Governing only the agent layer leaves the majority of your identity surface unprotected.

What $40M Tells Us About the Market

Onyx's round is great news for everyone building in AI agent security. Not just for Onyx. A $40 million raise from Conviction and Cyberstarts, with Fortune 500 customers already live, means "AI agent security" is now a budget line item for CISOs. It is not a whiteboard conversation anymore. Security leaders are spending real money to solve this problem, and that rising tide matters.

But here's what I think happens next. Once you have a control plane watching agent behavior, the immediate follow-up question is: "How do we enforce who's authorized to access what?" Because monitoring without enforcement is just a really expensive way to watch things go wrong in high definition.

That's the question EnforceAuth exists to answer. We're the enforcement layer beneath the control plane. Policy-as-code, deterministic, auditable, covering every identity type in your environment. Sub-50ms decisions at enterprise scale.

If you're a CISO asking "what comes after a control plane?" I'd like to show you what we built.

About EnforceAuth

EnforceAuth is the AI Security Fabric for the agentic era. We provide decision-centric authorization across applications, infrastructure, data, and AI workloads. Write policy once. Enforce everywhere.

Follow us on LinkedIn

All posts