BREAKING Credal.ai raises $4.8M seed led by Spark Capital Processing 1M+ LLM queries / month, every one permission-checked In production at MongoDB, Wise, Comcast & the US government Y Combinator W23 • Built by two ex-Palantir engineers Now: The Control Plane for Enterprise Agents BREAKING Credal.ai raises $4.8M seed led by Spark Capital Processing 1M+ LLM queries / month, every one permission-checked In production at MongoDB, Wise, Comcast & the US government Y Combinator W23 • Built by two ex-Palantir engineers Now: The Control Plane for Enterprise Agents
Company Dossier • Enterprise AI • New York

Credal.ai

The permission layer enterprise AI forgot. Credal connects your company's data to any model - and refuses to leak a thing.

AI Security AI Agents Governance RAG & MCP B2B SaaS
Credal.ai logo
The wordmark of a company whose whole product is a promise: your AI can see the data, but only the data this particular person was already allowed to see.
Share this dossier LinkedIn Twitter / X Facebook Instagram
$4.8M
Seed Round, 2023
1M+
LLM Queries / Month
50+
Connected Systems
~18
People, NYC
The Profile

The Company That Sells Enterprise AI a Seatbelt

Here is a fact about large language models that everyone in a boardroom loves and everyone in a security team dreads: they are extremely good at reading documents and telling you what is in them. This is wonderful when the document is a product FAQ. It is considerably less wonderful when the document is the compensation spreadsheet, and the person asking the AI a friendly question is an intern who was never supposed to see it. The model does not know the difference. The model just reads.

Credal.ai is a New York company that exists in the gap between those two sentences. Its pitch is not that AI is magic - everyone already believes that - but that AI is dangerous in a specific, boring, expensive way, and that the danger is a plumbing problem. Somebody has to sit between the model and the company's data and enforce, on every single request, the rule that already exists inside the organization: this person is allowed to see this, and not that. Credal is that somebody.

"Connect your company data to AI while automatically redacting, anonymizing, and warning when sensitive data is about to be sent off-network." - Credal's founding pitch, 2023

Two Palantir engineers walk into a compliance meeting

The company was founded in 2022 by Ravin Thambapillai and Jack Fischer, who met at Palantir - the sort of place where you learn, viscerally, that the hard part of putting software into a bank or a hospital is not the software. It is the seven months of security review, the permission model, the audit trail, the lawyer in the corner asking what happens if this leaks. Thambapillai spent roughly seven years there building AI-powered systems inside large financial institutions. Before that he was at Google, and before that he studied Philosophy, Politics and Economics at Oxford and taught himself to code. His LinkedIn vanity URL is, with a straight face, linkedin.com/in/ai-security.

The two of them bonded, by their own account, over a shared interest in security and compliance, which is either the least romantic origin story in startups or exactly the right one for this particular business. Their first product did not work. They pivoted toward AI security and governance, and the thing started to grow - by their telling, 20 to 30 percent a month. The lesson, which they have repeated in interviews, is the oldest one there is: they stopped building what they wanted and started building what regulated enterprises actually needed to say yes.

What it actually does

Strip away the vocabulary and Credal is a control plane - a single place where a company decides which AI agents exist, what data and tools each one can touch, and what gets logged when they act. The clever part is what Credal calls permission synchronization. Rather than asking a customer to rebuild its entire access-control scheme from scratch, Credal inherits the permissions that already live in Google Drive, Slack, Salesforce, SharePoint and 50-odd other systems, and mirrors them. When an employee asks a Credal-powered agent a question, the agent can only retrieve the documents that employee could already open by hand. The intern still cannot see the comp sheet. The model reads only what it is allowed to read.

On top of that sits the unglamorous, essential machinery: data-loss prevention that redacts and anonymizes personally identifiable information before it ever reaches an external model; human-in-the-loop approval gates for sensitive actions; and an audit log that records every prompt, every response, every action an agent takes. In a regulated industry, that log is not a feature. It is frequently the entire reason the deal closed.

The pattern here is familiar from every previous enterprise-software wave: the exciting part is the demo, and the durable business is the governance nobody wants to build themselves.

The economics of boring

Consider the money. Credal raised a $4.8 million seed round in October 2023, led by Spark Capital, with Alumni Ventures, Swell Partners and Adeline Arts and Science along for the ride - about $5 million in total funding. That is a modest number by the standards of a category where companies routinely raise nine figures to train models. But Credal is not trying to train a model. It is trying to be the thing every model has to pass through on its way into a regulated company, which is a very different sort of business with a very different balance sheet. You do not need a nine-figure round to build a permission-enforcement layer; you need a small, technical team and a lot of patience for security questionnaires.

An 18-person company processing more than a million governed queries a month is, in the arithmetic of enterprise software, a good ratio. The whole appeal of infrastructure that sits in the request path is that it scales with usage rather than headcount. Every new agent a customer builds, every new data source it connects, every new employee who starts asking the AI questions - all of it flows through the same control plane, and none of it requires Credal to hire proportionally. This is the quiet leverage that makes governance companies interesting to investors who have watched the model-training arms race set money on fire.

What a control plane actually promises

The phrase "control plane" is borrowed, deliberately, from networking, where it refers to the layer that decides how traffic moves rather than the layer that carries it. Applied to AI, the analogy is precise. Credal does not want to be the model, and it does not particularly want to be the application. It wants to be the layer that sits above both and answers the questions a nervous executive actually asks: Which agents exist inside my company? What can each of them touch? Who approved that? Show me everything this one did last Tuesday. Turn that one off.

Framed that way, Credal is selling something closer to accountability than intelligence. The deployment options underline the point - cloud, on-premise, or hybrid, with SOC 2 Type 2, GDPR and CCPA compliance, because a hospital or a bank cannot always let its data leave the building, and a control plane that only runs in someone else's cloud is a non-starter for exactly the customers Credal wants. The willingness to run inside the customer's own walls is itself a sales argument, and a reminder that this is a company organized around the word "no" as much as the word "yes."

Who is paying for this

The customer list is the argument. Credal says it is in production at MongoDB, Wise, Checkr, Lattice, incident.io, Comcast NBCUniversal, Flatiron Health, ButterflyMX, the IFRS Foundation - and the US Department of Health and Human Services. That last one matters more than it looks. A federal health agency does not adopt a two-year-old startup's AI infrastructure casually; it does so after a compliance review that would make most founders weep. Clearing that bar is, in a sense, the product working exactly as advertised.

Across those customers, Credal says it processes more than a million LLM queries a month, each one passing through its permission checks. Which points at the genuinely hard engineering problem underneath the compliance story: governance has to be fast. If checking who is allowed to see what adds a second to every answer, nobody uses the AI, and the whole thing collapses back into a slide deck. The trick is to be invisible - to enforce the rules in the request path without anyone noticing they were enforced.

The bet on agents

Credal has since repositioned itself, in the current argot, as "the control plane for enterprise agents." The shift tracks where the industry went. In 2023 the fear was that an AI might read the wrong document. In 2025 the fear is that an AI might do the wrong thing - post to the wrong Slack channel, update the wrong Salesforce record, email the wrong customer - because agents no longer just answer, they act. Credal added an agent registry (a dashboard to register, verify and revoke agents and the newly fashionable MCP servers), tool-level access controls, and governance for multi-agent workflows.

It is a crowded-ish field - Credo AI, OneTrust, TrueFoundry, MintMCP and enterprise-search incumbents like Glean all circle the same anxiety from different angles. Credal's wager is that the winning position is the one closest to the data and the permissions, rather than the one closest to the model or the policy PDF. Whether that is right is unknowable today. What is knowable is that the anxiety is real, the buyers are regulated, and the company that can honestly say "here is the log of everything the AI did, and here is proof it only saw what it was allowed to" has something worth paying for.

There is a version of the AI story where the winners are the companies with the biggest models and the flashiest demos. There is another version - quieter, less fun at parties - where the winners are the companies that made all that capability safe enough to actually turn on inside a place with real customers and real regulators and real consequences. Credal is a wager on the second version. It is a small team in New York selling the least glamorous thing in artificial intelligence, which is the assurance that nothing embarrassing is going to happen. So far the bet is holding.

What You Can Build

The Toolkit

01

Agent Control Plane

Build, govern and deploy AI agents and MCP servers powered by company data, all from one dashboard.

02

Permission Sync

Mirrors user access controls across 50+ systems automatically. AI only ever sees what the user already could.

03

Agent Registry

Register, verify and revoke every agent, tool and MCP server across the organization.

04

DLP & PII Redaction

Redacts, anonymizes and warns before sensitive data is ever sent to an external model.

05

Audit & Risk Monitoring

Complete logging of every prompt, response and action - with proactive flagging of risky behavior.

06

Human-in-the-Loop

Configurable manual approval gates so a person stays on the wheel for sensitive operations.

In Production At

Who Runs Their AI on Credal

MongoDB Wise Checkr Lattice incident.io Comcast NBCUniversal Flatiron Health ButterflyMX Informdata Guidewheel IFRS Foundation US Dept. of Health & Human Services

Customer names per Credal's public site & press coverage. Approximate, current as of 2026.

The Story So Far

Timeline

2022

Ravin Thambapillai and Jack Fischer, both ex-Palantir, found Credal in New York.

Winter 2023

Credal joins Y Combinator's W23 batch.

Oct 2023

Raises a $4.8M seed round led by Spark Capital. Covered by TechCrunch and SiliconAngle.

2024

Reports 20-30% monthly growth and 1M+ permission-checked LLM queries per month across enterprise customers.

2025

Repositions as "the control plane for enterprise agents," adding an agent registry, MCP server management and multi-agent governance.