The company that turned a messy engineering afterthought - who is allowed to access what - into a category of its own: Policy-Based Access Control.
PlainID's "iD" mark. The Tel Aviv-based authorization company sells to Fortune 500 enterprises across banking, healthcare, telecom, and government.
Every data breach has a quiet subplot: someone, or something, had access it should never have had. PlainID spent a decade building the layer that decides that question - and then answers it millions of times a second.
Most software makes access decisions the messy way. A permission gets hard-coded into an application, another into a database, a third into an API gateway. Multiply that across hundreds of systems and thousands of employees, partners, and machines, and you get what the industry politely calls "access sprawl" - and what security teams call a liability they cannot see.
PlainID, founded in Israel in 2014, was built to collapse that sprawl into one thing: policy. Instead of scattering access rules through code, the company's platform lets an organization define who can do what, under which conditions, in a central place - and then enforces those decisions dynamically, in real time, wherever an interaction happens.
The approach has a name PlainID helped popularize: Policy-Based Access Control, or PBAC. It builds on older standards like ABAC and XACML, but the pitch is plainer than the acronyms suggest. Take access logic out of the hands of individual developers, hand it to the security teams who are accountable for it, and make the decision context-aware rather than static.
That single design choice - decoupling the access decision from the application - is the through-line of everything PlainID has built since, from data and API authorization to its newest frontier: controlling what AI agents are allowed to touch.
Authentication asks "who are you?" Authorization asks the harder question: "now that I know who you are, what exactly can you do?" PlainID lives entirely in that second question.
The PlainID Authorization Platform sits between identities and the digital assets they want to reach - data stores, applications, APIs, microservices, SaaS tools, and now AI systems. When a request comes in, the platform evaluates it against centrally managed policies and returns a decision in real time: allow, deny, or mask. Because policies factor in identity, attributes, and context, the same user can be granted access in one situation and denied in another.
The platform is organized around a few clear jobs. Discover gives teams visibility into the access policies already buried across their systems. Manage standardizes how those policies are authored and maintained. Authorize enforces decisions at run time through a set of enforcement points and an Integration Hub that plugs into the existing stack. And Policy 360, launched in 2025, ties it together with a single view of every policy - its logic, metadata, dependencies, and history - so nothing hides in a corner.
The customers are large and, tellingly, regulated. PlainID concentrates on financial services, healthcare, insurance, telecommunications, pharmaceuticals, and government - industries where "who accessed what, and were they allowed to?" is not a philosophical question but an audit requirement. Public reporting and the company's own materials point to Fortune 500 organizations among its user base.
When access rules live inside application code, they are invisible, inconsistent, and slow to change. A developer bakes in a rule; years later, no one remembers why it exists or dares to remove it. Compliance teams cannot audit what they cannot see. And when a business rule changes, engineering has to touch dozens of systems to keep up.
PlainID's answer is to make policy a first-class, externalized asset. Change a policy once, and every enforcement point across the enterprise follows. That is also what makes Zero Trust architectures actually workable: you can verify an identity perfectly and still hand it the wrong data if your authorization is static. PlainID is the dynamic decision engine that keeps "never trust, always verify" from stopping at the front door.
The broader identity market is crowded with names that manage logins and lifecycles - Okta, Ping Identity, ForgeRock, SailPoint. PlainID deliberately plays a narrower, deeper game: the authorization decision itself. Its closest peers are specialists like Axiomatics, Styra and the Open Policy Agent community, Cerbos, Oso, and SGNL.
What sets PlainID apart within that field is breadth of enforcement paired with a business-oriented interface. It aims to cover data, APIs, microservices, SaaS, and AI from one policy plane, while keeping policy authoring accessible to security teams rather than only to engineers. Policy 360 and its AI-driven Policy Intelligence lean into that, using analysis of existing access data to surface patterns and recommend policies rather than making teams write everything from scratch.
The core PBAC engine that centralizes access decisions across data, apps, APIs, and services, enforcing them dynamically in real time.
A unified, 360-degree view of every access policy - logic, metadata, dependencies, and actions - so teams can discover, manage, and monitor in one place.
Run-time access control for AI agents, including a LangChain Authorizer plus RAG and MCP controls, so LLM-driven agents only access and expose permitted data.
Enforcement points and out-of-the-box integrations that connect the platform to identity providers and the existing tech stack.
AI-driven analysis of existing authorization data that discovers access patterns and recommends optimized policies.
B2B subscription software. PlainID typically lands with one use case - data, API, or workforce access - then expands across the enterprise via partners and integrators.
PlainID's origin is not a garage story. Its founders came out of banking security and Israel's military computing world - places where getting access wrong has real consequences. CEO Oren Ohayon Harel was previously Deputy CISO at one of Israel's largest banks. Co-founder and CTO Gal Helemski, now also Chief Innovation and Product Officer, spent six years in the IDF's elite Mamram computing unit and holds a physics and computer science degree from Bar-Ilan University.
PlainID has raised close to $99-100M across four rounds. The headline event was a $75M Series C in December 2021 led by Insight Partners, with participation from Viola Ventures and others. But an earlier, quieter signal mattered too: in 2019, enterprise-software giant SAP took a strategic stake - the kind of validation that opens doors with enterprise buyers.
| Round | Amount | Date | Lead / Investors |
|---|---|---|---|
| Series A | $11M | Jul 2018 | Viola Ventures, Capri, Springtide, iAngels |
| Strategic | Undisclosed | 2019 | SAP |
| Growth round | $11M | Nov 2020 | Existing investors |
| Series C | $75M | Dec 2021 | Insight Partners, Viola Ventures |
The identity and access market has spent years perfecting authentication. Authorization - the decision that comes after login - lagged behind, largely because it was hard and unglamorous. PlainID's bet is that this is exactly where the next wave of security spend lands, driven by two forces: regulation that demands granular, auditable access control, and AI that introduces a new kind of actor.
That second force is the interesting one. AI agents don't carry badges; they carry API keys and act on behalf of users at machine speed. Treating them like employees who need permissions - and enforcing those permissions in real time - is a problem most enterprises have not yet confronted. PlainID's move to authorize agentic AI is an attempt to be early to a market that barely exists, using the same policy engine it already sells for humans and services.
Whether PlainID becomes the default authorization layer for the AI era or one strong option among several, its role is clear: it is infrastructure. The kind of software you never see, making the decision that matters, over and over, quietly.
PlainID provides an enterprise authorization platform built on Policy-Based Access Control (PBAC). It centralizes decisions about who can access what across data, applications, APIs, microservices, and AI agents, and enforces them dynamically in real time.
PBAC decides access based on policies combining identity, attributes, and context, rather than static roles or permissions hard-coded into applications. PlainID is the recognized pioneer of the model, which builds on standards like ABAC and XACML.
PlainID was founded in 2014 in Israel by Oren Ohayon Harel (CEO), Gal Helemski (CTO and Chief Innovation & Product Officer), and Dmitry Tuchinsky.
PlainID has raised roughly $99-100M in total, including an $11M Series A (2018), a strategic investment from SAP (2019), and a $75M Series C led by Insight Partners (2021).
PlainID extends authorization to agentic AI, enforcing access policy on AI agents at run time. Its LangChain Authorizer and RAG/MCP controls ensure LLM-powered agents only access and expose data they are permitted to.