The machine-first identity company teaching enterprises to see - and govern - the service accounts, API tokens and AI agents that quietly run the place.
It started with a small, uncomfortable discovery. A contractor had left. His service account had not - and it still had access across an entire organization.
That account is the reason Token Security exists. When co-founder Itamar Apelblat found the orphaned credential and talked it over with his friend Ido Shlomo - now the company's CTO - they landed on a question most enterprises had been avoiding: if one machine identity can hide in plain sight with full access, how many others are out there?
The answer, it turns out, is a lot. As companies moved to cloud and microservice architectures, the number of non-human identities - service accounts, API tokens, secrets, workloads and, more recently, autonomous AI agents - exploded. The typical enterprise now carries roughly 45 times more machine identities than human ones. By some estimates the ratio runs as high as 50-to-1. Almost none of these identities have a manager, an offboarding date, or a clear owner.
Token Security, founded in 2023 and split between New York and Tel Aviv, set out to govern that sprawl. Its platform continuously discovers non-human identities across cloud, SaaS, on-prem and AI environments, then maps each one's ownership, permissions and credential usage into a single identity graph. The point isn't just to count them. It's to answer the three questions security teams actually care about: what do we have, what can it do, and what breaks if it's compromised.
The approach is deliberately agentless. Rather than installing software on every workload, Token connects through more than 1,000 built-in integrations spanning cloud providers, identity providers, CI/CD tools, AI platforms and business systems. That lowers the friction of getting started - a practical concern for teams already drowning in tools and alerts.
Where the company has sharpened its focus most recently is agentic AI. As AI agents move from simple assistants to independent actors holding real credentials, they inherit the same problem service accounts always had: access without accountability. Token treats identity as the control plane for those agents, tying what an agent can touch to what it is actually supposed to do.
"Traditional IAM fails because it treats machines like people. We built Token machine-first and AI-native to secure the speed and scale of today's autonomous agents." Ido Shlomo, Co-Founder & CTO
Token Security sells to enterprise security, IAM and cloud teams - the people accountable for an attack surface that grew faster than the tools meant to watch it.
Named customers include GitLab, Bloomreach, HiBob, Dayforce and BetterHelp. What they share is scale: sprawling cloud estates where credentials multiply automatically and where a single over-privileged token can become the blast radius for a breach.
The urgency is new. Shadow IT took a decade to become a boardroom issue. Shadow AI - the agents, copilots, custom GPTs and MCP servers that teams wire up on their own - is arriving in months, already holding live credentials. Discovery is step one, and it is the step most companies skip.
Token's pitch to overwhelmed teams is not more alerts. It is knowing which non-human identity is the real risk, who owns it, and how to right-size or retire it - across its full lifecycle.
A rough picture of where an enterprise's identities live. Non-human identities dominate - and most are unmanaged.
Illustrative. Ratios based on Token Security and industry figures cited publicly (~45× machine-to-human; up to 50:1).
Token's platform runs on three pillars - and a growing set of AI-native tools built on top of them.
Continuous, agentless discovery of service accounts, tokens, secrets, workloads, AI agents and MCP servers across cloud, SaaS and custom frameworks - including shadow AI.
Correlates agents, humans, secrets, permissions and data into a unified identity graph with ownership attribution, behavioral analysis and multi-agent traceability.
Least-privilege enforcement, intent-based access, automated remediation, lifecycle control and compliance validation with audit trails and forensics.
Extends identity governance to autonomous AI, controlling agents from creation to decommissioning with intent-based, purpose-bound access.
A real-time, natural-language interface and built-in conversational agent that let teams query and act on their environment from chat.
An AI-native application builder that turns plain-English requests into identity-security apps, built on Token's live identity data.
Non-human identity is one of cybersecurity's fastest-forming categories, and Token Security is not alone in it. Rivals such as Astrix Security, Oasis Security, Clutch Security, Aembit, Natoma and Silverfort are chasing versions of the same problem, while incumbents like CyberArk - through its Venafi acquisition - approach machine identity from the certificate side.
Token's stated wedge is being machine-first and AI-native from day one rather than retrofitting human-centric IAM. Its agentless, integration-heavy deployment and its early lean into agentic AI - intent-based controls, agent lifecycle management, an identity graph that shows blast radius - are how it argues for daylight between itself and both legacy IAM and newer NHI peers.
The investors backing that thesis are telling. The $20M Series A was led by Notable Capital (formerly GGV Capital), with checks from executives at Palo Alto Networks, CrowdStrike, Check Point and Venafi - the people who built the last generation of security tools. Angels include Shlomo Kramer, co-founder of Check Point and Cato Networks, and Kevin Mahaffey, co-founder of Lookout.
Recognition has followed: a spot on The Information's "50 Most Promising Startups of 2025," a finalist nod at the 2024 Cyber Defense Awards, and a place on the 2026 MES Midmarket 100 list. The company reported triple-digit growth in 2025 as security, IAM and cloud teams raced to get visibility over agentic AI.
"2025 was the year non-human identity risk stopped being theoretical, with AI agents, service accounts and machine credentials outnumbering human users by orders of magnitude." Itamar Apelblat, Co-Founder & CEO
Itamar Apelblat and Ido Shlomo start Token Security to tackle the sprawl of unmanaged non-human accounts.
Launches a machine-first identity platform, introducing the "machine-first era in identity security."
Notable Capital leads a round to secure machine identities from legacy apps to AI agents; expands into agentic AI governance.
Reports triple-digit 2025 growth, ships intent-based AI agent controls, and launches Enzo, its AI-native app builder.
It secures non-human identities - service accounts, API tokens, workloads and AI agents - by discovering them across cloud, SaaS and AI environments, mapping their ownership and access, and enforcing least-privilege and lifecycle controls.
It was founded in 2023 by CEO Itamar Apelblat and CTO Ido Shlomo, both security veterans, with headquarters in New York and R&D in Tel Aviv.
Publicly, about $27M - a $7M seed round in 2024 and a $20M Series A led by Notable Capital in January 2025.
Enterprise security, IAM and cloud teams. Named customers include GitLab, Bloomreach, HiBob, Dayforce and BetterHelp.
It is built machine-first and AI-native rather than adapting human-centric IAM, and deploys agentlessly with 1,000+ integrations to discover and govern the machine identities that outnumber human users.