A homeschooled math kid walked into MIT at 16, fell for cryptography, and decided the most boring-sounding job in tech was actually the most interesting one.
Every company is a pile of doors. Databases, repos, cloud consoles, admin panels, the one dashboard that can wire money or wipe a customer. Most of those doors are guarded by a username, a password, and a shrug. Umaimah Khan builds the lock that asks better questions.
She is the co-founder and CEO of Opal Security, a San Francisco company that does something deceptively dull: it figures out who has access to what, right now, with the context to know whether they should. Opal ingests identity data from every system a company runs, normalizes it, and gives security teams the workflows to grant access just in time and claw it back the second it stops being needed. The customer list is the tell - Cloudflare, Figma, Databricks, Scale AI, Grammarly, Perplexity. The companies that take access most seriously bought from her first.
Khan's whole argument is that authorization has been mislabeled. For years it was treated as a "professional services problem," a thing you solved with a consultant and a spreadsheet. She thinks that's wrong, and a little insulting to the math. "Identity authorization is the hardest problem in security, period," she says. The fix is not more paperwork. It is "building something that can reason, that can be dynamic, that can scale."
That belief is now colliding with the most chaotic moment her field has ever seen: AI agents, each one a new identity, each one able to do damage at machine speed. She calls it the Wild West, and she isn't being cute. "30 minutes is game over for most agents," she warns - the window between a compromised credential and a catastrophe is closing fast.
Khan was homeschooled, and she describes that childhood with a phrase most parents would panic at: "largely unsupervised." It turns out unsupervised is a fine condition for a kid who wants to chase hard math problems all day. She did pure mathematics in high school, then kept doing it at MIT, which she entered at 16.
The plan was academia. Pure math, the real thing, a life of proofs. Then cryptography reached out and grabbed her - the place where abstract math turns into secrets that hold or break. That pull toward problems that are ambiguous and consequential at the same time would become the through-line of everything after.
From MIT she went into federal research, embedded with government agencies including DARPA, the part of the Pentagon that funds the future before it exists. Defense work gave her a taste for stakes. Then she moved into startups, leading infrastructure and security engineering at two companies that became unicorns, in analytics and in health.
Defense, early-stage chaos, mid-stage scale, open source - she collected the whole map. And the same theme kept surfacing in every job: access was a mess, and nobody treated it like the engineering problem it was. So she built an early version of Opal inside one of those startups, then spent roughly two years talking to people before she was convinced enough to leave and build it for real.
Here is the contrarian core of how Khan thinks. Most security tools work by saying no. They slow you down, gate you, make the safe path the annoying one - so people route around them, and the tool quietly fails. Her favorite counterexample is GitHub. It won not because it nagged developers about compliance, but because it made them faster. Safety came along for the ride.
"You have to sort of align incentives through product work," she says. Opal's pitch is secure-by-default that doesn't tax productivity: access that appears the moment you need it and vanishes when you don't, visualized clearly enough that a human can actually reason about it. She keeps her engineers sharp with paper-reading groups - a classroom habit the homeschooled math kid never really dropped.
And in the AI era, her framing sharpens to a point: "Only identity and data are fundamentally standing the test." Perimeters dissolve, agents multiply, but the questions of who is this and what can they touch only get bigger.
"Identity authorization is the hardest problem in security, period."
"This requires building something that can reason, that can be dynamic, that can scale."
"30 minutes is game over for most agents."
"Only identity and data are fundamentally standing the test."
Spoke at the Official Cybersecurity Summit (Silicon Valley) and appeared on the NYSE floor, making the case that AI-era access is "the Wild West" - and that identity is the law.
Announced Opal's $22M Series B, pushing total raised to roughly $32M and accelerating the build toward agentic and non-human identity security.