A graph for the question no one could answer
In 2020, executives kept getting stumped by a plain question: who can actually access our most sensitive data? Veza was built to answer it.
For most of the cloud era, security teams could tell you who logged in. They struggled to tell you what those people - and the machines acting on their behalf - could then do. Permissions live scattered across dozens of systems: a cloud console here, a data warehouse there, a SaaS app somewhere else, each with its own model of roles and entitlements. Veza's founders, watching enterprises pour sensitive data into the cloud, saw the gap and built a company around closing it.
The result is the Access Graph, a patented core that ingests authorization metadata from across the enterprise and maps the relationships between identities and the resources they can reach. Rather than asking an identity provider "who is this person," Veza asks the harder question: given every role, group, policy and nested permission in the way, who can take what action on what data. That nine-word phrase has survived from the company's stealth years through its acquisition, unchanged, because it is the whole product.
Least privilege, made visible
The security principle Veza serves is old and universally endorsed: least privilege - give each identity only the access it truly needs, and nothing more. The problem is that at enterprise scale, least privilege is nearly impossible to prove. A single large company can hold billions of individual permissions, most of them dormant, misconfigured, or inherited through layers of nested groups. Veza's approach is to stop guessing and instead render access as data you can query, review, and monitor.
Customers use the platform for a familiar set of hard jobs: cloud entitlements, data-system access, next-generation identity governance and administration (IGA), privileged-access monitoring, SaaS access security, and the fast-growing category of non-human identity management. The named customer roster skews toward regulated, high-stakes enterprises - Blackstone, Wynn Resorts, Expedia, Zoom, Workday, Snowflake, Choice Hotels, Barracuda and InComm Payments among them - the kind of organizations where an over-permissioned account is not a nuisance but a headline waiting to happen.
If we can democratize identity where a Snowflake owner, a Salesforce owner, an OpenAI ChatGPT owner can do least privilege, I think we have made a significant impact forward.Tarun Thakur, Co-Founder & CEO
What people can actually do with it is concrete. A security analyst can type a question in plain language and get back every identity that can read a sensitive table. A compliance team can run an access-certification campaign that surfaces risky access instead of rubber-stamping spreadsheets. An identity engineer can set access to expire automatically when someone changes roles or leaves. And increasingly, teams can point the same lens at the service accounts, API keys, and AI agents that now outnumber human users in most enterprises.
One platform, built on the graph
Everything Veza sells sits on top of the Access Graph. The modules turn that map into workflows a security or identity team actually runs.
Access Search
Query permission relationships across hundreds of systems by natural language or REST API.
Access Visibility
Surface who has access to what across cloud, SaaS, data, and infrastructure - eliminating blind spots.
Access Intelligence
Flag overprivileged and dormant access and recommend right-sizing toward least privilege.
Access Monitoring
Track not just who can access resources, but who actually has - so unused entitlements get trimmed.
Next-Gen IGA
Automated, risk-prioritized access reviews, certifications, and self-service access requests.
Lifecycle Management
Auto grant and revoke access on join/move/leave, with dry-run to catch policy violations first.
Access AI
A generative-AI assistant to investigate and remediate identity risk through a chat interface.
NHI Security
Discover and govern non-human identities: service accounts, secrets, keys, and workloads.
AI Agent Security
An identity control plane and native Access Agents to secure and govern AI agents at scale.
Not identity-provider-centric
The differentiator
Traditional identity governance tends to stay anchored to the identity provider - it knows who exists and which apps they were assigned. Veza instead reads permissions at the data and resource level, translating each system's native model into a common graph. That is why it can answer "who can delete this bucket" or "who can read this table," not just "who is in the finance group."
The business model
Veza is B2B SaaS, sold as a subscription to large enterprises through direct sales and cloud marketplaces including AWS and CrowdStrike. It runs a land-and-expand motion - start with one use case, grow across the estate - reflected in net revenue retention the company has reported near 150%.
The competitive set is crowded. Veza lines up against established governance vendors like SailPoint, Saviynt, Okta Identity Governance and CyberArk, plus a wave of newer entrants such as ConductorOne and Lumos. Its wager is that the winning position is not another connector into the identity provider, but the authoritative map of effective permissions underneath every system - the layer that makes least privilege auditable rather than aspirational.
From stealth to a premium exit
Veza operated quietly for two years, then emerged in 2022 with a $110M round and a roster of cybersecurity luminaries as angels - including Kevin Mandia of Mandiant, Enrique Salem of Symantec, and Lane Bess of Palo Alto Networks. The 2025 Series D added an unusual signal: cloud vendors Snowflake, Workday, and Atlassian invested through their venture arms while also integrating Veza to help secure access to their own platforms.
The Series D was led by New Enterprise Associates and valued Veza at $808 million. Months later, in December 2025, ServiceNow - itself an early Veza investor - announced a definitive agreement to acquire the company in a reported deal north of $1 billion, aimed squarely at governing permissions for the coming wave of AI agents. The transaction was expected to close in the first half of 2026.
ServiceNow powers our horizontal business workflows, while Veza enforces least privilege and adds identity access intelligence at scale.John Stecher, CTO, Blackstone
Five years, one thesis
Founded in stealth
Tarun Thakur, Maohua Lu, and Rob Whitcher start Veza around the idea of an authorization graph for enterprise data.
Emerges from stealth with $110M
Veza reveals itself publicly and positions around the power of authorization.
Next-Gen IGA and CrowdStrike integration
Extends into identity governance and syncs risk scoring with CrowdStrike Falcon.
Introduces Access AI
Adds a generative-AI assistant to investigate and remediate identity risk in plain language.
$108M Series D and NHI Security
Raises at an $808M valuation and ships a dedicated non-human identity product.
ServiceNow agrees to acquire Veza
A definitive agreement in a reported ~$1B+ deal, expected to close in 2026.
Access Agents for the AI-driven enterprise
Native agents bring identity control to autonomous AI.
Guardians, by design
Veza's depth is in a genuinely unglamorous discipline: reading and normalizing permissions from more than 250 different systems, each with its own authorization model, into a single coherent graph. That plumbing is hard to build and harder to keep current - which is precisely why it became the company's moat. The founding team paired that engineering with deep security credibility, drawing early angel backing from some of the biggest names in the field.
The company is globally distributed and organized around a values acronym it calls MIGHT: Mindset, Integrity, Guardians, Humility, and Trust. "Guardians" is customer obsession by another name - fitting for a product whose entire job is to guard other organizations' data.
Recognition
- Fortune Cyber 60 - three years running
- Frost Radar NHI Solutions 2025 - Leader
- Rising in Cyber 2024 (CISO-voted)
- CRN 2024 Top Stellar Startups
- SOC 2 Type 2 certified
- 100% Willingness to Recommend, Gartner Peer Insights (IGA)
The short answers
What does Veza do?
Veza is an identity-security platform that maps who can take what action on what data across cloud, SaaS, data, and infrastructure systems, helping enterprises enforce least privilege and automate access governance.
Who founded Veza and when?
Veza was founded in 2020 by Tarun Thakur (CEO), Maohua Lu (CTO), and Rob Whitcher (Chief Product Officer). It operated in stealth until 2022.
How much funding has Veza raised?
Veza has raised roughly $248M in total, including a $110M Series C in 2022 and a $108M Series D in 2025 at an $808M valuation.
Is Veza being acquired?
Yes. In December 2025, ServiceNow announced a definitive agreement to acquire Veza in a reported ~$1B+ deal, expected to close in the first half of 2026.
Who are Veza's competitors?
Veza competes with identity-governance and access vendors such as SailPoint, Saviynt, Okta Identity Governance, and CyberArk, as well as newer players like ConductorOne and Lumos.
Watch, read, and follow
Profile compiled from public sources including veza.com, ServiceNow's newsroom, BusinessWire, CNBC, SiliconANGLE, SecurityWeek, Forbes, and Gartner. Funding and valuation figures are as reported; the ServiceNow acquisition price is approximate and reported. Some figures are approximate and reflect the most recent public disclosures.