Hey everyone and welcome to this week's episode of Grey Matter. I'm super excited to have Umema Khan here. Umema is the co-founder and CEO of Opal Security and I've had the pleasure of working with her at Opal since the company got started and super excited to have her on today to talk more about herself and what Opal is doing to redefine identity security. Umema, welcome. Hi, Sam. It's good to be here.
So we have a lot to talk about, but let's just start really high level. Like for our listeners who aren't aware, what is Opal security and what does Opal security do?
Yeah, we are an identity security platform and we're designed to cover all of identity and access management. So what that means is we ingest, normalize and calibrate identity and OTSI data across all systems. So not only can you see who has access to what at any point in time, but you also have the necessary context and workflows to calibrate and remediate.
So, why? The goal is to allow people to attain what we like to call real-world least privilege. So, flexible, scalable, adaptable, intelligent. I'll probably end up using some analogies over the course of this conversation, but one we really like to use internally is self-driving technology. So, if you think about driving a car, it's actually very, very environment-dependent:
the level of urban development, the relative experience of the driver, local rules and regulations, cultural etiquette. And then there's also some commonalities on what consistently good driving looks like that's largely driven by regulation. And so think about identity and authorization as the very primitive stages of this. There's no continuous sensor data, let alone infrastructure or algorithms to help make good automation decisions and update flexibly.
But eventually you get to a point where you can operate in that land and you have a human in the loop on the most critical decision systems and situations to learn from. And so interpretability, transparency, resiliency matters a lot. So, you know, from a product standpoint, what that means is not only do we build the underlying ETL and data layer, we also do a lot of classic ML and graph analysis so that we can actually start to get people sort of in the habit of thinking about access and identity as sort of scalable, continuously monitored security first system. Yeah. One thing I want to,
mention and ask you about, and then we'll jump into Opal and kind of where you were talking about there at the end. I often get asked as a venture capitalist, like, "Hey, what do you look for in a founder?" And actually often I think of you and in the specific way I think of you, and there's many things I admire about you, but the specific thing I think about is you're both highly technical, but you also understand the customer and how to get the customer to value.
And I find for many founders who have come from technical backgrounds, whether it's math, computer science, engineering, and companies, they might have the technical component, but then they don't have the other half of the equation. I want our listeners to learn a little bit more about you. So tell us a little bit more about yourself, Umema, and how did you get to starting a company and now being the CEO of Opal? Oh, God. Yeah, that's a fun one, right? I think...
For me, this has been sort of both idiosyncratic and organic in a very unique way. I've mentioned this a couple of times. I was homeschooled, so that was probably a pretty defining moment in my life. I would describe my childhood as largely unsupervised or feral, depending on how you want to think about it.
But, you know, it's good training for startups. I used to be self-conscious about it, but it actually got me in the habit of like sort of thinking about goals and ambiguous environments. I fell in love with math as a kid. I did a bunch of pure math, both in high school and then in college at MIT and sort of initially was very, very set on being an academic. I thought, you know, I'm going to go be a math professor somewhere.
And, you know, it was a lot of fun. I would say I like very big ambiguous problems where you can kind of connect the pieces and think about unification and think creatively. But I also realized like I go absolutely insane when I don't see results like I, I like love the dopamine hit of like actually seeing like things get somewhere so
What I sort of fell into was cryptography and cryptography is like very unique in that number theory used to be considered largely totally useless and an incredibly beautiful field until World War II, where people realized there were security applications. And this is actually, I think one of the fun things about security, it has this, this, uh, this characteristic of taking these very abstract technologies and making them very real world. After that, I went to DC, I worked in the federal government. I worked on cryptography research.
And ended up over the course of my career, just getting like a ton of exposure. After that, I worked at an early stage startup. I worked at a mid-stage startup. I worked in open source. And I think just...
had this like rate of learning and exposure. And there was like kind of a couple of unique things in retrospect I noticed. One was I like working in enterprise. I think the constraint of pragmatism helps when you're naturally a very creative or product oriented person. It's a really aggressive combo if you can leverage it. And also you get to observe problems before, you know, the market sometimes realizes they're a thing. So in my case in particular, I
consistently noticed from like breaches of the government to like small startups that identity and access was basically an issue everywhere. Like all the way from my time in DC to super early stage companies,
And it was like kind of fascinating because people would almost treat it like a professional services problem. They wouldn't actually give it this gravity of being like a technically difficult and ambiguous problem. So they either ignore it entirely because they believe there were more hardcore security problems to solve or that there was one standard of technology that would emerge and solve everything.
And I initially kind of thought like this too. And then I sort of realized, wow, this is incredibly naive. Like we have so many great technologies. We've had this like very steep innovation curve and authentication and authorization and identity. We have the latest and greatest encryption standards and multi-factor, et cetera. And while they're all excellent, there was just sort of this key insight. I realized that they're all strategies. The problem is not building these like technologies. It's how you deploy them and in what combination and in what environment. So yeah,
The short answer is I effectively went crazy and talked to anybody who would listen for like a period of two years about this was the problem. And I met many skeptics and also many believers. And ultimately, it led to Opal. I like many of the things you just went through there. And a lot of it resonates, including the pace or I should say the lack of pace of progress in certain academic contexts, which I also remember from my past work.
So are there things you did kind of in your career prior to Opal that helped you build like that understanding of how does one actually interact with the customer? How does one connect what a customer is saying to a product? How does one then go deliver that product? I see that now every day at Opal, but like what gave you the understanding of that?
That's a great question. I mean, some of it is like, you know, I was just fortunate to work in those types of environments, you know, working in the defense industry, working in enterprise software, you sort of understand the ways that businesses scale and how to, and even if you're not the person leading those conversations or your front of house, it's exposure. That's kind of what I was saying. The second thing is, I think for me personally, I think it's a type of like
self-awareness, I feel very comfortable that I will always want to solve things technically or think creatively or think from like a technical standpoint. And so it's a learning opportunity to try to think about how would I solve this in another way? And I think like sort of there's this broader observation that like, you know, there used to be kind of this dimorphism where people used to think like B2C companies, product companies solve problems.
product problems with product or technology and enterprise companies solve things by just getting feedback from customers. And I don't think that it's that clear of a distinction. I think you actually need both. And so it's recognizing that it's not zero sum, it's not either or, and sort of just generally approaching it with curiosity, right? I think it's a little bit of like the humility over time of realizing like abstractions don't solve everything. Right. Listening does. Right.
Yeah, exactly. And it turns out it's really hard to listen and actually understand what a customer is asking for.
Yeah, and I think like one other piece I'll add to that specifically about security is that, you know, sometimes people talk about this concept in the security market of there's no silver bullet, right? And the idea is that you're often operating in a situation where you don't have a ton of very clear or crisp information or before and after until after a breach happens. And so when you think about security,
buying or selling a security product, it comes down to more than just saying, well, my product is good. It's like self-evident. You actually have to sit and understand how people process technology fit together. - Exactly. You talked about kind of the path to thinking about authentication, authorization, identity challenges.
And all of this is like even more important in today's world. I feel like every week I read the news to learn of another cyber attack that started with some sort of identity related issue. I love what you said around real world least privilege and this least privilege first approach to identity and access management.
We should talk more about it. Before we jump into more about what that means, tell us about the backdrop. What is changing in the world and why do we keep seeing all these cyber attacks around identity and what's resulting in this need for actionable least privilege as it relates to identity and access management?
Yeah, this is a great question. You know, I tend to sort of break these things down into a couple of variables. One is market timing. I think, you know, sometimes these just like shifts happen all of a sudden where people realize like, we really need to be solving this better. Oftentimes, it's coupled with a couple of other things. So for example, if
Regulation is a big one. When the SEC requires that public companies disclose breaches, it's a forcing function. People have to actually bring things into the sunlight and explain, okay, this is why this happened and this is why it's not going to happen again. It has material effect on the business and its risk.
Technological shifts are also a really big one, I believe, in security. Every major established player we've seen in security has sort of dovetailed really nicely with a technological shift, whether that's cloud, whether that's network, whether that's moving from data centers. And so right now we are in the middle of a technological
shift, both still riding the explosion of cloud and also seeing like the AI shift. So I think there's sort of like an early rumbling of like something has to get better. And then to your point, just look at the news. There's like a major breach. It feels like almost every day, like AT&T was last week, almost every record they had leaked by a data source that was only secured by username and password. No time controls, probably little to no process putting in the necessary monitoring for what is their crown jewel.
And this would have probably continued in perpetuity until it was inevitably popped because people rarely treat access as a security first issue when building a business. And I think that's changing.
Yeah, I totally agree. And one of the interesting things about access is, and getting it right, it's like there's two sides to the coin. And correct me if I'm wrong. One is like, I need to enhance the security posture of the organization. But then the second is like, I'm the front door to the employees and their productivity and developer productivity. And so it's like, how do I both harden the security posture while also making people more productive? Yeah.
Exactly. Yeah, there is this natural or historically, there's been kind of this natural tension, right? Like at the end of the day, when you're building a business, you want to unlock revenue, you want to keep your growth trajectory. And you reach these certain like inflection points of maturity, where all of a sudden the risk calculation changes, right? Once you're the size of AT&T, it's a much bigger deal at the bottom line of your revenue to have your records breached than to keep going quickly. I think, you know, again, going back to analogies,
The best solutions are actually product oriented in this regard. They recognize that you have to sort of align incentives through product work. So the example I like to give is GitHub. Ultimately, we like to joke internally that GitHub is a compliance tool. I like to sometimes ask people, who do you think buys GitHub in an organization? And what are you thinking? Like where it's used to check the box. But that's not how you think about it in an organization. You actually think about it as accelerating the rate of development and helping people get to context faster.
Yeah, totally. Totally. We talked about some of the attack stories. Let's shift to some of the customer stories because I think what's great for customers and enterprises who are using Opal is they can rest assured that they're not going to face these types of identity attacks. And so maybe before we jump into the stories, like
How do customers articulate the problem that they're solving with Opal? How similar is it to what you just said versus different? Yeah. So, you know, I think of this as an early disruptive market. And what that means is a lot of times people are formulating their own theories of what good looks like and are sort of approaching these conversations differently.
from the perspective of sharing their learnings as well. But there are some common themes. So a big one is visibility, right? When you talk about like sort of just waiting to know when you're like, you know, a crown jewel is going to get popped. You're going to think about visibility all of the time. Orchestration is another really common one. How are we going to put workflows or infrastructure in place that will actually scale with how our business changes over time? And then resiliency. And I think this one is oftentimes sort of overlooked here.
And is really, really important. To your point, like, this is a very, very trust-based relationship. You're trusting somebody to like basically show you what's going on in your organization. You need to be able to roll that back, you need to be able to extend it. And so how do you build systems and infra that organizations can ultimately trust and build on top of and scale?
You know, the number one thing I would say folks come to us with is I call it two archetypes in the market. One is earlier enterprises that are on this growth trajectory. They're looking for revenue unlock, but they're also looking for someone to help them set good hygiene in place so that as they hit the next stage of maturity, whether that's IPO, selling to big enterprise or regulated environments, they're starting with good hygiene.
And for them, it's really about driving least privilege from a security first standpoint without slowing the business down. So an example here is like, you know, if we catch like an organization right before an IPO or something like that, they have generally a good idea of like,
how the business is managing access. They just know something's going to come around the corner that's going to make it chaotic, and they want to get infrastructure in place today to sort of solidify some of that and help it evolve. And this is like sort of the innovators. They're like the forefront of the industry. They've often built systems like this at their old jobs. The second market, I call it, uh,
established, entrenched, the chaos is in the house. And these folks are looking for somebody to come in with a machete and just show them where they need to clean access up. So specifically for Crown Jewels. So you have to think about it in a phased rollout. So the story we see the most here with customers is help us get AWS under control, help us get Snowflake under control, help us get Azure under control. So they have kind of this vague sense of like, oh my God, it's been 30 years.
Who knows where the skeletons are? We know roughly where the crown jewels are. Show us what's going on and help us remediate it immediately. So it's nice because as a product, we can sort of capture both that proactive and that reactive loop. I love the way you frame like the two cohorts of organizations out there and kind of maturity and pain points. How much overlap is there versus difference? And how do you build a product that can kind of appeal to both? Oh, I love this question. So I'm
I, you know, from a product standpoint, I actually break it out into certain themes. If I put sort of my technical product hat on, I think of that second established market as the one that's going to help you think about your products from an infrastructure level. Like, what do you need to do to scale? How do you need to think about the underlying infrastructure? How do you need to think about the storage layer? How do you need to think about
all of the edge cases. The first market is incredibly valuable in helping you build this kind of inside loop feedback for what the industry should look like in five to 10 years. And the biggest theme there, I would say, is usability, UI, UX, which is often a neglected point in enterprise products, but more and more we see that it's a non-negotiable. So these are the folks
whether by size of organization or just because they are used to using best in class products, will have very strong opinions on what usability should look like. And they help drive it for the latter market. And you build for scale in the latter market.
Yeah, totally. Getting that balance right is really hard, but when you get it right, it's really powerful. And as you said, typically these things converge over long time horizons. If you take those two segments of the market, maybe take one of each specific kind of customer or case study and how people are using Opal. Yeah, I think in the first bucket, you're going to see folks...
usually in early enterprise in verticals, like enterprise software, infrastructure, AI, machine learning, like anywhere where they're working with a ton of data and they're sort of mindful that they have to operate in a certain way. And so oftentimes these companies already have like really good DNA on like engineering security, IT, and they have like a sense of what good looks like.
So they're coming in saying like, this is how we want to break down how we grant access day one. This is how we want to break down how we do just-in-time access for like on-call critical infrastructure systems. This is the type of data we need to integrate this into our SIEM tools and our ecosystem. It's, that's a very, like, I would almost describe it as an intuitive sale. And really what you're doing there is understanding if you both sort of have that same security background, that security DNA of understanding what the future needs to look like.
The second market, think of it as big banks, nation state actors, like media, you're really coming to the table, not necessarily with an opinion on what the product looks like, but a very, very clear idea of here are the crown jewels. Here are the 10 systems that no matter what happens, I cannot have popped. And what are you going to do to clean them up? And there, we
talked a little bit about like how we built some strategies for remediation and Opal. There's like some very, you know, there's some very like straightforward things that are hard to apply at scale. So an example here is like with, with one of our big like Fortune 500 customers applying two factor across all of their critical systems or applying just in time access across all of your like production AWS accounts.
and making this play nice with whatever already exists in the stack, but adding that extra layer of protection and giving that measurability. Because that's the other thing that I think is often forgotten in security. You're not just fixing these things for your teams. You actually have to communicate how you're getting better laterally to your sister teams, upwards, sometimes at the board level, right, to your management. So you have to actually show how things are consistently getting better in that second market as well.
Makes sense. Maybe moving to like how customers interact with Opal, you actually mentioned something there on playing nice with the stack. Like what is the common identity stack? And like, you know, if I use something like an Okta or on the identity governance side, a SailPoint or on the privileged access side, a CyberArk, like where do you interact? Where do you make existing solutions better? Where do you compete? What's the right way to think about that?
Yeah, this is a great question. And I think it's also one of the banes of our existence because
people have effectively treated the identity stack as sort of a, let's throw things at the wall and see if they stick. And so it means that there's a lot of resources and capital that are sunk into it without a ton of measurable results. But there are some commonalities to your point. Almost everyone has an identity provider. You need to have some concept of digital identities if you're a scaling workplace. So we connect with an identity provider such as Okta or
Microsoft Entra or groups, et cetera. And you want to like sort of use that as like your baseline to start feeding in identity data. The other major thing is like HR systems, which are notoriously hard to keep in sync after a certain size of an organization, but they have a ton of information on who a person is to help make some of those like longer term workflows and remediations.
Further down the stack, you have these very, very sensitive systems like your hyperscalers, internal tools, customer impersonation, sometimes sensitive SaaS applications or business critical systems like NetSuite or SAP. And all of these things are so sensitive that they've actually ended up building their own custom-built authorizations.
And so what we end up doing is sort of sitting right in the middle of these types of things and actually collating all of that and helping folks actually visualize, okay, where is this identity coming from? Where is it going down to? What are they doing in that? What are the policies that are set on this? How are they being used? Are they being used? Pulling in sort of the usage data on those things. And so what that allows us to do is really fill in this missing context area.
And because everything is an API first by design, it means we can also start to make changes on those things if you want to take the step after visibility. You mentioned the sort of governance stack. So one thing we talk about at Opal is good compliance is an output of good security.
GRC, you know, they have a very critical job. They have to kind of show that we're checking the boxes, that things are running, that they were able to provide the evidence that people are actually implementing these processes well. But oftentimes they don't actually have a source of truth for those things. So they're sort of like building these like manual spreadsheets over the course of several quarters, trying to like ascertain what people actually have access to. And so there's like a natural like confluence there where we have the source of truth.
We're finally collating all of this. We're giving visibility. We're right-sizing policies. And what we can actually do is sort of even make the story as simple as saying, hey, actually, nobody has longstanding access to this database in AWS. So therefore, you're under this compliance requirement and go forth. And a lot of our customers have actually started doing this as they've started going for things like FedRAMP Medium or FedRAMP High, like actually make that part of their SSP. Yeah, that's really interesting. And I think it's...
From my perspective, you're taking a historically very fragmented space, which creates two challenges. One is I have to have this fragmented stack, which means I have a lot of tools I have to manage. And then two is things fall between the gaps. And so then both in terms of risk identification and remediation, I'm constrained by the siloed nature of my tools. And you're creating a converged architecture
that can interoperate and play nice with the things you have in the stack, but can kind of converge the space. And it seems like that's why customers love Opal.
Yeah. And I think this is a really critical point not to, not to harp on the AT&T like hack, but like, I mean, just think about it. The fact that there was like 110 million records that wasn't just sort of fell through the cracks in some sense that nobody recognized that this is like being used in this way that it's only being protected by a username and a password. Right. And it's a result of having this fragmented access stack, this fragmented identity stack. So you need that,
That overall convergence, as you said. The other element of like convergence, if you will, is on kind of people and personas, right? And I think kind of one of the interesting things, again, about identity, you touched on kind of security versus compliance, but there's so many dimensions of this. Yeah. And so like if you look at the enterprises you're serving today, like who are the people who are involved with Opal?
Yeah. I like to joke, I call it the holy trinity. So just as a baseline, obviously access impacts all users in a workforce at varying levels of depth, but the
The folks that we primarily interact with are security, IT, engineering, and then GRC. And it's really our job to align the various incentives of these stakeholders and also help them see that a security-first approach here is actually going to help them and not slow them down. So we primarily sell to security because our belief and conviction is that this is a security issue. What we see over and over in the industry is once a breach happens, an identity is
the responsibility moves over to security. But you have to serve the needs of the business as well, right? So what does that look like in terms of like efficiency, in terms of usability, in terms of helping people like establish the right cultural precedence? And then like on the engineering side, you know, just because we are such a fundamentally like flexible product and we are built to be developed on as well, there's just a natural relationship there as well. Yeah, exactly.
I've always been struck by, I feel that Opal is one of the only tools in a security stack that the champion and the security persona loves, but actually maybe developers love it even more because it makes their jobs better, it makes them more productive. Yeah. I mean, I think that's part of going back into that early customer attraction, a little bit of our own DNA, right? And I didn't mention this, but I built an early version of Opal at my last startup. And
you know, a lot of some of our early customers, Sigma, Databricks, you know, Scale.ai, they came from teams where they had gone through that same trajectory that I had, where they got frustrated that there wasn't a good engineering system in place that was meant to serve the entire business. And I just sort of rolled up their sleeves and taken it on themselves. And I think that I, you know, we've talked a lot about like, sort of like,
the importance of like the customer and like building enterprise SaaS companies. But I think architectural decisions matter a lot too. And that's one of those things that actually really does shine when you have like an edge buyer in, in, in the room, like people will notice what a considered architecture looks like and they will be able to think through scale and trade-offs and things like that. And that's something that like, we've always been very good at because that's sort of our DNA at Opal as well. Exactly. Well, we're not talking about Opal topics. I think the other topic we're texting about is, uh,
is the one topic that's hard to steer clear of in technology right now, which is, which is AI. And there's a lot we could talk about as it relates to AI, but I want to talk about it in the context of Opal and in the context of security, right? So what, what's the role that AI plays at Opal? Yeah, I do love this question and you're right. We have talked about it at some length because I, you know, part of my job is like also just thinking about how the technological shift is, is going to impact us and how it's changing and evolving. So I think just to take a step back, I,
When I think about the broader AI space, I think at this point, non-trivial milestones and learning are largely going to come from big frontier shops or big research institutions.
But there's a lot of work to be done in the surrounding ecosystem. We're kind of at the point where we're starting to see applications in smaller and more specialized use cases. And while it's not a moat per se, you're starting to see strong traction in infrastructure deployment and regulation. So I believe, we believe that enterprises will likely continue to use increasingly customized, smaller open source models that are going to adopt these tools into their dev stacks, right? And...
they're also going to be concerned with privacy and safety and they don't want to like, you know, sort of flood all of this to providers who, and risk leaking their data. So,
What that means for us is we have to account for how that environment in our customers is changing and how they deploy. So how is the attack surface different? So for example, how are non-human entities operating with respect to access? How are the crown jewels evolving? Like one sort of obvious example is PII just becomes like this like massive, like, you know, sort of training set, which, you know, I worked in health tech briefly, you know, PII was like locked
down to operations and only data engineering teams. Now everyone's like, no, no, no, we have to train. So like crown jewels are evolving and the business case for accessing those crown jewels is evolving as well. So you have to kind of take into account these attack surfaces. You have to take into account the ways in which businesses themselves are evolving.
From a technical innovation perspective, I would say I think about kind of two lenses here. One is we operate in a very data rich environment, right? Like we not just the policies and the identity primitives that we've talked about adjusting, but also like how folks are using requesting, making access, holding on to access, right? How they're making those judgment calls.
If we provide transparency and explainability for decision-making for access changes, we actually have a very unique opportunity to introduce new forms of automation and incorporate like different types of reinforcement learning and constitutional models. If you've ever seen, like there was an Anthropic paper a couple of years ago, there's, there's like a lot of automation. And this is going back to the theme of like efficiency. You know, when it's two in the morning or 9:00 PM and you know,
you've scaled as much as you could, but you're the eng manager and you're like, what is this ticket? Like, what am I doing? And now I have to write the justification. And this person requesting is writing the justification. There's so much that can be done if you have like that baseline of interpretability and transparency that can just be automated there.
The other area that we think about is code generation. So as code generation gets better, we operate in a relatively defined language with tons of human input and review and repair. So things like IAM policy creation and adaptation get markedly more prolific and proficient than they were even two years ago. And this is an interesting area. You know, I did some research in this back in the day, and I used to be a bit of a skeptic. Like I was like, great, now we're just going to make AWS IAM policies on policies.
But the technology on verifying and correcting and generating like decent policies has actually gotten good. So that's another area I think like we're going to see authorization really take off in.
Yeah, I think those are great examples of how you all are leveraging AI. I'm curious, like, somewhat orthogonal question, which is, you know, you're a CEO of a fast growing company. A lot of this AI stuff is relatively new and also evolving very quickly. As a leader internally, like, are there any best practices for other founders listening on how you encourage your engineering team to kind of
on the one hand, not distract themselves, which one easily could do given how fast the pace of change is. But on the other hand, stay aware of what's happening and in particular in the context of how it can be applied to strengthen Opal's product and bring new features to your customers. Yeah, I love this question. And I think it's very, it's always like every founder sets their culture and it's very company specific.
But even as an engineering leader in past jobs, one thing I always loved to do was I'd run paper reading groups. So I've always built very like curious engineering teams that are also pragmatists. But, you know, staying abreast of literature is actually like important. And it's not even like AI specific. Like I think in the last 10 years, there was like this like complete like, like, you know, explosion of database technologies. And I remember like there was like this need to like kind of like be like, what's happening? What's the latest? What's the greatest? How can we incorporate this?
And then the second piece is on distractions. I think that really comes from being very, very clear about what the problems you're solving and having a culture of actually debating the pros and cons. So I mentioned earlier that we do a lot of classic ML at Opal, and that's like not necessarily a contrarian stance. A lot of our engineering team, you know,
does come from places like DeepMind and Meta. They've worked on actually varying levels of the AI stack. But we think about what do we need to do today and what do we need to stay aware of so that we can continue to innovate in a reasonable manner. And we tie that back to the needs of the business.
we work in a very critical part of the stack. We need to always establish trust, transparency, and accuracy. And when you work on critical decision systems, if you think about anomaly detection, even like in credit cards or like, you know, fraud or things like that, you don't want to get distracted. First, you need to establish that you know what you're doing and how you're solving a problem before you start to layer on like different types of innovation. So I think
company being aligned on what problems you're solving, but also making space to continue to be curious and stay aware of things. Yeah, absolutely. This kind of leads to the last question I have for you, which is what's coming next for Opal? And like, if you take kind of, let's say a two-year view and then a five-year view, so I'll ask you two forms of the question. What will Opal look like and what will the way, how will the way enterprises secure their identity change? Yeah. Yeah.
Another theme you and I talk about at times is positioning. And I think a lot about, and I've mentioned sort of over the course of this conversation, this idea of security-first identity. I think there's a unique opportunity right now and a unique window, let's say in the next two years, to really establish what it means to build a security-first identity company.
And, you know, what that means practically is shifting some of the ways in which we measure, which we monitor and the ways we think about architecting identity solutions and the identity stack to your point. We're already seeing some initial early signs of this, you know, there's been like sort of the whole non-human identity space, but there hasn't really been like this cohesive, almost like manifesto, like this is how you have to think about identity security.
And I think we have like a unique opportunity to sort of set some of those precedents. So continuous monitoring, immediate remediation, not waiting for regulation to force better authorization decisions, but actually building them in directly from the ground up and really sort of revitalizing the industry from that standpoint. I think what makes Opal unique in this space is that we're not, we're, we are,
intentionally not abstract about it. And this was the thing I learned when I built up my last job. You can build the nicest policy language in the world, but at the end of the day, if people aren't using it, then you haven't built the right system. So I think if we build the right system for getting people to think about authorization from a secure and access from a security standpoint, it will naturally change some of these cultural attitudes. And we measure these things in our customers when they deploy. We see how
How many of them are like operating in like a zero trust model? How many of them are actually using multi-factor? How many of them are like actually getting benefit from having like use these strategies? On a five-year, you know, one of the reasons I love this, and you and I joked about this once where I was like, if I wasn't doing this, I'd probably just go do it again. It was like some joke of this form.
I just think it's like such a great market and in security, it's always a game of entry points and then boxing out markets. Right. And I think if you solve the IAM layer in this like sort of practical, Oh, we have the context, we have the visibility, we have the orchestration remediation way that gives you the ability to, to,
go in several directions. You have the ability to influence what the authorization schema standard could look like because you've effectively built the database. You can define what vulnerabilities look like at the OWASP or NIST level. You can even help set direction on hardware for identity. If you control this layer of the stack,
And, you know, you have like just like this incredible opportunity to really build like an iconic company in identity security. But in order to get there, you have to be pragmatic about like where you're meeting customers today without being overly rigid and how like that solution is architected. Yeah. I mean, that's one of the many things of the many things that impressed me about what you're building at Opal. Like that's that's always the thing that stands out, which is it feels like I don't want to jinx it, but you all have found this balance of.
a really clear point of view on how this category should converge and work very seamlessly end-to-end with great UI/UX, AI, empower developers, strengthen security, but you've entered the market very pragmatically. And in a way where you can solve concrete problems today, you can live alongside other tools and make those tools better and kind of progressively get the customer to modern identity security. And I think that's a great template for company building in general. And the way you're applying that in this space seems to really be resonating in the market.
I appreciate that. I mean, I will say there were there were there were hard lessons won. And, you know, we talked a lot about pragmatism. But I mean, I, I do think like a mathematician sometimes, and there's only so many systems you can build, and you realize that they don't work where you have to realize you have to be pragmatic and people where they are.
Exactly. Exactly. Well, Umema, this was a lot of fun. I'm really glad we were able to have you on Grey Matter and for our listeners to get to hear more about the Opal story. And I'm really excited for what's ahead for Opal. It's amazing how far you guys have come in just a few short years and the best is very much ahead of us. Awesome. Thank you so much for having me.