Most enterprise AI agents never leave the pilot phase. Not because the model underperforms. Not because the use case is wrong. Because no one on the security team can answer a basic question: which agent did what, on whose behalf, to which system?

That question just attracted $60 million in venture capital.

The money followed the bottleneck

On June 15, Arcade raised $60 million in Series A funding led by SYN Ventures, with strategic investment from Morgan Stanley and Wipro. The company does one thing: it proves that a given agent, acting on behalf of a given user, is authorized to perform a given action on a given resource. That is the entire product. Authorization for agents in production.

The round brought total funding to $72 million. Tool call volume: up 25x in six months. They authored the MCP authorization specification that Anthropic adopted, and their customers include a top US bank, Prosus, and LangChain.

Here is what matters about that list: these are not companies experimenting with agents. They are companies that tried to put agents into production and hit the same wall.

Arcade’s CEO, Alex Salazar, said it plainly: “Agents don’t fail in production because the model is wrong. They fail because nobody can prove that for any given action by an agent, whether that agent on behalf of that user can perform that action on that resource.”

That sentence should be printed and taped to the wall of every AI implementation team in the country.

This was not one company. It was the entire week.

Arcade was not alone. In the same 48-hour window:

Ping Identity extended its Runtime Identity platform for AI agents across AWS, Google Cloud, and Cloudflare. The product gives agents verifiable identities so enterprises can track and control what they do across cloud environments.

Aembit announced support for Microsoft Copilot Studio, extending identity and access management directly into agentic AI workflows.

KPMG and Microsoft announced a global deployment of Agent 365, the system that lets KPMG manage and control AI agents for its clients at scale.

Four companies. Four different products. All solving the same problem in the same week: who is this agent, what is it allowed to do, and can we prove it after the fact?

When every major vendor converges on the same problem in the same week, the market is telling you where the bottleneck actually is.

The bottleneck is not what most leaders think

If you asked most business leaders what is stopping their AI agents from reaching production, the top answers would probably include: the model is not good enough, the data is not ready, we need more training, the team needs time to learn.

None of those are the real blocker.

The real blocker is that security and compliance teams cannot approve an agent that has standing access to enterprise systems with no way to audit what it did. An agent with overprivileged service account access is not a productivity tool. It is a liability. One hallucination with full system access is a data breach.

This is why Arcade built authorization that gives agents only the access the user has, only for the specific action they are taking. No standing permissions. No overprivileged accounts. A complete audit trail of every action.

That is not a technology problem. It is an operations problem. And it is the reason 76% of enterprises say they are not ready for agentic AI but are deploying it anyway.

What this means for your organization

The authorization layer is becoming the gate between pilot and production. If your agents do not have verifiable identity, scoped permissions, and an audit trail, they will stay in pilot. Not because the technology is not ready. Because your security team will not sign off. And they should not.

Three questions to bring to your next AI review:

Can your security team tell you exactly which actions your AI agents took last week, on whose behalf, and against which systems? If not, your agents are running without governance.

Does your agent have its own identity in your access management system, or is it borrowing a service account? Borrowed accounts mean borrowed risk. When the agent does something unexpected, the blast radius is whatever that account can reach.

Is authorization enforced per action, or does your agent have standing access once activated? Standing access is the default in most pilot setups. It is also the reason most pilots never get security approval to scale.

The gap just moved

Six months ago, the gap between AI-forward organizations and everyone else was about adoption. Who was using AI and who was not. That gap has not closed. But a new one opened inside of it.

Among organizations actively deploying agents, the divide is now between those who solved the operations layer and those who are still treating agents like chatbots with extra steps. The companies that built authorization, identity, and governance into their agent infrastructure from day one are the ones moving from pilot to production. Everyone else is stuck explaining to their CISO why an AI agent needs admin access.

The model was never the bottleneck. The workflow was. And the workflow starts with proving that the agent is allowed to do what it is about to do.