By NHI Mgmt Group Editorial Team
Published 2025-11-18
Domain: Breaches & Incidents
Source: Nudge Security

TL;DR: Demand for SaaS and AI governance across the workforce is rising as embedded AI, integrations, and non-human identities create a governance gap that traditional controls do not inventory well, according to Nudge Security. Nudge Security raised $22.5 million in Series A funding led by Cerberus Ventures while reporting 3x ARR growth for two consecutive years and nearly 200 customers.


At a glance

What this is: Nudge Security's Series A and growth update argues that workforce AI and SaaS governance is becoming a core identity security problem, not just a visibility problem.

Why it matters: IAM, NHI, and security teams need governance that tracks apps, integrations, and non-human identities together because embedded AI changes access paths and accountability.

By the numbers:

👉 Read Nudge Security's announcement on workforce AI and SaaS governance funding


Context

Workforce AI governance now sits inside identity security because employees are making daily access and sharing decisions across SaaS apps, embedded AI features, integrations, and non-human identities. Once those connections are invisible, security teams lose the ability to judge who or what can move data, trigger actions, or extend trust across the environment.

That gap is wider than classic SaaS discovery. The harder problem is understanding how human identities, service accounts, tokens, and AI-connected workflows combine to create access paths that were never formally approved, reviewed, or offboarded.

For teams already mapping SaaS sprawl, the relevant control question is no longer whether an app exists. It is whether the identity relationships behind that app are governed well enough to survive AI-enabled adoption at workforce speed.


Key questions

Q: How should security teams govern workforce AI across SaaS apps and integrations?

A: Security teams should govern workforce AI as a workflow problem, not a single-app problem. That means discovering the full SaaS footprint, mapping connected integrations, identifying the non-human identities behind each connection, and reviewing how data can move between systems. If the governance model stops at app inventory, it will miss the real access paths.

Q: Why do non-human identities make SaaS governance harder?

A: Non-human identities make SaaS governance harder because they create durable access paths that are often invisible to business users and inconsistently owned by security teams. API keys, OAuth grants, and service accounts can keep operating after the original owner changes roles or the use case ends, which widens the blast radius of ordinary SaaS sprawl.

Q: What should teams look for when embedded AI starts appearing in SaaS tools?

A: Teams should look for where embedded AI can read data, trigger workflows, or connect to downstream systems. Those capabilities change the trust boundary even if the application already existed before AI features were added. Governance should therefore include data-access review, integration review, and revocation processes for any credentials that support the feature set.

Q: Who should own identity governance for SaaS and AI adoption?

A: Ownership should sit across IAM, security architecture, and the teams that manage SaaS and automation, with clear accountability for discovery, review, and offboarding. The practical test is whether every connected app and credential has a named owner, a review cadence, and a revocation path when business use changes.


Technical breakdown

Why workforce AI creates a new identity inventory problem

Workforce AI use is not limited to standalone chat tools. Many SaaS products now embed AI features, chain integrations through APIs, and create secondary identity relationships through tokens and service accounts. That means the inventory problem is no longer just app discovery. It becomes identity relationship discovery across people, machines, and embedded automation. If the security programme only tracks sanctioned applications, it will miss the pathways that actually move data and initiate actions.

Practical implication: inventory apps, integrations, and the identities attached to them as one governed surface.

How non-human identities extend SaaS and AI risk

Non-human identities are the credentials that let software act, connect, or delegate access, including API keys, OAuth grants, service accounts, and workload tokens. In a SaaS and AI context, they are often the hidden layer that keeps automations and embedded features running. If those identities are over-privileged, poorly monitored, or never revoked, they can outlive the business process that created them and silently widen the blast radius of an ordinary user action.

Practical implication: bring NHI lifecycle, privilege scope, and revocation into SaaS governance reviews.

What just-in-time guardrails change in the browser and collaboration layer

Just-in-time guardrails work by influencing decisions at the moment of use rather than only after the fact. In a workforce setting, that means policy prompts, browser controls, and collaboration nudges can reduce risky sharing, unapproved app adoption, and shadow AI use before access patterns harden. The limitation is that guardrails cannot compensate for missing identity visibility. If the underlying entitlements are unknown, the control only nudges behavior around an incomplete picture.

Practical implication: pair real-time nudges with entitlement discovery, or the policy layer will be partial.



NHI Mgmt Group analysis

Workforce AI governance is becoming an identity problem, not a software usage problem. Once AI is embedded across SaaS, the control surface shifts from application approval to identity relationship management. Human users, delegated tokens, and connected systems all influence what data can be reached and what action can be taken. The implication is that governance programmes need to treat app discovery as only the first layer of assurance.

Embedded AI creates identity paths that traditional SaaS inventories were not designed to explain. The article points to apps, integrations, and non-human identities all participating in the same workflow, which means access decisions now span multiple control domains. A SaaS register that omits OAuth grants, service accounts, or agent-like automations leaves an incomplete risk picture. Practitioners should expect identity sprawl to follow AI sprawl unless those relationships are governed together.

Non-human identity sprawl is the hidden multiplier in workforce AI adoption. AI features inside business applications often depend on credentials that are easy to overlook during onboarding and difficult to retire during offboarding. That creates lingering access paths that survive beyond the original use case. The operational conclusion is simple: if NHI lifecycle is outside your SaaS governance model, your AI governance model is already incomplete.

Policy-driven nudges only work when the underlying identity graph is visible. Real-time guidance can shape workforce behavior, but it cannot fix unknown entitlements, unknown integrations, or unmanaged machine access. This is where the governance stack becomes layered: discover, classify, assess, and then intervene at the point of use. Teams that skip the first layers will end up with partial control and false confidence.

Identity governance for AI-first workplaces now spans human, machine, and embedded automation at once. This is not a separate AI programme bolted onto IAM. It is an expansion of existing governance responsibilities into environments where a person, a service account, and an AI-enabled feature may all participate in a single business workflow. Practitioners should therefore reframe programme scope around the workflow, not the tool category.

From our research:

What this signals

Identity governance will need to move from application lists to relationship maps. As SaaS products absorb more AI capability, the useful control unit becomes the chain of app, integration, credential, and owner. Teams that cannot trace those relationships will struggle to prove whether AI use is sanctioned, monitored, or offboarded correctly.

The visibility gap is already well documented: 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to the State of Non-Human Identity Security. That is a strong signal that many programmes are governing the interface while missing the delegated access underneath it.

Shadow AI will increasingly look like shadow identity. The fastest-growing risk is not a standalone AI tool but the hidden credential path that makes it functional inside an ordinary SaaS workflow. Security teams should therefore prepare for identity review processes to expand into software procurement, integration approval, and offboarding controls.


For practitioners

  • Inventory SaaS, AI, and connected identities together: Build a single view that links applications, integrations, service accounts, OAuth grants, and user activity so the governance team can see how access actually flows.
  • Review non-human identity lifecycle during app onboarding and offboarding: Require teams to identify which tokens, keys, and delegated credentials are created by each SaaS or AI integration and define how they are revoked when the use case ends.
  • Map embedded AI features to data-access and sharing paths: Treat AI features inside SaaS as separate trust consumers when they can read, transform, or forward sensitive data through APIs or internal integrations.
  • Pair real-time nudges with entitlement verification: Use browser or collaboration prompts to influence user behaviour, but verify the underlying entitlements first so the control is based on a complete access picture.
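The "practical test" from the Key questions section (named owner, review cadence, revocation path) and the single linked view described in the first practitioner item, as an added example that is not part of the original post or of Nudge Security's product. All apps, owners, dates and credentials in it are constructed placeholders; the governance graph is a minimal model, not a real inventory format.

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass(frozen=True)
class Credential:                  # a non-human identity behind a SaaS/AI app
    cred_id: str
    owner: "str | None"            # named human owner; None means orphaned
    last_review: "date | None"     # last entitlement review; None means never
    revocation_path: bool          # a documented way to revoke it exists

@dataclass(frozen=True)
class Integration:                 # a link between two apps made by a credential
    source_app: str
    target_app: str
    cred_id: str
    embedded_ai: bool = False      # an AI feature reads or acts through this link

def governance_gaps(creds, today, review_days=90):
    """The page's practical test per credential: owner, review cadence, revocation path."""
    gaps = {}
    for c in creds:
        overdue = c.last_review is None or today - c.last_review > timedelta(days=review_days)
        reasons = [msg for bad, msg in ((c.owner is None, "no named owner"),
                                        (overdue, "review overdue"),
                                        (not c.revocation_path, "no revocation path")) if bad]
        if reasons:
            gaps[c.cred_id] = reasons
    return gaps

def reachable_apps(integrations, start, seen=None):
    """Apps reachable downstream of `start` by following integration links."""
    seen = set() if seen is None else seen
    for i in integrations:
        if i.source_app == start and i.target_app not in seen:
            seen.add(i.target_app)
            reachable_apps(integrations, i.target_app, seen)
    return seen

def ungoverned_ai_links(integrations, creds, today):
    """Embedded-AI links whose credential fails the governance test."""
    gaps = governance_gaps(creds, today)
    return sorted(i.cred_id for i in integrations if i.embedded_ai and i.cred_id in gaps)

TODAY = date(2025, 11, 18)         # constructed sample inventory below (hypothetical)
CREDS = [Credential("grant-1", "alice", date(2025, 10, 1), True),
         Credential("key-2", None, date(2025, 1, 15), False),
         Credential("sa-3", "bob", None, True)]
INTEGRATIONS = [Integration("ai-assistant", "docs-suite", "sa-3", embedded_ai=True),
                Integration("docs-suite", "crm", "key-2"),
                Integration("crm", "mail-platform", "grant-1")]
```

Running `reachable_apps(INTEGRATIONS, "ai-assistant")` shows the AI feature can reach the CRM and mail platform through two credentials that nobody would see in a plain app list, and `ungoverned_ai_links` flags the service account that has never been reviewed.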

Key takeaways

  • The funding round matters because it confirms that workforce AI governance is now being treated as an identity and access problem.
  • The operational risk is hidden in the connections between SaaS apps, embedded AI features, and non-human identities that are often poorly inventoried.
  • Practitioners should govern the full workflow surface, including discovery, entitlement review, and offboarding of connected credentials.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI-03 | Covers NHI lifecycle and credential exposure in SaaS and AI integrations.
NIST CSF 2.0 | PR.AC-4 | Identity and access management controls fit workflow-level SaaS governance.
NIST Zero Trust (SP 800-207) | AC-4 | Zero trust requires continuous verification of app and identity relationships.

Map connected identities to access owners and review entitlements before approving new AI-enabled apps.


Key terms

  • Workforce Edge: The workforce edge is the point where people make day-to-day technology choices across approved and unapproved SaaS and AI tools. It matters because identity risk often appears there first, when access, sharing, and integration decisions happen outside the central control plane.
  • Non-Human Identity: A non-human identity is any credential or account used by software rather than a person, including API keys, service accounts, tokens, and certificates. In SaaS and AI environments, these identities are what connect tools, move data, and enable automation, which makes their lifecycle and privilege scope security-critical.
  • Embedded AI: Embedded AI is artificial intelligence built into a broader application rather than delivered as a separate product. It matters because the AI feature may inherit the app’s access, integrations, and data paths while also creating new identity dependencies that security teams do not immediately see.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by Nudge Security: Nudge Security raises $22.5M Series A to secure workforce AI and SaaS. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-11-18.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org