NewCore raises $66M to put AI agents inside enterprise identity systems

NewCore came out of stealth on Monday with $66 million in seed funding and a blunt premise: AI agents are becoming an identity-management problem faster than most companies are preparing for it.

Cyberstarts led the round, with Index Ventures and Evolution Equity Partners participating. NewCore is valued at $300 million post-money. That’s a big seed round, but investors know this market. Identity is expensive, sticky, security-sensitive, and hard to replace. Add thousands of autonomous or semi-autonomous AI agents, and the old categories of users, service accounts, and permissions start to break down.

NewCore’s argument is straightforward. If companies let AI agents write code, query databases, open tickets, update CRM records, or operate internal tools, those agents need identities. They need permissions, owners, audit trails, expiration policies, and revocation. Treating them as shared API keys or generic machine accounts is a bad habit with a larger blast radius.

AI agents are becoming an access-control headache

The timing is deliberate. Companies have moved past chatbot pilots and are giving AI systems actual work.

Goldman Sachs tested the AI coding agent Devin as a kind of new employee last year. McKinsey has said 25,000 AI agents already work alongside its 60,000 employees. TCS Chairman N. Chandrasekaran recently said AI agents could eventually rival the size of the company’s human workforce.

Some of that language is inflated. “Employee” is doing a lot of work for software that still fails unpredictably, needs supervision, and often struggles outside constrained workflows. The access problem is real anyway.

A developer using Claude Code, OpenAI Codex, or Cursor may want the assistant to inspect a repository, create a branch, read logs, call an internal API, or update a Jira issue. A sales operations agent might need Salesforce, Slack, Snowflake, and a ticketing system. A finance agent could touch far more sensitive systems.

The easy path is to hand these tools credentials. Developers already do that with scripts, CI jobs, local automation, and internal bots. It works until nobody knows who owns the token, what it can access, where it was copied, or whether it should still exist.

AI agents make that mess larger and stranger. They can spawn subtasks, interact with tools through plugins or MCP-style connectors, and operate with autonomy that doesn’t map cleanly to a human session or a traditional workload identity. Even when an agent acts on behalf of a human, its behavior can diverge from what that person would have done manually.

That leaves security teams with awkward questions:

• Is the agent acting as itself, as the employee, or as a delegated process?
• Who approves its access?
• How long should that access last?
• Can it request new permissions?
• What happens when the employee changes teams or leaves?
• How do you audit a chain of actions where human intent, model output, and tool execution all interact?

Those questions belong in identity and access management, but most IAM systems weren’t designed around this pattern.

NewCore wants agents treated as first-class identities

NewCore says its platform manages human and AI-agent identities in one system. Its position is that agents shouldn’t be forced into old buckets such as service accounts, machine credentials, or shared integration users. They should have their own lifecycle controls.

That distinction matters. A service account is usually tied to an application or workload. It often has broad permissions because narrowing access takes effort, breaks integrations, or requires governance work teams don’t have time for. An AI agent may act in short bursts, on behalf of different users, across several systems, with varying levels of autonomy.

A mature setup needs at least four things:

1. Scoped access: Agents should get only the permissions needed for a task or role.
2. Ownership: Every agent identity should map to a responsible human, team, or business process.
3. Observability: Actions need to be logged in a way security teams can investigate later.
4. Revocation: Access should be easy to suspend when an agent misbehaves, becomes obsolete, or changes purpose.

NewCore also describes a “split-key” architecture that divides critical identity credentials between the customer and the platform. The goal is to avoid an obvious failure mode: a centralized identity vendor becoming the place where one compromise turns into broad enterprise access.

The split-key idea is familiar in security. Variants show up in key management, password managers, confidential computing workflows, and zero-knowledge-style architectures. Its value depends on implementation details: where keys are generated, how recovery works, what metadata the vendor can see, how sessions are brokered, and whether the design survives operational realities like mobile approvals, emergency access, and legacy apps.

It’s still a sensible direction. If a new identity provider asks customers to route high-value human and agent access through its control plane, customers should ask exactly what happens when that provider gets breached.

Coding agents are the clearest use case

NewCore is also offering an “Agentic Skill” integration package for coding assistants including Anthropic’s Claude Code, OpenAI’s Codex, and Cursor. The idea is to let those tools access enterprise systems through managed identities instead of credentials passed around by hand.

For engineering teams, this is the part to watch.

Coding agents are among the first AI systems getting meaningful access inside companies because developers are already comfortable with automation. They can also do real damage. A coding agent with access to source code, CI/CD, package registries, secrets managers, issue trackers, and production logs has a rich attack surface around it.

Prompt injection is the obvious concern. If an agent reads untrusted content from an issue, pull request, README, ticket, or log file, that content can try to steer the model into unsafe behavior. Good tool design can reduce the blast radius, but identity controls are still needed. A malicious instruction should not be able to turn a code assistant into a privileged deployment bot.

Managed identity gives teams a cleaner boundary. Instead of embedding a GitHub token or cloud credential in a local setup, the agent can request access under policy. A human can approve or deny. The system can log the action against the agent identity, the employee who initiated it, and the target resource.

That won’t fix model reliability or prove the agent made a good code change. It does make access less sloppy.

Existing IAM vendors will move here too

NewCore’s founders are not pretending identity is an empty market. Okta and Microsoft Entra already dominate many enterprise deployments, and both have been adding AI-agent-related capabilities. Microsoft has a structural advantage because Entra sits close to Azure, Microsoft 365, GitHub, Copilot, and a huge base of enterprise directories.

NewCore CEO Zohar Alon argues those incumbents are extending platforms originally built for human employees, while NewCore has been built around a mixed workforce of humans, machines, and agents. Alon previously founded Dome9, a cloud-security startup acquired by Check Point. His co-founders are CTO Amihai Neiderman, a former Unit 8200 research leader and founder of healthcare AI company Nym Health, and chief commercial officer Erez Yarkoni, previously CIO of T-Mobile USA and Telstra.

The critique of incumbent IAM has some bite. Identity platforms tend to accumulate features slowly because they sit at the center of enterprise risk. Customers don’t swap them casually. That creates room for stale product design, painful pricing, and bolt-on governance.

Incumbency still matters. Identity systems win through integrations, uptime, compliance posture, directory compatibility, and boring administrative workflows. A startup can have the cleaner model and still hit the hard edge of enterprise adoption. Nobody wants a beautiful identity graph that doesn’t work with their HRIS, IdP, SIEM, SaaS estate, cloud accounts, PAM tooling, and audit process.

NewCore says it has fewer than 10 customers and more than 10 design partners. It expects to begin charging customers this summer. That’s early. The architecture may be promising, but production proof across messy enterprise environments is still ahead.

The hard part is policy

Giving an agent an identity is only the first layer. The tougher problem is deciding what that identity can do.

Human identity governance already struggles with over-permissioning. Employees accumulate access as they move between projects. Managers rubber-stamp reviews. Service accounts linger for years because nobody wants to break a workflow. AI agents could multiply that problem quickly.

Agent permissions need to account for context:

• The human who initiated the task
• The system the agent wants to access
• The sensitivity of the data
• The action being attempted
• The agent’s confidence or operating mode
• The approval path required for risky operations
• The history of previous actions in the session

This points toward policy engines that combine identity, authorization, and runtime behavior. Standards and patterns such as OAuth 2.0, OpenID Connect, SCIM, workload identity federation, SPIFFE/SPIRE, and policy-as-code tools like Open Policy Agent may all play a role, depending on the environment. The agent layer adds complications around delegated authority and tool use.

A coding agent probably shouldn’t be allowed to read secrets just because a human developer can. Opening a pull request may be fine. Merging to main may need human approval. Deploying to production should require a much tighter control path.

The identity system has to express those differences without turning every action into a ticket queue. Too much friction and engineers route around it. Too little control and the company has created a fast, tireless insider risk.

What technical teams should take from this

Most companies don’t need NewCore yet. Many do need to stop improvising around agent access.

If developers are already using AI coding tools, or if business teams are wiring agents into SaaS workflows, the identity model matters. The bad habits will be harder to unwind later.

Technical leaders should be asking:

• Are AI tools using personal credentials, shared tokens, or managed identities?
• Can we distinguish human actions from agent actions in logs?
• Do agents have owners and expiration dates?
• Can security revoke an agent without disabling the human employee?
• Are high-risk actions gated by approval or step-up authentication?
• Do our DLP, SIEM, and audit systems understand agent activity?

A lot of companies will discover the answer is “sort of” or “no.”

NewCore is betting that “sort of” becomes unacceptable as agent counts rise. That bet is plausible. Its challenge is proving that a new identity layer can integrate deeply enough to matter without becoming another control plane security teams have to babysit.

The funding gives NewCore time to make that case. The market will be less forgiving than the pitch deck. Identity products are judged in outages, audits, breach investigations, and tedious migration projects. AI agents raise the stakes, but they don’t make enterprise identity any less operationally ugly.