Opal Security Declares the End of Access Sprawl - Launches Industry's First Platform to See, Encode, and Enforce Governance with AI

New research from Opal Labs reveals nearly half of employees have at least one entitlement they haven't used in 90+ days, and those stale entitlements touch 79% of resources; Opal responds with Paladin, OpalScript, and OpalQuery — a unified AI-native identity security platform

Opal Security, the modern identity security and access governance company, today announced three new AI-native capabilities that together form the industry's first unified platform for seeing, encoding, and enforcing access governance. The launch, anchored by Paladin, an access evaluation agent, positions Opal as the defining company in AI-native identity governance. Rather than bolting AI onto legacy workflows, the company is creating AI that operates as a first-class participant in access decisions, orchestration, and policy reviews.

This announcement comes on the heels of new data from Opal Labs' report The Permission Gap: How Unused Access is the Newest Security Crisis. The data is clear: overprovisioning is already out of control, and without automated governance, AI agents will increase risk exponentially.

Paladin: AI Governance that uniquely understands access

At the center of this launch is Paladin, an AI access evaluation agent that goes beyond first-generation agents, which merely respond to access requests, and fundamentally governs access intent. Paladin automatically aligns access policies with an organization’s evolving risk tolerance and growth objectives. Paladin thinks about access in ways no other product does – investigating every access request in seconds with the expertise of a senior security engineer. When an employee requests access to a system, Paladin automatically examines the requester's identity, access history, ticket references, resource sensitivity, and justification. It then either approves the request directly or escalates it for human review with a detailed explanation of what's missing or concerning.

Unlike AI copilots that generate recommendations for humans to act on, Paladin operates as a first-class reviewer within Opal's approval chain, with its own identity, audit trail, and decision authority. When Paladin escalates, the process doesn't end there. The requester can provide additional context, and Paladin re-evaluates and resolves the request dynamically — often without a human reviewer ever getting involved. Paladin also cross-references access requests against project management systems like Linear and Jira, verifying that cited tickets exist, are active, and match the requested resource. Every decision is captured in the system's standard activity feed with full reasoning.

The company believes that as AI agents continue to multiply, organizations will face a scale and level of complexity that no security team can handle manually. The spin-up and tear-down patterns of agents move too fast for click-based operations to keep pace. The only viable answer is automation: encoding access through systems like MCP, Terraform, or Opal's APIs so that access governance keeps pace with AI workload velocity.

OpalScript and OpalQuery: Completing the Loop

Alongside Paladin, Opal is announcing two additional capabilities to govern access in the agentic era:

OpalScript is a Python-like policy language that lets security teams codify access decision logic as executable automations. Administrators write short scripts — or ask an AI assistant to generate and modify them in natural language — that run automatically when access events occur. OpalScript bridges the gap between rigid rule toggles and custom engineering, without filing a developer ticket. The tool lets teams express complex, organization-specific policies such as separation-of-duties enforcement to limit toxic combinations: "GitHub admins cannot be Panther admins." As a second example, one customer scripted a workflow that requires a ticket number, a group-based authorization check, duration enforcement (≤12h in this case), admin notifications, and auto-approval logic tied to every entitlement.

OpalQuery is an AI-powered access query environment that lets security teams, GRC analysts, and IT administrators explore their organization's access data by describing what they're looking for in plain English. The AI translates queries into structured filters against Opal Security's identity and access graph, returns results instantly, and lets users save, share, and export queries for audit evidence. What previously required filing a ticket with engineering, writing custom SQL, or manually cross-referencing systems now takes seconds.

Together, the three capabilities form a closed loop: See your access posture (OpalQuery), Encode your policies (OpalScript), and Enforce them autonomously (Paladin).

The Data Behind the Launch

This announcement comes as overprovisioning reaches unprecedented levels, driven by the way access is granted in most organizations. New data from Opal Labs' report The Permission Gap: How Unused Access is the Newest Security Crisis reveals that:

  • Auto-granted access is up to 50% more likely to go unused than access that's been manually reviewed. The faster and easier it is to give someone access, the more bloat builds up.
  • Nearly half (48.6%) of all employees are holding at least one entitlement they haven't touched in 3+ months, and 4 out of 5 resources have at least one stale assignment — each one represents an open door that most organizations can't detect, let alone close.
  • Over 40,000 active access assignments haven't been used in 3+ months, increasing risk of breaches.
  • Organizations could face up to 900,000 manual access reviews per year, costing an estimated 213,000 hours in reviewer time just to keep pace — a volume that will explode as AI agent adoption accelerates.¹

"Organizations are drowning in access they can't see, track, or clean up fast enough," said Howard Ting, CEO of Opal Security. "Excessive and outdated privileges are a fundamental breakdown in how organizations manage trust. Every unused permission is an open door, and most organizations have thousands of them sitting undetected. Our goal is to help teams get ahead of this problem so they can move faster while also mitigating their risk."

Availability

Opal Security's latest platform capabilities are now available for all customers. Learn more about Opal Labs’ report The Permission Gap: How Unused Access is the Newest Security Crisis here.

About Opal Security

Opal Security is the programmable authorization platform that empowers security teams to manage access and reduce identity risk at scale. OpalQuery provides real-time, AI-assisted visibility into the access graph. OpalScript gives teams an expressive language to encode access policy as code — from JIT rules and approval workflows to SoD constraints and break-glass procedures. Paladin, Opal's autonomous agent, enforces policy continuously without human toil. At Opal's core is an intelligent data layer that surfaces and contextualizes the most critical risks. Unlike legacy IGA or workflow tools, Opal gives security teams direct authority to remediate exposures in real time. Customers including Cloudflare, Databricks, Elastic, Figma, Grammarly, Scale AI, and Verily trust Opal to secure their most important assets. Based in New York City and San Francisco, the company is backed by Greylock, Battery Ventures, Box Group, SVCI, and prominent cybersecurity industry leaders. For more information, visit opal.dev.

¹ Projections calculated based on a 10:1 agent:employee ratio at an 8,000-seat cloud-native Opal customer.
