Ploy raises £2.5M to fix identity sprawl with AI-led access management
Identity is now the open door. Ploy, a London-based cybersecurity startup, just raised £2.5 million ($3.3 million) to close it for mid-market companies that are still wrestling with manual access controls and untracked apps.
The seed round was led by Osney Capital with backing from Superseed, Tiny.vc, Rule30, and angels from ForgeRock, Digital Shadows, Zscaler, Rapid7, Egress, and ComplyAdvantage. Ploy has four employees, says revenue has doubled, and will use the funding to speed up product development and go-to-market.
Why this matters for management
If your company runs on hundreds of SaaS tools and cloud services, you likely don't know exactly who has access to what. That's the risk. Identity sprawl creates blind spots, audit gaps, and easy wins for attackers.
As the IGA market expands (projected from $7.1B in 2023 to $23.4B by 2032), boards are pushing for simple, provable controls that scale. Ploy is going after that gap for firms up to 5,000 employees.
What Ploy offers
Ploy is an AI-powered Identity Governance and Administration platform that automates access across SaaS, cloud, and collaboration tools. It ships with pre-built integrations and workflow automation for onboarding, offboarding, access requests, and reviews.
The company says teams can get core workflows running in under 20 minutes and cut identity management time by up to 90 percent. Its platform has secured over one million access entitlements and surfaced more than 26,000 SaaS applications across customers, evidence of how sprawling modern stacks have become.
AI assistant and just-in-time access
Ploy combines modern cloud architecture with an embedded AI assistant, Luna, to flag anomalies and support context-aware access decisions. It also leans into just-in-time access, making access temporary by default, and centralizes risk detection in real time.
That direction aligns with Zero Trust principles and current identity guidance from security agencies. For broader context on least-privilege and continuous verification principles, see the CISA Zero Trust Maturity Model.
Who's behind it
Ploy was founded by former Metomic executives: CEO Jacob Prime and CTO Harry Lucas. They're focused on the underserved mid-market: teams that need enterprise-grade controls without the overhead of legacy IGA deployments.
What customers are seeing
Customers including Payfit, Not On The High Street, ComplyAdvantage, and Times Higher Education report stronger security posture and faster reviews. Ellie Mental Health in the U.S. uses Ploy to detect risky entitlements within seconds as it scales.
Investor and leadership perspective
"With 80 percent of breaches now stemming from identity, boards are realising it's the biggest area they need to prioritise in their security strategy," says CEO and cofounder Jacob Prime. "Spreadsheet-based access tracking is now a legal and security liability. They need real-time visibility into who has access to what, before attackers or regulators find the gaps. That's exactly the problem Ploy solves."
"Identity sprawl has become a significant issue… particularly for modern stacks with hundreds or thousands of SaaS apps," says Joshua Walter, Partner at Osney Capital, who joins Ploy's board. "Ploy's just-in-time approach to access, making all access temporary by default, and identifying risks centrally in real-time, is becoming the only approach that scales with modern threats, ways of working, and technology stacks."
What managers should do now
- Inventory and map: Pull a unified view of users, roles, groups, and entitlements across SaaS, cloud, and internal apps. Assume shadow apps exist.
- Make access temporary: Shift to just-in-time access for privileged roles and sensitive data. Set short expiry windows by default.
- Automate the basics: Standardize onboarding, offboarding, and access reviews. Tie them to HRIS events to remove lag.
- Define owners: Assign clear application owners who approve access and attest regularly.
- Track metrics: Time-to-provision, time-to-revoke, number of dormant accounts, privileged access duration, and exceptions per quarter.
- Prepare for audits: Keep immutable logs of who approved what, when, and why. Make evidence exportable in minutes, not weeks.
- Use AI with guardrails: If you adopt AI-assisted decisions, require transparency, explainability, and override controls.
Buying checklist for IGA in the mid-market
- Coverage: Pre-built connectors for your top 20 apps and cloud platforms.
- JIT and least privilege: Temporary access by default, with policy enforcement and automated expiry.
- Risk detection: Anomaly alerts on entitlements, toxic combinations, and suspicious approval patterns.
- Workflow speed: Ability to deploy core workflows in hours, not quarters.
- Audit trail: End-to-end evidence and reporting for internal and external audits.
- Admin experience: Simple policy setup your team can manage without professional services.
The bottom line
Identity is where most attacks start, and spreadsheets can't keep up. Mid-market teams need automation, temporary access by default, and real-time visibility. Ploy is betting that a lighter IGA model with AI assistance is the practical path to get there.