As artificial intelligence moves from experimentation to production within enterprise environments, one question is quietly becoming decisive: who—or what—is allowed to access sensitive systems?
For Eeshan Agarwal, a software engineer specializing in identity and authorization systems, that question has defined his career. His work focuses not on visible features or user interfaces, but on the infrastructure beneath them — the layer that determines whether enterprise software can be trusted at scale.
“Every company handling sensitive data faces the same fundamental challenge,” Agarwal explains. “It’s determining who can access which data, under what conditions, and proving those controls hold up as you grow. Authorization isn’t a feature on top of a product. It’s the foundation underneath it.”
He refers to this as the foundation of trust in enterprise software—the system that sits beneath all application logic and makes access-control decisions in real time. Without it, products cannot pass audits, serve enterprise customers, or scale securely across regulated industries.
The distinction matters. Security typically thinks about keeping bad actors out. Authorization thinks about whether a legitimate actor is allowed to do what they’re trying to do. It’s the difference between locking the front door and enforcing the rules about who can access which rooms inside.
From Berkeley to Enterprise Infrastructure
Agarwal earned his B.S. in Electrical Engineering and Computer Sciences from UC Berkeley, one of the most competitive and highly ranked engineering programs in the United States, where he focused on distributed systems and software architecture. An early engineering project — designing a head-movement-controlled wheelchair for a quadriplegic individual — offered an early signal of his engineering instincts. The project was selected from over 30,000 applicants in a national innovation competition in India and earned recognition from Dr. A.P.J. Abdul Kalam, former President of India. The experience reinforced a principle that would carry through his career: engineering is measured not just by performance but also by reliability and usability under real-world conditions.
After Berkeley, he joined Box, one of the world’s largest enterprise cloud content management platforms. Box serves Fortune 500 companies and government agencies, managing billions of file operations across millions of users globally. It was deeply technical infrastructure work — core database systems, caching layers, and metadata services that powered the entire platform — and Agarwal thrived in it. He was promoted to Senior Software Engineer in under a year, a pace well ahead of the typical timeline for engineers at that level.
“Infrastructure problems at scale aren’t just about speed,” he says. “They’re about correctness, durability, and making systems simple enough for other engineers to use safely. At Box, I learned what it means when your infrastructure silently fails — there is no graceful degradation. Every user, every organization on the platform is affected.”
From very early in his career, Agarwal was a deeply technical contributor operating at the infrastructure layer—the kind of engineer who gravitates toward the hardest problems beneath the surface rather than the visible features above it. That instinct, and the speed at which he rose relative to his peer group, marked him as someone building toward something larger.
Scaling Authorization from Startup to Enterprise
Agarwal joined Vanta as one of its earliest engineers when the company had fewer than 15 people. Today, Vanta is valued at $4.15 billion and serves more than 12,000 organizations worldwide, supporting compliance frameworks including SOC 2, ISO 27001, HIPAA, and FedRAMP. Agarwal rose to become the company’s most senior software engineer — again, faster than the typical trajectory — reflecting the technical depth and scope of his contributions.
Within that environment, authorization is not theoretical. Access decisions are audited and scrutinized by third parties. A misconfigured permission does not create inconvenience — it creates regulatory risk. For Agarwal, whose expertise in identity and authorization infrastructure spans his entire career, the problem was familiar — but the stakes were sharper than anywhere he had worked before.
One of his most consequential contributions was leading the authorization through a fundamental architectural shift: from logic embedded in application middleware to a standalone platform service that other parts of the system could rely on independently. It was the kind of transition that only someone with deep experience in access control systems would recognize as necessary before it became urgent.
Instead of scattering authorization logic across dozens of services, Agarwal designed a centralized service to make consistent access-control decisions across the entire platform.
“The key insight was that authorization is a crosscutting concern,” Agarwal explains. “If it lives in a dozen different places, embedded in different services, you get a dozen different behaviors. You get inconsistency. You get bugs. You get security gaps. The only way to scale authorization correctly is to make it a first-class system that everyone builds on.”
The transition surfaced three architectural principles that Agarwal has advocated for throughout his career at Vanta.
First, simplicity at the interface. An engineer should be able to ask a single question — “Does user X have permission to do action Y on resource Z?” — and get a clear yes or no. That simplicity matters because authorization decisions get embedded in hot code paths. They execute billions of times. Performance is not negotiable. But neither is clarity.
“When authorization is difficult to use, engineers work around it,” he says. “And workarounds in authorization become security vulnerabilities. The system has to make it harder to ship a feature without proper access controls than to ship one with them.”
Second, safety by default. Authorization should be designed so that the easiest path is the secure path. This means integrating checks early in the development process — at the CI/CD stage, in pre-commit hooks, in development environments. Developers encounter authorization constraints before they write code that violates them.
Third, transparency. Every access decision should be observable and auditable — not just at a high level, but with real-time visibility into the decision logic. Why was this request approved or denied? What rules applied? Which organizational policies mattered? This transparency lets developers debug authorization logic when it goes wrong, and lets compliance teams prove that access is being governed correctly.
“Simplicity makes authorization easier to embed consistently,” Agarwal says. “Safety by default removes the question of whether to check authorization. Transparency makes it impossible to hide authorization gaps. They work together.”
The Blast Radius of Infrastructure
One concept that Agarwal has used to clarify thinking about authorization is what he calls “blast radius.” In a typical application bug — a defective search filter, a miscalculated price, a display glitch — the impact is localized. One feature breaks. One user is confused. One order is incorrect. The blast radius is bounded.
Authorization failures have a different character. When authorization logic breaks, it doesn’t affect a single feature or user. It affects every feature, every user, every organization. It’s not a localized bug. It’s a category of failure that can compromise the entire system.
That asymmetry changes how infrastructure engineers think about design, testing, and rollout. Authorization sits beneath every workflow — compliance documentation, financial data, internal security tools, and increasingly, AI-powered automation. You don’t treat it as code that can be iterated on lightly. You don’t treat authorization bugs as something you’ll fix in the next sprint. You build authorization so that failure is unlikely.
“At some point in your growth, authorization stops being a feature and becomes an invariant,” Agarwal says. “It has to be. If your organization is using your platform for mission-critical work, they need to know with absolute certainty that access control is not going to break.”
The architecture Agarwal designed during Vanta’s early growth continues to serve the platform at its current scale. That longevity is intentional. He describes the philosophy as “design for the organization you will become” — anticipating the failure modes of a system that will eventually serve thousands of organizations, and building the guardrails to prevent them, before the complexity arrives.
“The goal is architectural durability,” he notes. “You build enforcement mechanisms, validation pipelines, and monitoring into the system itself so that correctness is a property of the architecture, not something that depends on any individual engineer’s vigilance.”
Looking Ahead
Agarwal describes himself as a platform engineer at heart — someone focused on building systems that endure complexity and growth.
Over the next decade, he believes enterprise software will undergo a transformation similar to the era of cloud migration. Just as companies had to rethink deployment architectures, they must now rethink access governance in the context of machine-speed automation. As AI agents begin operating within enterprise environments — reading data, triggering workflows, and making decisions autonomously — authorization becomes the system that determines how confidently organizations can automate.
“If we get this right,” he says, “AI agents will automate enormous amounts of work without introducing systemic vulnerabilities.”
In enterprise systems, innovation may move quickly.
Trust must last longer.
Agarwal has spent his career making sure it does.
