We built Aembit because credential sprawl is a silent audit failure

Every security team we talked to had the same problem: dozens of services, hundreds of credentials, zero visibility into who authenticated what, when. We decided to fix the root cause.

The problem we kept running into

David spent years working on zero-trust network architectures for highly regulated environments — financial services, government-adjacent infrastructure. The pattern repeated: human IAM was solved (Okta, Azure AD), but non-human workload identity was still managed by hand. Credentials in environment variables, service account keys on shared drives, rotation schedules nobody followed.

Cloud platforms had made partial progress. AWS IAM roles and GCP Workload Identity gave EC2 instances and Cloud Run containers an identity without static keys. But that didn't extend across clouds, into Kubernetes pods running in your own data center, through GitHub Actions pipelines, or into LLM agent runtimes that spawn new workloads on demand.

SPIFFE was the right abstraction. OIDC was the right protocol. What was missing was the authentication proxy that made them composable — letting any workload authenticate to any service without a stored secret, with a policy engine and audit log sitting in the middle. We built that in Bethesda in 2023. That's Aembit.

Timeline

2023: Aembit founded in Bethesda, Maryland. First workload attestation prototype running on Kubernetes.
2024: GitHub Actions and AWS Lambda integration shipped. First design partners onboarded.
2025: AI agent identity support ships. LangChain and AutoGen runtimes get per-invocation SPIFFE-backed tokens without code changes.
2026: Multi-cloud identity federation across AWS, GCP, and Azure. SOC 2 Type II audit completed March 2026.

Three people who have seen this problem from the inside

David Goldschlag, CEO & Co-founder

Over 15 years in distributed systems and network security, including work on zero-trust architectures for highly regulated environments. Started Aembit in 2023 after seeing credential sprawl cause the same class of incident, repeatedly, across different organizations.

Maya Chen, Head of Engineering

Previously staff engineer at a cloud infrastructure company, where she led the migration from static service account keys to SPIFFE-backed workload identity across a Kubernetes fleet. Has been running SPIRE in production environments since 2021.

Raj Patel, Lead Security Researcher

Previously security researcher at a government cybersecurity contractor. His work on OIDC token replay attack patterns and SVID attestation nonce binding directly shapes how Aembit's proxy sidecar prevents credential replay.

How we think about identity

Verifiable, not trusted

Every claim Aembit makes about a workload's identity is cryptographically verifiable. We do not store credentials. Our control plane has no secret database to breach. Trust is not assumed — it is attested and logged.

Logged, not assumed

Every authentication decision is recorded: which workload, which target, which policy, which token, which TTL. The audit log is not a compliance checkbox — it is the product. You can query the complete history of every access event.

Minimal footprint

We intercept the authentication path, not the data path. Aembit sees workload identities and policy decisions — never payload content. We implement SPIFFE, OIDC, and OAuth 2.0 token exchange (RFC 8693). Your policies are portable if you ever run your own control plane.
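To make the two mechanisms named above concrete, the RFC 8693 token exchange and the per-decision audit record, here is a small token-exchange service written for this page as an added example. It is not Aembit's code and says nothing about how Aembit's control plane is built. The signing keys, the SPIFFE IDs, the target audiences, the policy table and the audit record layout are all constructed for the example, and HMAC signing stands in for the asymmetric keys a real identity issuer and token service would use.

```python
"""Added example: a minimal RFC 8693 token-exchange endpoint that records every decision
to an audit log. Not Aembit's code; keys, SPIFFE IDs, audiences and policy are constructed."""
import base64
import hashlib
import hmac
import json
import time
import uuid

# URNs defined by RFC 8693 for the grant type and for JWT-typed tokens.
GRANT_TOKEN_EXCHANGE = "urn:ietf:params:oauth:grant-type:token-exchange"
TOKEN_TYPE_JWT = "urn:ietf:params:oauth:token-type:jwt"
ISSUED_TTL = 300  # seconds; the exchanged token is deliberately short-lived

# Constructed HMAC keys standing in for the workload identity issuer (a SPIRE-style
# JWT-SVID signer) and for the token service itself. Real deployments use asymmetric keys.
IDENTITY_KEY = b"example-only-identity-issuer-key"
STS_KEY = b"example-only-sts-signing-key"
STS_ISSUER = "https://sts.example.internal"

# Constructed policy: (workload SPIFFE ID, target audience) -> policy name.
POLICY = {
    ("spiffe://example.org/ns/payments/sa/api", "https://ledger.example.internal"): "payments-to-ledger",
}

AUDIT_LOG = []  # one record per decision, allow or deny


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, key: bytes) -> str:
    """Compact HS256 JWS over the claims; enough to stand in for a JWT-SVID here."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"


def verify_jwt(token: str, key: bytes, now: float) -> dict:
    """Check structure, signature and expiry; raise ValueError on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header, payload, sig = parts
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64(payload))
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims


def _audit(now, workload, target, decision, policy=None, token_id=None, ttl=None, reason=None):
    """Record the fields the page lists: workload, target, policy, token, TTL, plus the outcome."""
    AUDIT_LOG.append({"ts": now, "workload": workload, "target": target, "decision": decision,
                      "policy": policy, "token_id": token_id, "ttl": ttl, "reason": reason})


def token_exchange(request: dict, now: float = None) -> dict:
    """Handle one RFC 8693 request (form fields as a dict) and return the JSON response body.
    Failures use the RFC 6749 error shape; invalid_target is the code RFC 8693 adds for an
    audience the service will not issue a token for."""
    now = time.time() if now is None else now
    target = request.get("audience")
    if request.get("grant_type") != GRANT_TOKEN_EXCHANGE:
        return {"error": "unsupported_grant_type"}
    if request.get("subject_token_type") != TOKEN_TYPE_JWT:
        return {"error": "invalid_request", "error_description": "unsupported subject_token_type"}
    try:
        subject = verify_jwt(request.get("subject_token", ""), IDENTITY_KEY, now)
    except ValueError as exc:
        _audit(now, None, target, "deny", reason=f"subject_token: {exc}")
        return {"error": "invalid_request", "error_description": str(exc)}
    workload = subject.get("sub")
    policy = POLICY.get((workload, target))
    if policy is None:
        _audit(now, workload, target, "deny", reason="no policy for workload/target")
        return {"error": "invalid_target"}
    token_id = str(uuid.uuid4())
    issued = sign_jwt({"iss": STS_ISSUER, "sub": workload, "aud": target, "jti": token_id,
                       "iat": int(now), "exp": int(now) + ISSUED_TTL}, STS_KEY)
    _audit(now, workload, target, "allow", policy=policy, token_id=token_id, ttl=ISSUED_TTL)
    return {"access_token": issued, "issued_token_type": TOKEN_TYPE_JWT,
            "token_type": "Bearer", "expires_in": ISSUED_TTL}


def audit_history(workload: str = None, target: str = None) -> list:
    """Query the complete decision history, optionally filtered by workload or target."""
    return [r for r in AUDIT_LOG
            if (workload is None or r["workload"] == workload)
            and (target is None or r["target"] == target)]
```

The shape of the request and response (grant_type, subject_token, subject_token_type, audience on the way in; access_token, issued_token_type, token_type, expires_in on the way out) is the one RFC 8693 defines. The point the page makes about logging is visible in `_audit`: a denial for an unknown audience, an expired or tampered subject token, and a successful issuance all land in the same log with the same fields, so the history can be queried without reconstructing it from separate success and error paths.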

Talk to the people who built this

We're a small team. When you contact us, you get the engineers, not an SDR. Tell us about your workload environment and we'll give you an honest answer about whether Aembit fits.