We built Aembit because credential sprawl is a silent audit failure
Every security team we talked to had the same problem: dozens of services, hundreds of credentials, zero visibility into which workload authenticated to which service, and when. We decided to fix the root cause.
The problem we kept running into
David spent years working on zero-trust network architectures for highly regulated environments — financial services, government-adjacent infrastructure. The pattern repeated: human IAM was largely solved (Okta, Azure AD), but non-human workload identity was still managed by hand. Credentials in environment variables, service account keys on shared drives, rotation schedules nobody followed.
Cloud platforms had made partial progress. AWS IAM roles and GCP Workload Identity gave EC2 instances and Cloud Run containers an identity without static keys. But that didn't extend across clouds, into Kubernetes pods running in your own data center, through GitHub Actions pipelines, or into LLM agent runtimes that spawn new workloads on demand.
SPIFFE was the right abstraction. OIDC was the right protocol. What was missing was the authentication proxy that made them composable — letting any workload authenticate to any service without a stored secret, with a policy engine and audit log sitting in the middle. We built that in Bethesda in 2023. That's Aembit.
The team
Three people who have seen this problem from the inside
Over 15 years in distributed systems and network security, including work on zero-trust architectures for highly-regulated environments. Started Aembit in 2023 after seeing credential sprawl cause the same class of incident, repeatedly, across different organizations.
Previously staff engineer at a cloud infrastructure company, where she led the migration from static service account keys to SPIFFE-backed workload identity across a Kubernetes fleet. Has been running SPIRE in production environments since 2021.
Previously security researcher at a government cybersecurity contractor. His work on OIDC token replay attack patterns and SVID attestation nonce binding directly shapes how Aembit's proxy sidecar prevents credential replay.
Engineering principles
How we think about identity
Every claim Aembit makes about a workload's identity is cryptographically verifiable. We do not store credentials. Our control plane has no secret database to breach. Trust is not assumed — it is attested and logged.
Every authentication decision is recorded: which workload, which target, which policy, which token (by its identifier, never its value, since the log must not become a credential store), which TTL. The audit log is not a compliance checkbox — it is the product. You can query the complete history of every access event.
We intercept the authentication path, not the data path. Aembit sees workload identities and policy decisions — never payload content. We implement SPIFFE, OIDC, and OAuth 2.0 token exchange (RFC 8693). Your policies are portable if you ever run your own control plane.
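The shape of the exchange described above (an attested SPIFFE identity in, a policy check and audit record in the middle, a short-lived target token out) is easier to see in code. The following is an added example, not Aembit's code: a toy RFC 8693 token-exchange endpoint in Python. It assumes HS256 with constructed shared keys in place of the asymmetric keys a real trust domain (SPIRE, for instance) would use, and every SPIFFE ID, audience, policy ID and key in it is constructed for illustration.

```python
"""Added example, not Aembit's code: a toy RFC 8693 token-exchange endpoint.
It verifies a SPIFFE JWT-SVID, applies a (workload, target) policy, mints a
short-lived token for the target, and audits the decision by token ID, never
by token value. HS256 with shared keys stands in for real asymmetric keys."""
import base64
import hashlib
import hmac
import json
import time
import uuid

TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
JWT_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:jwt"

# Constructed keys and identifiers (assumption: a deployment would use the
# trust domain's public keys and a private signing key, not shared secrets).
TRUST_DOMAIN_KEY = b"constructed-trust-domain-signing-key"  # verifies incoming SVIDs
ISSUER_KEY = b"constructed-exchange-issuer-key"  # signs tokens this endpoint mints
EXCHANGE_AUDIENCE = "https://token-exchange.example.internal"  # aud an SVID must carry

# Constructed policy table: (workload SPIFFE ID, target audience) -> rule.
POLICY = {
    ("spiffe://example.org/ns/payments/sa/api", "https://ledger.example.internal"):
        {"id": "pol-001", "ttl": 300},
}

AUDIT_LOG = []  # one record per decision, allow or deny


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims, key):
    """Compact-serialise and HMAC-sign a JWT (toy HS256, see module docstring)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token, key, audience, now):
    """Check alg, signature, expiry and audience; raise ValueError on any failure."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # refuse alg-confusion attempts
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")  # an SVID minted for another service is not ours
    return claims


def mint_svid(spiffe_id, now, ttl=600):
    """Constructed stand-in for the JWT-SVID SPIRE issues after attesting a workload."""
    return sign_jwt({"iss": "spiffe://example.org", "sub": spiffe_id,
                     "aud": [EXCHANGE_AUDIENCE], "iat": int(now), "exp": int(now) + ttl},
                    TRUST_DOMAIN_KEY)


def _audit(decision, workload, target, policy_id=None, token_id=None, ttl=None, reason=None):
    record = {"decision": decision, "workload": workload, "target": target,
              "policy": policy_id, "token_id": token_id, "ttl": ttl, "reason": reason}
    AUDIT_LOG.append(record)
    return record


def exchange(form, now=None):
    """Handle one RFC 8693 request (form fields as a dict); return (HTTP status, JSON body)."""
    now = time.time() if now is None else now
    target = form.get("audience")
    if form.get("grant_type") != TOKEN_EXCHANGE_GRANT:
        return 400, {"error": "unsupported_grant_type"}
    if form.get("subject_token_type") != JWT_TOKEN_TYPE or not target:
        return 400, {"error": "invalid_request"}
    try:
        svid = verify_jwt(form["subject_token"], TRUST_DOMAIN_KEY, EXCHANGE_AUDIENCE, now)
    except (KeyError, ValueError) as exc:  # binascii.Error and JSONDecodeError are ValueErrors
        _audit("deny", None, target, reason=f"attestation failed: {exc}")
        return 400, {"error": "invalid_grant"}
    workload = svid.get("sub")
    rule = POLICY.get((workload, target))
    if rule is None:
        _audit("deny", workload, target, reason="no matching policy")
        return 403, {"error": "access_denied"}
    token_id = str(uuid.uuid4())
    access_token = sign_jwt({"iss": EXCHANGE_AUDIENCE, "sub": workload, "aud": target,
                             "iat": int(now), "exp": int(now) + rule["ttl"], "jti": token_id},
                            ISSUER_KEY)
    # Record who, to what, under which policy, which token (by jti) and for how long.
    # The token value is never written: the audit log must not become a credential store.
    _audit("allow", workload, target, rule["id"], token_id, rule["ttl"])
    return 200, {"access_token": access_token, "issued_token_type": JWT_TOKEN_TYPE,
                 "token_type": "Bearer", "expires_in": rule["ttl"]}
```

Two design points carry over to a real deployment regardless of the toy crypto: the SVID is bound to the exchange endpoint through its `aud` claim, so a token minted for some other service cannot be replayed here, and the audit record carries the minted token's `jti` and TTL rather than the token itself, which is what lets the log be queried freely without turning it into a secret store.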