Graham Neray on Techstrong TV: Tackling Over-Permissioning with Oso

Oso’s CEO and co-founder Graham Neray spoke with Techstrong Group CEO and co-founder Alan Shimel about his path from seven years at MongoDB to founding Oso, a company focused on building a unified permissions layer for software applications, humans, and agents.

Neray described what motivates him:

  • Doing things that are extremely hard
  • Working with people who operate at the highest level
  • Having a real chance to win

I am an intense entrepreneur that likes infrastructure.

He referenced Shopify founder Tobi Lütke’s idea that it’s lucky to find a problem you can fall in love with, and shared his own version:

As most men in their thirties do, I fell in love with permissions.

Neray explained how Oso arrived at its mission:

We were initially building a different product that no one wanted. But people were asking us about permissions, and we heard a lot of, ‘We have a full team that’s been working on this for a year and a half, and it’s still not solved,’ and, ‘Our permissions are specifically complex — more complex than anything you’ve ever seen.’

He continued:

Every single company on the face of the earth has to build this invisible mechanism behind their application to govern who’s allowed to do what and see what. Everyone builds it custom, and everyone spends millions of dollars a year in engineering effort doing this. Combine that with the fact that these systems are not built or prepared for what agents are bringing in the next few years… and yeah, I could fall in love with this problem for a bit. Absolutely.

The rest of the conversation focused on the challenges of managing permissions at scale and the widespread issue of over-permissioning, where users or systems receive more access than they need. Neray noted that as AI agents become more common, organizations need a more precise approach to identity and access management:

Agents don’t behave like humans. I have this hypothesis that we tolerate a gross amount of over-permissioning in all the software we use — I was looking at a customer this morning, and 98% of permissions assigned in that application never get used — because there’s an implicit limit in the amount of time you or I have to do bad or stupid things. That doesn’t apply to agents. Ultimately, you need to move toward a model of automated least privilege. That is the only thing that’s going to survive the next few years of agentic shenanigans. This is the main problem we’re working on now at Oso.

He added:

There are places where we’re already using AI. We shipped an MCP server, which can do all kinds of things to help you construct authorization logic, debug, and understand why things are failing.

Watch the full interview: https://techstrong.tv/videos/interviews/tackling-over-permissioning-with-oso-ceo-graham-neray

Learn more about Oso’s customers: https://www.osohq.com/customers

Press & media inquiries: https://www.osohq.com/press

About the author

Hazal Mestci

Developer Experience Engineer
