
Architecture Matters: A Look at the Patents That Shaped Veza’s Access Intelligence Platform

[Figure: Veza Access Graph showing unified access across clouds and SaaS]

Veza Access Graph: Patents Behind Identity Visibility

Every security leader asks the same question: who can access what? For people alone, that is hard. Once you add service accounts, AI agents, and cloud workloads, it becomes impossible. That is why we built something different: a unified access graph that turns the question into an answer you can trust.

The patents are proof points, not the story. From Cookie.AI to Veza, we protected the same architecture with more than a dozen filings, all aimed at one outcome: visibility that drives control.

These filings aren’t random shots in the dark. They’re markers of a singular belief that’s guided every line of code and every product decision:

Architecture matters. [The] rest is all noise. – Tarun Thakur

These patents aren’t about defending turf in a courtroom. They’re about defending an architectural vision: one unified, dynamic, explorable graph of access that powers visibility, automation, and control. We didn’t pivot into this space; we started here.

And critically, this graph was designed from day one to model all identities: not just people, but non-human identities (NHI) such as service accounts, tokens, workloads, APIs, SaaS connectors, and AI agents (model-serving endpoints, retrieval connectors) that now carry real privilege.

The First Principle: Model Everything

Start by making access visible in one place. Think of it as a searchable map that spans people, service accounts, tokens, pipelines, and AI agents. Ask a question like “Who can update Billing Records across AWS and Snowflake?” and get an answer you can use. The map exists because we represent access as a navigable graph (US20220067186A1) and unify many sources into a single, consistent model (US20220067194A1). It stays trustworthy by removing duplicate objects that create noise (US20240020407A1) and stays usable because lookups are tuned for big environments (US20240095279A1).

TLDR: Without the graph, “Who can do what on which data?” is guesswork. With it, it’s a query, and an answer, done.

The Second Principle: Govern Intelligently

Seeing risk is one thing; shrinking it is the job. We calculate the exact rights every identity really has – humans and non-humans – from the policies that grant them, so reviews run on facts, not folklore (US20220286466A1; continuation US20250097233A1). Policy then becomes control: rules are turned into actual enforcement across data environments (US20220358228A1), approvals and evidence are captured where work happens so audits are calm, not chaotic (US20240406214A1), and access that no one uses gets right-sized or removed based on real 

TLDR: Governance moves from reactive audits to continuous posture management – least privilege by design, not by quarterly clean-ups.

The Third Principle: Act in Real Time

Environments change by the minute. When a group shifts in Okta or a role updates in AWS, the access map updates from the source, so decisions reflect current reality rather than last month’s export. The filings cited here (US20220358233A1 (Cookie.AI) and US20220358233A1 (Veza)) cover a framework for pushing access and privilege updates from source systems, keeping the graph fresh for near real-time decisions on human and non-human access. For high-impact changes, reviewers see the full context to approve or deny quickly and confidently (US20240406177A1); intelligent review of access decisions (approve or deny with full context) is well suited to NHI and AI integration flows.

TLDR: Real-time visibility without real-time action is just an expensive audit log.

The Human Principle: Make It Usable

Security only sticks if people can explain it. When someone asks, “Why does Priya have delete on Billing?”, the answer should show the path that grants it, the policies that produced it, and the approvals that kept it.

Clarity comes from aligning names and objects across sources in one consistent model (US20220067194A1) and pruning duplicate objects that create noise and false positives (US20240020407A1). Accountability comes from recording reviews, approvals, and evidence in the flow of work, so audit is an export, not an excavation (US20240406214A1) – even on fast-moving NHIs and AI connectors.

Result: Access intelligence that escapes the SOC and empowers decision-makers across the business.
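The four principles above describe one data structure and a handful of operations on it: a graph of identities, groups, roles and resources; deduplication of the same principal seen from different sources; effective permissions resolved through that graph from policy grants; a path that explains why an identity holds a right; and updates applied as source systems change. The following Python sketch is an added illustration of that shape on constructed sample data. It is not Veza’s code, not its data model, and not any of the patented implementations; the node names, the edge labels (MEMBER_OF, HAS_ROLE, ALLOWS, DENIES) and the rule that an explicit deny beats an allow are assumptions made for the example.

```python
"""Toy access graph for "who can do what on which data?".

Added illustration on constructed data; not Veza's code or data model.
Edge labels and deny-beats-allow semantics are assumptions for the example.
"""
from collections import defaultdict, deque


class AccessGraph:
    def __init__(self):
        self.out = defaultdict(set)  # node -> {(label, neighbor)}
        self.kind = {}               # node -> identity | group | role | resource
        self.alias = {}              # source-specific id -> canonical id

    def canon(self, node):
        return self.alias.get(node, node)

    def add_node(self, node, kind):
        self.kind[self.canon(node)] = kind

    def add_edge(self, src, label, dst):
        self.out[self.canon(src)].add((label, self.canon(dst)))

    def remove_edge(self, src, label, dst):
        """Apply a change pushed from a source system (e.g. group membership removed)."""
        self.out[self.canon(src)].discard((label, self.canon(dst)))

    def merge(self, alias, canonical):
        """Deduplicate: two source ids denote one principal; fold its edges in."""
        self.alias[alias] = canonical
        self.kind.pop(alias, None)
        self.out[canonical] |= self.out.pop(alias, set())
        for node in list(self.out):
            self.out[node] = {(l, canonical if d == alias else d) for l, d in self.out[node]}

    def allow(self, role, action, resource):
        self.add_edge(role, "ALLOWS:" + action, resource)

    def deny(self, role, action, resource):
        self.add_edge(role, "DENIES:" + action, resource)

    def _reach(self, identity):
        """BFS through membership and role edges; returns node -> (parent, label)."""
        start = self.canon(identity)
        parent, queue = {start: None}, deque([start])
        while queue:
            node = queue.popleft()
            for label, nxt in self.out[node]:
                if label.startswith(("ALLOWS:", "DENIES:")):
                    continue  # policy edges are evaluated in effective_permissions
                if nxt not in parent:
                    parent[nxt] = (node, label)
                    queue.append(nxt)
        return parent

    def _path(self, parent, node):
        hops = []
        while parent[node] is not None:
            prev, label = parent[node]
            hops.append((prev, label, node))
            node = prev
        return hops[::-1]

    def effective_permissions(self, identity):
        """(action, resource) -> granting path, after explicit denies are removed."""
        parent = self._reach(identity)
        allows, denies = {}, set()
        for node in parent:
            for label, resource in self.out[node]:
                verb, _, action = label.partition(":")
                if verb == "ALLOWS":
                    allows.setdefault((action, resource),
                                      self._path(parent, node) + [(node, label, resource)])
                elif verb == "DENIES":
                    denies.add((action, resource))
        return {k: v for k, v in allows.items() if k not in denies}

    def who_can(self, action, resource):
        resource = self.canon(resource)
        return sorted(i for i, k in self.kind.items()
                      if k == "identity" and (action, resource) in self.effective_permissions(i))

    def explain(self, identity, action, resource):
        """Render the path that grants a right, or None if the identity lacks it."""
        path = self.effective_permissions(identity).get((action, self.canon(resource)))
        if path is None:
            return None
        return " -> ".join(f"{s} -[{l}]" for s, l, _ in path) + " -> " + path[-1][2]


def build_sample_graph():
    """Constructed sample spanning Okta, AWS and Snowflake; not real data."""
    g = AccessGraph()
    for n, k in [("okta:user/priya", "identity"), ("aws:user/priya-iam", "identity"),
                 ("aws:user/svc-billing-etl", "identity"), ("agent:billing-bot", "identity"),
                 ("okta:group/finance", "group"), ("aws:role/BillingAdmin", "role"),
                 ("snowflake:role/BILLING_RW", "role"), ("aws:table/BillingRecords", "resource"),
                 ("snowflake:table/BILLING_RECORDS", "resource")]:
        g.add_node(n, k)
    g.add_edge("okta:user/priya", "MEMBER_OF", "okta:group/finance")
    g.add_edge("okta:group/finance", "HAS_ROLE", "aws:role/BillingAdmin")
    g.add_edge("aws:user/priya-iam", "HAS_ROLE", "snowflake:role/BILLING_RW")
    g.add_edge("aws:user/svc-billing-etl", "HAS_ROLE", "snowflake:role/BILLING_RW")
    g.add_edge("agent:billing-bot", "HAS_ROLE", "aws:role/BillingAdmin")
    g.allow("aws:role/BillingAdmin", "update", "aws:table/BillingRecords")
    g.allow("aws:role/BillingAdmin", "delete", "aws:table/BillingRecords")
    g.allow("snowflake:role/BILLING_RW", "update", "snowflake:table/BILLING_RECORDS")
    g.deny("agent:billing-bot", "delete", "aws:table/BillingRecords")  # AI agent may never delete
    g.merge("aws:user/priya-iam", "okta:user/priya")  # same person seen from two sources
    return g


if __name__ == "__main__":
    g = build_sample_graph()
    print(g.who_can("update", "aws:table/BillingRecords"))
    print(g.explain("okta:user/priya", "delete", "aws:table/BillingRecords"))
    g.remove_edge("okta:user/priya", "MEMBER_OF", "okta:group/finance")  # pushed change
    print(g.who_can("delete", "aws:table/BillingRecords"))
```

Two design points carry the weight: `merge` is what makes the Snowflake right granted to the IAM user show up under the Okta user, so a review of "Priya" sees everything she holds; and `effective_permissions` walks only membership and role edges, then evaluates policy edges from every node reached, which is why the agent’s explicit deny on delete removes a right its role would otherwise grant. A real system would add per-source policy semantics, conditions, and indexing for scale; the traversal itself does not change.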

We Built It Before It Had a Name

When Gartner later defined Identity Visibility & Intelligence Platforms (IVIP) and Identity Security Posture Management (ISPM), they didn’t set our direction; they described it. Our filings, from Cookie.AI through Veza, were already anchored in a single design conviction: a unified, dynamic, explorable access graph that turns visibility into control, for humans and non-humans alike.

How the portfolio maps to IVIP and ISPM

Visibility — mapping who has access

| Patent | What it contributes | IVIP alignment | ISPM alignment |
|---|---|---|---|
| US20220067186A1 | Privilege-graph model and traversal across systems | Centralized entitlement visibility | Posture baseline |
| US20220067194A1 | Build one model from many sources; normalize and merge | Normalized ingestion | Cross-source consistency |
| US20240020407A1 | Deduplicate nodes and edges to keep the model clean | High-fidelity inventory | Fewer false positives |
| US20220358233A1 | Event-driven push of access changes from source systems | Fresh identity and entitlement signals | Real-time posture updates |
| US20240095279A1 | Acceleration of graph traversal at scale | Scalable visibility | Timely posture queries |

Governance — enforcing least privilege

| Patent | What it contributes | IVIP alignment | ISPM alignment |
|---|---|---|---|
| US20220286466A1 | Compute effective permissions from IAM policies (entitlement truth) | Entitlement truth | Risk quantification |
| US20250097233A1 (continuation) | Continuation on the effective-permissions invention family | Entitlement truth | Risk quantification |
| US20220358228A1 | Translate authorization rules into enforceable controls | Relationship mapping to control | Continuous control and review |
| US20240406214A1 | Governance workflows with approvals and evidence capture | Certification and governance flows | Audit-ready controls |
| US20240411905A1 | Usage-based privilege right-sizing and cleanup | Behavior and usage insight | Preventive risk reduction |

Intelligence — making smart decisions

| Patent | What it contributes | IVIP alignment | ISPM alignment |
|---|---|---|---|
| US20240406177A1 | Risk inference and context for human review (approve or deny with full context) | Decision intelligence | Proactive remediation |

Bottom line: this portfolio is not a collection of one-offs; it’s a system design. The patents are our receipts.

What’s next

If you want to see how architecture-first thinking reshaped the identity security landscape:
Explore how Veza’s architecture led the identity security revolution

If you’re ready to go deeper – see how our Access Graph turns into real-time decisions with AI-powered precision:
See Veza in action with Access AI

And if you’re looking to put this architecture to work in your environment:
Schedule a demo and see how Veza makes identity architecture part of your security DNA.


About the Author

Matthew Romero is a Technical Product Marketing Manager focused on SecOps and Identity. He writes for an IT-pro audience – translating deep engineering into clear, actionable outcomes – without the hype. He partners with product and customers to shape narrative, sharpen positioning, and prove value with real-world use cases. When he’s not mapping privileges to business risk, he’s pressure-testing ideas to keep the story honest and the roadmap pointed forward.
