Sabiki was founded by engineers and executives who spent decades at the kinds of cybersecurity companies that show up year after year in the analyst reports. We saw the gap that AI agents and non-human identities were going to open before most people did.
Sabiki was founded in 2021 by a team of cybersecurity engineers and executives with over 30 years of combined experience. The companies we came from appear year after year in Gartner Magic Quadrant reports across multiple security categories.
We didn't start with AIRM. Our first product, Sabiki Email Security, was an experiment in applying proprietary AI models to phishing detection. It outperformed the legacy solutions, and it taught us that machine learning trained on Microsoft 365 data produces meaningfully better security outcomes than rule-based engines.
As we built BEC protection into Sabiki Email Security by layering in human identity signals, we kept running into the same unguarded threat surface: non-human identities. AI agents, service principals, and automated accounts operating with broad permissions and no governance. The deeper we looked, the larger the problem turned out to be. That's where AIRM came from.
In 2025, we consolidated our engineering operations entirely in Australia. It was a deliberate move. We wanted privacy-first development as a default, proximity to the regulatory environment now shaping AI governance, and access to Australia's security engineering talent pool.
You can't govern what you can't see. Before any alert, score, or compliance report, AIRM has to show you exactly what is in your environment. Not an estimate. A real inventory of every identity, on the first scan.
A security tool that only sees the present is of limited use. AIRM gets smarter with every scan. It builds behavioural baselines. It tracks change over time. It detects anomalies that only become visible once you know what normal looks like for a particular identity. History is part of how the product works.
AI agents are new. The governance frameworks for them are still being written. We've decided that in this environment, response actions should be human-initiated. Always. AIRM surfaces the findings and provides guidance. Your team makes the call. That isn't a limitation of the product. It's a principle.
Sabiki is incorporated as a co-headquartered security software company. The founding team comes from Gartner Magic Quadrant-recognised security organisations and sets out to build the identity monitoring tool they wished existed at their previous jobs.
Our first product, Sabiki Email Security, is built and launched. Using a proprietary AI detection engine, we showed that machine learning models could identify and predict phishing attempts more accurately than rule-based legacy solutions. The thesis held up in production. The work gave us hands-on experience training AI models on Microsoft 365 data at scale.
As Sabiki Email Security matured, we began layering in human identity metrics to provide better Business Email Compromise (BEC) protection. The goal was to understand not just the email, but who sent it and what access they had. While doing that, we kept running into the same blind spot: non-human identities. Service principals, AI agents, and automated accounts with broad permissions, no owners, and no governance. The threat surface was enormous, and almost entirely unmonitored. Research on AIRM begins.
Development operations consolidate fully in Australia. We formalise our privacy-first philosophy as a foundational engineering commitment, not a marketing position. Data sovereignty options, read-only architecture, and the rule that customer data is never used for third-party purposes become explicit engineering constraints. Not optional features.
AIRM goes live. The platform monitors AI agents and non-human identities in Microsoft 365 environments for MSPs and direct enterprise customers across Asia-Pacific, Europe, and beyond. It ships with coverage for EU AI Act, DORA, ISO 42001, Essential Eight, and 7 other compliance frameworks built in from launch.
In 2025 we made a deliberate decision to formalise privacy as an engineering constraint, not a compliance checkbox. Every feature we build, every data flow we design, every third-party integration we consider gets evaluated against one question: does this respect the customer's right to control their own data?
A security platform that handles sensitive Microsoft 365 tenant data has an obligation to treat that data with the same care it asks its customers to apply to the identities in their environments. We hold ourselves to that standard.
AIRM never writes to your Microsoft 365 environment without explicit, per-action consent from an authorised user. Read-only isn't a limitation. It's how AIRM is built.
Enterprise customers can specify the Azure region where their data is stored: Singapore, Australia, EU, UK, or anywhere Microsoft Azure operates globally. Data residency stays in your hands.
We do not sell customer data. We do not use customer data for advertising. We do not share tenant security data with third parties beyond what is necessary to deliver the service.
AIRM is hosted on Microsoft Azure. SOC 2 Type II attested, ISO 27001 certified, with AES-256 encryption at rest and TLS 1.2+ in transit across every data path.
When you disconnect a tenant or close your account, your data is deleted within 30 days. No hidden retention, no repurposing. Your data leaves when you do.
Connect your first Microsoft 365 tenant in minutes. No agents, no complex setup, no credit card.