From Nairobi to YC: Kevan Dodh...~Akanksha Harsh
Kevan Dodhia’s journey began in Nairobi, Kenya, and led to the halls of Silicon Valley. After moving to the U.S. to study electrical and computer engineering at Carnegie Mellon University (CMU), he graduated in 2019 and joined Xcalar, a startup focused on distributed analytics. In 2020, he co-founded Compute.AI, building a high-performance SQL compute engine that ran five times faster than Spark on AWS EMR. That technology was sold into highly regulated environments and the company was then acquired by cloud platform Terizza in early 2025. This first successful startup gave Dodhia hands-on experience in enterprise software and big data, lessons he now brings to his next venture.
Dodhia is currently the co-founder and CTO of Alter, a startup accepted into Y Combinator’s Summer 2025 batch. Alter is “a zero-trust identity and access control platform purpose-built for AI agents”. In YC’s words, it “sits in the middle of every AI agent interaction, verifying identity and applying fine-grained RBAC & ABAC… It instantly rejects dangerous actions and provides clear audit trails”. In essence, Alter acts as a gatekeeper between automated AI workflows and the systems they manipulate. Every agent request is authenticated, checked against detailed policies, and either approved or blocked on the spot. Dodhia puts it bluntly: “If your agents can do anything your service account can do, you don’t have authorization, you have hope,” he said. “Hope isn’t a control.”
Dodhia co-founded Alter with Srikar Dandamuraju, who is the CEO. Dandamuraju was previously a platform lead at Goldman Sachs, where he saw this critical security gap first hand. As Dandamuraju said, “Agents provide real world vulnerabilities, especially in tightly regulated environments. Conventional Identity and Access Management was not designed for autonomous agents.” An AI agent can hallucinate or be given a malicious prompt and then wield broad permissions unchecked.
Alter fixes this oversight with fine-grained, intent-based authorization. The system verifies each agent’s identity and applies role-based and attribute-based rules to every parameter of a request. Unsafe actions, whether a rogue DROP TABLE in production or an excessive transaction, are blocked before they execute. Behind the scenes, Alter issues ephemeral, narrow-scoped credentials for each call so there are no long-lived API keys that could leak. A detailed audit trail is kept for every decision. As the company notes, Alter provides “real-time visibility, detailed audit logs, and compliance-ready controls,” enabling teams to move fast with AI while remaining compliant with SOC 2, HIPAA, GDPR, and other standards.
Dodhia stresses the urgency: “When agents touch money, health, or PII, ‘observability later’ is too late,” he said. “Enforcement must happen in line.” This in-line blocking, combined with row-, column-, and attribute-level policies, means Alter can prevent prompt injection, PII leakage, or other AI-driven threats in real time. In practice, this ensures that even if an agent is tricked by bad input, it cannot execute a harmful command in production.
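The in-line flow described in the two paragraphs above (role and parameter checks, a block before execution, a short-lived scoped credential, an audit record) can be sketched as follows. This is an added example, not Alter's code or API: the policy schema, role names, action names, signing key and function names are all hypothetical.

```python
import hashlib, hmac, json, re, time

# Constructed policy for illustration: role -> granted actions and attribute limits.
POLICY = {
    "billing-agent": {"actions": {"sql.read", "payment.create"}, "max_amount": 500},
    "report-agent": {"actions": {"sql.read"}, "max_amount": 0},
}
# Allow-list: exactly one SELECT statement; anything else fails closed.
SINGLE_SELECT = re.compile(r"\s*select\b[^;]*;?\s*", re.IGNORECASE)
SIGNING_KEY = b"constructed-demo-key"  # placeholder; a real key lives in a KMS/HSM
AUDIT_LOG = []  # stand-in for an append-only audit store

def decide(role, action, params):
    """Return (verdict, reason) from role (RBAC) and parameter (ABAC) checks."""
    rule = POLICY.get(role)
    if rule is None or action not in rule["actions"]:
        return "deny", "action not granted to role"
    if action == "sql.read" and not SINGLE_SELECT.fullmatch(str(params.get("query", ""))):
        return "deny", "statement is not a single SELECT"
    if action == "payment.create":
        amount = params.get("amount")
        if type(amount) not in (int, float) or not 0 < amount <= rule["max_amount"]:
            return "deny", "amount missing or outside limit"
    return "allow", "policy satisfied"

def authorize(agent_id, role, action, params, now=None, ttl=60):
    """Decide in line, mint a short-lived credential on allow, always audit."""
    now = int(time.time() if now is None else now)
    verdict, reason = decide(role, action, params)
    token = None
    if verdict == "allow":
        claims = json.dumps({"sub": agent_id, "act": action, "exp": now + ttl}, sort_keys=True)
        sig = hmac.new(SIGNING_KEY, claims.encode(), hashlib.sha256).hexdigest()
        token = claims + "." + sig
    AUDIT_LOG.append({"ts": now, "agent": agent_id, "action": action,
                      "verdict": verdict, "reason": reason})
    return verdict, reason, token

def token_valid(token, action, now):
    """Check signature, action scope and expiry of a credential from authorize()."""
    claims, _, sig = token.rpartition(".")
    expected = hmac.new(SIGNING_KEY, claims.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return False
    data = json.loads(claims)
    return data["act"] == action and now < data["exp"]
```

The SQL check is an allow-list, so a semicolon inside a string literal is rejected too; the gate fails closed rather than trying to enumerate dangerous statements.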
Bringing Alter to market required careful product design and messaging. Early customers were confused: “Is this IAM, data security, or an AI runtime?” Dodhia recalls. The team reframed it as Agent Authorization, a new horizontal security layer. They focused on three core pillars: fine-grained data controls, real-time threat blocking, and rigorous auditability.
For example, Alter’s policy builder lets security teams (not just developers) define precise permissions at the data level. If an agent tries to violate policy, Alter blocks the action instantly. The platform also generates immutable logs that auditors can review for compliance. One note points out that with Alter, enterprises can “pass SOC 2, HIPAA, and GDPR audits without slowing down” because security controls run automatically. To appeal to non-technical stakeholders, Alter includes an intuitive UI and a CISO-ready dashboard.
Dodhia said: “We designed Alter to be neutral and in-path: intent in, enforceable policy out, with an audit you can take to your regulator”. This vendor-agnostic approach matches enterprise reality: companies want a horizontal solution that works across any cloud or AI stack. Dodhia often said neutral beats proprietary, underscoring his view that avoiding lock-in is essential for broad adoption.
As a second-time founder, Dodhia has picked up hard-won wisdom. He emphasized rapid iteration and evidence-based decisions: “We iterate fast with evidence, and if the data says move on, we move on decisively,” he said. He also values clarity over noise, hiring team members who “prize clarity over theater.” This means focusing on solving the real problem rather than chasing buzz. Another guiding principle is designing for the real buyers: since AI projects often touch regulated data, Dodhia insists that security, risk, and compliance leaders, not just developers, are treated as first-class stakeholders.
Dodhia’s long-term vision is equally ambitious. “We’re building the universal authorization layer for AI-to-system interactions, independent, cross-platform, and embedded everywhere,” he said. Upcoming features include simulation sandboxes, policy recommendations, and deeper analytics. Underpinning all this is a “compliance-by-design” philosophy: audit and observability are treated as products, not afterthoughts.
As Alter’s tagline puts it, the goal is to “Connect, Protect, Unleash AI, safely.” Kevan Dodhia’s story, from Nairobi through CMU, a startup exit, and now Y Combinator, reflects a founder solving a pressing problem in tech today. In his own words, if an enterprise relies on hope instead of hardened controls, it risks derailment. By building Alter as a security backbone for AI agents, Dodhia aims to replace that hope with robust, proven control, helping companies safely unlock the power of autonomous AI.