Introduction
Every enterprise has an AI problem it doesn't fully see yet. Employees are using dozens of AI tools (ChatGPT, Claude, Gemini, Cursor, Perplexity, and hundreds of niche alternatives) without IT knowing, without finance tracking the spend, and without security watching where the data goes.
Shadow AI has become the biggest blind spot in enterprise technology: tools adopted without IT approval create security risks and compliance gaps. The problem has three layers.
Layer 1 — Visibility. Most organizations have no reliable inventory of what AI tools their workforce actually uses. Surveys go stale within days. IT ticket requests only capture formally sanctioned tools. The rest is invisible. Research shows 65% of AI tools in enterprise environments operate without IT approval, and nearly 90% of CISOs report being unable to get a clear picture of employee AI usage.
Layer 2 — Spend. AI costs accumulate fast and across dozens of budget lines — individual employee subscriptions, team licenses, API usage, redundant tools doing the same job. Finance teams are increasingly asked to report on AI ROI and can't. Nobody has the number.
Layer 3 — Risk. Sensitive data is moving through AI tools that IT never vetted. Patient records uploaded to an AI transcription tool. Customer lists pasted into ChatGPT. Proprietary code fed into a code assistant. In healthcare and financial services, the consequences are regulatory, not just reputational.
This article examines Oximy and three established players from a business standpoint.
Oximy Company Overview
Oximy launched in 2025 through Y Combinator's accelerator program and addresses a specific enterprise need: organizations cannot see what AI tools employees actually use.
| Category | AI Usage Visibility & Governance |
| Headquarters | San Francisco, CA |
| Y Combinator Batch | W25 |
| Team Size | 3 |
| Founder | |
Core Capabilities
Oximy delivers three main functions:
Discovery: Automatic detection of every AI tool across the workforce
Spend Intelligence: Real-time cost tracking by team, tool, and usage pattern
Data Protection: Monitoring for sensitive information shared with AI services
The platform operates at the network level and processes millions of requests daily for clients in the financial services and healthcare sectors. According to the Y Combinator profile, Oximy serves security, finance, and transformation teams managing AI governance at scale.
The platform installs through existing MDM infrastructure, requires no app integrations or API keys from individual AI vendors, and starts surfacing data within hours. It tracks AI tool usage across the organization — sanctioned and unsanctioned — and surfaces that data as three distinct views: adoption (who's using what), spend (what it costs and where budget is going), and governance (where sensitive data is flowing and whether policies are being followed).
Oximy's design choice to sit on the network is significant. It means coverage is complete regardless of which tools employees use or how they access them — browser, desktop app, or API call. No agent needs to live on each device and no vendor needs to be integrated.
Oximy's Top Competitors
WitnessAI
WitnessAI stands as the category leader with the most funding. Founded in 2023 by Rick Caccia and Gil Spencer, the Mountain View company has raised $85.5 million total, including a recent Series B round of $58 million led by Sound Ventures in January 2026.
Caccia brings security product experience from Palo Alto Networks, Google, and Symantec. Spencer previously founded IronKey (acquired by Imation) and Marble Security (acquired by Proofpoint). The founding team's exit track record attracted backing from Google Ventures, Ballistic Ventures, and strategic investors including Anthropic and SentinelOne.
WitnessAI focuses on both shadow AI discovery and protection against emerging threats like prompt injection and jailbreaking. It also provides agentless network-level visibility across thousands of AI applications. The platform monitors every prompt and response, classifies intent using proprietary models, and enforces context-aware policies. Unlike basic keyword blocking, WitnessAI understands employee intent to balance security with productivity.
The company's product became commercially available in October 2024, and its customers already include a Top 3 global airline, a major telecommunications provider, and a national payments processor.
Portal26
Portal26 took a different path to market. Founded in 2019 by Arti Raman (initially as Titaniam), the Los Gatos company pivoted to focus specifically on GenAI adoption management after ChatGPT's launch. Portal26 has raised $15 million total, including a $9 million Series A led by Shasta Ventures in November 2025.
Raman spent over 20 years at companies like Symantec before founding Portal26. Her background in cybersecurity and risk management shapes the company's enterprise-first approach. Portal26 emphasizes fast deployment, with many customers up and running in under 30 minutes.
The platform provides what it calls zero-day Shadow AI detection through real-time monitoring of hundreds of thousands of enterprise users. Portal26's forensic vault stores interaction data with NIST FIPS certification, enabling both security investigations and compliance documentation. The company also tracks AI adoption patterns to measure ROI and optimize licensing.
Portal26 has secured multi-year deals up to seven figures with Fortune 500 customers. The company's value proposition extends beyond security to include productivity analytics, use case development, and license intelligence.
Harmonic Security
Harmonic Security represents the newest category entrant with the most focused value proposition. Founder Alastair Paterson previously built and sold Digital Shadows to ReliaQuest for $160M, bringing both exit experience and deep security product understanding. The $17.5M Series A was led by Next47 with Ten Eleven Ventures participating.
Harmonic doesn't try to solve visibility, spend, or adoption analytics. It solves one job: preventing sensitive data from leaking through AI interactions. The technical approach reflects this narrow focus. Harmonic built proprietary small language models trained on realistic sensitive data to classify information in milliseconds with minimal false positives. The platform analyzes prompts, attachments, and responses in real-time, blocking data exposure before it leaves the organization.
Detection operates at the browser level via a lightweight extension, providing inline enforcement without network infrastructure requirements. The system runs locally in the user's browser, which addresses some privacy concerns (sensitive data never leaves the device during analysis) while introducing the same coverage limitations as Portal26's browser-based approach.
Key Takeaways
Oximy and its competitors address the same fundamental problem through different technical approaches and market positioning. Shadow AI represents a blind spot that enterprises must resolve regardless of which platform they choose.
Market timing favors all players. AI adoption continues accelerating while specialized visibility tools remain nascent. Organizations currently managing AI through spreadsheets and surveys need purpose-built platforms. Industry data shows 750 million apps will use LLMs by end of 2025.
Success factors will include deployment speed, accuracy of AI tool detection, depth of usage insights, and ability to enforce policies without blocking productivity. Companies that balance security with enablement will capture the largest market share.