Brex uses C1 to scale AI adoption securely on AWS

At Brex, IT, security, and GRC teams manage identity and access across a fast-growing, highly regulated business, but the company’s growth complicated that responsibility. “As the company scales, identity naturally becomes more complex and convoluted,” says Mark Hillick, chief information security officer at Brex. So, the fintech needed more visibility to track who did what, when they did it, and how they did it. At the same time, Brex was pursuing an ambitious company-wide AI initiative that would require strong controls over which tools employees could access and how those tools handled business data.

Brex also wanted to streamline the enforcement of least-privilege access. Employees sometimes retained permissions after changing roles, and removing those permissions required manual intervention from the IT team. There was no efficient path to grant elevated access for urgent issues, and the process lacked the automation and auditability that a regulated financial services environment required. These gaps created operational overhead, slowed response times, and made it increasingly difficult to demonstrate compliance. As Brex prepared to roll out AI tools across the business, these governance gaps would need the same rigor applied to AI access.

Brex adopted C1 as a single solution to manage the full access-governance lifecycle: access requests, access reviews, and entitlement changes. For IT, this meant replacing hours of weekly manual processing with automated, policy-driven workflows. The team can grant elevated just-in-time access only when needed and automatically revoke it afterward. For the GRC team, the solution brought consistent, auditable records ready for regulatory review without labor-intensive evidence collection. C1 operates seamlessly with AWS Identity and Access Management (AWS IAM) Identity Center, a service for connecting existing workforce identity sources and centrally managing access to AWS. The solution also works with Okta for identity provider connectivity across the organization.

Equally important, C1’s native support for Terraform helps Brex manage access configurations as code. Every entitlement change has become auditable in version control, and application owners can contribute changes through pull requests without routing each request through IT. “One of the nice things about Terraform is that application owners have autonomy,” says Hillick. “They can change configurations and send us a pull request, and we approve it. Previously, IT would have needed to do it all manually. Now, our role is less than 10 percent of what it would have been.”

Brex extended the same C1 workflow to govern company-wide adoption of AI tools. Rather than conducting individual legal and procurement reviews for each new AI product, the company preapproved categories of tools that met defined data-handling controls. For example, there’s no data retention beyond 30 days or use of inputs for model training. Through a seamless integration with an internal messaging application, employees can enter /c1 and select from approved AI tools. This way, Brex gains near real-time visibility into tools that employees use, with the possibility of applying that data to vendor contracting and renewal conversations.

Since deploying C1, Brex has processed more than 50,000 access requests with full auditability, reducing operational expenses across IT and GRC. In a single weekend, the IT team deployed 400 new entitlements for infrastructure resources by using Terraform, cutting entitlement management work by over 90 percent. Access reviews that once demanded heavy evidence collection now draw on consistent, automated audit logs, a material improvement in a highly regulated industry. “Through automation, integrations, and improved logging, C1 has dramatically reduced the time to perform access reviews,” says Hillick. “In a highly regulated industry like ours, that time savings is incredibly important.”

The same self-service model that transformed access management now supports AI access across the business. With Terraform automation, ephemeral access, and integrated compliance workflows, Brex has strengthened identity governance while giving employees a controlled path to adopt the approved AI tools. Throughout the project, C1 was invested in Brex’s long-term success, tailoring the solution to the fintech’s needs. “It’s truly a partnership as both companies walk forward,” says Hillick.