Figma adopted Opal to convert standing privileges into just-in-time access for AWS, GitHub, and Snowflake, thereby identifying and remediating overprivileged access for their most risk-sensitive systems.
At a Glance
Company: Figma, the design platform company, delivers a multiplayer creative canvas to users through Figma, Slides, Sites, and FigJam. The company was founded in 2012 and went public in 2025.
Challenge: Manual access reviews slowed engineers, standing privileges created risk, and SOX audits added a growing burden.
Solution: Figma adopted Opal to automate approvals, enforce just-in-time access, and codify authorization in Terraform.
Impact:
Opal’s automations eliminated standing privileges across 14,000 Okta groups and 1,900 active AWS groups
Opal supported IPO readiness by helping Figma achieve SOX and SOC 2 Type 2 compliance via a user access review (UAR) that took only 22 days and covered over 16,000 users
82% of Figmates’ access requests are approved within 1 hour
Operating Environment
Identity providers: Okta, Google Groups
Core systems: AWS, Snowflake, GitHub, Datadog, Jira
Workforce: 2,400 employees distributed globally, including 800 in the U.S.
Challenge
As Figma scaled to thousands of employees, access requests piled up across spreadsheets and Jira tickets. Figma rapidly assembled and grew a world-class security team, and yet software engineers sometimes had to wait hours or days for AWS roles or GitHub repo access, slowing product development.
Standing privileges accumulated across critical systems, creating unnecessary exposure to insider and outsider threats. The security team responded by identifying the individual team and business-unit (BU) leads who owned access for their reports, and set out to deploy a robust platform to improve those stakeholders' processes.
As Figma prepared for an IPO, SOX compliance requirements increased the burden further: auditors required clear evidence of least-privilege controls, but existing IAM tools only handled single sign-on, not time-bound access to cloud infrastructure and developer tools.
Goal
Figma’s security team sought a scalable model for access governance that would:
Eliminate standing privilege across sensitive systems
Reduce security team toil by replacing spreadsheets and manual reviews
Distribute approvals to system owners with the right context (IT Ops, IT Engineering, Data Engineering)
Codify policies in Terraform and GitOps workflows so governance could scale with engineering
Preserve global guardrails and auditability to meet SOX and other compliance requirements
Ensure engineers could get secure access in minutes, not hours or days
Opal Solution
Figma adopted Opal to convert standing privileges into just-in-time access for AWS, GitHub, and Snowflake, identifying and remediating overprivileged access in its most risk-sensitive systems. Then, using Opal’s Terraform provider to define identity boundaries for full-time employees and contingent workers, the team codified access approvals in the same workflows engineers already used to deploy infrastructure. Lastly, the team categorized sensitive systems by priority, both for audits and for the process of establishing least privilege.
This GitOps-style approach meant engineers could request and approve access through the same pull-request workflows used for infrastructure changes, ensuring version control and visibility are built into every decision.
Requests are routed directly to system owners or managers with relevant context, with automated delegation and escalation when needed. Opal’s Slack integration makes the process seamless for employees while maintaining complete audit trails for compliance.
“Moving our identity and governance systems over to use the same infrastructure-as-code paradigms as engineering really reduces the amount of toil we have to endure to support such a large and fast-growing organization. This engineering-first approach helps us both reduce risk and unblock engineering productivity.”
Hongyi Hu
Head of Security Engineering at Figma
Opal now governs Figma’s most critical environments, including 1,900 AWS resources and over 14,000 Okta groups, while a small number of external systems continue to be reviewed manually.
Key Results
Accelerated deployment velocity: Engineers now receive production access in minutes instead of hours or days
Reduced operational toil: The security team’s time spent on user access reviews was cut in half
Stronger risk posture: Standing privileges were eliminated across core systems
Streamlined compliance: Automated evidence generation replaced the weeks previously spent exporting CSV files for SOX audits
Strategic Impact
Opal became a key control for SOX compliance during Figma’s IPO preparation and continues to underpin audit readiness today. By codifying policies in Terraform and distributing reviews to system owners, Figma shifted access governance from a centralized bottleneck to an engineering-driven model. This approach now supports global expansion and positions the company to handle future identity challenges with the same balance of speed and security.
“Opal lets us push access decisions closer to the teams that know the context best – which means faster, safer approvals and fewer bottlenecks.”
Devdatta Akhawe
VP of Engineering