
Robinhood Cuts Access Approval Time to Support High-Velocity Development

Dark Reading, archived Jun 27, 2026

The fintech company's engineering-first application security team reengineered the process for granting system access, making it easier and more secure for developers working on their projects. Here are the lessons learned from Robinhood's experience.



Ericka Chickowski, Contributing Writer, Dark Reading
June 25, 2026

When incidents are flying and proof-of-concept ideas are bubbling, there's nothing more frustrating than waiting for system access before getting the software engineering work underway.

Too much friction in the approval process aggravates human engineers, and it can be downright debilitating for automated jobs and agentic processes. Gum up the works enough with security red tape, and access becomes the biggest bottleneck for everything from fixing middle-of-the-night breaks to rolling out market-moving features. But simply opening the floodgates to overpermissioned access rights is not a valid option, so what's an appsec team to do?

This classic dilemma is exactly what Robinhood Markets recently faced as it sought to help developers work quickly without compromising security. The firm's access approval process was hampering both incident response and innovation.

"We saw real friction during critical incidents or debugging sessions where every minute matters," explains Shreyas Sriram, security engineer in the application security group at Robinhood. "The delay in getting approvals (also) acted as a brake in our innovation cycle. We wanted security to move at the speed of a startup, not a bank."
Sriram led the team that stepped up with a highly collaborative security engineering project that yielded Secure Enhanced Remote Approval (SERA). The platform orchestrates passkey-based access approvals from any device, without the friction of VPNs or managed laptops. Implemented earlier this year, SERA cut approval time by 20% for Robinhood developers and incident responders alike. The project offers a prime example of the kind of security engineering work that can fast-track high-velocity development and pave the way for secure, AI-assisted engineering.

The Problem: Approvals Took Too Long

At Robinhood, the approval process for granting access to systems had been seesawing between ease of use and robust security for a while. There was an initial experiment in which the company used Slack to facilitate low-friction approvals, but it wasn't providing sufficient identity verification to meet the firm's risk appetite. So Robinhood set a mandate requiring all access approvals to be executed on company-managed devices, typically through the approver's corporate laptop.

While that sounds reasonable in theory, Robinhood had broken free from the typical "9-to-5" work cycle. Engineering teams working across different time zones supported "a platform that never sleeps," says Sriram; products offering 24/7/365 cryptocurrency trading (buy, sell, and trade digital assets round-the-clock without weekends or holiday closures) don't run on bank hours.

"When you operate a global 24/7 platform, incidents don't happen on a schedule," Sriram says. "If an engineer is blocked from fixing a production issue for even 15 minutes because an approver is hunting for a laptop, that is a direct risk to our customer experience."
From an everyday development standpoint, the requirement to use managed devices didn't align with Robinhood's DNA as a modern, mobile organization. Global leads and engineers chafed at the idea that a team couldn't get quick access to new cloud resources or data environments just because an approver was away from their desk. This requirement kept developers from rapidly "shipping and learning" as they moved from ideas to proof-of-concept.

"Our engineers shared that being tethered to a physical laptop was becoming a hurdle," Sriram says.

The Project: Removing Friction Was Just the Start

That feedback served as an engineering gauntlet for the application security team, which saw it as a worthy challenge. At first, they considered plugging a solution into the access management application, but as they started working on various proofs-of-concept, the appsec team realized they could do a whole lot more than just reduce friction in the approvals process. Expanding the scope would allow the company to solve the immediate problem while also building a foundation for future innovations, Sriram says.

"[It] quickly evolved into a much more ambitious goal: creating a new, secure access pattern for the entire firm," he says. "We pivoted to building a standalone platform that any internal service could leverage."

To make that happen, the appsec team had to collaborate closely with both the cryptography and infrastructure teams. The cryptography team was in charge of designing the public key infrastructure (PKI), and the infrastructure team worked with the security engineers to navigate the complex networking required to make the platform work securely across both managed and unmanaged devices.

"We operated as a unified strike team, meeting regularly to unblock one another and iterate on POCs," Sriram says.
The effort was a high-priority engineering initiative, but it was done concurrently with everyone else's workload. Sriram was the primary lead while managing other application security work, and the networking and cryptography teams supported the effort while maintaining their own workstreams.

The coalition put the platform through its paces with a full formal design review, extensive pen testing, and a strict production-readiness review (PRR). AI helped accelerate the grunt work of bootstrapping code, setting up boilerplate infrastructure, and synthesizing crypto protocols. This gave the human engineers the headspace to focus on the architecture and iterate quickly.

Ultimately, the combined teams delivered the project in four months.

SERA Delivers Security, Ease of Use, Flexibility

Throughout the development process, Sriram says, everyone remained "obsessed over the user journey," ensuring that the secure path was also the path of least resistance for developers. When developers started testing the system, they were surprised by how easily and quickly it worked.

"I remember an engineering leader scheduled 15 minutes to onboard; he was finished, tested, and ready in under two minutes. His reaction — 'Wait, is that all?' — is the gold standard for our team," he says. "The feedback has been incredibly rewarding because it confirms we hit the mark on usable security."

Since the launch of Secure Enhanced Remote Approval, Sriram says several teams have reached out to learn how to integrate their services with the platform. Because the SERA team anticipated reusing the platform for operational tasks beyond access management, the possibilities are opening up.

"We now view SERA as an 'Approval-as-a-Service' platform that can support any high-stakes internal action," he says. "We are currently working with a couple of teams to refine and concretize their specific use cases to determine where we can provide the most operational velocity next."
Tips Security Peers Can Adopt in Their Projects

The shape of the project and the outcomes from SERA offer lessons that can be applied to a wide variety of security work. Sriram offers the following tips for his security peers:

Build a bureaucracy-free culture: The rapid collaboration for the SERA project was fueled by strong existing relationships that crossed org-chart boundaries, Sriram says. Because the application security team regularly worked with the cryptography and infrastructure teams, coordinating with them was straightforward. And because security and engineering work together regularly, the trust and communication were already in place. "Because we had their trust, we could identify problems early and pivot quickly," he says.

Challenge assumptions: The cross-functional collaboration meant "this wasn't a project where people just said 'OK,'" Sriram says. Partners in cryptography and infrastructure pushed back on early designs, forcing him to think long-term about how the work could yield "a reusable platform rather than a one-off fix."

Use AI effectively: "Our success was supercharged by Robinhood's mature infrastructure and our internal adoption of AI," says Sriram. He chalks up the rapidity of the rollout to his team's ability to use AI. The things the teams learned during the project will also be applied to future AI-enhanced security engineering. Sriram says that keeping documentation in sync during rapid iteration for SERA was one of the biggest challenges. His team is realizing AI can help with that, too. "We are now looking at ways to have AI automatically update our README.md and system architecture docs in real-time as the code changes," he says.

Make security "cheap": The ultimate goal for SERA was to make security "cheap" for engineers to adopt, says Sriram. Instead of forcing developers to change their workflow, the appsec team created a solution that fits their workflow while still maintaining high security standards.
"In an era where AI is accelerating how fast we iterate, security cannot afford to be a bottleneck," he says.