The agentic AI security market is young, fragmented, and moving faster than most security teams can track.
In the span of roughly 18 months, a category that barely had a name has produced dedicated startups, prompted acquisitions by the largest security platforms in the world, and landed on the priority lists of CISOs across every major industry. Gartner has named AI Trust, Risk, and Security Management (AI TRiSM) as a top strategic technology trend. OWASP has released a dedicated Top 10 for agentic applications. New vendors are launching from stealth with meaningful funding and serious founding teams.
And yet most organizations evaluating this space are doing so without a clear framework for what they actually need, which vendors address which problems, and where the genuine gaps are.
We are going to try to fix that. As a vendor in this market, we have an obvious interest in this conversation, and we are not going to pretend otherwise. What we can offer is a framework for evaluation that we believe holds up regardless of which vendor you choose, an honest mapping of the landscape including our own strengths and limitations, and a practical process for running your own assessment.
If you are earlier in your research and want to understand the threat surface before evaluating solutions, start with our posts on [what agentic AI security is] and [the specific risks your team needs to account for]. This post assumes you already understand why the problem matters and are ready to evaluate how to address it.
Why this is a new buying decision, not a feature upgrade
The most important framing to establish before any vendor conversation: agentic AI security is not an add-on to your existing stack.
Your current SIEM was built to ingest event logs and correlate them into alerts. Your CASB was built to govern access to cloud applications by human users. Your endpoint detection tools were built to monitor activity on devices operated by people. None of these systems were designed for an environment where non-human actors are operating continuously, autonomously, and with legitimate credentials inside your infrastructure.
The gap is not a matter of configuration. It is architectural. Traditional security tools inspect boundaries and events. Agentic AI security requires inspecting behavior: what an agent is doing, why it is doing it, whether that behavior is consistent with its intended scope, and whether the content and context of its actions suggest manipulation or compromise. That requires a fundamentally different kind of visibility.
There is also a governance dimension that existing tools do not address. Organizations deploying agentic AI face questions that have no analog in traditional security: Which agents are running? Who deployed them? What can they access? Are they behaving as intended? What policies govern their actions? Most enterprises cannot currently answer these questions, not because the answers are hard to find, but because no single tool in their stack is designed to surface them.
ISACA's April 2026 analysis put the situation plainly: most organizations are experimenting with agentic AI autonomy before they have defined their trust boundaries, oversight framework, or accountability structures. The market for agentic AI security exists precisely because that gap needs to close.
The evaluation framework: six criteria that matter
Before walking through any vendor profiles, here is the framework we recommend for evaluating any solution in this space, including ours. These six criteria map to the actual security and governance requirements that agentic deployments create.
1. Agent discovery and inventory. Can the platform find agents that your security team did not know existed? Shadow AI is pervasive: business units deploy agents through low-code platforms, third-party SaaS tools, and direct API integrations without formal IT involvement. A solution that only governs agents you already know about leaves your highest-risk exposure unaddressed. Discovery capability should cover both purpose-built autonomous agents and AI features embedded within business applications.
2. Deployment architecture. How does the platform integrate with your environment? Network-layer deployment, which operates at the gateway level without requiring software installation on endpoints or modifications to individual agent implementations, provides broad coverage with minimal friction and no dependency on developers updating their code. Endpoint-based or SDK-based approaches offer deeper per-agent inspection but require manual configuration, changes for each deployment, and a lengthy, cumbersome setup.
3. Inspection depth. What does the platform actually analyze? Solutions that operate on metadata, meaning service names, API call volumes, and access patterns, can identify anomalies at the behavioral level but cannot evaluate the content, context, or intent of agent interactions. Solutions that analyze content, context, and intent can detect policy violations, data exposure, and manipulation attempts that metadata analysis would miss entirely. For organizations in regulated industries or handling sensitive data, inspection depth is often the deciding factor.
4. Runtime policy enforcement. Does the platform enforce policies in real time, or does it log and alert after the fact? Post-hoc logging is valuable for investigation and compliance, but it does not prevent harm. In an environment where agents can execute financial transactions, send external communications, or modify production systems, the ability to intercept and block a policy-violating action before it takes effect is categorically different from being able to document that it happened.
5. Identity and access controls. Does the platform treat agent identities as distinct from user identities, with their own permission scopes and access governance? Agents lack human judgement and accountability, yet they inherit user-level permissions. A platform that enforces least-privilege policies at the agent level, binding each agent to a specific set of permitted actions rather than inheriting the full access of the user it serves, substantially reduces the blast radius of a compromise.
6. Coverage velocity. How quickly does the platform add support for new AI applications, models, and protocols? The AI landscape is moving faster than any manual integration roadmap can keep up with. Platforms that rely on manually built connectors for each new AI application will perpetually lag the market. Platforms that automate protocol analysis and application support can maintain coverage as new tools enter enterprise environments without requiring a dedicated integration effort for each one.
Score any solution you evaluate against these six criteria before you look at pricing, case studies, or analyst positioning. The criteria will tell you whether a solution actually addresses your problem. Everything else tells you whether it is a well-run business.
The market map: three categories of vendor
The agentic AI security landscape currently divides into three distinct categories, each with different strengths, different limitations, and different ideal buyers.
Category A: Purpose-built agentic AI security platforms. These vendors were founded specifically to address the agentic AI security and governance problem. They have no legacy architecture to maintain and no existing product line to extend; their entire design is oriented around the requirements of agentic environments. They tend to offer the deepest inspection capabilities and the most purpose-fit governance features, but their ecosystem integrations are narrower than established platforms and their track records are shorter. Lumia Security, Zenity, Evoke, and Mindgard fall into this category.
Category B: Established security platforms extending into agentic AI. CrowdStrike, Palo Alto Networks, and Cloudflare are adding agentic AI security capabilities to existing, broad platforms that already have deep enterprise relationships, proven infrastructure, and extensive integration ecosystems. Their agentic AI features are newer and in some cases less mature than purpose-built alternatives, but organizations already standardized on these platforms have a natural path to coverage without adding a new vendor relationship. The tradeoff is comprehensiveness: AI security is tacked on as an add-on to their current products and offerings.
Category C: AI deployment platforms with embedded security. Enterprise agent platforms like Kore.ai approach security as a governance layer within the deployment infrastructure itself. For organizations deploying agents primarily through these platforms, embedded security features reduce integration complexity. The limitation is that this approach governs only agents built on that specific platform, leaving any agent deployed outside it unaddressed.
Most organizations will end up with solutions from more than one category. A purpose-built agentic security platform may be the right primary tool for discovery, monitoring, and policy enforcement, while an established security platform's AI features handle detection within a broader threat response workflow. The categories are not mutually exclusive; they address different parts of the same problem.
Vendor profiles
What follows is our honest assessment of the major vendors in this space, including ourselves. For each, we have tried to identify the strongest use case, a genuine limitation, and the buyer profile that fits best.
Lumia Security
Lumia is an AI usage control and agentic AI security platform deployed at the network layer. Rather than requiring endpoint agents or per-agent SDK integrations, Lumia operates at the network level, providing visibility and governance across both human employee use of AI and autonomous agent activity from a single deployment point. The core technology is a proprietary Protocol Analysis Engine that analyzes content, context, and intent across AI interactions, not just metadata, enabling policy enforcement based on what is actually happening in an interaction rather than just which application is being used.
Lumia's strongest differentiation is in two areas. The first is inspection depth: the Protocol Analysis Engine goes beyond surface-level monitoring to understand the substance of AI interactions, which matters significantly for organizations in regulated industries, those handling sensitive data, or those that need to detect manipulation attempts that would be invisible to metadata-only approaches. The second is coverage velocity: by automating protocol analysis rather than building manual connectors for each new AI application, Lumia can support new AI tools and modalities as they emerge without requiring a dedicated integration effort.
The platform covers AI threat exposure assessment, real-time policy enforcement, data loss prevention across AI interactions, and governance of AI usage and autonomous agent actions. It supports thousands of AI applications out of the box and integrates within existing network infrastructure without requiring endpoint modifications or changes to agent implementations.
Lumia is backed by an $18 million seed round led by Team8, with former NSA Director Admiral Michael Rogers on the advisory board. The company was founded by Omri Iluz, previously co-founder and CEO of PerimeterX, and Bobi Gilburd, former CTO of Unit 8200. Despite its young age, it has already been recognized by Gartner in AI security-related reports such as "How to Secure Microsoft AI Agents", and as a leading company in the analyst firm SACR's report "Unified Agentic Defense Platforms".
Strongest use case: Enterprises that need broad, agentless coverage across both human AI use and autonomous agents simultaneously; organizations in technology, financial services, and other data-sensitive industries where inspection depth and regulatory alignment are critical requirements.
Honest limitation: Founded in 2024, Lumia is a newer entrant. The ecosystem integration catalog, while broad, is still expanding relative to platforms that have been building enterprise integrations for years. Organizations with complex, highly customized security infrastructure should evaluate integration depth through department rollout stages during their proofs of concept.
Best fit: CISOs who need to govern the full scope of enterprise AI activity, from AI applications to agentic actions, without requiring changes to how agents are built or deployed.
Zenity
Zenity provides unified agent discovery, governance, and runtime threat protection with particular strength in enterprise SaaS environments. The platform discovers agents across major low-code and no-code platforms, giving security teams visibility into the agents business units have built without IT involvement.
Strongest use case: Large enterprises with significant exposure to shadow AI built on platforms like Microsoft Power Platform, Salesforce, and similar low-code tools.
Honest limitation: Zenity's discovery and governance capabilities are strongest in SaaS agent ecosystems. Network-layer content inspection for AI interactions is less developed compared to purpose-built network security approaches.
Best fit: Enterprise security teams whose primary concern is governing agents built internally on business platforms, rather than controlling AI usage broadly across the organization.
Palo Alto Networks: Prisma AIRS
Prisma AI Runtime Security is Palo Alto's agentic AI security product, sitting within the broader Prisma platform. It provides real-time network and API-level protection for AI applications, with detection capabilities informed by Unit 42 threat research. The acquisition of ProtectAI, completed in July 2025, expanded Prisma AIRS with model vulnerability scanning, automated red teaming, and AI security capabilities from development to runtime.
Strongest use case: Organizations already operating on the Palo Alto platform that want to extend their existing security posture into AI environments without adding a new vendor.
Honest limitation: Agentic AI security is one feature within a large, multi-product platform rather than the core organizational focus. Buyers should evaluate whether the depth of AI-specific capability meets their requirements, independent of the platform's broader strengths.
Best fit: Existing Palo Alto customers whose primary need is to check the box on AI threat detection that is integrated with their current network security and SOC workflows.
Mindgard
Mindgard is an AI red teaming and continuous security testing platform, founded from research at Lancaster University. Where most agentic AI security vendors focus on runtime protection and governance, Mindgard focuses on offensive security: systematically finding vulnerabilities in AI systems before attackers do. The platform automates adversarial testing against AI models and agents, identifying weaknesses that would otherwise only be discovered when exploited in production.
Strongest use case: Security teams that want offensive-first validation of their AI deployments, either before going to production or as part of a continuous security testing program.
Honest limitation: Mindgard is a testing and assessment tool, not a runtime enforcement platform. It identifies vulnerabilities but does not prevent exploitation during normal operation. Most organizations will need to pair it with a governance and enforcement platform rather than use it as a standalone solution.
Best fit: Security teams with mature AI deployment programs who need rigorous, ongoing validation of their security posture rather than initial discovery and baseline governance.
CrowdStrike: Charlotte AI and the Pangea acquisition
CrowdStrike has been building agentic AI capabilities into the Falcon platform through Charlotte AI, its AI-powered analyst assistant and security operations accelerator. The acquisition of Pangea, an AI security vendor, signals a more direct investment in AI-specific detection and response capabilities. GigaOm rates CrowdStrike as a leader in autonomous SOC solutions, with particular strength in AI-powered detection, unified endpoint protection, and SOAR.
Strongest use case: Organizations operating CrowdStrike's Falcon platform that want AI security capabilities integrated into their existing endpoint and SIEM workflows.
Honest limitation: The AI-specific security capabilities are still maturing post-acquisition, and Charlotte AI is primarily an AI-powered security tool rather than a solution for securing AI agents themselves. Buyers should clarify which problem they are solving: AI-assisted security operations versus security for AI systems.
Best fit: Existing CrowdStrike customers looking to extend their platform's AI capabilities, particularly for SOC use cases.
Cloudflare AI Security Suite
Cloudflare's AI security offering leverages its global network infrastructure to provide shadow AI discovery, agent access control, model abuse prevention, and data exposure prevention at the edge. The approach is architecturally distinctive: because Cloudflare already sits in the network path for many organizations, adding AI governance requires minimal additional deployment complexity.
Strongest use case: Organizations with API-heavy or web-native architectures that are already routing traffic through Cloudflare and want to add AI governance without a separate deployment.
Honest limitation: Cloudflare's AI security capabilities are built on a network infrastructure platform rather than a dedicated AI security architecture. The depth of AI interaction inspection and the sophistication of agent-specific governance are lighter compared to purpose-built AI security platforms.
Best fit: Organizations already in the Cloudflare ecosystem, particularly those prioritizing data exposure prevention and access control over deep behavioral analysis of agent activity.
The decision matrix
The table below maps each vendor against the six evaluation criteria from the framework section. Ratings reflect our assessment based on publicly available information and are intended to help structure your evaluation, not to replace it.
A few important notes on how to use this table. First, "partial" means the capability exists but with meaningful limitations relative to a full implementation. Second, no single vendor is strongest across all six criteria: the right choice depends on which criteria matter most to your specific environment and risk profile. Third, this table reflects the state of these products as of early 2026. This market is moving quickly and vendor capabilities are evolving fast; verify current capabilities directly with vendors during your evaluation.
What CISOs actually care about, and where vendors fall short
The CSO Online 2025 Security Priorities Study, which collected responses from more than 640 senior security executives globally, asked CISOs to rank the factors they weighted most heavily when selecting AI security vendors.
Product innovation was the top factor, but not by as large a margin as vendor marketing would suggest. The second most important factor was vendor reputation and breach history. The third was business value, followed by cost, integration overhead, and peer adoption.
The practical implication is that the vendors with the most aggressive marketing in this space are not necessarily the ones that CISOs are selecting. Established reputation and demonstrable business value are weighted heavily, which partially explains why enterprises with existing relationships with CrowdStrike, Palo Alto, and Cloudflare are often inclined to extend those relationships rather than add a new vendor, even when purpose-built alternatives offer deeper AI-specific capability.
There are several things vendors in this space commonly oversell. Runtime protection without discovery is a solution to a subset of the problem: if you do not know which agents are running, governing the ones you do know about is insufficient. Metadata-based analysis presented as deep inspection is a meaningful gap for organizations in regulated industries, where content-level visibility may be a compliance requirement. Coverage claims that depend on manual integration work often obscure the lag between new AI tools entering enterprise environments and actual protection being in place.
The questions worth asking any vendor, including us, during an evaluation: How does your platform discover agents that were not deployed through formal IT processes? What does your analysis actually inspect, and how is that analysis performed? What happens when a new AI application enters our environment before your platform has built an integration for it? Can you demonstrate the difference between a baseline interaction and a policy violation in a live environment?
How to run your own evaluation
Regardless of which vendor you are considering, the following four-step process will give you a more reliable basis for a decision than any analyst report or vendor demo.
Step 1: Inventory what you already have. Before evaluating any solution, understand the scope of the problem. Run a discovery exercise, using whatever tooling is available, to identify how many agents are currently deployed in your environment, who deployed them, what permissions they hold, and which systems they can access. The gap between what your IT organization formally knows about and what is actually running will tell you how serious your shadow AI exposure is, and will inform how much weight to put on discovery capability in your vendor evaluation.
Step 2: Threat model your highest-risk workflows. Use the OWASP Top 10 for Agentic Applications as a structured framework to identify which threats are most relevant to your environment. An agent with access to financial systems has a different risk profile than an agent that summarizes internal documents. Prioritize the workflows where a compromise would have the highest business impact, and evaluate vendors specifically on their ability to address those scenarios.
Step 3: Score shortlisted vendors against the six criteria. Take the evaluation framework from earlier in this post and score each vendor you are seriously considering. Be specific: ask for demonstrations of each capability against your actual use cases, not hypothetical scenarios. The vendors whose capabilities hold up under scrutiny of your specific requirements are the ones worth advancing to a proof of concept.
Step 4: Run a proof of concept against your riskiest workflow. A proof of concept conducted against a real, representative agent workflow will tell you more than any amount of documentation or demos. Specifically, measure inspection latency and its impact on agent performance, the quality and actionability of the policy enforcement controls, how the platform handles a new AI application that enters your environment mid-trial, and the operational overhead required to maintain and tune the system over time.
The organizations that run this process carefully will make better decisions than those that select based on analyst positioning or existing vendor relationships alone. The stakes justify the effort.
The honest summary
No vendor in this market solves every part of the agentic AI security problem today. The category is too new, the threat surface is still being defined, and every vendor, including Lumia, has gaps relative to the full scope of what a mature agentic security program requires.
What separates the organizations that are building real security posture in this area from those that are not is not which vendor they selected. It is whether they have done the foundational work: inventorying their agents, threat modeling their workflows, assessing the risk exposure, and putting governance in place before scale makes those problems exponentially harder to address.
The solutions exist to help with all of that. The question is whether your organization is treating agentic AI security as the architectural priority it actually is, or as a checkbox to revisit when something goes wrong.
If you are building a program and want to understand how Lumia specifically addresses your environment, we are happy to walk through it. If you are still earlier in the process, start with understanding the threat surface: [The top agentic AI security risks your team isn't accounting for yet] and [What is agentic AI security] cover the foundation.
This post was written by the Lumia Security team. Lumia is an AI security and governance platform for employees and their AI agents. Learn more at lumia.security.

