Gartner published a single number this quarter that should reset every CISO's 2026 budget conversation: enterprises spent $49 billion in 2025 on AI-powered security tools — and just $2.8 billion securing the AI itself. That is a 17-to-1 asymmetry between using AI to defend the business and defending the AI the business is now running on. (Software Strategies Blog on Gartner 4Q25)
It would be a manageable problem if AI agents were still a 2027 story. They are not. Gartner now expects 40% of enterprise applications to include task-specific AI agents by the end of 2026, while only about 6% of organizations report an advanced AI security strategy in place. That is an 8-to-1 deployment-to-governance gap, on top of the 17-to-1 spending gap. (Software Strategies Blog)
Into that gap, on May 12, 2026, Fortinet and NVIDIA dropped one of the most aggressive AI-runtime security announcements yet: FortiAIGate, a GPU-accelerated inline AI gateway built on Blackwell, Hopper, Dynamo and Nemotron, designed to sit between every enterprise application and every LLM, MCP server and autonomous agent in the stack. (Fortinet press release)
For CIOs and CISOs, the launch is less interesting as a product than as a forcing function. AI runtime security has just stopped being a "watch this space" category and become a budget line that needs an answer this quarter. Here is what changed, why your current stack almost certainly does not cover it, and a framework to choose a vendor without locking yourself into the wrong control point.
What Fortinet and NVIDIA Actually Shipped
FortiAIGate is a new addition to Fortinet's Security Fabric, but it is engineered specifically for the traffic pattern that legacy DLP, CASB and WAF tools never anticipated: a stream of prompts, embeddings, tool calls and agent-to-agent messages flowing between enterprise applications and one or more LLMs.
The product sits inline between AI applications and AI models. Every input prompt, every model response, and every agent action passes through a policy engine that enforces guardrails on inputs and outputs, blocks prompt injection attempts on LLMs, filters toxic or unauthorized AI-generated content, and prevents data exfiltration through model interactions. It applies the same controls to MCP servers and AI agents, not just chat-style LLM endpoints. (Fortinet press release)
The NVIDIA integration is what separates this from a pure software gateway. FortiAIGate runs on NVIDIA Blackwell GPUs and Hopper architecture, uses NVIDIA Dynamo as its distributed inference-serving framework, and embeds NVIDIA Nemotron safety models as its core classification engine. NVIDIA's Multi-Instance GPU (MIG) technology provides workload isolation so that the security inspection layer does not steal compute from production AI workloads — a quiet but important detail in environments where every GPU hour shows up on the CFO's dashboard.
It is also a validated component of NVIDIA's Enterprise AI Factory reference design, where Fortinet sits alongside Palo Alto Networks Prisma AIRS, Check Point Infinity AI Cloud Protect, F5 BIG-IP Next, Armis Centrix, Red Hat OpenShift, Rafay, Spectro Cloud and Trend Vision One as the nine pre-integrated security and infrastructure layers. (NVIDIA blog on BlueField + Enterprise AI Factory)
Deployment is flexible enough to remove the usual procurement excuse: a GPU-powered appliance for data centers, a virtual appliance, or containers on NVIDIA-Certified Systems, available across on-prem, cloud, hybrid and edge.
Fortinet's John Whittle, COO, framed it as a sovereignty play as much as a security one: "FortiAIGate combines Fortinet's AI-driven Security Fabric with NVIDIA's high-performance computing and AI factories to stop threats, from malicious prompts to data exfiltration, without disrupting AI workflows." NVIDIA's Justin Boitano, VP of Enterprise AI Platforms, made the latency argument explicit, positioning the integration as "zero-trust security and real-time governance" with throughput high enough that security stops being the bottleneck. (Fortinet press release)
What is conspicuously missing from the announcement: pricing, exact GA dates, and published benchmarks. That is a tell about where Fortinet thinks it sits in the buying cycle — early enough that they are still selling the category, not the SKU.
Why This Matters: Two Risk Curves That Just Crossed
Technical Implications (CIO/CISO)
The architectural problem with AI runtime security is that the most dangerous traffic in your stack is now traffic your existing controls cannot inspect. A prompt is not a file. A tool call is not an HTTP request to a known SaaS app. Agent-to-agent messages do not show up in your CASB. The OWASP Top 10 for LLM Applications now lists prompt injection at #1, and Wiz Research has tracked a 340% year-over-year increase in documented prompt injection attempts against enterprise AI systems in Q4 2025, with successful attacks rising 190%. (SQ Magazine on prompt injection statistics)
Once an agent is compromised, dwell time is brutal. An estimated 67% of successful prompt injection attacks in analyzed enterprise deployments went undetected for more than 72 hours — well past the window where containment is easy. Real-world enterprise testing shows over 60% of prompt injection attempts succeed at least partially, and prompt manipulation is involved in over 30% of AI-related breaches reported through 2026, with data exfiltration in up to 40% of successful AI-related attacks. (Tek Ninjas defense playbook)
The architecture answer is a runtime control plane that is co-located with the AI traffic itself: between the application and the model, between agent and tool, between agent and agent. Fortinet's bet — shared by Palo Alto with the Portkey acquisition, by Zscaler with the SPLX acquisition, and by every cloud hyperscaler now bolting guardrails directly into their AI platforms — is that the AI gateway becomes the new perimeter for enterprise AI.
Business Implications (CFO/CRO/Board)
The financial argument used to be theoretical. It is not anymore. AI-related incidents, including prompt injection, contributed to over $4.4 billion in global breach costs in 2025, and enterprises deploying AI agents experienced up to 2x higher incident response costs when prompt injection was involved. The US average breach cost has hit a record $10.22 million, 2.3x the global average. (SQ Magazine)
The strategic argument is even louder. Gartner's 4Q25 forecast projects the AI-amplified security market reaching $160 billion by 2029, up from $49 billion in 2025, and predicts over 50% of enterprises will use AI security platforms by 2028. Gartner has placed AI Security Platforms (AISPs) in "The Vanguard" tier of its Top Strategic Technology Trends for 2026 — sitting alongside Preemptive Cybersecurity and Digital Provenance as the technologies that determine which enterprises retain trust and which lose it. (Software Strategies Blog, PointGuard AI on Gartner AISPs)
The CFO question is not "should we fund this." It is "do we fund the runtime control point we control, or do we let the cloud hyperscaler bundle it into our consumption bill at a margin we cannot negotiate?" That is the real decision FortiAIGate, Prisma AIRS, Zscaler AI Guard, and the rest of the field are competing over.
Market Context: A Five-Layer Vendor War
The AI runtime security market in May 2026 is not one market. It is five overlapping categories, each with a different architectural assumption about where the control point belongs. The competitive field, mapped by Futurum's analysis of Palo Alto's Portkey acquisition, looks like this. (Futurum Group on Prisma AIRS + Portkey)
Layer 1 — Hardware-accelerated AI security platforms: Fortinet (FortiAIGate + NVIDIA), with appliance economics and GPU-co-located inspection. Designed for sovereign and high-throughput deployments where latency budgets are non-negotiable.
Layer 2 — Network security incumbents extending into AI: Palo Alto Networks (Prisma AIRS + Portkey, acquired April 30, 2026), Zscaler (with the SPLX acquisition giving it AI Asset Discovery, automated red teaming with 5,000+ purpose-built attack simulations, and runtime guardrails), CrowdStrike, Cisco, Netskope, Proofpoint. These vendors are extending zero-trust and SASE narratives into AI traffic. (Zscaler on SPLX acquisition)
Layer 3 — Cloud hyperscaler native guardrails: Microsoft (Entra-integrated prompt injection protection in Global Secure Access, plus Azure AI Content Safety), AWS Bedrock Guardrails, Google Cloud Model Armor. These are the structural headwind that every third-party gateway play has to overcome — they are "free enough" inside the consumption bill that procurement may take the path of least resistance. (Microsoft Learn on prompt injection protection)
Layer 4 — API gateway vendors adding AI: Kong, Cloudflare ($7/user/month tier with AI gateway capability), F5. Strong on routing, telemetry and rate limiting — weaker on deep semantic threat detection.
Layer 5 — AI-native startups: Lakera, Knostic, Morph, ShareAI, OpenRoute, and a long tail of LLM-firewall specialists. Best-of-breed on prompt injection classification, but with the usual integration and run-rate risk of a startup-only control point.
The Gartner-level signal underneath the noise is unambiguous: AI Security Platforms are the consolidation point. By 2028, the analyst expects over half of enterprises to standardize on one. The decision in front of every CIO right now is which layer wins the integration mandate.
Framework #1 — AI Runtime Security Vendor Decision Matrix
Use this matrix to filter the five-layer field down to a shortlist of two or three. The four dimensions reflect what actually drives a 24-month deployment outcome, not what shows up on a marketing slide.
Dimension 1 — Latency budget per request
- <50ms tolerance, high-volume inference: Hardware-accelerated platforms (FortiAIGate on NVIDIA Blackwell, Prisma AIRS on co-located inspection). Software-only gateways add 80-200ms per inspected request, which kills agentic workflows that chain 6-10 calls.
- 50-200ms tolerance: Network security incumbents (Zscaler AI Guard, Palo Alto Prisma AIRS) or cloud-native guardrails.
- >200ms tolerance, low-volume chat: API gateways (Cloudflare, Kong) or AI-native startups (Lakera, Knostic).
Dimension 2 — Data sovereignty / deployment model
- Air-gapped, sovereign, regulated (EU, financial services, defense, healthcare): FortiAIGate (self-hosted GPU appliance with Nemotron safety models running on your infra), or Zscaler / Palo Alto with on-prem options.
- Hybrid (some on-prem, mostly cloud): Palo Alto Prisma AIRS, Zscaler AI Guard, Cloudflare.
- Cloud-only, single hyperscaler: Microsoft Entra + Azure AI Content Safety, AWS Bedrock Guardrails, Google Model Armor. Lowest friction, highest lock-in.
Dimension 3 — Existing security stack alignment
- Fortinet-centric (FortiGate, FortiSASE): FortiAIGate, full Security Fabric integration.
- Palo Alto-centric (Prisma Access, Cortex): Prisma AIRS + Portkey.
- Zscaler-centric (Zero Trust Exchange): Zscaler AI Guard with SPLX.
- Microsoft-centric (Entra, Defender, Purview): Microsoft native.
- Best-of-breed shop: AI-native startup + AI gateway combination, on top of whatever SASE you already run.
Dimension 4 — Agentic complexity
- Single-LLM chatbot deployments: Cloud-native guardrails are usually sufficient.
- Agentic workflows with MCP, tool use, and multi-step reasoning: Hardware-accelerated or network-incumbent platforms with explicit MCP coverage. FortiAIGate, Prisma AIRS and Zscaler AI Guard all now claim MCP-aware enforcement; cloud-native guardrails lag.
- Agent-to-agent / multi-agent systems: Only the platforms that have actually shipped agent identity + policy enforcement at the inter-agent layer should be on the shortlist.
How to use it: Score your top three candidates on each of the four dimensions, weight by criticality (typical weighting: latency 25%, sovereignty 25%, stack alignment 30%, agentic complexity 20%), and shortlist the top two for a paid 60-day PoC with real production traffic, not synthetic prompts.
Framework #2 — 90-Day AI Runtime Security Deployment Roadmap
Most AI security projects die in the same place: a CISO buys a platform, IT sponsors a pilot, the business never sees governance enforced on traffic they care about, and the contract quietly does not get renewed. This 90-day roadmap is designed to avoid that pattern.
Week 1-2 — Discovery and inventory
- Run an AI asset discovery scan (Zscaler AI Guard, Lakera Red, or a hyperscaler-native tool) against public AI app traffic, model endpoints, RAG pipelines, code repositories and any MCP servers in private deployments.
- Inventory every shadow agent. Industry data suggests 82% of enterprises have AI agents running that are unknown to security, and token-scoped attacks tied to shadow agents accounted for a non-trivial share of 2025 incidents. Treat anything you cannot identify as compromised by default.
- Establish a baseline: how many AI calls per day, top 10 applications, top 5 models in use, top 3 MCP servers, top 3 agent frameworks.
Week 3-4 — Threat modeling and policy design
- Map your top 10 AI use cases to OWASP LLM Top 10 risk categories (prompt injection at #1, sensitive information disclosure, supply chain, etc.).
- For each use case, define an allowed-prompt policy, an allowed-tools policy, an allowed-data-egress policy, and an audit-log retention policy.
- Sign off cross-functional: legal, privacy, AppSec, the business unit owner. If any of those four is not on the policy sign-off, the policy will not survive contact with production.
Week 5-8 — Inline pilot in a single business unit
- Deploy your shortlisted vendor inline for one business unit, one production AI use case, real traffic. Not a sandbox.
- Required pilot success criteria: <100ms p99 added latency, <1% false-positive block rate, >95% catch rate on a curated 100-prompt red-team set, full audit trail in your existing SIEM, agent-level policy enforcement on at least one MCP server.
- Run automated red-teaming against the deployment continuously. Zscaler/SPLX, Lakera Red and Anthropic's published prompt-injection metrics all publish methodology you can adopt rather than invent.
Week 9-12 — Scale-out and governance integration
- Expand to the next 3-5 use cases, with the same policy framework.
- Wire alerts into the SOC, with a documented runbook for the top 5 prompt-injection patterns.
- Negotiate the production contract from a position of evidence. The discount available after a successful 60-day inline PoC is typically 20-35% off list, especially in a category where every vendor is fighting for category-defining logos right now.
Common failure modes and the fix:
- Failure: Pilot picks a low-risk chatbot use case → cannot justify expansion. Fix: pilot on the highest-throughput agentic workflow you have, not the safest one.
- Failure: Policy is owned by security only → business bypasses controls. Fix: every policy needs a business-unit signer on it.
- Failure: Latency blows the budget → users route around the gateway. Fix: pick the deployment model in Framework #1 Dimension 1 before signing.
- Failure: No baseline → cannot prove value at renewal. Fix: capture the Week 1-2 inventory in a frozen artifact.
- Failure: Red team uses synthetic prompts → catches nothing real. Fix: use Anthropic's published prompt-injection benchmark and Zscaler/SPLX's 5,000+ scenarios as a floor, not a ceiling.
Case Study: How a Real Agent Was Hijacked in Late 2025
The most useful case study from the last twelve months did not come from a marketing slide. It came from incident analysis on ServiceNow's Now Assist in late 2025. (Tek Ninjas defense playbook)
The attack was a "second-order" prompt injection. An attacker fed a low-privilege agent a malformed request containing instructions disguised as data. The low-privilege agent passed that data, intact, to a higher-privilege agent as part of a normal multi-agent workflow. The higher-privilege agent — which trusted its peer as if it were an internal system — read the embedded instructions as legitimate, and exported case files to an external URL.
This is the canonical failure mode of agentic systems, and it tells you exactly where the control point has to sit: between agents, not just between users and models. No DLP product in the world inspects inter-agent traffic by default. No CASB sees an MCP call. The new gateways — FortiAIGate, Prisma AIRS + Portkey, Zscaler AI Guard, Cloudflare AI Gateway — are converging on the same architectural answer because there is no other place to enforce the policy.
The lesson for buyers is uncomfortable: the most expensive part of an AI security incident is not the breach. It is the 72-plus hours of undetected dwell time that comes before anyone notices. Sixty-seven percent of successful prompt injection attacks went undetected for more than three days. If your stack cannot generate a signal in the first hour, your runtime security is not runtime security. It is forensic security.
What to Do This Quarter
For the CIO: Run an AI asset discovery scan in the next 30 days. If you cannot tell the CEO how many AI agents are running in production, you cannot run an AI security strategy. Once you have an inventory, score the top three runtime security vendors on Framework #1 and run a 60-day inline pilot on the highest-throughput agentic use case you own.
For the CISO: Pick your control point. The decision is not "do we buy AI security." It is "do we own the runtime control plane, or do we rent it from the hyperscaler?" Owning it means a FortiAIGate / Prisma AIRS / Zscaler AI Guard / equivalent platform. Renting it means accepting that every model migration becomes a security migration. There is no third option.
For the CFO: Reframe the line item. AI security is not a 2027 budget; it is a 2026 budget. The 17-to-1 spending asymmetry that Gartner just published is the gap between where boards already expect you to be and where most enterprises actually are. Closing it costs less today than it will after the first board-reportable AI incident, which Gartner's deployment-to-governance ratio suggests is closer than most CFOs are pricing in.
For the board: Ask one question at the next risk committee meeting: "Show me the runtime security control point for our AI agents." If the answer is a slide titled "we use OpenAI's safety features," the answer is the problem.
