In the first three weeks of April 2026, three different vendors shipped three different answers to the same enterprise question: how do you secure AI agents after they're in production? Microsoft released an open-source governance toolkit on April 2. Ammune.AI launched a commercial runtime platform on April 22. Palo Alto Networks announced a native Prisma AIRS integration with Google Cloud's Gemini Enterprise Agent Platform on the same day. None of these are model-level or prompt-level defenses. All three sit at the runtime layer—between the agent and the tools, APIs, and data it touches at execution time.
That's not coincidence. It's the birth of a new procurement category: AI Agent Runtime Security.
For CIOs already fielding RFPs on agent platforms, this creates a forcing function. The agents you greenlit last quarter—whether Copilot Studio, Salesforce Agentforce, Google Agentspace, or something your own engineers built on LangGraph—are now operating at scale without a dedicated runtime security layer. Gartner's 2026 CIO and Technology Executive Survey says 17% of organizations have deployed AI agents, and more than 60% expect to within two years. Gartner also predicts that over 50% of enterprises will use AI security platforms by 2028. The category is forming in real time. This article maps what changed in April, why runtime matters more than prompt hardening, and the three procurement paths CIOs need to evaluate before committing.
What Shipped in April
April 2: Microsoft Agent Governance Toolkit
On April 2, Microsoft's Open Source program office published the Agent Governance Toolkit to GitHub under MIT license. It's not a SaaS product. It's seven packages that together form a runtime control plane for agents:
- Agent OS — a policy engine supporting YAML, OPA Rego, and Cedar, benchmarked at sub-millisecond p99 latency
- Agent Mesh — cryptographic identity for agents using decentralized identifiers (DIDs) with Ed25519 signatures and a 0–1000 dynamic trust score
- Agent Runtime — execution rings, saga-style orchestration for multi-step workflows, and emergency kill switches
- Agent SRE — SLOs, error budgets, circuit breakers, chaos engineering hooks
- Agent Compliance — automated governance verification mapped to EU AI Act, HIPAA, and SOC 2
- Agent Marketplace — plugin lifecycle with Ed25519 signing
- Agent Lightning — policy-enforced reinforcement learning for post-deployment agent tuning
The design goal is explicit: address all ten risks in the OWASP Agentic AI Top 10—goal hijacking, tool misuse, identity abuse, memory poisoning, cascading failures, rogue agents—at the runtime layer, without requiring agent code rewrites. Imran Siddique, Principal Group Engineering Manager at Microsoft and the toolkit's creator, framed the motivation bluntly: "The question isn't whether we need governance for these systems, but whether we'll build it proactively, before incidents force our hand, or reactively, after them."
For AI engineering leaders, the interesting part isn't the code—it's the shape. Microsoft is signaling that runtime governance belongs outside the agent framework, as a cross-cutting layer. That's a different architecture from baking safety into prompts or fine-tuned refusals.
April 22: Ammune.AI Exits Stealth
Twenty days later, Ammune.AI launched what it calls "the first AI Agent Runtime Security platform for enterprise." Category-creating language is always a marketing move, but the technical claim is substantive. Ammune doesn't try to inspect prompts or filter model outputs. It sits out-of-band on enterprise APIs and does four things:
- Automatic discovery of AI agents calling enterprise APIs—including unknown and shadow agents that weren't deployed through official channels
- Behavioral mapping of agent access patterns: which endpoints, which sequences, which parameter distributions
- Real-time threat detection and mitigation when an agent's behavior deviates from its learned baseline
- Full API visibility, including shadow and zombie endpoints that predate formal governance
CEO Yisrael Gross summarized the premise in a way that will land with anyone who has debugged a misbehaving agent: "AI agents are becoming the new users of enterprise systems. They don't break systems—they use them correctly at scale." That last phrase is the whole pitch. Traditional API security assumes misuse means malformed requests. Agent misuse means valid requests made in unexpected combinations, sequences, or volumes. You can't regex your way out of it.
Ammune supports cloud, hybrid, on-premise, and fully air-gapped deployments. The target market is banking, government, and critical infrastructure—regulated sectors where data residency and operational isolation are mandatory. No pricing published. No named customers yet.
April 22: Palo Alto Prisma AIRS + Google Cloud
Same day, at Google Cloud Next 2026 in Las Vegas, Palo Alto Networks announced a native integration between Prisma AIRS and Google's newly generally available Gemini Enterprise Agent Platform. Prisma AIRS is Palo Alto's AI security platform. The Gemini integration specifically hardens the "agent-to-tool" interface—the point where an agent decides to call an external system.
Published capabilities:
- Blocks over 30 adversarial prompt injection and jailbreak techniques using 1,000+ predefined patterns
- ML-powered Enterprise DLP to prevent sensitive data exposure during agent execution
- Natural-language safety policy authoring with eight toxic-content categories
- Contextual grounding to prevent outputs that contradict internal RAG data
- Credential leakage monitoring across live agent execution
- Drag-and-drop deployment through Google Cloud's Application Design Center
This is the incumbent network security vendor move. Palo Alto isn't trying to invent a new architecture. It's absorbing agent security into the same Prisma control plane enterprises already buy for SASE and cloud workload protection. For a CISO who's already running Prisma, adding AIRS for agents is a line-item on the next renewal.
Why the Runtime Layer, and Why Now
The easy way to read these launches is: "agent security is a thing, vendors are selling products." The more useful read is architectural. Ask why all three ship at the runtime layer instead of the prompt or model layer, and you get to the interesting answer.
Two weeks before Ammune launched, Capsule Security exited stealth with $7M and two coordinated zero-day disclosures: ShareLeak (CVE-2026-21520) in Microsoft Copilot Studio and PipeLeak in Salesforce Agentforce. Both were indirect prompt injection vulnerabilities. The sting in the disclosure wasn't the specific bugs. It was this observation about ShareLeak: Microsoft's own safety mechanisms flagged the malicious payload as suspicious during testing—and the data was exfiltrated anyway.
That's the failure mode that drives the runtime shift. Model-level and prompt-level defenses are probabilistic. They reduce attack surface but can't guarantee elimination. Once an attacker is inside the agent's reasoning loop, downstream actions—tool calls, API requests, database writes—happen at machine speed. The only reliable chokepoint is the runtime boundary between the agent and the systems it touches. That's where you can enforce deterministic policy: which tools, with which parameters, at which rate limits, and on behalf of which user identities a given agent may act, under which conditions.
Microsoft's toolkit treats runtime as a policy engine. Ammune treats it as behavioral anomaly detection. Palo Alto treats it as a DLP and prompt-filtering control point. These are three architectural philosophies converging on the same layer.
For AI engineers, the takeaway is that prompt engineering for safety is a ceiling, not a floor. You build safer prompts and you put deterministic controls on what the agent can do with them. Runtime security is the floor.
Three Procurement Paths for CIOs
Putting aside the vendor pitches, CIOs face three distinct procurement paths. Each has a different operating model and a different total cost.
Path 1: Open-Source Toolkit, Internal Ownership
Adopt Microsoft's Agent Governance Toolkit (or a comparable open-source framework) and stand it up as an internal platform team deliverable.
When it fits: You have a mature internal platform engineering function, you're building agents in-house on Azure or multi-cloud, and you want deep control over policy logic and integration with existing identity and compliance stacks. Financial services and large tech companies with dedicated AI platform teams fit this mold.
Cost reality: No license fee. Real cost is 2–4 engineers for stand-up, ongoing operation, and policy authoring. Factor in 6–9 months to production-ready. The toolkit addresses OWASP Agentic Top 10 out of the box, but you own the integration work with your identity provider, SIEM, and compliance tooling.
Risk: Internal ownership means internal accountability when something goes wrong. You inherit the on-call burden.
Path 2: Dedicated Runtime Security Platform (Ammune.AI and Emerging Peers)
Buy a dedicated AI Agent Runtime Security platform. Ammune is one of the first to claim the category, but expect Capsule Security, Zenity, and others to compete here within the next two quarters.
When it fits: You have shadow AI agents already in your environment (you almost certainly do), you need behavioral visibility before you can write policy, and you don't have the internal bandwidth to operate an open-source toolkit. Regulated industries that need air-gapped deployments benefit from Ammune's specific positioning.
Cost reality: Commercial pricing isn't public, but category peers typically land in $150K–$500K/year for mid-market enterprise deployments, scaling from there. Deployment timelines are shorter—weeks, not quarters—because the platform is out-of-band and doesn't require changes to existing agent code.
Risk: Category is new. Early buyers take the vendor-viability bet. Require financial stability disclosures, escrow clauses, and a clear acquisition-scenario plan in the contract.
Path 3: Incumbent Security Vendor Integration (Palo Alto, Zscaler, Cloudflare, and Peers)
Add agent runtime security as a module on top of the security platform you already run. Palo Alto Prisma AIRS is the cleanest example today, but Zscaler, Cloudflare, and Check Point all have announced roadmaps or adjacent offerings.
When it fits: You're already deep in one network/cloud security vendor's control plane, your procurement motion favors consolidation, and your AI estate is primarily hyperscaler-native (Google Agentspace, Copilot Studio, AWS Bedrock Agents).
Cost reality: Usually a line-item uplift on an existing enterprise agreement. Lower incremental cost. Faster procurement because it goes through the existing security vendor review rather than a new-vendor onboarding process.
Risk: Incumbent platforms optimize for breadth over depth. You may get "good enough" runtime controls for hyperscaler-native agents and weaker coverage for custom-built or OSS-framework agents. If your engineering teams are building on LangGraph, CrewAI, or other OSS agent frameworks, verify coverage explicitly.
For most enterprises, the pragmatic answer isn't a single path—it's Path 3 for hyperscaler-native agents, Path 1 or Path 2 for the custom-built ones your engineering teams are deploying. The question to answer in your next security architecture review is: who owns runtime enforcement for each agent class in our environment? If the answer is "nobody," that's the gap this category exists to fill.
What to Ask Vendors This Quarter
Regardless of path, here's a short list of questions that separate real runtime security from relabeled prompt filtering:
- Does the product sit in-band, out-of-band, or both? Out-of-band gives you discovery and visibility without a performance tax. In-band gives you enforcement. You likely want both, with clear latency budgets for in-band controls.
- How does it identify agents as distinct from human users? Static API keys don't count. Look for cryptographic agent identity (DIDs, SPIFFE, or equivalent) and support for delegated user identity propagation.
- What's the policy model for tool access? Allowlists of tools aren't sufficient. You need parameter-level policies, conditional logic based on data classification, and the ability to say "this agent can call this tool only when invoked by users in these roles with these data contexts."
- How does it handle shadow agents? Discovery of agents that weren't deployed through your sanctioned path is the single most important feature for enterprises that already have 6+ months of agent deployment history. If the vendor can't tell you about shadow agents, it can't help you with the ones you don't know about.
- What's the coverage for OSS agent frameworks? Hyperscaler-native coverage is table stakes. LangGraph, CrewAI, AutoGen, and Semantic Kernel coverage is where real differentiation shows up.
- What's the blast radius of a failure in the security layer itself? If the runtime policy engine fails open, you have an availability win and a security loss. If it fails closed, you have a security win and an availability loss. Vendors who haven't thought through this answer rigorously haven't thought about production.
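To make the "deterministic policy at the runtime boundary" idea from the section above and the policy-model and blast-radius questions concrete, here is an added example (not code from the Microsoft toolkit or any vendor named here) of a minimal fail-closed runtime gate in Python: it allowlists tools per agent, conditions each call on caller role and data classification, validates parameters individually, rate-limits per agent and tool, and denies on any internal error. The agent, tool, role and policy names are hypothetical.

```python
import time
from dataclasses import dataclass
@dataclass
class ToolCall:
    agent_id: str            # cryptographic agent identity, not a shared API key
    tool: str
    params: dict
    caller_roles: frozenset  # roles of the human user the agent acts for
    data_classes: frozenset  # classification labels of the data in scope

# Hypothetical policy: agent -> tool -> constraints. A bare tool allowlist is not
# enough; each rule also says who, on what data, with which params, how often.
POLICY = {
    "support-agent": {
        "crm.lookup": {"roles": {"support"}, "per_minute": 3,
                       "params": {"limit": lambda v: v <= 50}},
        "crm.export": {"roles": {"support-lead"}, "per_minute": 1,
                       "forbid_data": {"pii"},
                       "params": {"format": lambda v: v in ("csv", "json")}},
    }
}
class RuntimeGate:
    def __init__(self, policy, clock=time.monotonic):
        self.policy, self.clock, self.window = policy, clock, {}
    def evaluate(self, call):
        """Return (allowed, reason). Any internal error denies: fail closed."""
        try:
            return self._decide(call)
        except Exception as exc:  # malformed params, broken rule, clock fault
            return False, f"deny (fail-closed): policy error {type(exc).__name__}"
    def _decide(self, call):
        rule = self.policy.get(call.agent_id, {}).get(call.tool)
        if rule is None:
            return False, "deny: tool not allowlisted for this agent"
        if not call.caller_roles & rule["roles"]:
            return False, "deny: caller role not permitted for this tool"
        if call.data_classes & rule.get("forbid_data", set()):
            return False, "deny: data classification forbids this tool"
        if set(call.params) != set(rule["params"]):
            return False, "deny: parameters do not match the policy schema"
        for name, check in rule["params"].items():
            if not check(call.params[name]):
                return False, f"deny: parameter '{name}' fails policy"
        key, now = (call.agent_id, call.tool), self.clock()
        recent = [t for t in self.window.get(key, []) if now - t < 60]
        if len(recent) >= rule["per_minute"]:
            return False, "deny: rate limit exceeded"
        self.window[key] = recent + [now]
        return True, "allow"
```

A real deployment would load the policy from YAML, Rego or Cedar and log every denial with the reason string to the SIEM; the point here is that each decision is a deterministic function of identity, parameters, data context and rate, and that a bug in the policy itself produces a denial rather than a silent allow.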
The Bottom Line
In the last month, AI Agent Runtime Security moved from a phrase in Gartner Hype Cycle footnotes to a category with live products, open-source frameworks, and incumbent-vendor modules—all shipping at the runtime layer because that's where deterministic enforcement actually lives. The Capsule Security disclosures made the stakes concrete: even vendor-built agents with vendor-built safety mechanisms leak. Microsoft, Ammune, and Palo Alto are each betting that runtime is where enterprises will spend their next AI security dollar.
For CIOs, the decision isn't whether to add runtime agent security—the Gartner-forecast 60% two-year adoption curve means it's coming on your roadmap either way. The decision is which path fits your architecture and operating model, and how to sequence it so you're not renewing a three-year contract in 2027 with a vendor that got outflanked by the category leader in 2028. Evaluate before the budget cycle closes.
Start with discovery. You can't secure what you can't see, and shadow agents are already in your environment. Whether you run the Microsoft toolkit, a dedicated platform, or an incumbent module, the first useful output is an inventory of agents calling your APIs. Everything else—policy, enforcement, compliance evidence—builds on that baseline.