In the two weeks before RSAC 2026 (March 23–27), the agent security market went from “emerging category” to “established industry.” We’ve tracked 25+ product launches, funding rounds, and major announcements — more agent security activity in 14 days than the entire previous year combined.
Here’s the definitive map of what shipped and what it means.
The Agent Security Stack
What emerged isn’t a collection of point solutions. It’s a coherent stack — each layer addressing a distinct security challenge that AI agents create.
Layer 1: Runtime Security
Where agents execute. The foundation everything else depends on.
| Product | Company | What It Does |
|---|---|---|
| Secure-by-Design Blueprint | CrowdStrike × NVIDIA | Falcon security embedded in OpenShell agent runtime |
| Vellox Suite | Booz Allen Hamilton | 5-product agentic cyber defense (malware, detection, adversary emulation, compliance, remediation) |
| Agent Pulse | Singulr AI | Runtime governance for autonomous agents and MCP servers |
Layer 2: Identity & Access
Who is this agent? What can it access? For how long?
| Product | Company | What It Does |
|---|---|---|
| Agentic Access Management | Oasis Security ($120M) | Least-privilege for all machine identities; single policy layer |
| Identity for AI | Ping Identity | Single control plane for agent lifecycle and guardrails |
| Agent Identity Controls | Okta (Apr 30) | Shadow agent discovery, kill switch, MCP registry |
| Agent Identity Governance | SailPoint × AWS | Multi-year deal for agent identity on Bedrock |
| Agent Ready | Deutsche Telekom | Telco-scale digital identities for agents |
| Know Your Agent (KYA) | F5 × Skyfire | JWT-based agent identity at CDN edge |
| Next-Gen Identity | CrowdStrike (via Blueprint) | Dynamic identity management for local agents |
Layer 3: Credential Management
Securing the secrets agents use to authenticate.
| Product | Company | What It Does |
|---|---|---|
| Unified Access | 1Password | Single vault for human + agent credentials; Anthropic/OpenAI/GitHub partnerships |
| AI Access Management | ConductorOne | 3K+ MCP servers, <60s self-service provisioning, credential vaulting |
Layer 4: Governance & Policy
Organizational controls for agent behavior at scale.
| Product | Company | What It Does |
|---|---|---|
| Agent 365 | Microsoft (May 1 GA) | Enterprise control plane for agents; bundled in M365 E7 |
| AgentPulse | AvePoint | Shadow AI agent discovery and governance |
| AMP | Portal26 | Agent governance with ROI measurement |
| UnifAI | Lineaje | Autonomous AI policy orchestrator |
| Agent Privilege Guard | Apono | Intent-Based Access Controls, zero standing privileges |
| AGA | Entro Security | Shadow AI discovery, MCP policy enforcement |
Layer 5: Data Security
Preventing sensitive data from leaking through agent workflows.
| Product | Company | What It Does |
|---|---|---|
| ACS 2.0 | Bonfy | Cross-channel data security for AI agents; MCP guardrails |
| Purview for Copilot | Microsoft | DLP for AI prompts; blocks PII/credit cards in grounding |
| AI Gateway | Airia | Enterprise OpenClaw security with HIPAA compliance |
| 1Secure | Netwrix | Inherited permissions visibility for agent data access |
Layer 6: Observability & Detection
Seeing what agents are doing across the environment.
| Product | Company | What It Does |
|---|---|---|
| NGINX Agentic Observability | F5 | MCP traffic inspection in the data path |
| Agentic Security Graph | Salt Security | LLM→MCP→API unified risk mapping |
| Shadow AI Detection | Microsoft Entra | Network-layer discovery of unknown AI apps |
| Security Dashboard for AI | Microsoft Defender | Unified AI risk visibility for CISOs |
Layer 7: Offensive Testing
Finding vulnerabilities before attackers do.
| Product | Company | What It Does |
|---|---|---|
| Autonomous Pen Testing | Xbow ($120M) | AI agent swarms, #1 on HackerOne |
| Vellox Striker | Booz Allen | AI adversary emulation for agent systems |
| RunSybil | RunSybil ($40M) | AI agents automating offensive security |
Layer 8: Threat Intelligence & Research
Understanding the threat landscape.
| Report/Product | Source | Key Finding |
|---|---|---|
| 2026 AI Threat Landscape | HiddenLayer | 1 in 8 breaches linked to agentic systems |
| 2026 Secure Access Report | Microsoft Entra | 97% had identity incidents; 70% AI-related |
| AI Speed Threat Report | Booz Allen | Breakout times under 30 minutes |
| OWASP Agentic Expansion | OWASP | Red team taxonomy, MCP guide, CTF hackathon |
What the Map Reveals
1. Agent security is a stack, not a product
No single vendor covers every layer. Microsoft comes closest (identity + governance + data + observability) but still doesn’t address runtime security or offensive testing. This means enterprises will need to assemble multi-vendor agent security stacks — creating integration challenges and potential gaps.
2. MCP is the new firewall boundary
The Model Context Protocol appears across nearly every layer — as a control point for access (ConductorOne), observation (F5), data security (Bonfy), and governance (Entro, Singulr). MCP has become the de facto standard for agent-to-tool communication, and securing it is now a first-class concern.
3. Identity is the most crowded layer
Seven companies launched agent identity products in two weeks. The pattern: agents need their own identity lifecycle — credentials, permissions, policies, audit trails — separate from the humans who deploy them. The 82-to-1 machine-to-human identity ratio (Palo Alto Networks) explains why.
4. Defense contractors entered the market
Booz Allen’s Vellox suite signals that agent security has crossed from startup territory into the defense-industrial complex. When $12B defense contractors start shipping agentic security products, the market has been validated.
5. The data shows it’s already too late for some
Microsoft’s 97% incident rate, HiddenLayer’s 1-in-8 breach rate, IBM’s finding that 97% of compromised orgs had zero AI access controls — the empirical evidence says agents are being deployed faster than they’re being secured, and breaches are already happening.
The Gaps That Remain
Despite 25+ launches, several areas are underserved:
- Agent-to-agent security — most products focus on agent-to-human or agent-to-tool; agent-to-agent communication patterns are largely unaddressed
- Supply chain verification — who built this agent? What’s in its training data? Is its SOUL.md trustworthy?
- Cross-cloud agent governance — agents that span AWS, Azure, and GCP need unified controls, but most products are single-cloud
- Open-source agent security — enterprise products dominate; open-source OpenClaw users have fewer options
- Regulatory compliance automation — compliance tools exist (Vellox Navigator, Airia) but sector-specific frameworks (HIPAA, SOX, PCI) for agents are still early
What Comes Next
RSAC 2026 will add another wave of announcements. But the pre-show launches have already defined the market structure. Agent security isn’t a single product category — it’s an entire stack, parallel to the traditional security stack, built specifically for systems that think, decide, and act autonomously.
The question isn’t whether enterprises will invest in agent security. The data says they must. The question is which layers they prioritize first, and whether they can assemble a coherent stack before the next major agent-related breach forces their hand.
RSAC 2026 runs March 23–27, 2026, in San Francisco. This map covers announcements through March 21, 2026.