Here’s the core problem Token Security is solving: two AI agents with identical permissions can behave completely differently depending on what they’re trying to accomplish. Static access controls — the kind enterprises have relied on for decades — weren’t designed for systems that are non-deterministic, goal-oriented, and autonomous.
Token Security, an RSAC 2026 Innovation Sandbox Award Finalist, just shipped intent-based AI agent security — a new enforcement model that governs what agents can do based on what they’re supposed to do.
Why Permissions Alone Break for Agents
Traditional access management assumes: give an identity the right permissions, and you’ve contained the risk. That works when the identity is a human with predictable behavior patterns, or a service account running the same script every day.
AI agents break this model in three ways:
- Non-deterministic execution. The same agent with the same prompt can take different actions each run. Static policies can’t anticipate the variance.
- Goal-oriented behavior. Agents pursue objectives, not commands. A “research agent” with database read access might decide to write results somewhere unexpected if that serves its goal.
- Permission inheritance from creators. When an enterprise employee deploys an agent, that agent often inherits the employee’s full access scope — even when it only needs a fraction of those permissions for its intended purpose.
CEO Itamar Apelblat put it directly: “Prompt filtering and guardrails were not designed to fully contain the security risks introduced by autonomous AI agents.”
What Intent-Based Security Does
Token Security’s platform operationalizes intent through five capabilities:
1. Continuous Agent Discovery. Finds AI agents across the enterprise — their owners, their access patterns, and their credentials. This matters because shadow AI is now at 76% and rising.
2. Intent Understanding. Analyzes both declared intent (what the agent’s creator says it should do) and observed intent (what the agent actually does). The gap between these two is where security incidents live.
3. Dynamic Least-Privilege Enforcement. Creates access policies aligned to defined intent — not static roles. If an agent’s purpose is “summarize customer support tickets,” it gets read access to the ticket system and nothing else.
4. Constraint Monitoring. Flags actions that fall outside established intent boundaries. An agent designed for summarization that starts making API calls to billing systems triggers an alert.
5. Lifecycle Governance. Prevents access drift and orphaned agents — the agentic equivalent of stale service accounts that accumulate permissions over years.
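The ticket-summarizer scenario from capabilities 3 and 4, as an added sketch that is not Token Security's code and not part of the original article: it scopes an agent's inherited permissions down to its declared intent and labels observed actions that a static permission check would let through. The `Grant` type, the agent name, the permission sets and the log lines are all constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Grant:
    resource: str  # e.g. "tickets"
    action: str    # e.g. "read"

# All names and data below are constructed for illustration.
CREATOR_PERMISSIONS = {  # the deploying employee's access, inherited by the agent
    Grant("tickets", "read"), Grant("tickets", "write"),
    Grant("billing", "read"), Grant("billing", "write"),
    Grant("crm", "read"),
}
DECLARED_INTENT = {Grant("tickets", "read")}  # "summarize customer support tickets"
OBSERVED_EVENTS = [  # constructed audit lines: "timestamp agent resource action"
    "2026-03-20T10:00:01Z summarizer-01 tickets read",
    "2026-03-20T10:00:05Z summarizer-01 tickets read",
    "2026-03-20T10:00:09Z summarizer-01 billing read",
    "2026-03-20T10:00:12Z summarizer-01 crm read",
    "2026-03-20T10:00:15Z summarizer-01 hr read",
]

def parse_event(line):
    ts, agent, resource, action = line.split()
    return ts, agent, Grant(resource, action)

def least_privilege_policy(inherited, intent):
    """Return (grants to keep, grants to revoke) for an intent-scoped policy."""
    return inherited & intent, inherited - intent

def classify(events, inherited, intent):
    """Label each observed action against the declared intent and the static grants."""
    findings = []
    for line in events:
        ts, agent, grant = parse_event(line)
        if grant in intent:
            verdict = "in_intent"
        elif grant in inherited:
            # A static ACL allows this silently; only the intent check flags it.
            verdict = "permitted_but_out_of_intent"
        else:
            verdict = "denied_by_permissions"
        findings.append((ts, agent, grant, verdict))
    return findings

if __name__ == "__main__":
    keep, revoke = least_privilege_policy(CREATOR_PERMISSIONS, DECLARED_INTENT)
    print("keep:", keep, "revoke:", revoke)
    for finding in classify(OBSERVED_EVENTS, CREATOR_PERMISSIONS, DECLARED_INTENT):
        print(finding)
```

The `permitted_but_out_of_intent` rows are the gap between declared and observed intent: actions the inherited permissions allow but the agent's stated purpose does not cover.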
The Competitive Landscape
Token Security enters a crowded RSAC 2026 pre-wave that already includes:
- Okta for AI Agents — shadow agent discovery and kill switch
- Oasis Security — $120M for least-privilege across all machine identities
- Apono Agent Privilege Guard — intent-based access controls with ephemeral credentials
- ConductorOne — AI-native access management with 3K+ MCP server coverage
- Entro AGA — shadow AI discovery and MCP policy enforcement
What differentiates Token Security is the explicit focus on intent as a security primitive — not just “what can this agent access” but “what is this agent trying to accomplish, and does its access match that purpose?”
CTO Ido Shlomo framed the risk: “AI agents shouldn’t inherit the full permissions of the humans who create them. When they do, organizations lose visibility and control over what those systems can access and execute.”
The Innovation Sandbox Factor
Being named an RSAC Innovation Sandbox finalist puts Token Security on the industry’s most visible launchpad. Previous winners include Wiz (now a $12B+ acquisition target) and CrowdStrike. The competition takes place Monday, March 23 — the opening day of RSAC 2026.
The timing is deliberate. With 25+ agent security products launching in a two-week window, RSAC 2026 is the moment the industry acknowledges that agent security is not a niche — it’s a category.
Token Security’s intent-based capabilities are available immediately. Demo at booth South Hall 1969 during the conference.
Sources: GlobeNewsWire · Token Security · SecurityBrief