

The 2026 State of AI Runtime Control

Six months ago, the AI runtime control category didn’t really exist. Today there are at least eight vendors, three open-source projects, two ongoing industry standards efforts, and a Q3 2026 AWS Marketplace category dedicated to the space. This post is an attempt to take stock: what the category actually is, who’s building, what the technical bets look like, and where it’s heading over the next 18 months.

It’s written for security engineers, AI/ML platform leads, and CISOs who need to decide whether to buy now, build now, or wait. The honest answer for most teams is “buy starter, build the gaps yourself.” The longer version follows.

What “AI runtime control” actually means

The label “AI runtime control” covers products that sit between an AI agent and the systems it acts on, evaluate every action the agent attempts, and decide whether to allow, deny, modify, or escalate. The semantic position is similar to a runtime policy engine (Open Policy Agent), an API gateway (Kong), or a service mesh (Istio), but operating on agent-action semantics: tool calls, MCP servers, A2A messages, intents.

The category exists because two earlier categories failed to address the AI agent problem:

  • Prompt-engineering safety (system prompts that say “be safe”) doesn’t survive contact with adversarial inputs or with models that get clever about reinterpreting their instructions.
  • Output classification (a second LLM that reads the first LLM’s output and grades it) inherits all the problems of the LLMs it tries to govern, plus latency and cost overhead, plus the inconsistency that comes with non-deterministic evaluation.

What worked for traditional software (firewalls, IAM, audit logs, deterministic policy engines) had no obvious equivalent for agents until the runtime control category emerged. Eight vendors are now trying to fill that gap.
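To make the position described above concrete, here is an added example (not Vaikora's or any vendor's code) of an action-layer evaluator in miniature: ordered rules over tool calls, the four decisions named above (allow, deny, modify, escalate), an observe mode that records verdicts without blocking, and a deterministic audit record. The rule format, tool names, and the wire-transfer limit are assumptions made for the example.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import Callable, Optional

# Hypothetical rule shape (not Vaikora's or any vendor's format): rules are
# ordered, the first match wins, and anything unmatched is denied.
@dataclass(frozen=True)
class Rule:
    tool: str                                   # tool name the agent is calling
    decision: str                               # allow | deny | modify | escalate
    when: Optional[Callable[[dict], bool]] = None       # predicate over call args
    rewrite: Optional[Callable[[dict], dict]] = None    # new args for "modify"
    reason: str = ""

RULESET_VERSION = "0.1"   # first ruleset is v0.1; bump it under version control

RULES = [  # constructed sample ruleset
    Rule("read_file", "allow", reason="read-only tool"),
    Rule("send_wire", "escalate", when=lambda a: a.get("amount_usd", 0) > 10_000,
         reason="transfer above auto-approve limit needs a human"),
    Rule("send_wire", "allow", reason="transfer within auto-approve limit"),
    Rule("web_fetch", "modify",
         rewrite=lambda a: {**a, "url": a["url"].replace("http://", "https://", 1)},
         reason="rewrite plain-http fetch to https"),
    Rule("shell", "deny", reason="shell execution is not granted to agents"),
]

def evaluate(tool: str, args: dict, observe_mode: bool = False) -> dict:
    # Deterministically evaluate one agent action and return an audit record.
    decision, effective, reason = "deny", args, "no matching rule (default deny)"
    for rule in RULES:
        if rule.tool == tool and (rule.when is None or rule.when(args)):
            decision, reason = rule.decision, rule.reason
            if decision == "modify" and rule.rewrite is not None:
                effective = rule.rewrite(args)
            break
    # Observe mode records the verdict the rules would give but lets the
    # original call through unchanged, so rules can be tuned before enforcing.
    enforced = "allow" if observe_mode else decision
    record = {
        "ruleset_version": RULESET_VERSION, "tool": tool, "args": args,
        "decision": decision, "enforced": enforced,
        "effective_args": args if observe_mode else effective,
        "reason": reason, "observe_mode": observe_mode,
    }
    # Hash the canonical JSON: same action + same ruleset always yields the same record.
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"))
    record["record_hash"] = hashlib.sha256(canonical.encode()).hexdigest()
    return record
```

Each record carries the ruleset version and a hash of its own content, which is the shape of evidence an auditor can replay against the rules that were in force at the time.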

The 2026 vendor map

The category has a small number of well-funded plays and a long tail of early-stage entrants. Approximate state as of May 2026:

Vendor                           | Founded   | Funding stage  | Primary differentiation
Zenity                           | 2022      | Series B       | First-mover, deep Microsoft Copilot focus
Prisma AIRS (Palo Alto Networks) | 2024 spin | Inside PANW    | Network-security-first frame, bundled with PANW Cortex
Noma Security                    | 2024      | Series A       | ML lifecycle scope (training + runtime)
Capsule Security                 | 2024      | Seed           | Identity-first, cryptographic agent identity
Lakera Guard                     | 2022      | Series A       | API-first, LLM-prompt-injection focus
Vaikora (Data443)                | 2026 (Q1) | Inside Data443 | Deterministic policy + open-source gateway
HiddenLayer                      | 2022      | Series A       | Model security + runtime
Robust Intelligence              | 2020      | Series C       | Pre-Cisco-acquisition, broad ML risk

This map will keep moving. New entrants are showing up every 4-6 weeks and at least three of the listed vendors will probably consolidate or pivot in the next 12 months.

Where each vendor is making its biggest technical bet

Worth understanding, because the vendors are not all betting on the same thing.

Zenity bets on Microsoft Copilot Studio integration depth. They were first to ship for Copilot, have the most reference customers in Microsoft-shop enterprises, and are tightly coupled to the Microsoft Graph permission model. If your AI agents run inside Copilot Studio and you’re a Microsoft shop, Zenity is the path of least resistance.

Prisma AIRS bets on the existing Palo Alto Networks footprint. Their pitch is “you already trust PANW for network security, add AI security to the same contract.” They’re investing in the integration with Cortex XSIAM (PANW’s security operations product) and the Cortex Cloud product. If you’re already a PANW customer with a Cortex deployment, AIRS is a sales-easy add.

Noma bets on covering the full ML lifecycle (training data, model deployment, runtime) rather than just runtime. Their thesis is that runtime-only solutions miss the upstream problems (poisoned training data, weak model integrity). If you have a large ML/AI engineering org and want one vendor across the lifecycle, Noma is positioned for that.

Capsule Security bets on cryptographic agent identity. Every agent gets a cryptographic identity that travels with it across system boundaries, so policy can be enforced on the agent’s actual identity rather than on its current session. Niche but technically interesting. The bet pays off if the industry standardizes on a similar identity model.

Lakera Guard bets on API-first prompt-injection defense. Easy to drop into existing applications via an HTTP endpoint, focused on filtering inputs and outputs of LLM calls. The bet is that most teams will adopt LLM security at the API layer first, then add deeper controls later. If you just need a quick filter in front of OpenAI calls, Lakera is the simplest answer.

Vaikora bets on deterministic policy enforcement at the agent action layer plus an open-source gateway as the credibility play. The thesis: in regulated industries (financial services, healthcare, defense), the only acceptable AI safety control is one that produces deterministic, auditable, reproducible decisions. The open-source vaikora-llm-gateway exists so engineering teams can evaluate the core engine without procurement. If you’re in a regulated industry and need audit-grade evidence, Vaikora is the natural fit.

HiddenLayer bets on model security (adversarial robustness, model integrity) plus runtime, leaning more academic. They have strong relationships with DoD and intelligence community customers. If your primary concern is model attacks rather than agent behavior, HiddenLayer’s research depth is a real asset.

Robust Intelligence bets on broad ML risk coverage. It was acquired by Cisco in 2024 and is now positioned inside Cisco’s broader security portfolio. If you’re a Cisco-shop enterprise, this is the integrated path. They’re broader than AI runtime control specifically (they cover model risk, fairness, drift).

What’s still unsolved

The category looks dense on the vendor map, but most products are still figuring out a few hard problems.

Latency budget vs policy depth

Every product faces the same tradeoff: rich policy evaluation takes time, but the agent’s user is waiting for a response. P99 latency budgets for typical agent workflows are 50-200ms total. The policy layer can claim 5-30ms of that before users notice. Achieving non-trivial policy decisions inside 30ms requires architectural choices most products are still iterating on.

The technical bets vary: in-process engines (lowest latency, hardest to update), sidecar engines (deployable, moderate latency), remote engines (easiest deployment, highest latency). No consensus has emerged on which wins, and the answer probably varies by use case.

Rule authorship and management

Writing policy rules is harder than writing code. The person who knows the threats (security team) usually isn’t the person who knows the agent’s internals (engineering team), and the auditor who needs to review the rules is a third role. Every vendor is building some kind of rule editor, rule library, and rule lifecycle management. Most are still rough.

Compare to network firewalls, where rule management UIs have had 25 years to mature. AI policy is approximately where firewalls were in 2000. Expect a lot of UX iteration.

Audit log standards

The big regulated-industry customers (banks, hospitals, defense contractors) need audit logs in formats their existing SIEMs already consume: Splunk, Elastic, Microsoft Sentinel, IBM QRadar, Chronicle. Every vendor exports something, but the data models vary. Industry-standard schemas for AI action logs (similar to how the network industry agreed on syslog) don’t exist yet. They probably will within 18 months.

Cross-runtime portability

Most enterprises use multiple AI agent runtimes. OpenAI Assistants for some workflows, Claude tool calling for others, LangGraph for orchestration, custom code for the critical paths. Policy rules written for one runtime usually don’t port to another. The product that solves this gets a big lift, but it requires standards work that hasn’t happened yet.

Where the category is heading, 18 months out

Five concrete predictions:

1. Open-source policy engines win the developer’s mind, commercial products win the buyer’s budget. This pattern is well-established in adjacent categories (Kubernetes, observability, data infrastructure) and is already starting in AI runtime control. The MIT-licensed vaikora-llm-gateway, Open Policy Agent’s AI extensions, and a couple of nascent projects will accumulate engineering trust over the next year. Commercial products will continue to differentiate on the management surface, the audit log retention, the SOC 2 / HIPAA evidence packs, and the deep integrations with specific runtimes.

2. Connector marketplaces are the dominant distribution channel. AWS Marketplace is launching an “AI Agents and Tools” category in Q3 2026. Microsoft is following with a similar category in Azure Marketplace. Google Cloud is figuring out their version. By mid-2027 most AI runtime control deployments will originate from a marketplace transaction, not a direct sales motion. Vendors that ship strong marketplace listings (free trials, transparent pricing, fast deploy) will outperform vendors with traditional enterprise sales motions.

3. Audit-grade evidence becomes the procurement gate in regulated industries. SOC 2 auditors and financial regulators are starting to ask specific questions about AI agent governance. By Q2 2027, “show me the audit trail of every AI-initiated wire transfer for the last 12 months” will be a standard examination question. Vendors that can produce this evidence on demand will win regulated-industry deals; vendors that can’t will not be on the shortlist.

4. Two of the eight current vendors will be acquired. The standalone AI security vendor model has a finite shelf life. Cisco, Palo Alto, CrowdStrike, SentinelOne, Microsoft, and Google all have AI runtime control teams either built or being built internally. They’ll buy rather than build the parts they can’t catch up on. Zenity and HiddenLayer are the most likely targets given their installed base and Microsoft / DoD relationships respectively. Watch the announcements between H2 2026 and Q2 2027.

5. The category bifurcates into “developer infrastructure” and “enterprise control plane.” Developers will adopt open-source runtime engines via package managers (npm, pip, cargo) and run them in-process with their agents. Enterprise security teams will buy commercial control planes that aggregate evidence across hundreds of agents, generate compliance reports, and integrate with existing SIEM/SOAR. The same vendor can serve both but the products will diverge.

What this means for buyers right now

If you’re a CISO, AI/ML platform lead, or engineering director deciding whether to act in 2026:

Do not wait. The cost of being early in this category is low (free open-source options, marketplace-priced commercial products under $50K/year for small deployments). The cost of being late is the same regulators and auditors asking the same questions while you have no evidence to give them.

Start with the open-source piece. If your engineers can spend a weekend evaluating a runtime engine, that weekend is worth more than a six-week procurement cycle for a commercial product. Pick the open-source project that most closely matches your runtime (vaikora-llm-gateway, OPA’s AI extensions, or Lakera’s open-source bits) and deploy it in observe mode.

Layer the commercial product on top. Once you’ve validated the open-source piece, the commercial product gives you the management console, the audit log retention, the starter rule sets for your industry, and the SOC 2 evidence pack. The procurement conversation gets easier when you can point at an actually-deployed open-source baseline.

Treat your first ruleset as version 0.1. You will not get the rules right on the first try. Plan for quarterly review with security, engineering, and compliance leads. Plan for rule version control. Plan for being wrong about which actions are most risky and updating the rules as you learn.

Watch the AWS Marketplace AI Agents and Tools category. When this category launches in Q3 2026, the listings will become the procurement-easy path for most buyers. Vendors that are listed will get traction faster than those that aren’t, and you’ll see new entrants on a monthly basis.

How Vaikora fits the picture

Disclosure: this post is published by Data443, makers of Vaikora. The framing above is intended to be objective; the placement of Vaikora in the vendor map is alongside the seven other vendors, not above them.

Vaikora’s specific bets are deterministic policy enforcement (covered in Post 1 of this series), the open-source vaikora-llm-gateway on GitHub as the credibility play, and audit-grade evidence packs for regulated industries (covered in the OWASP LLM Top 10 mapping post). If those match your buying priorities, see the Vaikora flagship page for the full product overview, or book a demo at vaikora.com. If they don’t, one of the other seven vendors above will be a better fit, and the most important thing is that you pick one and deploy it.

Frequently asked questions

Is AI runtime control the same as AI security?
No. AI security is the broader category that includes model robustness, training data integrity, supply chain hardening, and runtime control. AI runtime control is specifically the layer that sits between the agent and its actions. Most enterprises need both, from one or several vendors.

Is this market crowded or empty?
Eight vendors with serious traction, and another ten or twenty in early stage. Adjacent markets at the same maturity level (network security in 2002, cloud security in 2014) had similar fragmentation before they consolidated to 3-5 dominant vendors over 5-7 years. Expect the same pattern here.

How do I evaluate a vendor in this category?
Start with the threat model. Write down the five most important risks for your specific agent deployments. Then ask each vendor to demonstrate how their product addresses each risk, with specific rule examples and audit log samples. Vendors that can’t demonstrate concrete coverage are doing more marketing than engineering.

Should I build instead of buy?
For small teams (<5 ML engineers), no. The complexity of doing this well exceeds what most small teams can sustain. For large teams (>20 ML engineers), maybe, but only if you have a clear differentiation case (highly custom runtime, extreme latency requirements, classified environment). For most teams in between, buy + customize.

What’s the typical contract size?
Open-source: free, your only cost is engineering time. Commercial entry tier: $20K-$80K per year for small deployments. Mid-market: $80K-$300K. Enterprise: $300K-$1M+ with custom integration work. Marketplace-listed self-serve tiers usually start under $20K and scale by usage.