Agent-security landscape — July 2026 snapshot¶
Field survey behind the AI-native-security path's big-swing spec, answering one question: does a full agent control plane already exist? Verified against live vendor pages, repos, and specs on 2026-07-08. This is the fastest-rotting page in the repo — treat anything below as a hypothesis after ~one quarter, and re-verify before building or interviewing on it.
The rubric¶
The control plane the big swing describes has five components:
- (a) Identity — per-agent identity with least-privilege grants
- (b) Brokering — all agent→agent and agent→tool traffic through a policy enforcement point
- (c) Policy + detector — policy-as-code plus an intent/risk detector in the message path
- (d) Taint — untrusted content tagged at ingress, provenance tracked across hops
- (e) Intervention, measured — allow/warn/block/confirm at the moment of risk, with audit and published precision/recall
Bottom line¶
No single system — commercial, OSS, or hyperscaler — ships the full combination as of July 2026. Every element exists somewhere, always disjoint:
- Inter-agent channel policy ships in Microsoft's Agent Governance Toolkit (OSS, public preview) and agentgateway (Linux Foundation); partially in AWS AgentCore Gateway + Policy.
- Taint tracking ships only intra-agent: Microsoft FIDES (experimental middleware), Invariant/Snyk dataflow rules (single trace; OSS repos stalling), pipelock (single session). Cross-hop multi-agent provenance exists only in research (PCAS, SAGA, the unmaintained CaMeL).
- Published detection quality exists only for stateless per-prompt classifiers (Meta PromptGuard 2, Lakera) that have no concept of agent topology.
The structural reason nobody has fused them: the topology-aware systems are deterministic enforcers with nothing probabilistic to measure, and the systems with published numbers are stateless classifiers. (b) + (d) + (e-with-metrics) in one control plane is genuine whitespace — which is exactly what the capstone's big-swing version targets at demo scale.
Commercial — AI runtime security¶
| Who | Has | Lacks |
|---|---|---|
| Palo Alto Prisma AIRS (absorbed Protect AI) | Inline prompt/tool-call interception (agent→tool), 29+ injection categories | A2A brokering (preview), taint, published P/R |
| Cisco AI Defense (+ Duo agent identity, + Astrix, closed 2026-06-29) | Agent NHIs + JIT creds, gateway interception of LLM/MCP calls, agent-specific detections | Taint, commercial A2A inspection, metrics; parts still "in development" |
| Zenity | Genuinely inline allow/block/modify pre-execution via per-platform hooks | Identity, taint, metrics; A2A is marketing language |
| Check Point / Lakera | Inline guard on prompts/outputs/MCP I/O. Only major vendor with published numbers — but an independent eval found recall 0.50 vs. marketing claims; read both | Identity, taint, A2A |
| SentinelOne / Prompt Security | MCP gateway reverse proxy, runtime injection blocking | Identity, taint, A2A, metrics |
| HiddenLayer | Tool-call inspection, session-reconstruction forensics (sees A2A, doesn't broker it) | Identity, taint, metrics |
Newer entrants (Noma, WitnessAI, Operant, Straiker, Pillar, Token Security, Natoma) each cover one or two components partially; none do taint or A2A message policy; none publish real P/R.
Commercial — identity & authorization¶
| Who | Has | Lacks |
|---|---|---|
| Microsoft Entra Agent ID (GA ~May 2026) | Strongest shipped (a): agents as first-class directory objects, conditional access at token issuance | Content-path brokering (lives in Defender agent runtime protection — preview), taint, metrics; API-key traffic bypasses it |
| Okta/Auth0 for AI Agents | Token Vault, fine-grained authz, CIBA async human-confirm (GA) | Inline PEP, A2A, taint; Cross App Access still unshipped |
| Aembit | MCP Identity Gateway = genuine inline PEP with credential exchange | Content inspection entirely (deterministic by design), A2A, taint |
| Oasis Security | Ephemeral per-session agent identities; the only shipped LLM intent-analysis inside an authz path | Broad brokering, A2A, taint, accuracy numbers for its own LLM |
Also: Descope, Permit.io (real OPA policy-as-code + MCP proxy, but its detection claims are undocumented), Arcade.dev (inline hooks, BYO detection), WorkOS.
Hyperscaler platforms¶
- AWS Bedrock AgentCore + Policy (GA Mar 2026) — Cedar policy-as-code over gateway-fronted tools and A2A traffic; deterministic, no detector, no taint. Documented examples are agent→tool.
- Microsoft Agent Governance Toolkit (OSS, public preview) — the one shipping inter-agent channel-policy system: Agent Mesh, inter-agent trust protocol, SPIFFE/DID identity, mesh-wide policy. No taint, no detector metrics, pre-GA.
- Microsoft FIDES (experimental, Agent Framework middleware) — the one shipping taint system: integrity/ confidentiality labels propagate through tool calls. Intra-agent only; not integrated with the Governance Toolkit.
- Google Agent Gateway + Model Armor — announced at Next '26; A2A enforcement is announcement-stage.
The closest thing to the full combination is Microsoft's AGT + FIDES — two unintegrated pre-GA products with no detector metrics.
Open source you can actually run¶
- agentgateway (Linux Foundation, Rust) — broadest OSS PEP: brokers agent→LLM, agent→tool (MCP), and agent→agent (A2A) with CEL policy, JWT/OAuth identity. No own detector, no taint.
- Meta LlamaFirewall (paper) — PromptGuard 2 + AlignmentCheck + CodeShield, the only project with real published numbers (97.5% recall @ 1% FPR; AgentDojo attack success 17.6%→1.75%). In-process library, not a broker.
- Invariant Labs (→ Snyk) — policy-as-code over traces with dataflow rules, the closest OSS to taint — but single-agent, and the OSS repos are stalling post-acquisition.
- IBM ContextForge — federates MCP servers and A2A agents through one governed endpoint; very active. No detector, no taint.
- Research artifacts worth reading, not running: SAGA (inter-agent access control via crypto tokens, NDSS 2026), CaMeL (capability/data-flow defense; explicitly unmaintained).
Standards — what's defined and what isn't¶
- A2A spec v1.0 (Apr 2026) — signed agent cards, per-skill OAuth scopes, mTLS. Authorization is agent-local by design: no protocol-level who-may-talk-to-whom policy, no taint.
- MCP authorization (rev 2025-11-25; next rev at RC) — OAuth 2.1, audience binding, token passthrough forbidden. No agent-as-principal identity, no PDP, no taint.
- OWASP Agentic Security Initiative — agentic Top 10 (Dec 2025): names insecure inter-agent comms, but prescribes channel encryption, not channel policy. No taint mechanism.
- NIST AI Agent Standards Initiative (Feb 2026) — RFI stage; no draft SP yet.
- OpenID AuthZEN + agent-era drafts — the only standardized PEP↔PDP brokering of MCP tool calls; nothing on A2A channels or taint.
Even on paper, no standard defines channel authorization between agents or taint semantics. The gap isn't just unshipped product — it's undefined territory.
Consolidation ledger (why this category is real)¶
Protect AI → Palo Alto (2025) · Lakera → Check Point (~$300M, Sep 2025) · Prompt Security → SentinelOne (~$180M, Sep 2025) · Invariant Labs → Snyk (Jun 2025) · Astrix → Cisco (~$400M, closed Jun 2026) · Oasis ↔ Cyera (talks reported Jul 2026, unsigned). Acquirers are paying for exactly the intersection this path trains: people who can build agents, break them, and measure the difference.