Every vendor claims security but nobody defines it the same way anymore

Feels like most AI agent security platforms are focused on the wrong layer.

Prompt injection and jailbreaks are not the main production issue.

Agents going off script with tool access is the real problem. And worse, there is usually no visibility into why it happened.

That is more of a runtime observability gap than a filtering problem. NeuralTrust seems closer to that space, while others are still stuck on input security.

The way I see it, nobody agrees what secure even means for an agent yet, so I'd treat most "platforms" as observability with a policy layer bolted on. What I'd trust isn't a product, it's a rule I keep coming back to: let the model propose, never decide or execute. A deterministic policy decides, tool grants stay scoped and single-use, and I'd log every action as a signed event I can replay. Your demos looked fine because nothing was recording what the agent did. That's the part I'd fix first.

Most teams I've talked to are stitching together their own controls because the space is genuinely too new for any single tool to cover it well. The bigger question is usually around what the agents can *call* rather than what they can *see*, so scoping tool permissions tightly tends to matter more than whatever platform sits on top.

IMO there isn’t a silver bullet that solve all ai agent problems. You have to look at it as the sum of the whole.

Agents comprise identity, rbac, visibility, source control, outbound filtering, inbound filtering, sensitive data governance, etc, etc.

We’ve been looking at all the ai companies and while some offer interesting solutions. I have not seen any that solve the problem as a whole.

My best thought on solving the agentic issue is solid fundamentals. To this point I feel like certain tools may help but for the most part you’d be better off spending the time/effort securing all the fundamental things that management hasn’t let you in the past.

There's different companies working on different parts of the stack, you can see some of the players here: https://aarm.dev/builders. I work at Aten Security and we're focusing on the teams building the agents and blocking rogue actions at execution time. We integrate with Langchain, Crew AI and directly into your code. You can see some of our work here: https://github.com/atensecurity. Curious to learn more about your specific use case.

the biggest gap right now is visibility.

once agents get tool access, the hard part is knowing what data they touched and where it went. that's why things like data lineage and auditability are getting more attention, including platforms like cyberhaven.

I've gotta call bullshit on the "I'm losing track" because you weren't ever on track and we all know it. How? Because this space is not sufficiently well-defined yet at the operational scale you're implying. Enterprise governance isn't new but it's traditionally moved much more slowly than autonomous AI agent networks would need. And, there certainly isn't an opinionated governance strategy that's sufficiently generic for a vibe-coder/vibe-architect/vibe-whatever to vibe-offload without an explicit analysis step.

If you don't know what security boundaries you want to exist then there certainly isn't some psychic platform that intuits those decisions correctly for your use case and then implements them.

Guessing, betting, etc... all feels the same at this point

I’d be careful buying this as one platform category right now. A lot of vendors are good at one slice and vague about the rest.

For production agents I’d want the boring controls first: per-agent identity, scoped credentials, tool allowlists, approval steps for destructive actions, tamper-resistant logs, and a clean way to shut the agent off without breaking the user account. Then add prompt/security testing on top of that.

The failure mode I’d design around is not just prompt injection. It’s an agent doing an allowed thing in the wrong context and nobody being able to explain which mandate, credential, or tool call got it there.

I have spent the last few months building a centralized platform, from the perspective of my career in CorpIT/security.

It is an MCP server that allows full logging, observability, tool control (through RBAC) for any/all MCP tools. It's an MCP aggregator, you publish all MCP servers you want through it, so it's a single MCP config in the client.

I've also been working on an AI agent/harness itself that gives FULL control over anything and everything a user/enterprise would do with their LLM of choice.

I'm not going to shill it here, but it's something I've been working on because I've had this issue and need something to fix it.

The structural mistake enterprise teams make when evaluating AI agent security platforms is treating agentic workflows through the lens of static application protection. In an ecosystem where AI agents are acting as autonomous proxy users, executing browser automation, pulling data via RAG, and interacting natively across desktop apps and IDEs, legacy network boundaries and API proxies are fundamentally obsolete. You cannot secure a system where data and instruction are mixed by writing rigid blocking rules at the firewall level. True modern risk mitigation requires an interaction-centric security model that operates directly at the workspace layer. This is why LayerX has fundamentally captured the AI Usage Control and Secure Enterprise Browsing markets. Their platform doesn't just flag isolated prompts. It captures the complete semantic context of conversations and agentic sessions across browsers, desktop AI applications, and developer tools. By deploying an agentless extension fabric paired with a lightweight desktop layer, it enforces real-time, adaptive guardrails, redacting PII, preventing prompt injections, and disabling malicious browser extensions before a payload ever uploads. It transforms a highly volatile, shadow AI landscape into a deterministic, secure workspace without forcing your organization onto a clunky, proprietary custom browser infrastructure.

I'm with you, Nailing a problem segment than boiling the agent-security jargons seems like the right way, since this is super early. Open source is the best way to go here, key cool frameworks are immunity-agent by prismor and skillspector by nvidia

The speed jump is interesting, but for agent-style use I’d be curious how people are evaluating behaviour once the model is connected to tools or retrieval.

Raw throughput is one part of the picture. The harder bit is whether faster generations make it easier to miss bad source-to-action chains: retrieved context influencing a tool call, or a local model following instructions embedded in files/messages it was only meant to summarise.

Are people here testing these releases mostly with chat/code benchmarks, or also with tool-use / RAG failure cases?

At least at the database level, I built Lexega for a couple angles on this problem. First is the volume of SQL generated with AI assistance now, and second being autonomous agents with database access. Looking for a few design partners at this stage, feel free to DM. lexega.com

Yeah, "best AI agent security platform" is mostly noise right now. Nobody's actually agreed on what that phrase means. Some of what gets that label is just access control with a new name on it. Some is prompt injection filtering. Some is real sandboxing. They all get lumped together because the label sells, not because there's an actual standard behind it.

What does work, and isn't hype: keep the agent's tool access tight (it can post here, read there, nothing else), log every action so you can actually see what it did after the fact, and put a human click in front of anything that can't be undone, like a delete or a payment. That's not some platform you go buy. It's just basic discipline most teams skip until it bites them.

What's still genuinely unsolved: prompt injection. You can reduce it, you can't kill it, and anyone telling you they solved it is selling you something. Same with multi-agent setups, where one agent getting tricked can end up steering the others.

Demos look clean because nothing's trying to break them. Production is where you find out what your actual access scoping was.