The Mushroom Market: A Field Guide to Agentic AI Security

Industry Insights
Blog

Key Takeaways

The agentic AI security market is confused not because vendors are cynical, but because there are three legitimate ways to cut it, and most vendors blur all three in the same breath.
The cut that actually clarifies the market is not where the agent runs. It is who built it and who is responsible for securing it: engineering-built AI, IT-managed AI, and business-built AI are three different problems with three different owners.
Business-built agents spun up by non-developers on Copilot Studio, Agentforce, and ChatGPT Enterprise are the orphaned category in agentic AI security: no SDLC, no AppSec review, and no clear owner in the security org.
Gartner projects that through 2026, at least 80% of unauthorized AI transactions will come from internal causes including oversharing and excessive access, not adversarial attack. The dominant agentic AI risk is already inside your walls.
The failure mode across most agentic AI security tools is stopping at posture visibility: a report telling you where you are exposed, which then becomes your problem to act on. Enforcement and remediation are where most vendors quietly stop.

At Opsin, transparency is a core value. Internally, almost everything we know is shared by default. This memo is that value pointed outward: the view we've formed after hundreds of conversations with CISOs and security teams trying to secure AI. I'd rather argue it in public than keep it in a deck.

Here's what we keep hearing: every vendor in agentic AI security sounds identical. Same words: “runtime,” “guardrails,” “agentic,” “posture,” “Zero Trust for AI.” Same promises. One CISO summed it up better than I could: “This is a mushroom market." Things sprout overnight, in the dark, and nobody’s sure which ones are safe to eat.

It isn’t only buyers who feel this. Cisco’s own security leadership has written that “AI security” has become an overloaded bucket: when a CISO says it, they might mean protecting AI from attackers, using AI to catch attackers, stopping data from leaking into AI tools, or stopping AI from producing harmful output. The honest answer to “which one?” is usually all of the above. Which is the whole problem. Trade press covering the category has reached the same verdict: the pitches have converged to the point where messaging no longer differentiates anyone.

So this piece tries to do three things: explain why everyone sounds the same, offer a cleaner way to cut the market, and hand you, if you're the one buying, a rubric to tell these tools apart.

Why every Agentic Security vendor sounds the same

The confusion isn’t mostly vendors being cynical. It's that there are several legitimate ways to slice this market, and people blur them in the same breath.

You can cut it by control layer — identity, data, model, network, application. Most analysts do; Gartner’s AI TRiSM and Forrester’s AEGIS are both, underneath, control-layer models.

You can cut it by lifecycle stage — securing AI as it’s built, deployed, and run. Red-teaming a model before launch and policing it at runtime are different businesses.

And you can cut it by where the agent runs — on a laptop, inside a cloud platform, behind your app. This is the one everybody reaches for first, because it’s the most concrete.

When a vendor describes themselves on one of these and you're judging them on another, of course it sounds like mush.

But here’s the cut that finally made the market legible for me, and it's the one I’d build the whole conversation around: where the agent runs is a proxy. The principle underneath it is ownership who built the agent, and who’s on the hook to secure it. Slice the market that way and it stops being a mushroom patch. It becomes three very different problems with three very different owners.

The cut that actually matters: who built it, and who's on the hook

Engineering-built AI IT-managed AI Business-built AI
Typical builder Engineering IT Business users (non-developers)
What it looks like Customer-facing bots, internal AI apps, coding agents (Cursor, Claude Code) Endpoint and browser agents IT deploys and manages Agents built on enterprise AI platforms: Copilot Studio, Agentforce, Gemini, ChatGPT Enterprise, ServiceNow
Secured today by SDLC, AppSec review, runtime / LLM firewalls Endpoint and infrastructure security Very little
The real gap Prompt injection, runtime attacks, harmful output Device and endpoint controls, shadow AI Identity, permissions, data governance, oversharing and excessive access
Who plays here Lakera (Check Point), Protect AI (Palo Alto), Robust Intelligence (Cisco) CrowdStrike, SentinelOne, Zscaler, Netskope Opsin, Varonis, Cyera, Microsoft Purview

Two of these three have a home.

  • Developer-built AI is owned by engineering. It goes through an SDLC, gets an AppSec review, and there’s a maturing set of runtime and LLM-firewall tools to defend it. That’s the world the prompt-injection companies live in.
  • IT-managed AI is owned by IT and protected the way IT protects everything else: at the endpoint and on the network.

And then there's the third category:

  • Agents that business users build themselves on enterprise AI platforms. A sales-ops manager wiring up an Agentforce flow. An analyst standing up a Copilot Studio agent over a SharePoint site. Someone spinning a custom GPT against a folder of contracts. No SDLC. No AppSec review. No engineering involvement at all. It's an orphan. Nobody clearly owns securing it, and it's the category with the most direct line to your enterprise identities, your permissions, and your data.

That’s not a runtime-location problem. It's a governance gap created by the democratization of AI development: for the first time, the person building a powerful, data-connected agent is often not a developer and never touches a security review.

Why the security gap is agent orphans

It’s worth being precise about why the tools you already own don't cover this. AppSec secures code your engineers write. Endpoint security secures devices. Neither was built for the situation that defines business-built AI: a non-developer granting an agent their own (often over-broad) access to enterprise data, through a platform’s native interface, with no code and no review in the loop.

To control the situation, security needs identity-aware and data-aware context: who can this agent act as, what can it reach, and should it be able to? Yet, that's a layer: data and identity governance for AI — that sits between the AppSec stack and the endpoint stack, owned by neither. That’s the orphan.

What the data says the real agent risk is

If you have budget for one thing, the evidence says it shouldn’t be prompt injection. Gartner projects that through 2026, at least 80% of unauthorized AI transactions will come from internal causes — oversharing, unacceptable use, AI behaving in ways it shouldn’t — rather than malicious attacks. Not 80% traced to a clever adversary. 80% from inside your own walls.

The field data agrees. A 2026 Cloud Security Alliance survey found that 82% of organizations already have AI agents running that they didn’t know about, and nearly two-thirds had hit an agent-related incident in the past year — 61% of them reporting data exposure as the result. OWASP now lists sensitive-information disclosure and excessive agency as categories separate from prompt injection, because they are separate problems — and the disclosure ones are far more common.

Read those numbers against the three categories above and the picture is hard to miss. The dominant risk isn't the adversary attacking your developer-built app. It’s the orphaned, business-built agent quietly oversharing data it was handed too much access to. The highest-probability risk sits squarely in the category nobody in security owns.

And this category doesn’t just lack an owner; it moves too fast to police by hand. The old path to enterprise software ran through stages: a business user filed a request, engineering built it, security reviewed it, and only then did it launch. Slow, but security got its checkpoint. Today that same business user stands up an agent in fifteen minutes:  inside the platform, no ticket, no review and does it again next week. No security team can manually inspect every one of those before it goes live. The checkpoint wasn’t removed; the build simply outran it. That’s the real case for automation here: at the speed and volume these agents are actually created, continuous, automated enforcement isn’t a convenience. It’s the only thing that scales.

Where Opsin sits (the opinionated part)

I’ll be transparent about my bias: the orphan is the category Opsin was built for. We secure the agents your business users are building on enterprise AI platforms: Copilot, Copilot Studio, ChatGPT Enterprise, Gemini, Claude for Work, Agentforce by continuously finding and fixing the oversharing and excessive access those agents inherit, before you turn them on and continuously after.

The failure mode I see most across this market is tools that stop at posture: a report telling you you’re exposed, which then becomes your problem to act on. The harder, more valuable job is turning that intent into enforcement: catching oversharing as it happens, remediating it, and keeping the gap closed as access sprawls and new agents appear. That’s the work we chose.

You don’t have to take my word that this category matters. Take Gartner’s and CSA’s. But you should pressure-test whether any vendor, us included, actually does what it claims. Which brings me to the part that’s useful no matter what you buy.

How to actually evaluate these tools

If you’re staring at twenty decks that sound the same, stop comparing feature lists. Compare on these eight dimensions instead:

  1. Coverage. Which AI surfaces does it actually touch, and can it see the agents your business users are spinning up on Copilot Studio, Agentforce, custom GPTs, and ServiceNow the day they appear, not the quarter after?
  2. Depth of data context. Can it tell what data is sensitive and tie it to who can access it? Test the classification on your own data, not the vendor’s demo set: published accuracy numbers are measured on ideal data.
  3. Identity awareness. Can it attribute an action to both the human and the agent (the non-human identity) and reason about excessive privilege?
  4. Enforcement vs. visibility. Does it block at the point of action: the prompt, the response, the tool call or just generate a report you now have to act on?
  5. Remediation. When it finds a problem, can it fix it, revoke access, correct a permission, route to the data owner, or does it only alert? This is where most tools quietly stop.
  6. Integration footprint. Does it fit your SIEM/SOAR/ticketing stack? Is it API-based, an agent, or network-inline and what does that cost you in latency and deployment pain?
  7. Outcomes, not features. Make the vendor state a measurable operational outcome: investigation time cut, violations reduced not a list of capabilities. The structure of their answer tells you more than their messaging.
  8. Honesty about blind spots. Every tool has them. The vendors worth trusting will name theirs without being cornered into it.

Run a POC in your own environment. Ask each vendor what they can’t do. The good ones will have an answer ready.

The platform wave is already here

One more thing to price in: this market is consolidating fast, and the point categories are being absorbed into platforms as we speak. In barely a year, Palo Alto bought Protect AI, Cisco bought Robust Intelligence and then Astrix, Check Point bought Lakera, SentinelOne bought Prompt Security, Crowdstrike bought Pangea, and Cato bought Aim Security.

The lesson for buyers isn’t “wait for the platforms.” It’s that platforms acquire the easy layers first: the firewall, the scanner, the developer-built world and the hard one last: identity-aware, data-aware governance of the business-built agents sprawling across messy enterprise SaaS. That’s the orphan, and it’s the layer I’d be slowest to assume my platform vendor has already solved. Re-check that assumption every quarter. The day Microsoft, Palo Alto, or CrowdStrike genuinely closes that gap for Copilot and Agentforce natively is the day the math changes.

Microsoft can govern Microsoft but it won’t close the governance gap when organizations are deploying Microsoft AND Salesforce, ServiceNow, Google, OpenAI, Anthropic, and whatever comes next.  

The point

The market is confused because we’ve let it be: several surface cuts mashed into one vocabulary, until everything sounds the same and nothing sounds true. The way out is a sharper question. Not where does the agent run, but who built it, and who's responsible for securing it. Ask that, and three different problems with three different owners fall out, and one of them, the business-built orphan, is both the most exposed and the least defended.

We’re opinionated about that. We should be. Opsin lives in the orphaned category. But the rubric above works no matter where you land. Use it. And if a vendor can’t tell you, in one sentence, which of the three they secure and what they don’t, that’s your answer.

Which category do you think is most under-served and who in your org actually owns securing it? I’d genuinely like to know. That’s the kind of disagreement that makes this market a little less of a mushroom patch.

Table of Contents

LinkedIn Bio >

FAQ

No items found.
About the Author
James Pham
James Pham is the Co-Founder and CEO of Opsin, with a background in machine learning, data security, and product development. He previously led ML-driven security products at Abnormal Security and holds an MBA from MIT, where he focused on data analytics and AI.
LinkedIn Bio >

The Mushroom Market: A Field Guide to Agentic AI Security

At Opsin, transparency is a core value. Internally, almost everything we know is shared by default. This memo is that value pointed outward: the view we've formed after hundreds of conversations with CISOs and security teams trying to secure AI. I'd rather argue it in public than keep it in a deck.

Here's what we keep hearing: every vendor in agentic AI security sounds identical. Same words: “runtime,” “guardrails,” “agentic,” “posture,” “Zero Trust for AI.” Same promises. One CISO summed it up better than I could: “This is a mushroom market." Things sprout overnight, in the dark, and nobody’s sure which ones are safe to eat.

It isn’t only buyers who feel this. Cisco’s own security leadership has written that “AI security” has become an overloaded bucket: when a CISO says it, they might mean protecting AI from attackers, using AI to catch attackers, stopping data from leaking into AI tools, or stopping AI from producing harmful output. The honest answer to “which one?” is usually all of the above. Which is the whole problem. Trade press covering the category has reached the same verdict: the pitches have converged to the point where messaging no longer differentiates anyone.

So this piece tries to do three things: explain why everyone sounds the same, offer a cleaner way to cut the market, and hand you, if you're the one buying, a rubric to tell these tools apart.

Why every Agentic Security vendor sounds the same

The confusion isn’t mostly vendors being cynical. It's that there are several legitimate ways to slice this market, and people blur them in the same breath.

You can cut it by control layer — identity, data, model, network, application. Most analysts do; Gartner’s AI TRiSM and Forrester’s AEGIS are both, underneath, control-layer models.

You can cut it by lifecycle stage — securing AI as it’s built, deployed, and run. Red-teaming a model before launch and policing it at runtime are different businesses.

And you can cut it by where the agent runs — on a laptop, inside a cloud platform, behind your app. This is the one everybody reaches for first, because it’s the most concrete.

When a vendor describes themselves on one of these and you're judging them on another, of course it sounds like mush.

But here’s the cut that finally made the market legible for me, and it's the one I’d build the whole conversation around: where the agent runs is a proxy. The principle underneath it is ownership who built the agent, and who’s on the hook to secure it. Slice the market that way and it stops being a mushroom patch. It becomes three very different problems with three very different owners.

The cut that actually matters: who built it, and who's on the hook

Engineering-built AI IT-managed AI Business-built AI
Typical builder Engineering IT Business users (non-developers)
What it looks like Customer-facing bots, internal AI apps, coding agents (Cursor, Claude Code) Endpoint and browser agents IT deploys and manages Agents built on enterprise AI platforms: Copilot Studio, Agentforce, Gemini, ChatGPT Enterprise, ServiceNow
Secured today by SDLC, AppSec review, runtime / LLM firewalls Endpoint and infrastructure security Very little
The real gap Prompt injection, runtime attacks, harmful output Device and endpoint controls, shadow AI Identity, permissions, data governance, oversharing and excessive access
Who plays here Lakera (Check Point), Protect AI (Palo Alto), Robust Intelligence (Cisco) CrowdStrike, SentinelOne, Zscaler, Netskope Opsin, Varonis, Cyera, Microsoft Purview

Two of these three have a home.

  • Developer-built AI is owned by engineering. It goes through an SDLC, gets an AppSec review, and there’s a maturing set of runtime and LLM-firewall tools to defend it. That’s the world the prompt-injection companies live in.
  • IT-managed AI is owned by IT and protected the way IT protects everything else: at the endpoint and on the network.

And then there's the third category:

  • Agents that business users build themselves on enterprise AI platforms. A sales-ops manager wiring up an Agentforce flow. An analyst standing up a Copilot Studio agent over a SharePoint site. Someone spinning a custom GPT against a folder of contracts. No SDLC. No AppSec review. No engineering involvement at all. It's an orphan. Nobody clearly owns securing it, and it's the category with the most direct line to your enterprise identities, your permissions, and your data.

That’s not a runtime-location problem. It's a governance gap created by the democratization of AI development: for the first time, the person building a powerful, data-connected agent is often not a developer and never touches a security review.

Why the security gap is agent orphans

It’s worth being precise about why the tools you already own don't cover this. AppSec secures code your engineers write. Endpoint security secures devices. Neither was built for the situation that defines business-built AI: a non-developer granting an agent their own (often over-broad) access to enterprise data, through a platform’s native interface, with no code and no review in the loop.

To control the situation, security needs identity-aware and data-aware context: who can this agent act as, what can it reach, and should it be able to? Yet, that's a layer: data and identity governance for AI — that sits between the AppSec stack and the endpoint stack, owned by neither. That’s the orphan.

What the data says the real agent risk is

If you have budget for one thing, the evidence says it shouldn’t be prompt injection. Gartner projects that through 2026, at least 80% of unauthorized AI transactions will come from internal causes — oversharing, unacceptable use, AI behaving in ways it shouldn’t — rather than malicious attacks. Not 80% traced to a clever adversary. 80% from inside your own walls.

The field data agrees. A 2026 Cloud Security Alliance survey found that 82% of organizations already have AI agents running that they didn’t know about, and nearly two-thirds had hit an agent-related incident in the past year — 61% of them reporting data exposure as the result. OWASP now lists sensitive-information disclosure and excessive agency as categories separate from prompt injection, because they are separate problems — and the disclosure ones are far more common.

Read those numbers against the three categories above and the picture is hard to miss. The dominant risk isn't the adversary attacking your developer-built app. It’s the orphaned, business-built agent quietly oversharing data it was handed too much access to. The highest-probability risk sits squarely in the category nobody in security owns.

And this category doesn’t just lack an owner; it moves too fast to police by hand. The old path to enterprise software ran through stages: a business user filed a request, engineering built it, security reviewed it, and only then did it launch. Slow, but security got its checkpoint. Today that same business user stands up an agent in fifteen minutes:  inside the platform, no ticket, no review and does it again next week. No security team can manually inspect every one of those before it goes live. The checkpoint wasn’t removed; the build simply outran it. That’s the real case for automation here: at the speed and volume these agents are actually created, continuous, automated enforcement isn’t a convenience. It’s the only thing that scales.

Where Opsin sits (the opinionated part)

I’ll be transparent about my bias: the orphan is the category Opsin was built for. We secure the agents your business users are building on enterprise AI platforms: Copilot, Copilot Studio, ChatGPT Enterprise, Gemini, Claude for Work, Agentforce by continuously finding and fixing the oversharing and excessive access those agents inherit, before you turn them on and continuously after.

The failure mode I see most across this market is tools that stop at posture: a report telling you you’re exposed, which then becomes your problem to act on. The harder, more valuable job is turning that intent into enforcement: catching oversharing as it happens, remediating it, and keeping the gap closed as access sprawls and new agents appear. That’s the work we chose.

You don’t have to take my word that this category matters. Take Gartner’s and CSA’s. But you should pressure-test whether any vendor, us included, actually does what it claims. Which brings me to the part that’s useful no matter what you buy.

How to actually evaluate these tools

If you’re staring at twenty decks that sound the same, stop comparing feature lists. Compare on these eight dimensions instead:

  1. Coverage. Which AI surfaces does it actually touch, and can it see the agents your business users are spinning up on Copilot Studio, Agentforce, custom GPTs, and ServiceNow the day they appear, not the quarter after?
  2. Depth of data context. Can it tell what data is sensitive and tie it to who can access it? Test the classification on your own data, not the vendor’s demo set: published accuracy numbers are measured on ideal data.
  3. Identity awareness. Can it attribute an action to both the human and the agent (the non-human identity) and reason about excessive privilege?
  4. Enforcement vs. visibility. Does it block at the point of action: the prompt, the response, the tool call or just generate a report you now have to act on?
  5. Remediation. When it finds a problem, can it fix it, revoke access, correct a permission, route to the data owner, or does it only alert? This is where most tools quietly stop.
  6. Integration footprint. Does it fit your SIEM/SOAR/ticketing stack? Is it API-based, an agent, or network-inline and what does that cost you in latency and deployment pain?
  7. Outcomes, not features. Make the vendor state a measurable operational outcome: investigation time cut, violations reduced not a list of capabilities. The structure of their answer tells you more than their messaging.
  8. Honesty about blind spots. Every tool has them. The vendors worth trusting will name theirs without being cornered into it.

Run a POC in your own environment. Ask each vendor what they can’t do. The good ones will have an answer ready.

The platform wave is already here

One more thing to price in: this market is consolidating fast, and the point categories are being absorbed into platforms as we speak. In barely a year, Palo Alto bought Protect AI, Cisco bought Robust Intelligence and then Astrix, Check Point bought Lakera, SentinelOne bought Prompt Security, Crowdstrike bought Pangea, and Cato bought Aim Security.

The lesson for buyers isn’t “wait for the platforms.” It’s that platforms acquire the easy layers first: the firewall, the scanner, the developer-built world and the hard one last: identity-aware, data-aware governance of the business-built agents sprawling across messy enterprise SaaS. That’s the orphan, and it’s the layer I’d be slowest to assume my platform vendor has already solved. Re-check that assumption every quarter. The day Microsoft, Palo Alto, or CrowdStrike genuinely closes that gap for Copilot and Agentforce natively is the day the math changes.

Microsoft can govern Microsoft but it won’t close the governance gap when organizations are deploying Microsoft AND Salesforce, ServiceNow, Google, OpenAI, Anthropic, and whatever comes next.  

The point

The market is confused because we’ve let it be: several surface cuts mashed into one vocabulary, until everything sounds the same and nothing sounds true. The way out is a sharper question. Not where does the agent run, but who built it, and who's responsible for securing it. Ask that, and three different problems with three different owners fall out, and one of them, the business-built orphan, is both the most exposed and the least defended.

We’re opinionated about that. We should be. Opsin lives in the orphaned category. But the rubric above works no matter where you land. Use it. And if a vendor can’t tell you, in one sentence, which of the three they secure and what they don’t, that’s your answer.

Which category do you think is most under-served and who in your org actually owns securing it? I’d genuinely like to know. That’s the kind of disagreement that makes this market a little less of a mushroom patch.

Get Your Copy
Your Name*
Job Title*
Business Email*
Your copy
is ready!
Please check for errors and try again.

See, secure, and scale AI

Get your free AI agent risk assessment.
Results in 24 hours.
Start Your Free Risk Assessment →