Analysis
This research does not constitute an exhaustive list of vendors in any given technology area, but rather is designed to highlight interesting, new and innovative vendors, products and services. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
This research does not constitute an exhaustive list of vendors in any given technology area, but rather is designed to highlight interesting, new, and innovative vendors, products, and services. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
What You Need to Know
Enterprises continue their efforts to consume and build AI applications. They need to implement specialized privacy, quality, reliability, and security controls across all phases of the AI technology life cycle.
Technology innovations are happening in key areas of AI security across the secure software development life cycle (SSDLC) with a portfolio of products:
AI security testing: Testing automation is often performed during development, with a strong focus on adversarial testing of AI applications to support red teams.
AI runtime defense: Protection and policy at runtime. While these tools go beyond security controls to include moderation, the primary objective of security teams is to prevent attacks with these tools.
AI security posture management (AI SPM): Discovery and monitoring of AI infrastructure security challenges (AI SPM).
AI usage control: Organizations adopting third-party AI applications or witnessing their existing enterprise applications adding AI features should evaluate the value of specialized AI security tools. These tools perform discovery and provide more granular policies against existing technologies, such as security service edge (SSE) (see CISOs Must Bring Shadow AI Into the Light).
Noma Security
Analysis by: Avivah Litan, Jeremy D’Hoinne, Dennis Xu
Why Cool: Noma Security provides broad and deep AI security and governance, and has more recently expanded its coverage to securing agentic AI. Noma Security offers a platform covering the entire AI application security life cycle, including unified discovery, posture management, runtime protection, supply chain security, and compliance. It supports AIBOM for transparency aligned with regulations and standards such as the EU AI Act and NIST. The Noma Security platform includes several capabilities:
Emerging AI agent security features (both code-based, like LangChain, and no-code, like Microsoft Copilot or Salesforce Agentforce), with contextual analysis to minimize false positives.
AI attack surface discovery (AI platforms, cloud services, source code, MLOps, agents), providing visibility into shadow AI and risks like sensitive data training or code execution.
Real-time blocking with adaptive runtime controls, supporting passive logs and in-line modes via API/SDK/proxy, enabling proactive defense without workflow disruption.
Compliance Support assistant that facilitates adherence to standards like ISO/IEC 42001, with features like supply chain scanning for model vulnerabilities and offensive security testing services.
Challenges: the Noma Security platform relies on third-party platform APIs for telemetry, which can be partial or unusable, limiting real-time insights in nonpartnered ecosystems and forcing after-the-fact analysis. Noma Security AI agent security journey remains recent and to date lacks advanced multiagent system orchestration, comprehensive ethics, fairness, and intellectual property (IP) risk controls, which could lower appeal in mature markets.
Who Should Care:
CISOs, CIOs, AI leaders, AI/ML engineers, and compliance officers in enterprises heavily investing in AI, particularly those in regulated sectors where security gaps could lead to breaches or fines, should evaluate Noma Security. Global enterprise firms adopting agentic AI (e.g., via Microsoft Copilot or Databricks) or facing shadow AI risks should care, as should startups using AI who need scalable governance.
Enkrypt AI
Analysis by: Dennis Xu
Why Cool: Enkrypt AI is cool because it is one of the first providers to support the voice modality in its offensive security testing and runtime control products. The vendor’s real-time voice guardrail is a critical pillar of its AI security platform, enabling the safe and secure adoption of voice-based AI agents. For example, when a customer service AI agent accepts inbound client calls directly, the real-time voice guardrail can identify and block malicious voice instructions.
Enkrypt AI allows organizations to ingest policy or regulation artifacts, whether it’s a common regulation or an industry-specific policy framework. Its guardrail can evaluate GenAI application input and output text, audio, and images against the ingested policy to identify and block content that violates uploaded policies or regulations. Its security testing product can generate tests to ensure compliance requirements are met.
Real-time voice guardrails require low-latency end-to-end voice models that take voice as input and a verdict to pass or block as output.
Many other AI security startups offer voice guardrails by running voice commands through speech-to-text conversion first, then feeding the extracted text through existing text-based guardrails to identify and block undesired input, such as prompt injection instructions. Such conversion adds latency to the flow, which is typically a barrier for real-time processing.
Enkrypt AI is one of the few AI security startups that produced an LLM safety leaderboard to measure the safety and security levels of hundreds of foundational language models. The leaderboard helps organizations select the right model based on its performance versus risk comparison ratio.
Challenges: Not all industries will adopt voice-based agents. If the adoption of voice-based AI agents is not fast enough to create enough momentum for Enkrypt AI, their investment in the development of voice guardrails will not pay off. They will lose a key differentiator in other evaluations. AI security is an increasingly crowded and competitive market. A large group of early-stage startups competes against each other and with incumbent security vendors that are adding AI security features.
Who Should Care:
Organizations developing AI agents, especially those that can take actions based on a client’s voice, image, or text input commands, should evaluate Enkrypt AI’s multimodal guardrail to identify and block malicious or undesired instructions, including voice commands. Organizations evaluating foundational language models to support their AI project could reference Enkrypt AI’s LLM safety leaderboard, together with safety leaderboards from other sources, to select the model with the right safety and security level.
Prompt Security
Analysis by: Jeremy D’Hoinne, Avivah Litan
Why Cool: Prompt Security is cool because it provides an intent-based policy engine across the employees, developers, and custom-built enterprise applications use cases. This allows the vendor to offer depth of security and scalable solutions to meet the more stringent requirements of organizations with more mature GenAI initiatives:
It offers many deployment options, including endpoint agents, web proxy, and browser extension integrations to ensure broad discovery of shadow AI from employees. It also supports on-premises deployment of its analytics servers for higher sensitivity use cases.
It can detect misuses, data leakage, inaccurate or inappropriate content, security, and data privacy issues, enabling admins to create content moderation and security policies.
It covers more than 10,000 AI sites with its discovery capabilities and offers granular controls for the most prevalent applications, such as ChatGPT enterprise, AI code assistants, and AI code editors, such as GitHub Copilot and Cursor. It goes beyond blocking traffic with features such as content redaction.
The vendor’s recent AI security testing service helps security teams assess the resistance of AI applications against adversarial attacks to fine-tune the security policies deployed at runtime.
The vendor recently released real-time monitoring, control, and protection for MCP (Model Context Protocol) interactions, enabling discovery of MCP usage, posture via risk scoring (e.g., evaluating 13,000+ MCP servers on GitHub), runtime threat blocking, and compliance through policy enforcement and audit logging.
With SentinelOne’s 5 August 2025 announcement that it is acquiring Prompt Security, Prompt gains access to SentinelOne’s global infrastructure, client base, and resources, enabling it to scale much faster.
Challenges: Prompt Security needs to continue to provide enough depth to beat growing competition. As organizations evolve their AI applications into AI agents, Prompt Security will need to extend the scope of its intent-based policy engine to improve coverage of attacks on tool invocation. Its agentic AI Security functions are currently limited in scope to MCP. It primarily focuses on protecting MCP servers, which doesn’t address broader threats on AI agents, such as erratic and misaligned agent behavior, hallucinations, data compromise, or ethical missteps.
Prompt Security may be culturally challenged by having to adapt to the administrative processes of SentinelOne, a larger, publicly traded company. This could slow down innovation and decision making and lead to talent turnover, as is common in tech acquisitions.
Who Should Care: Cybersecurity leaders in charge of monitoring employees using third-party GenAI applications and securing custom-built AI applications and agents should evaluate how Prompt Security can support their use cases.
Miggo
Analysis by: Bart Willemsen
Why Cool: Miggo Security is cool because it promises to detect and respond to security flaws in applications connected to the system in a matter of minutes. Their AI-augmented vulnerability detection covers not only known vulnerabilities, but can also find new attack patterns through analysis of runtime operations. An application can be connected to the platform regardless of where it runs (e.g., cloud or on-premises). Agentless integration to traces, profiles, and configurations, including Kubernetes, is coupled with runtime sensors that look for threats and vulnerabilities. Exposing the risk includes a probability estimate of the attacker’s path and is augmented by a detailed analysis of the exposure. Potentially included AI components to the application are discovered and registered in the process, and similarly analyzed for exploits. Miggo WAF Copilot enables quick autoremediation by adding a WAF rule, adjusting API security settings, etc. The runtime observation includes non-AI components and is treated the same way. The application map is completed within the first 24 hours of deployment of the platform.
Any potential AI attack path found is prioritized for exposure mitigation to prevent data breaches before it is exploited. Runtime detection capabilities allow the rapid treatment of zero-days and unknown unknowns. In addition to the ad hoc analyses, a continuously expanding database is maintained with every newly found weakness, added to with an OSINT-based inventory of known vulnerabilities worldwide.
Challenges: Miggo Security’s first challenge is of an ethical nature: Newly discovered 0-days are not readily shared with the general public, either directly or via central resources like CISA. Instead, they’re periodically launching parts of the database to the public, as a form of giving back, following an internal governance process led by the vendor’s ethics committee. Knowing, though, that the release of this information isn’t controlled for what can and cannot be exploited, when the same platform isn’t installed to immediately remediate. Finding and disclosing 0-days is an ongoing strategic set of choices. Second, they need to continuously demonstrate the value added in comparison to other runtime application security technologies. To use AI in securing AI is a terrain of constant innovation, and to take a leading position will be difficult in the long term. Also, a promise of ‘finding every vulnerability’ is only as strong as the ongoing quality of detection and exposure, and path prediction. What is potentially not found, but not known, remains a blind spot.
Who Should Care: Cybersecurity leaders who face a complex application landscape and increased presence and usage of AI technology organizationwide should investigate Miggo’s platform. In general, organizations that struggle in keeping up with threat detection and exposure remediation will be interested in Miggo Security’s approach.