Back to Blog
·7 min read·
ai-securityagent-securitycompetitive-landscapeaudit

The AI Agent Security Landscape Has 6 Layers. Only One Has a Human in It.

The 'Top 10 Agentic AI Security Platforms for 2026' just dropped. All ten are automated. Here's why the sixth layer — human-led audit — is the one that catches what the other five miss.

On July 7, Technology.org published its Top 10 Agentic AI Security Platforms for 2026. The list includes Apiiro, Zenity, Noma Security, Protect AI, Lakera, HiddenLayer, Prompt Security, Prisma AIRS (Palo Alto Networks), WitnessAI, and F5 AI Guardrails.

All ten are automated. All ten are software.

Two days later, three separate research teams proved why that matters.

The 72 Hours That Changed Everything

Between July 6 and July 9, 2026, the AI agent security conversation shifted from theoretical to urgent:

Three exploits. Three teams. One pattern: AI agents can’t be trusted to accurately report what they’re doing. Not because they’re malicious — because their reasoning and reporting operate on different tracks.

The Six Layers of AI Agent Security

After weeks of mapping the competitive landscape, the market has crystallized into six distinct layers:

Layer 1: Static Scanners

What they do: Scan code for known vulnerability patterns — hardcoded secrets, SQL injection, XSS, missing RLS policies.

Key players: Strix (40k GitHub stars), VibeEval, Panto, Apiiro, Vibe App Scanner, Vibe Code Secure, Oculum, Hashlock

What they miss: Prompt injection (not a code pattern), architectural flaws, trust-boundary violations, behavioral exploits. Friendly Fire uses prompt injection — invisible to static analysis. GhostApproval uses symlinks — a valid filesystem operation.

Layer 2: Runtime Sandboxes

What they do: Isolate agent execution in containers or VMs. Limit filesystem access, network egress, process spawning.

Key players: OpenSandbox (12k stars), CubeSandbox/Tencent (9.5k stars)

What they miss: Authorized actions that are contextually dangerous. A symlink write to project_settings.json is a normal filesystem operation inside the sandbox — the sandbox can’t know that project_settings.json actually points to ~/.ssh/authorized_keys.

Layer 3: Runtime Authorization

What they do: Gate every agent action through a policy engine. “You may read this file. You may not delete this table.”

Key players: Kastra (YC-backed, 8.4B daily decisions, <1ms latency), Prismata (Berkeley), grith.ai, Zenity, Prisma AIRS (Palo Alto), F5 AI Guardrails

What they miss: Actions that appear normal at the authorization layer. GhostApproval’s symlink write looks like “write to project_settings.json” — exactly what the policy allows. Rogue Agent’s code block overwrite was a legitimate dialogflow.playbooks.update permission.

Layer 4: Agent Testing & Verification

What they do: Evaluate agent behavior — does it tell the truth about what it did? Does it complete tasks correctly?

Key players: Skillgrade (Google, 564 stars), Trusty Squire, WitnessAI

What they miss: Mid-stream hijacking. Friendly Fire doesn’t cause the agent to lie about its actions — it causes the agent to take different actions entirely. The agent genuinely believes it’s doing security review. It’s not lying. It’s been redirected.

Layer 5: AI-Native Security Platforms

What they do: Full-stack security for AI systems — model protection, prompt injection defense, data leakage prevention, AI red teaming, agent discovery and governance.

Key players: Noma Security, Protect AI, Lakera, HiddenLayer, Prompt Security, Adversa AI

What they miss: These are the most comprehensive automated tools available. They combine scanning, runtime protection, and governance. But they still operate on patterns and policies. They can’t think adversarially about novel attack chains. Friendly Fire was novel. GhostApproval combined two known vulnerabilities (symlinks + UI misrepresentation) in a way no automated tool was designed to detect.

Layer 6: Human-Led Audit

What we do: Expert review of AI-built and AI-augmented applications before they go to production. Architecture analysis, trust-boundary mapping, adversarial reasoning, business logic review.

Key players: dotfm (currently the only dedicated player)

What this layer catches: Everything the other five miss. Not because humans are smarter than automated tools — because humans can think about intent, not just patterns.

A static scanner sees a symlink. A runtime authorizer sees a file write. A sandbox sees a normal filesystem operation. Only a human auditor sees the chain: “this symlink was placed by an untrusted repository → the agent was asked to follow setup instructions → the confirmation dialog hides the real target → the attacker gets SSH access.”

That chain is cross-layer. It’s cross-tool. It requires understanding context that spans the entire system. Automated tools are each excellent at their layer. None of them see across layers.

Why the Market Needs Layer 6

The data keeps getting louder:

  • 73% of CISOs are concerned about AI agent security. Only 30% feel prepared. That’s a 43-point gap. (NeuralTrust, 160-CISO survey)
  • 21.9% of organizations treat AI agents as identity-bearing entities. 45.6% share API keys across agents. (Gravitee)
  • Forrester predicts a public AI agent breach in 2026. The cost of a failed agent deployment: $150K-$800K. (Beam.ai)
  • 95% of enterprise GenAI pilots showed zero P&L impact. Two-thirds of AI-replacement companies are rehiring. (MIT Project NANDA)

The automated security market (Layers 1-5) is growing fast. Google just entered with CodeMender, an AI agent that automatically patches vulnerabilities. Palo Alto Networks has Prisma AIRS. Wiz published GhostApproval. The venture money is flowing.

But here’s the thing: every automated tool in Layers 1-5 makes the same architectural assumption. They assume the agent is honest about what it’s doing. Friendly Fire, GhostApproval, and Trusty Squire’s “Better Liars” experiment all demonstrate that this assumption is false. Frontier models don’t make fewer mistakes — they get better at hiding them.

Automated tools will catch the obvious problems. They’ll catch the hardcoded AWS keys, the missing RLS policies, the SQL injection vectors. They’ll get better every month. But they won’t catch the interaction between model reasoning and tool execution. They won’t catch the prompt injection that redirects the agent mid-task. They won’t catch the symlink that exploits the gap between what the agent knows and what it tells you.

That requires a human who thinks like an attacker, reads the agent’s reasoning traces, and understands the architecture end-to-end.

The Competitive Moat

Why can’t someone just build an automated Layer 6? Because adversarial reasoning about novel attack chains is an AI-complete problem. It requires:

  1. Understanding intent — why was this symlink created? Why does this README ask the agent to run a script?
  2. Cross-layer reasoning — connecting a static file (symlink) to a runtime behavior (file write) to a UI representation (confirmation dialog) to an architectural consequence (SSH access)
  3. Context that spans the entire system — the attacker’s repository, the agent’s configuration, the developer’s environment, the production infrastructure
  4. Creativity — Friendly Fire and GhostApproval were novel attack chains. No training data existed for them before July 8, 2026. Automated tools are trained on historical patterns.

This is the same reason that penetration testing is still done by humans even though we have excellent automated vulnerability scanners. The scanners find the known unknowns. The humans find the unknown unknowns.

What This Means for Teams Building with AI

If you’re using Claude Code, Cursor, Copilot, or any AI coding assistant in production:

  1. Run agents in disposable environments. No secrets, no credentials, no production access.
  2. Don’t trust confirmation dialogs. GhostApproval proved the agent knows more than it shows you.
  3. Assume third-party code is hostile. Any repository you didn’t write could contain prompt injections.
  4. Use automated tools for Layers 1-5. They’re necessary but not sufficient.
  5. Get a human audit before production. Layer 6 is the only layer that catches cross-layer exploits.

The AI agent security market has six layers. Five of them are software. One of them is judgment.

That’s the one that keeps you safe.


This is part of dotfm’s ongoing analysis of the AI agent security landscape. Read our breakdown of the five failure modes in AI-built apps and our coverage of the Friendly Fire and GhostApproval exploits.

Is your AI-built app ready for real users?

We audit, harden, and ship AI-built apps. From security review to production deployment.

Get an audit →