AI Application Protection Platforms (AI-APP): What the New Vendor Category Is, and Where Most of It Is Renamed CSPM

Samuel A.
The AI-APP slide deck a procurement lead sent me last week had the same shape as the AISPM deck six months earlier and the AIWPM deck twelve months before that. A unified protection platform for AI applications, architecture diagram rendered as concentric rings — model, infrastructure, guardrails, agents, tools, training data. The rule packs underneath, when I asked, were the same packs the vendor had shipped under CSPM in 2024, rebadged as AI-SPM in 2025, and now sold as the model layer of an AI Application Protection Platform in mid-2026. The question the CFO will eventually ask is whether anything material changed.

The honest answer is that some of it did, and most of it did not. AI-APP contains two or three genuinely new control surfaces, and a long tail of CSPM scoped to model registries with a tag layer renamed. The innovators are smaller AI-native players. The renamings are the incumbents — Wiz, Palo Alto, CrowdStrike, Orca, Snyk — racing to plant a flag before the specialists eat their lunch.

Key takeaways

  • AI-APP is the umbrella category Wiz, Palo Alto, CrowdStrike, Orca, and Snyk are converging on — end-to-end protection of the AI application stack, sold as a single platform.
  • Three controls are genuinely new: model-aware runtime detection (prompt injection caught at the inference path), agent identity and tool authorisation, and training-data lineage.
  • Most of the rest is CSPM scoped to model registries with a tag layer renamed — AI asset inventory, model-registry configuration scanning, and compliance posture mapped to NIST AI RMF or EU AI Act.
  • AI-APP sits closest to AIWPM. AI-native vendors (Lakera, Robust Intelligence, Protect AI) cover the inference-path controls the incumbents do not yet read with depth.
  • Greenfield AI deployments lean AI-native plus existing CSPM; existing enterprise stacks adding AI workloads lean CSPM-incumbent extending into AI; air-gapped or sovereign deployments build in-house.

The new category claim

Wiz, Palo Alto Networks, CrowdStrike, Orca Security, and Snyk are each pitching some variant of AI Application Protection Platform in the first half of 2026. The platform covers the model layer (foundation models, fine-tunes, versions), the infrastructure layer (cloud resources, vector stores, embedding pipelines), the guardrails layer (Bedrock Guardrails, Azure AI Content Safety, Vertex AI Safety filters), the agents layer (autonomous workflows, tool calls), and the training-data layer (AIBOM, dataset provenance).

The pitch is structurally seductive. The four-acronym stack — CSPM, DSPM, AIWPM, AISPM, mapped in the acronym-map piece — leaves seams nobody owns end-to-end. A unified AI-APP would solve a real procurement problem: one platform, no gaps, one compliance dashboard for EU AI Act Article 12 and Article 53 evidence.

Nobody currently ships that platform. What ships is a stitched-together collection of capabilities, the strongest of which sit at opposite ends of the vendor field, sold under a single SKU that hides the weak links.

What is genuinely new

Three controls under the AI-APP umbrella are genuinely new. They did not exist as productised capabilities in the CSPM lineage, and they matter on a production AI workload.

Model-aware runtime detection

Prompt injection has historically been caught at the application input — a regex on the user message, a moderation call, a Guardrails configuration blocking denied topics. The class of attack that bypasses input filtering — indirect injection through retrieved documents, multi-turn jailbreaks, encoded payloads, adversarial suffix attacks — is invisible there.

Model-aware runtime detection moves the inspection point onto the inference path. The control reads the model's reasoning trace, tool call sequence, and output distribution, and flags anomalous patterns against the workload's known-good behaviour profile. The signal differs from a Guardrails block; the latter is a policy decision, the former is a behavioural anomaly. Lakera Guard and Robust Intelligence built versions of this before the CSPM incumbents had a roadmap. Wiz announced a preview in early 2026; Palo Alto's version sits in Cortex Cloud's AI runtime module. AI-native specialists currently lead on detection accuracy.

Agent identity and tool authorisation

The IAM-for-AI-agents pattern — covered in agent identity and delegation — recognises that an agent is a new kind of principal. It inherits permissions from a service identity, executes tools that touch data, and has an effective action surface equal to the intersection of identity permissions and tool configuration. When the action surface is broader than the principal was authorised for, the gap is exploitable through prompt manipulation.

AI-APP products are starting to ship this as a posture surface. The platform discovers agents, maps tool registrations, computes the effective action surface, and flags drift beyond the approved baseline. CSPM had no concept of an agent's tool registration. Vendors shipping earliest — Cisco's Robust Intelligence acquisition, Protect AI's Layer, parts of Wiz's AI-SPM — typically have prior agent-framework depth.
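The effective-action-surface computation described above, as an added example that is not the page's or any vendor's code: the reachable actions are the intersection of the inherited identity's permissions and what the registered tools expose, and anything reachable beyond the approved baseline is drift. The agent, tools, permission strings and baseline are all constructed for illustration.

```python
"""Constructed agent posture check: effective action surface and drift.

An agent can only perform an action if (a) a registered tool exposes it AND
(b) the service identity it inherits permits it. Drift is whatever is reachable
but was never approved; dormant permissions are a least-privilege finding.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Tool:
    name: str
    actions: frozenset  # actions the tool can perform when the agent invokes it


@dataclass(frozen=True)
class Agent:
    name: str
    identity_permissions: frozenset  # what the inherited service identity may do
    tools: tuple                     # registered tools
    approved_baseline: frozenset     # action surface signed off at review time


def tool_surface(agent: Agent) -> frozenset:
    """Union of every action any registered tool can perform."""
    surface = set()
    for tool in agent.tools:
        surface |= tool.actions
    return frozenset(surface)


def effective_action_surface(agent: Agent) -> frozenset:
    """Actions actually reachable: exposed by a tool AND permitted by the identity."""
    return tool_surface(agent) & agent.identity_permissions


def assess(agent: Agent) -> dict:
    effective = effective_action_surface(agent)
    return {
        "effective": effective,
        "drift": effective - agent.approved_baseline,            # reachable but unapproved
        "dormant": agent.identity_permissions - tool_surface(agent),  # granted, no tool uses it
    }


# Constructed sample: a ticket-triage agent whose export tool can write and delete
# objects, but whose identity only permits read/write; delete is therefore unreachable.
SAMPLE_AGENT = Agent(
    name="ticket-triage-bot",
    identity_permissions=frozenset({"tickets:read", "tickets:update", "s3:GetObject",
                                    "s3:PutObject", "kms:Decrypt"}),
    tools=(Tool("ticket_api", frozenset({"tickets:read", "tickets:update"})),
           Tool("file_export", frozenset({"s3:GetObject", "s3:PutObject", "s3:DeleteObject"}))),
    approved_baseline=frozenset({"tickets:read", "tickets:update", "s3:GetObject"}),
)
```

Running `assess(SAMPLE_AGENT)` reports `s3:PutObject` as drift (a tool exposes it, the identity allows it, nobody approved it) and `kms:Decrypt` as a dormant permission, while `s3:DeleteObject` never appears because the identity blocks it.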

Training-data lineage

The AIBOM pattern — covered in AI bill of materials — is the third genuinely new surface. The control is provenance: every fine-tuned model in production traces back to a documented dataset, preprocessing pipeline, and approval. Article 53 of the EU AI Act is the regulatory expression.

AI-APP products are starting to surface AIBOM as a posture object. Microsoft Defender for Cloud's AI Bill of Materials, Wiz's AI-SPM lineage view, and Snyk's AI supply-chain module are the clearest examples. The depth is shallow — most implementations cover metadata and stop at the dataset version, without reading the preprocessing pipeline or approval chain — but the control surface is real and is not what CSPM read before.

What is renamed CSPM

A meaningful portion of every AI-APP deck describes capabilities that existed under CSPM, were rebranded to AI-SPM in 2025, and are now rebranded again as components of AI-APP.

Configuration scanning of model registries. Reading whether Bedrock invocation logging is on, whether Guardrails match an approved baseline, whether Azure OpenAI has an attached content filter, whether the Vertex AI endpoint enforces a private connection. These are CSPM controls scoped to model-related resources — exactly what a CSPM with a Bedrock rule pack already did two years ago. If the demo can be entirely shown by walking through the CSPM rule library scoped to Bedrock resources, the AI-APP layer is a tag, not a product.

AI asset inventory. Every AI-APP product ships an "AI asset inventory" view listing foundation models in use, deployed endpoints, fine-tuned variants, and hosting resources. This is CSPM asset discovery with a label. A CSPM has been ingesting bedrock:ListFoundationModels, Azure OpenAI listings, and Vertex AI registry queries since each provider shipped the API. Filtering existing inventory to AI-related resources is a fifteen-engineer-week project, not a new product. Several vendors charge a separate SKU for it.

Compliance posture mapped to NIST AI RMF or EU AI Act. The vendor takes the existing compliance-mapping engine that produces ISO 27001 and SOC 2 assertions, adds NIST AI RMF and EU AI Act control sets, and produces a dashboard labelled "AI compliance posture." The mechanism is identical to the CSPM compliance engine. The mappings are often shallow — many map one CSPM rule (Bedrock invocation logging enabled) to one AI Act article (Article 12 logging) and call it done, without addressing the six-month minimum retention or the tamper-evidence requirement Article 12 implicitly demands.
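To make the depth gap concrete, here is an added example (not any vendor's rule pack) contrasting the one-rule-to-one-article mapping the paragraph describes with a check that also carries the retention and tamper-evidence expectations. The posture snapshot fields and the 183-day figure for six months are constructed assumptions, not a real cloud API schema.

```python
"""Constructed comparison: shallow vs. deeper Article 12 logging check.

A posture 'snapshot' here is a plain dict the scanner would have assembled from
the provider's configuration; the field names are assumptions for this example.
"""
SIX_MONTHS_DAYS = 183  # assumption: day count used to express the six-month minimum


def shallow_article12(snapshot: dict) -> bool:
    """The mapping the page criticises: logging switched on means 'compliant'."""
    return bool(snapshot["invocation_logging_enabled"])


def deeper_article12(snapshot: dict) -> list:
    """Return findings; an empty list means the deeper check passes."""
    findings = []
    if not snapshot["invocation_logging_enabled"]:
        # Without logs the remaining checks are meaningless, so stop here.
        return ["invocation logging disabled"]
    if snapshot["log_retention_days"] < SIX_MONTHS_DAYS:
        findings.append(
            f"retention {snapshot['log_retention_days']}d is below the six-month minimum")
    if not snapshot["log_store_write_once"]:
        findings.append("log store is not write-once; no tamper evidence")
    if not snapshot["log_integrity_validation"]:
        findings.append("log integrity validation is disabled")
    return findings


def compare(snapshot: dict) -> dict:
    """Show where the two rules disagree on the same configuration."""
    findings = deeper_article12(snapshot)
    return {
        "shallow_pass": shallow_article12(snapshot),
        "deeper_pass": not findings,
        "findings": findings,
    }


# Constructed snapshot: logging is on, so the shallow rule passes, but logs are
# kept for 30 days in a mutable bucket, so the deeper rule does not.
SAMPLE_SNAPSHOT = {
    "invocation_logging_enabled": True,
    "log_retention_days": 30,
    "log_store_write_once": False,
    "log_integrity_validation": True,
}
```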

The four-way map

AI-APP, framed honestly, is closest to AIWPM. Both cover AI workload runtime configuration. AI-APP extends AIWPM by adding model-aware runtime detection and the agent identity surface (AIWPM treated agent identity as a single posture control, not a deep behavioural surface).

It overlaps AISPM on lifecycle — model inventory, training-data lineage, prompt registry sit in both. The distinction is mostly emphasis. It overlaps CSPM on the cloud control plane half of the AIWPM surface — egress posture, guardrail-configuration rules, audit-trail completeness. A CSPM already covering these gains a new dashboard view, not a new control.

It overlaps DSPM least, and the seam is the most consequential. Retrieval-time access policy at the vector store — the control that determines whether the chunked corpus respects the source ACL on a query-by-query basis — is barely covered by AI-APP and most often left to engineering. The DSPM-and-RAG five-gate piece sets out the architecture that closes the seam. AI-APP marketing tends to claim coverage through "knowledge base discovery" features that are inventory views, not policy enforcement.

The honest buyer's question

For a greenfield AI deployment, the platform value is in the new controls. AI-native vendors lead. The sensible pattern is AI-native specialist for inference-path controls, plus existing CSPM for infrastructure. AI-APP from a CSPM incumbent is rarely the right primary choice — the incumbent's strongest capability is the surface the team already has covered.

For an existing enterprise stack adding AI workloads, the calculus flips. The CSPM incumbent's AI-APP extension is the path of least resistance and is defensible — the new controls are useful additions and the integration tax is lower than introducing a new vendor.

For air-gapped or sovereign AI deployments — Bedrock in a region with no public egress, on-prem inference, government workloads that cannot share telemetry — neither category is practical. The vendor platforms depend on telemetry pipelines the air-gapped posture forbids. Build the eval and audit chain in-house using the principal-of-record pattern, the AIBOM pattern, and a custom eval suite running inside the trust boundary.

The honest vendor read

The five incumbents share a profile: CSPM heritage extended with model-registry scanning plus an early prompt-injection signature list, marketed as end-to-end AI application protection. Wiz leads on dashboard and graph visualisation. Palo Alto leads on compliance breadth and Cortex XSOAR integration. CrowdStrike leads on runtime detection depth. Orca leads on agentless deployment. Snyk leads on the application-code surface.

The AI-native specialists — Lakera, Robust Intelligence (now Cisco), Protect AI, HiddenLayer, Calypso AI — cover the inference-path controls the incumbents do not yet read with depth. Lakera Guard is deepest on prompt-injection detection. Robust Intelligence covers a broader model-evaluation surface. Protect AI's Layer focuses on supply-chain controls. HiddenLayer focuses on runtime model security. Calypso AI focuses on governance.

The two categories are not yet substitutes. An AI-native specialist plus an existing CSPM covers most of the AI-APP surface on a greenfield workload. A CSPM incumbent's AI-APP module covers most of the surface where AI is incremental to an existing footprint. The platform-of-choice claim is currently marketing, not product reality.

The procurement reality

Most enterprises buying AI-APP today are paying CSPM-plus-fifteen-per-cent for branding. The module sits as a premium SKU on top of the existing CNAPP licence, adding 12 to 22 per cent to annual contract value, for a capability set where most rule packs already existed under the CNAPP base.

The next twelve months will sort the genuine platforms from the renamings. The signal to watch is whether the vendor invests in model-aware runtime detection and agent identity, or whether the roadmap remains dominated by model-registry rule packs. Vendors acquiring AI-native specialists — Cisco buying Robust Intelligence is the most consequential — are signalling the former.

What cmdev recommends

Greenfield AI deployment: AI-native specialists for inference-path controls, plus existing CSPM for infrastructure. Outperforms any single AI-APP platform on the controls that matter and costs less than the incumbent's AI-APP premium plus the CNAPP base.

Existing enterprise stack adding AI workloads: the CSPM incumbent's AI-APP extension. Lower integration tax, team already operates the platform, new controls are additive. Supplement with an AI-native specialist if the workload's risk profile justifies it.

Air-gapped or sovereign deployment: build the eval and audit chain in-house. Platform vendors cannot meaningfully serve a strict sovereign posture; the attempt compromises the boundary.

What to ignore

Three claims show up repeatedly in AI-APP marketing decks and warrant scepticism.

The "X per cent AI risk reduction" claim is unmeasurable. The numerator and denominator are both undefined. No vendor publishes a methodology that survives ten minutes of scrutiny. Treat the number as decoration.

The "AI-SOC" wrapping — that AI-APP powers a new kind of SOC dedicated to AI workloads — is mostly a SOC analyst with a different dashboard. The work is the same alert-triage work; the alerts have AI-specific labels.

The AI Bill of Materials checkbox is, in most implementations, a stub. The platform lists foundation models in use, claims AIBOM coverage, and stops short of dataset provenance, preprocessing pipeline, and approval chain. Demand to see the vendor's AIBOM for a fine-tuned model with real preprocessing — most demos cannot produce it.

The honest verdict

AI-APP as a category will consolidate by end of 2027. The incumbents will close the depth gap on inference-path controls. The AI-native specialists will either be acquired or broaden to compete on infrastructure. The four-acronym stack will collapse into two procurement decisions, one branded AI-APP and one retaining a DSPM-derived name.

Until then, buy the components that matter and decline the platform premium. The three controls that are genuinely new — model-aware runtime detection, agent identity, training-data lineage — are worth investing in regardless of which vendor ships them. The rest is CSPM rebadged. Pay for the new surface; refuse to pay twice for what the existing CNAPP already covers.

FAQs

Is AI-APP a real category or marketing?

Both. Three controls are genuinely new — model-aware runtime detection, agent identity and tool authorisation, and training-data lineage. The rest is CSPM scoped to model registries with a tag layer renamed. Pay for the new surface; refuse the AI-APP premium for capabilities the existing CNAPP already delivers.

Should we buy AI-APP from our existing CSPM vendor or from an AI-native specialist?

Workload-class dependent. Greenfield: AI-native specialists (Lakera, Robust Intelligence, Protect AI) plus existing CSPM. Existing enterprise stack adding AI: the CSPM incumbent's AI-APP extension — the integration tax is lower. Air-gapped or sovereign: neither — build in-house using the principal-of-record and AIBOM patterns.

How does AI-APP relate to AISPM and AIWPM?

AI-APP is closest to AIWPM with additional surfaces bolted on. AIWPM covers the AI workload's runtime configuration as set out in the AIWPM piece. AI-APP extends AIWPM by adding model-aware runtime detection and agent identity, and overlaps AISPM on lifecycle. The acronym-map piece sets out the four-surface stack.

What is the price premium for AI-APP over base CNAPP?

Across the incumbents, the AI-APP module adds 12 to 22 per cent to annual contract value, for a capability set where most rule packs already existed under the CNAPP base. Force the vendor to itemise which capabilities are AI-APP-exclusive and which are existing CNAPP rule packs rebranded.

Will AI-APP consolidate the four-acronym posture stack?

Partially, by end of 2027. Incumbents will close the depth gap on inference-path controls — Cisco's acquisition of Robust Intelligence is an early signal. The AI-native specialists will either be acquired or broaden. Until then, the platform-of-choice claim is marketing.

How to engage

If a vendor is selling you AI-APP as a unified platform and you want a structurally honest read on which capabilities are genuinely new and which are CSPM rebadged, talk to us at creativeminds.dev/contact. cmdev does not resell any of the vendors discussed.
