A head of platform security at an EU bank sent me a copy of Wiz Academy's "Top AI Security Tools for the Cloud" piece in May. It named twelve vendors. It did not name Lakera, Robust Intelligence, Hidden Layer, or Mindgard — the four AI-native specialists that compete directly with Wiz's own AI-SPM module. He asked whether this was a problem with the piece or with the vendors. The honest answer is that it is a problem with the genre. Vendor-published comparison pieces will never name competitors who threaten the publishing vendor's roadmap; competitor takedowns will never be honest about their own gaps.
cmdev sells engineering. We do not resell Lakera, Robust Intelligence, Protect AI, Hidden Layer, CalypsoAI, Mindgard, Lasso, Sphynx, Wiz, Palo Alto, Orca, or CrowdStrike. We have deployed against most of them, walked away from three because the price bore no relationship to the value, and rebuilt the equivalent of two on open source for clients refusing commercial vendors. This is the companion piece to the CSPM honest comparison — same approach, applied to the AI-security category that is now the fastest-moving procurement conversation in security.
Key takeaways
- AI security tooling splits into seven categories in 2026: prompt-injection defence, model evaluation and red-teaming, model registry and governance, DSPM for AI, AISPM, adversarial ML defence, and AIBOM. Most enterprises need three or four, not all seven.
- Twelve vendors define the procurement consideration set. AI-native specialists: Lakera, Robust Intelligence, Protect AI, Hidden Layer, CalypsoAI, Mindgard, Lasso, Sphynx. CSPM incumbents extending into AI: Wiz, Palo Alto Prisma AI Security, Orca, CrowdStrike.
- For prompt-injection defence, model evaluation, and AIBOM, open source plus custom engineering is competitive at most scales. For AISPM and DSPM-for-AI, the build case is harder above 50 cloud accounts.
- The 2024-2025 acquisition pattern matters for procurement risk. Robust Intelligence to Cisco, Protect AI to Palo Alto, Lacework to Fortinet. Independents get absorbed; the buyer signing a three-year contract in 2026 should price acquisition risk into the decision.
- Most "AI threat detection" in CSPM-incumbent pitches is anomaly detection rebranded. Most "GenAI for security" is RAG over existing telemetry. The real AI-native controls are concentrated in eight to ten products; the rest is marketing.
Why every AI security tool comparison piece is useless
The vendor-published genre dominates the category. A vendor writes a piece called "Top AI Security Tools 2026," lays out criteria aligned with its own strengths, names three to six competitors who are not threatening, and omits the four to eight who are. The Wiz Academy piece is the canonical example — DSPM for AI, AI-SPM, runtime protection, all covered without naming Lakera, Robust Intelligence (pre-Cisco), Hidden Layer, or Mindgard. Readers following that piece to procurement will not have a credible shortlist.
The competitor-takedown genre has the opposite problem — accurate on strongest points, silent on weakest. The piece a procurement lead actually needs covers all seven categories, names every credible vendor in each, gives the per-vendor read, and produces a recommendation per workload class. This is that piece.
The seven categories of AI security tooling in 2026
Prompt-injection defence. Sits between the user prompt and the model. Detects prompt-injection, jailbreak attempts, sensitive-data exfiltration, policy violations. Leading vendors: Lakera Guard, Robust Intelligence (Cisco), NVIDIA NeMo Guardrails, plus custom guardrails on Bedrock or Azure AI Content Safety. Category is maturing fast; the build case on Bedrock Guardrails is credible for teams with engineering capacity.
Model evaluation and red-teaming. Pre-deployment and continuous evaluation. Runs eval suites, surfaces regressions, performs automated red-team probing. Leading open source: Garak (NVIDIA), PyRIT (Microsoft), Promptfoo. Commercial leaders: Robust Intelligence, Mindgard, parts of Protect AI. Custom eval-gate enforcement in CI/CD remains the credible build option. See AI red-teaming: discipline, theatre, vs practice.
Model registry and governance. The catalogue and lifecycle surface — what models, what version, what provenance, who approved them, what eval gates they passed. Leading commercial product: Protect AI Radar. Custom MLflow extensions integrated with cloud-provider registries (SageMaker, Azure ML, Vertex AI) remain the dominant build pattern.
DSPM for AI. DSPM extended to data flowing into and out of AI workloads — vector stores, knowledge bases, training data, model response egress. Leading vendors: Wiz, Cyera, Sentra, Securiti, Borneo. The AI extension is a tag layer over existing classification. See DSPM meets RAG.
AISPM and AI-APP. Posture management for the cloud-resident AI control plane. Inventories AI workloads, evaluates against posture rules, flags drift. Leading vendors: Wiz, Palo Alto Prisma AI Security, Orca, CrowdStrike. None covers the full eight-control surface in AI Workload Posture Management. "AI Application Posture" is mostly AISPM rebranded.
Adversarial ML defence. Attacks against the model itself — extraction, inversion, membership inference, evasion, poisoning. Leading vendors: Hidden Layer, CalypsoAI, Lasso. Niche; most enterprises will not need it. Exceptions: training custom foundation models, exposing model APIs publicly, explicit adversarial robustness regulation.
AIBOM and supply chain. Provenance, signature, dependency surface for AI artefacts — weights, prompts, evals, training data, RAG sources, agent tooling. Leading commercial vendor: Protect AI (Palo Alto). Snyk's AI-BOM suits existing Snyk customers. Custom CycloneDX-AI pipelines are the dominant build pattern. See AI Bill of Materials.
The per-vendor honest read
Lakera
The leading prompt-injection defence product. Lakera Guard sits between the application and the model, runs a curated detection suite, and produces decisions in single-digit milliseconds. Detection coverage is the deepest in the category — Lakera maintains a jailbreak corpus build-it-yourself guardrails cannot match. Strong on multi-model deployments. Pricing is per-call and expensive at scale; false positives on long-context agentic workflows still bite. Fits customer-facing generative AI in regulated environments. Not necessary for internal tooling where Bedrock Guardrails plus custom rules covers the threat model.
Robust Intelligence (Cisco)
The category-defining vendor in model evaluation and continuous red-teaming, acquired by Cisco in 2024. AI Firewall is the runtime layer; AI Validation is pre-deployment. Detection breadth on jailbreak corpora is class-leading. Post-acquisition, pricing has become opaque and engineering velocity has shifted. Fits enterprises with existing Cisco relationships. Less attractive where independence from Cisco's roadmap matters.
Protect AI (Palo Alto)
The leading model registry and supply-chain product before Palo Alto acquired it in 2025. Radar is inventory; Recon is red-team; Guardian is runtime. Breadth across registry, eval, supply chain, and runtime is unusual in the category. Being absorbed into Prisma AI Security — the standalone licence still exists but the Palo Alto roadmap dominates. Fits existing Palo Alto customers. Less attractive where lock-in is a concern.
Hidden Layer
The leading adversarial ML defence vendor. AISec Platform covers model scanning, runtime detection (extraction, inversion, evasion), and incident response. Depth on adversarial ML is genuinely differentiated — research output names novel attack classes the CSPM incumbents do not address. Genuinely niche; the buyer is the organisation training custom foundation models, exposing model APIs publicly, or under explicit adversarial robustness regulation. Wrong tool for an organisation consuming foundation models through Bedrock or Azure OpenAI without training.
CalypsoAI
Runtime AI security focused on the enterprise GenAI control plane — model proxying, content moderation, DLP, policy enforcement against employee and customer LLM use. Differentiated on the "AI gateway" pattern. Less developed on eval-gate and supply chain than Robust Intelligence or Protect AI. Fits organisations standardising on AI-gateway architecture.
Mindgard
The leading independent AI red-teaming specialist. Continuous automated red-teaming with detection breadth on prompt-injection, jailbreak, training-data extraction. Earlier deployment maturity than Robust Intelligence. Acquisition risk is real — Mindgard is the kind of asset Cisco or Palo Alto would buy.
Lasso Security
Runtime AI security focused on shadow AI discovery and policy enforcement against employee LLM use. Surfaces tools the security team did not know were deployed. Overlaps significantly with AISPM and secure-web-gateway categories. Fits organisations early in AI security maturity needing an inventory layer first.
Sphynx
Model risk management extending into AI governance. Produces MRM artefacts that map to SR 11-7, EU AI Act Article 9, and the NIST AI RMF. Not a runtime tool — the buyer is the MRM function inside a bank, not the security team. Fits regulated financial services with explicit MRM obligations.
Wiz
The leading CSPM extending into AI-SPM. Covers Bedrock, Azure OpenAI, Vertex AI, and SageMaker. Graph visualisation is the best in the category. Depth on application-layer controls (eval-gate enforcement, prompt-cache integrity, training-data lineage) lags the AI-native specialists — the Wiz Academy omission of Lakera, Robust Intelligence, Hidden Layer, and Mindgard is the structural signal that the roadmap does not yet address what those vendors do. Pricing scales with cloud spend; AI-SPM adds a multiplier. Fits existing Wiz customers. Wrong starting point for an enterprise standing up AI security from scratch.
Palo Alto Prisma AI Security
The deepest compliance-framework coverage in the AI-security category. Inherits the Prisma Cloud heritage and adds the AI-native depth from the Protect AI acquisition. Breadth across discovery, posture, eval, supply chain, and runtime is the broadest of any single vendor. Heavy console, complex deployment, real integration tax. Module-based pricing. Right tool for a Tier 1 bank with NDPA, CBN CSAT, EU AI Act, and SR 11-7 obligations across AWS, Azure, and on-prem AI. Wrong tool for a 50-person AI-product company.
Orca Security
Agentless CNAPP extending into AI-SPM. Strong on multi-cloud parity, weaker on detection depth than Wiz or CrowdStrike. AI-SPM module less developed than Wiz or Palo Alto — mid-2026 coverage is inventory plus basic configuration analysis. Fits multi-cloud Orca customers where agentless matters.
CrowdStrike Falcon Cloud Security
Endpoint-led CNAPP extending into AI workload protection. Falcon AI surfaces runtime threats using the same telemetry pipeline as the endpoint product. Strong on detection depth, weaker on posture and compliance breadth. Attractive for existing Falcon shops, uncompetitive standalone.
Build versus buy by category
| Category | Build viability | When to buy |
|---|---|---|
| Prompt-injection defence | Strong on Bedrock Guardrails or NeMo Guardrails plus custom rules | Customer-facing AI where false-negative cost is high |
| Model evaluation and red-teaming | Strong on Garak, PyRIT, Promptfoo plus custom eval suites | Continuous red-teaming at scale; regulated MRM obligations |
| Model registry and governance | Strong on MLflow plus cloud-native registries | Multi-cloud estates above 50 models under management |
| DSPM for AI | Hard above 50 cloud accounts | Most enterprises buy this; classification work is hard |
| AISPM | Hard above 50 cloud accounts | Most enterprises buy this |
| Adversarial ML defence | Weak; specialised research domain | Training custom models or exposing model APIs publicly |
| AI bill of materials | Strong on CycloneDX-AI | Existing Snyk customers; explicit AIBOM obligations |
The pattern is consistent: categories where the open source is mature and the threat model is well understood are where the build case wins at most scales. Categories where data classification or multi-cloud inventory work is genuinely hard are where the commercial vendors win.
The matrix nobody publishes
| Workload class | Best fit | Why |
|---|---|---|
| Greenfield AI, mid-market, no existing CSPM | Lakera + Garak + custom AISPM build | AI-native specialists for application layer; build for posture |
| Existing Wiz customer adding AI | Wiz AI-SPM + Lakera or Bedrock Guardrails | Path of least procurement resistance plus application-layer gap fill |
| Existing Palo Alto customer adding AI | Prisma AI Security plus portfolio | Bundled story is genuinely strong |
| Regulated financial, residency-strict | Prisma AI Security + Sphynx | Compliance-framework depth plus MRM artefacts |
| Regulated healthcare, HIPAA + EU AI Act | Prisma AI Security + Hidden Layer | Compliance depth plus adversarial robustness |
| Government / sovereign deployment | Cloud-native + Garak + CycloneDX-AI | Commercial vendor sovereignty risks rule out most options |
| Open-source-only, no commercial vendor | Garak + PyRIT + Promptfoo + NeMo + MLflow + CycloneDX-AI | Build path is credible; open source covers most of the surface |
| AI-product company, customer-facing at scale | Lakera + Robust Intelligence or Mindgard + custom AISPM | Application-layer threat model dominates; CSPM tools insufficient |
The 2024-2026 acquisition pattern matters
Lacework went to Fortinet in 2024. Robust Intelligence went to Cisco in 2024. Protect AI went to Palo Alto in 2025. Independent AI-native vendors that prove the category are absorbed by the broader security platforms within 24-36 months of category maturity. Buyers who sign three-year contracts with independents in 2026 should price acquisition risk into the decision — Lakera, Hidden Layer, CalypsoAI, Mindgard, and Lasso are all plausible targets within the contract horizon. The acquiring vendor's roadmap dominates within 18-24 months.
This is not an argument against signing with the independents — the application-layer depth they bring is real and the CSPM-extended tools have not caught up. It is an argument for negotiating with acquisition in mind: shorter durations, exit clauses, escrow for runtime components, and a build-fallback architecture that does not collapse if the vendor is acquired or sunset.
What to ignore in the vendor pitches
"AI threat detection" across CSPM-incumbent pitches is mostly anomaly detection rebranded against AI workload telemetry. Real AI-native threat detection — prompt-injection signatures, model-extraction patterns, jailbreak corpora — is concentrated in the AI-native specialists.
"GenAI for security" in most pitches is RAG over the vendor's existing telemetry. Useful, but not the differentiated AI capability the pitch implies — it is the security product with a chat interface. "AI-SOC" wrapping from CrowdStrike, Palo Alto, and Microsoft is the same RAG pattern applied to the SOC analyst workflow.
The "Top X% of Fortune 500 adoption" claim is self-reported and unverifiable; analyst quadrant placement is paid into; "starts at $X" pricing is the entry tier — realistic enterprise pricing is 5-10x once the modules add up.
The verdict
Per workload class, the honest cmdev recommendation:
- Greenfield AI, no existing CSPM: Lakera for prompt-injection, Garak in CI/CD for red-teaming, custom AISPM rules against the cloud-provider model registry. Trade-off: requires AI-platform engineering capacity.
- Existing Wiz customer adding AI: Wiz AI-SPM plus Lakera or Bedrock Guardrails. Trade-off: budget for the AI-SPM multiplier; do not assume Wiz covers application-layer controls.
- Existing Palo Alto customer adding AI: Prisma AI Security. Trade-off: heavy deployment, you commit to a Palo Alto relationship.
- Tier 1 regulated bank, multi-cloud, multi-framework: Prisma AI Security plus Sphynx for MRM artefacts. Trade-off: the alternative custom build takes 18-24 months.
- Sovereign or government AI deployment: Custom build on cloud-native plus open source. Trade-off: sustained engineering investment required; commercial alternatives carry sovereignty risk.
- AI-product company at scale: Lakera plus Robust Intelligence or Mindgard plus custom AISPM. Trade-off: integration tax across three vendors; the threat model justifies it.
None of these is the recommendation any vendor would write. That is the point of the piece.
FAQs
Why does Wiz Academy not name Lakera, Robust Intelligence, Hidden Layer, or Mindgard?
Because they compete with Wiz's AI-SPM module on application-layer controls Wiz has not yet shipped. Vendor-published comparison pieces omit competitors who threaten the publishing vendor's roadmap. The omission is structural, not accidental — treat any vendor-published comparison list as incomplete by design.
Is the AI security category genuinely separate from CSPM?
For application-layer controls — prompt-injection defence, model evaluation, adversarial ML defence — yes. The CSPM incumbents do not yet credibly address these; the AI-native specialists do. For infrastructure-layer controls — AISPM, DSPM-for-AI — the CSPM incumbents are credible and the AI-native specialists are extending in. The category will likely converge over 24-36 months.
What is the right shortlist for a procurement process starting today?
For an enterprise standing up AI security from scratch in mid-2026: Lakera for prompt-injection, Garak or Promptfoo plus custom eval-gate enforcement for red-teaming, MLflow plus cloud-native registries for governance, Wiz or Prisma AI Security for AISPM and DSPM-for-AI, Hidden Layer only if adversarial ML is in the threat model, custom CycloneDX-AI for AIBOM.
How worried should we be about vendor acquisition risk?
Worried enough to read the contract carefully. Lacework, Robust Intelligence, and Protect AI were all independent in 2023 and acquired within 24 months. Negotiate shorter durations, exit clauses, escrow for runtime components, and a build-fallback architecture that does not collapse if the vendor is acquired or sunset.
Companion content
- AISPM, AIWPM, DSPM, CSPM: The Acronym Map
- AI Workload Posture Management: The CSPM Gap
- AI Red-Teaming: Discipline, Theatre, vs Practice
- CSPM Vendor Comparison 2026: The Honest Version
- DSPM Meets RAG: Data Classification in the Knowledge Base Era
- AI Bill of Materials: AIBOM and SBOM for AI Systems
How to engage
If you are running an AI security tooling procurement and want a vendor-neutral read on which combination fits your environment — including the build-versus-buy calculation per category against your actual AI footprint — talk to us at creativeminds.dev/contact. The Phase 0 diagnostic runs the seven categories above against your real AI estate, models the pricing each vendor will quote against your real model count and traffic volume, and produces a procurement-ready recommendation. We do not resell any of the vendors named here; the recommendation is the deliverable.