A head of platform security at an EU bank forwarded me Wiz Academy's "Top AI Security Tools for the Cloud" article in May with a single line above it: "Notice anything?" Twelve vendors named. Lakera, Robust Intelligence, Hidden Layer, and Mindgard — the four AI-natives that compete head-on with Wiz's AI-SPM module — were not on the list. He wanted to know whether the omission was a problem with the article or with the vendors. The honest answer is that it is a problem with the genre. Vendor-published comparison pieces will never name competitors who threaten the publishing vendor's roadmap. Competitor takedowns will never be honest about their own gaps. The procurement lead reading either one ends up with the wrong shortlist.
cmdev sells engineering, not vendor licences. We do not resell Lakera, Robust Intelligence, Protect AI, Hidden Layer, CalypsoAI, Mindgard, Lasso, Sphynx, Wiz, Palo Alto, Orca, or CrowdStrike. We have deployed against most of them. We have walked away from three because the price bore no relationship to the value. We have rebuilt the equivalent of two on open source for clients who refused commercial vendors on principle. This is the companion piece to the CSPM honest comparison, applied to the AI-security category that is now the fastest-moving procurement conversation in security.
Key takeaways
- AI security tooling splits into seven categories in 2026: prompt-injection defence, model evaluation and red-teaming, model registry and governance, DSPM for AI, AISPM, adversarial ML defence, and AIBOM. Most enterprises need three or four, not all seven.
- Twelve vendors define the procurement consideration set. AI-native specialists: Lakera, Robust Intelligence, Protect AI, Hidden Layer, CalypsoAI, Mindgard, Lasso, Sphynx. CSPM incumbents extending into AI: Wiz, Palo Alto Prisma AI Security, Orca, CrowdStrike.
- For prompt-injection defence, model evaluation, and AIBOM, open source plus custom engineering is competitive at most scales. For AISPM and DSPM-for-AI, the build case is harder above 50 cloud accounts.
- The 2024-2025 acquisition pattern matters for procurement risk. Robust Intelligence to Cisco, Protect AI to Palo Alto, Lacework to Fortinet. Independents get absorbed; the buyer signing a three-year contract in 2026 should price acquisition risk into the decision.
- Most "AI threat detection" in CSPM-incumbent pitches is anomaly detection rebranded. Most "GenAI for security" is RAG over existing telemetry. The real AI-native controls are concentrated in eight to ten products; the rest is marketing.
The Genre Is the Problem
The vendor-published comparison piece is its own little form of theatre. A vendor writes an article called something like "Top AI Security Tools 2026." They lay out a criteria grid carefully tuned to their own strengths. They name three to six competitors safely outside their roadmap. They quietly omit the four to eight who would actually beat them on the questions the buyer is asking. The Wiz Academy article is the canonical example — DSPM for AI, AI-SPM, runtime protection, all covered without naming Lakera, Robust Intelligence, Hidden Layer, or Mindgard. A procurement lead reading that piece is being handed a shortlist with the most dangerous names already crossed off.
The competitor-takedown genre has the opposite failure mode — sharp where it cuts, silent where it bleeds. The piece a procurement lead actually needs walks every category, names every credible vendor, gives an honest read per vendor, and ends with a recommendation per workload class. This is that piece.
Seven Categories, Not One
AI security tooling in 2026 is best understood as seven separate categories that vendors keep trying to glue together. Reading them as one is how procurement ends up paying for a platform that does three of the seven jobs well and the other four with a sticker.
Think of it the way an industrial kitchen thinks about knives. The chef does not look for "the best knife." She looks for the right blade for the cut. A bread knife slices crusty loaves no chef's knife handles cleanly. A paring knife strips an apple no boning knife touches. The right kitchen has six.
The first category is prompt-injection defence — the layer that sits between the user prompt and the model, watching for injection, jailbreaks, sensitive-data exfiltration, and policy violations. Lakera Guard leads. Robust Intelligence under Cisco is close. NVIDIA NeMo Guardrails is the open-source alternative. Bedrock Guardrails or Azure AI Content Safety, combined with custom rules, is the credible build option for teams with engineering capacity.
The second is model evaluation and red-teaming. Eval suites that run pre-deployment and continuously, surfacing regressions and probing for new vulnerabilities. Open source is genuinely strong — Garak from NVIDIA, PyRIT from Microsoft, Promptfoo for CI/CD. Commercial leaders are Robust Intelligence, Mindgard, and parts of Protect AI. See AI red-teaming: discipline, theatre, vs practice.
The third is model registry and governance — the catalogue surface that tracks which models are in production, what version, what provenance, who approved them, what eval gates they passed. Protect AI Radar is the commercial leader. Most teams in 2026 build this on MLflow integrated with SageMaker, Azure ML, or Vertex AI registries.
The fourth is DSPM extended to AI data — the vector stores, knowledge bases, training data, and model-response egress paths. Wiz, Cyera, Sentra, Securiti, and Borneo are the names. The AI extension is mostly a tag layer over the existing classification engine, which is itself a non-trivial classifier. See DSPM meets RAG.
The fifth is AISPM and AI-APP — posture management for the AI control plane in the cloud. Wiz, Palo Alto Prisma AI Security, Orca, and CrowdStrike all play here. None of them yet covers the full eight-control surface laid out in AI Workload Posture Management. "AI Application Posture" is, in most decks, AISPM rebranded.
The sixth is adversarial ML defence — attacks on the model itself, including extraction, inversion, membership inference, evasion, and poisoning. Hidden Layer, CalypsoAI, and Lasso are the names. This is the niche category. Most enterprises do not need it. The buyers are organisations training custom foundation models, exposing model APIs publicly, or operating under explicit adversarial robustness regulation.
The seventh is AIBOM and the AI supply chain — provenance, signing, and the dependency surface for weights, prompts, eval suites, training data, RAG sources, and agent tooling. Protect AI under Palo Alto is the leading commercial vendor. Snyk fits existing Snyk customers. Custom CycloneDX-AI pipelines are the dominant build pattern. See AI Bill of Materials.
The Vendors, One at a Time
Lakera is the leading prompt-injection defence product. Lakera Guard sits between the application and the model, runs a curated detection suite, and decides in single-digit milliseconds. Detection coverage is the deepest in the category — Lakera maintains a jailbreak corpus a homemade guardrail cannot replicate. It is strong on multi-model deployments. Pricing is per-call and expensive at scale, and false positives on long-context agentic workflows still bite. Lakera is the right tool for customer-facing generative AI in regulated environments. It is overkill for internal tooling where Bedrock Guardrails plus custom rules already covers the threat model.
Robust Intelligence — now Cisco — was the category-defining vendor for model evaluation and continuous red-teaming before the acquisition in 2024. AI Firewall is the runtime layer; AI Validation is pre-deployment. Detection breadth on jailbreak corpora is class-leading. Post-acquisition, pricing has become opaque and engineering velocity has shifted into Cisco's broader roadmap. It is the right tool for enterprises with an existing Cisco relationship. It is the wrong tool for teams who want independence from Cisco's prioritisation.
Protect AI under Palo Alto was the leading model registry and supply-chain product before the acquisition in 2025. Radar is the inventory layer, Recon the red-team layer, Guardian the runtime layer. The breadth across registry, eval, supply chain, and runtime is unusual in the category. It is being absorbed into Prisma AI Security — the standalone licence still exists, but the Palo Alto roadmap dominates. It fits existing Palo Alto customers and discomforts buyers who care about lock-in.
Hidden Layer is the leading adversarial ML defence vendor. AISec Platform covers model scanning, runtime detection against extraction, inversion, and evasion, and incident response. The depth here is genuinely differentiated — Hidden Layer's research output names novel attack classes the CSPM incumbents do not address. It is genuinely niche. The buyer is the organisation training custom foundation models, exposing model APIs publicly, or operating under explicit adversarial robustness regulation. It is the wrong tool for an organisation consuming foundation models through Bedrock or Azure OpenAI without training.
CalypsoAI is runtime AI security focused on the enterprise GenAI control plane — model proxying, content moderation, DLP, and policy enforcement against employee and customer LLM use. The differentiation is the AI gateway pattern. It is less developed on eval-gate and supply chain than Robust Intelligence or Protect AI. The right tool for organisations standardising on AI-gateway architecture.
Mindgard is the leading independent AI red-teaming specialist. Continuous automated red-teaming, with detection breadth on prompt-injection, jailbreaks, and training-data extraction. Earlier deployment maturity than Robust Intelligence pre-acquisition. Acquisition risk is real — Mindgard is the kind of asset Cisco or Palo Alto would buy within the next eighteen months.
Lasso Security is runtime AI security focused on shadow AI discovery — surfacing tools the security team did not know were deployed and enforcing policy against employee LLM use. It overlaps significantly with AISPM and secure-web-gateway categories. It fits organisations early in AI security maturity who need an inventory layer first.
Sphynx is model risk management extending into AI governance. It produces MRM artefacts mapped to SR 11-7, EU AI Act Article 9, and the NIST AI RMF. It is not a runtime tool — the buyer is the MRM function inside a bank, not the security team. The right tool for regulated financial services with explicit MRM obligations.
Wiz is the leading CSPM extending into AI-SPM. Coverage spans Bedrock, Azure OpenAI, Vertex AI, and SageMaker. The graph visualisation is the best in the category, and the graph wins procurement meetings. Depth on application-layer controls — eval-gate enforcement, prompt-cache integrity, training-data lineage — lags the AI-natives. The Wiz Academy omission of Lakera, Robust Intelligence, Hidden Layer, and Mindgard is the structural signal that the roadmap does not yet read what those vendors read. Pricing scales with cloud spend; AI-SPM adds a multiplier. It fits existing Wiz customers. It is the wrong starting point for an enterprise standing up AI security from scratch.
Palo Alto Prisma AI Security carries the deepest compliance-framework coverage in the category. It inherits the Prisma Cloud heritage and adds the AI-native depth from the Protect AI acquisition. Breadth across discovery, posture, eval, supply chain, and runtime is the broadest of any single vendor. The console is heavy, the deployment complex, the integration tax real. Module-based pricing. The right tool for a Tier 1 bank with NDPA, CBN CSAT, EU AI Act, and SR 11-7 obligations across AWS, Azure, and on-prem AI. The wrong tool for a fifty-person AI-product company.
Orca Security is the agentless CNAPP extending into AI-SPM. Strong on multi-cloud parity, weaker on detection depth than Wiz or CrowdStrike. The AI-SPM module is less developed than Wiz or Palo Alto — coverage at the time of writing is inventory and basic configuration analysis. It fits multi-cloud Orca customers where agentless matters operationally.
CrowdStrike Falcon Cloud Security is endpoint-led CNAPP extending into AI workload protection. Falcon AI surfaces runtime threats using the same telemetry pipeline as the endpoint product. Strong on detection depth, weaker on posture and compliance breadth. Attractive for existing Falcon shops, uncompetitive standalone.
Build versus buy by category
| Category | Build viability | When to buy |
|---|---|---|
| Prompt-injection defence | Strong on Bedrock Guardrails or NeMo Guardrails plus custom rules | Customer-facing AI where false-negative cost is high |
| Model evaluation and red-teaming | Strong on Garak, PyRIT, Promptfoo plus custom eval suites | Continuous red-teaming at scale; regulated MRM obligations |
| Model registry and governance | Strong on MLflow plus cloud-native registries | Multi-cloud estates above 50 models under management |
| DSPM for AI | Hard above 50 cloud accounts | Most enterprises buy this; classification work is hard |
| AISPM | Hard above 50 cloud accounts | Most enterprises buy this |
| Adversarial ML defence | Weak; specialised research domain | Training custom models or exposing model APIs publicly |
| AI bill of materials | Strong on CycloneDX-AI | Existing Snyk customers; explicit AIBOM obligations |
The pattern across the table is consistent. Where the open source is mature and the threat model is well understood, the build case wins at most scales. Where the data classification or multi-cloud inventory work is genuinely hard, the commercial vendors earn their margin.
The matrix nobody publishes
| Workload class | Best fit | Why |
|---|---|---|
| Greenfield AI, mid-market, no existing CSPM | Lakera + Garak + custom AISPM build | AI-native specialists for application layer; build for posture |
| Existing Wiz customer adding AI | Wiz AI-SPM + Lakera or Bedrock Guardrails | Path of least procurement resistance plus application-layer gap fill |
| Existing Palo Alto customer adding AI | Prisma AI Security plus portfolio | Bundled story is genuinely strong |
| Regulated financial, residency-strict | Prisma AI Security + Sphynx | Compliance-framework depth plus MRM artefacts |
| Regulated healthcare, HIPAA + EU AI Act | Prisma AI Security + Hidden Layer | Compliance depth plus adversarial robustness |
| Government / sovereign deployment | Cloud-native + Garak + CycloneDX-AI | Commercial vendor sovereignty risks rule out most options |
| Open-source-only, no commercial vendor | Garak + PyRIT + Promptfoo + NeMo + MLflow + CycloneDX-AI | Build path is credible; open source covers most of the surface |
| AI-product company, customer-facing at scale | Lakera + Robust Intelligence or Mindgard + custom AISPM | Application-layer threat model dominates; CSPM tools insufficient |
The Pattern That Keeps Eating the Independents
Lacework was eaten by Fortinet in 2024. Robust Intelligence by Cisco in 2024. Protect AI by Palo Alto in 2025. The pattern is now so consistent it has rhythm — an AI-native independent proves a category, the broader security platforms absorb it within twenty-four to thirty-six months of category maturity, and the acquiring vendor's roadmap dominates within eighteen to twenty-four months after that. Buyers signing three-year contracts with independents in 2026 are signing into that pattern whether they price it in or not.
Lakera, Hidden Layer, CalypsoAI, Mindgard, and Lasso are all plausible targets within the contract horizon a procurement lead is signing today. This is not an argument against signing with the independents — the application-layer depth they bring is real, and the CSPM-extended tools have not caught up. It is an argument for negotiating like the acquisition is coming. Shorter durations. Exit clauses. Escrow for the runtime components. A build-fallback architecture that does not collapse the day the vendor is acquired, the pricing changes, or the product is quietly sunset into a larger SKU.
What to Cross Out in the Slide Deck
Three patterns recur in vendor pitches and warrant a red pen.
"AI threat detection" across CSPM-incumbent pitches is mostly anomaly detection rebranded against AI workload telemetry. The signal looks like the signal the SOC has always seen, with an AI label. The real AI-native threat detection — prompt-injection signatures, model-extraction patterns, jailbreak corpora — sits with the AI-natives, not the incumbents.
"GenAI for security" in most pitches is RAG over the vendor's existing telemetry. Useful, but not the differentiated AI capability the pitch implies — it is the security product with a chat window. "AI-SOC" wrapping from CrowdStrike, Palo Alto, and Microsoft is the same pattern applied to the SOC analyst workflow.
The "Top X per cent of Fortune 500 adoption" claim is self-reported and unverifiable. Analyst quadrant placement is paid into. "Starts at" pricing is the entry tier of the entry tier — realistic enterprise pricing is five to ten times the headline number once the modules add up.
The Verdict, By Workload Class
For greenfield AI with no existing CSPM, the honest stack is Lakera for prompt-injection, Garak running in CI/CD for red-teaming, and custom AISPM rules against the cloud provider's model registry. The trade-off is that it requires AI-platform engineering capacity in-house.
For an existing Wiz customer adding AI, it is Wiz AI-SPM with Lakera or Bedrock Guardrails layered on top. The trade-off is the AI-SPM multiplier on the Wiz licence, and the discipline not to assume Wiz covers application-layer controls just because the dashboard claims it does.
For an existing Palo Alto customer adding AI, it is Prisma AI Security as the primary platform. The trade-off is the deployment weight and the deepening commitment to the Palo Alto relationship.
For a Tier 1 regulated bank operating multi-cloud across multiple frameworks, it is Prisma AI Security plus Sphynx for the MRM artefacts. The trade-off is that the custom-build alternative takes eighteen to twenty-four months to deliver equivalent depth.
For a sovereign or government AI deployment, it is a custom build on cloud-native plus open source. Commercial alternatives carry sovereignty risk the procurement officer cannot accept. The trade-off is sustained engineering investment for as long as the deployment runs.
For an AI-product company at scale, the stack is Lakera plus Robust Intelligence or Mindgard plus a custom AISPM layer. The trade-off is integration tax across three vendors. The threat model — customer-facing AI, public model exposure, rapid product evolution — justifies it.
None of these is the recommendation any vendor would write. That is the point of the piece.
FAQs
Why does Wiz Academy not name Lakera, Robust Intelligence, Hidden Layer, or Mindgard?
Because they compete with Wiz's AI-SPM module on application-layer controls Wiz has not yet shipped. Vendor-published comparison pieces omit competitors who threaten the publishing vendor's roadmap. The omission is structural, not accidental — treat any vendor-published comparison list as incomplete by design.
Is the AI security category genuinely separate from CSPM?
For application-layer controls — prompt-injection defence, model evaluation, adversarial ML defence — yes. The CSPM incumbents do not yet credibly address these; the AI-native specialists do. For infrastructure-layer controls — AISPM, DSPM-for-AI — the CSPM incumbents are credible and the AI-native specialists are extending in. The category will likely converge over 24-36 months.
What is the right shortlist for a procurement process starting today?
For an enterprise standing up AI security from scratch in mid-2026: Lakera for prompt-injection, Garak or Promptfoo plus custom eval-gate enforcement for red-teaming, MLflow plus cloud-native registries for governance, Wiz or Prisma AI Security for AISPM and DSPM-for-AI, Hidden Layer only if adversarial ML is in the threat model, custom CycloneDX-AI for AIBOM.
How worried should we be about vendor acquisition risk?
Worried enough to read the contract carefully. Lacework, Robust Intelligence, and Protect AI were all independent in 2023 and acquired within 24 months. Negotiate shorter durations, exit clauses, escrow for runtime components, and a build-fallback architecture that does not collapse if the vendor is acquired or sunset.
Companion content
- AISPM, AIWPM, DSPM, CSPM: The Acronym Map
- AI Workload Posture Management: The CSPM Gap
- AI Red-Teaming: Discipline, Theatre, vs Practice
- CSPM Vendor Comparison 2026: The Honest Version
- DSPM Meets RAG: Data Classification in the Knowledge Base Era
- AI Bill of Materials: AIBOM and SBOM for AI Systems
How to engage
If you are running an AI security tooling procurement and want a vendor-neutral read on which combination fits your environment — including the build-versus-buy calculation per category against your actual AI footprint — talk to us at creativeminds.dev/contact. The Phase 0 diagnostic runs the seven categories above against your real AI estate, models the pricing each vendor will quote against your real model count and traffic volume, and produces a procurement-ready recommendation. We do not resell any of the vendors named here; the recommendation is the deliverable.
