CISOs Have Budget for AI Security. The Missing Layer is the Control Loop.
What enterprise security leaders told us about the fastest-growing line item in their budgets, and about the category gap they're trying to fill.
Jake Storm
Dan Bartus
Nancy Wang

Securing AI is the single biggest reason CISO budgets are going up, and one of the least mature operational categories in the security stack.
That's the headline finding from a survey we ran this spring, polling 45 enterprise security leaders, with 76% of them CISO- or CSO-level, about how AI is changing their threat model, their budget, and their roadmap. The data tells a clear story: buyers are ready, budget is allocated, and the underlying architecture category has not consolidated.
Agent Runtime Governance Is the Wedge
Any investor can tell you that security for AI is a category, but determining which lane within that category can produce a platform-scale company requires looking one layer deeper: at what buyers are looking for, and at what they don't yet know they need. Here's our bet:
We believe the wedge is agent runtime governance: identity, authorization, observability, and policy enforcement for non-human actors operating autonomously inside enterprise environments. That's where the most concrete unmet need shows up in the survey, with 58% of CISOs duct-taping legacy IAM onto non-human identities (NHIs) and 56% unable to count them. It's where the open-text "what we wish existed" answers converged on a single described product. This is the first major enterprise security category in over a decade where the underlying primitives cannot be extended from workforce IAM, cloud security, or traditional endpoint telemetry.
This matters for a structural reason. Agent governance sits closest to the authorization boundary and the execution loop. Companies that own identity, delegated authority, runtime policy, and tool-call mediation can expand upward into prompt security, model governance, and AI-aware DLP. The reverse is structurally harder because detection-layer companies do not naturally own execution control.
Here's what the survey data shows:
AI Security Is Already a Line Item
CISOs know they have battles ahead. 82% of them grew their security budgets over the past 12 months. 87% expect another increase in the future. When we asked them to name the biggest reason their security spend is growing, the largest single answer was AI. 47% pointed at securing AI workloads as the primary driver. 60% expect that pressure to intensify as the next generation of frontier models pushes deeper into production environments.
This is no longer an exploratory budget. CISOs are allocating operational spend against AI-related risk before the category has stabilized. 78% of respondents have already carved out a dedicated "security for AI" budget, most of it sitting in the $100K to $1M range. 18% are holding between $1M and $5M earmarked specifically for this. The money is allocated, and they're looking for somewhere to put it.

80% told us they want to evaluate new AI security startups this year. When we asked who they expect to build the dominant solution, the answer ran the same way — new AI-focused startups led, with existing platform players and identity incumbents tied for second.

Budget Searching for a Solution
We asked CISOs where the biggest gap in their current security stack is. The runaway answer was AI security and securing LLM workloads, at 30 mentions out of 45 respondents. That's more than the next three categories combined (data security and DLP, detection and response, and AppSec).

The same answer holds when CISOs name what's bottlenecking their entire security program. 29% pointed at the lack of a mature approach to AI workloads as the single biggest thing slowing them down, ahead of budget, talent, and tool sprawl.

91% of organizations told us they're still in "developing" or "early" stages of AI security maturity, and zero respondents reported a mature program. The budget category exists before the architectural category has fully formed.
What's Actually Going Wrong
AI concerns have joined the top tier of CISOs' general worry list, tied with the kinds of incidents they've been thinking about for years.

When CISOs name what they're worried about inside the AI category specifically, the answers cluster around three things that didn't exist a few years ago:
- Data leakage to AI tools and agents (56%)
- Shadow AI, meaning employees using models the security team doesn't know about (53%)
- Over-permissioned AI agents acting beyond their scope (47%)
Underneath these is the bigger fear, which is AI-powered attacks themselves. 73% of CISOs rate their concern as "high" or "critical." 42% call it high, and 31% put it at the level the survey labeled "this keeps CISOs up at night."

These risks are operational realities CISOs face today and have been facing for some time now. Employees paste customer data into chat interfaces. Agents call APIs with more credentials than they should. The behaviors are already widespread, and nothing in the existing stack was designed to see them.
In every case, the core failure is the same: enterprise security systems were built around stable software and human actors, while AI systems are probabilistic, delegated, and autonomous.
The Missing Control Plane
The threat data tells you what's going wrong. The "what we wish existed" open-text answers tell you what CISOs want someone to build. They converge on one thing: a unified control plane for NHI and autonomous execution that covers the full lifecycle, including inventory, access, runtime, and governance.
These numbers should make any team running agents in production uncomfortable. 58% of CISOs told us they're using legacy IAM systems as a workaround for non-human identities, and 56% can't count the NHIs running in their environment. Most enterprises are deploying agents faster than they can inventory, authorize, or audit them.

The same pattern shows up outside our survey. Dustin Wilcox, the CISO at S&P Global, recently put it to CSO Online this way: "Identity is now both a control surface and an attack surface. We've had non-human identities as API keys, tokens, service accounts, but now we have agents, and that's a new class."
That framing matters because agents are not just another workload category. They combine identity, delegation, and reasoning in ways existing security tooling was never designed to govern. This is the most underserved subcategory we found in the survey. Instead of asking for incremental DLP or a better SIEM, CISOs are describing a single product that lets them see every agent and service identity, govern what each one can access, and watch it at runtime.
Bigger Than Cloud Security
We asked how big "security for AI" will get as a category. 64% of respondents told us it will be at least as large as cloud security, and a third said it will be bigger: a platform-scale security outcome (e.g., Wiz).

And they're skeptical that the incumbents will win it: startups led the expected-source responses, with existing platform players like Palo Alto and CrowdStrike and identity incumbents like Okta tied for second.
Our read is that this risk surface doesn't look like cloud, and CISOs aren't betting on their existing platform vendors to figure it out fast enough.
Three Lanes Is Better Than One Suite
The harder question isn't whether security for AI is a category. It's which lane produces the durable company.
When CISOs talk about "security for AI" they're talking about three different things, and the companies they named in our open-text answers cluster into three lanes.

Agent Runtime Governance
The control plane for agents and service accounts, covering inventory, access, runtime governance, and audit. We think this is the lane that produces the platform.
Workforce Access And AI Adoption Governance
Managing how humans access AI tools, discovering the AI apps employees are using without IT approval, and governing SaaS-to-AI connections.
Model and Inference-Layer Security
Guardrails on model outputs, red-teaming, prompt-injection defense, and AI-aware DLP.
These lanes don't converge into a single product. They will probably produce one or two large outcomes each, with the agent governance lane producing the largest. CISOs who already have a "security for AI" budget mostly intend to spend across at least two lanes, not on a single suite. That matters for any founder deciding what to build, and for any CISO deciding what to evaluate first.
Engaging the Counterarguments
The strongest case against a new platform in security for AI is the distribution case. Palo Alto Networks and CrowdStrike already sit in the security stack, already have CISO trust, and will ship "AI security" modules into existing platforms. New startups, the argument goes, will get squeezed before they can scale.
That same argument ran against cloud-security startups in 2018 and lost to Wiz. It loses again here because the platforms are built on identity and detection models designed for human users and stable workloads. Agent governance requires different primitives, like identity for ephemeral processes, runtime control over autonomous calls, and audit over natural-language inputs. None of these map cleanly onto the architectural assumptions underlying current identity, SIEM, or endpoint platforms. They require new identity and execution primitives rather than incremental feature extension. The companies that started with the right primitives in 2024–2026 will be too far ahead by the time the platforms commit.
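As an added illustration of the primitives just listed (identity for ephemeral processes, runtime control over autonomous calls, audit over natural-language inputs) and of the single product the survey's open-text answers describe (see every agent, govern what it can access, watch it at runtime), the following Python sketch is ours; it is not code from the survey, from any respondent, or from any company named on this page. The agent names, tools, prompts, timestamps and the rule that egress tools require a named delegating principal are all constructed assumptions. It shows an NHI inventory with expiry, a mediation point that every tool call passes through, and an audit trail that can be queried for unused grants (over-permissioned agents) and for callers nobody registered (shadow agents).

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set

# Constructed illustration of an agent runtime governance loop: an NHI
# inventory, a mediation point every tool call passes through, and an
# audit trail that can be queried for drift. Agent names, tools and
# prompts below are made up; this is not any vendor's or respondent's code.


@dataclass
class AgentIdentity:
    agent_id: str
    owner: str                    # accountable human or team
    delegated_by: Optional[str]   # principal whose authority the agent acts under
    allowed_tools: Set[str]
    expires_at: datetime          # ephemeral process, ephemeral identity


@dataclass
class AuditRecord:
    ts: datetime
    agent_id: str
    tool: str
    allowed: bool
    reason: str
    prompt_excerpt: str           # the natural-language input behind the call


@dataclass
class Decision:
    allowed: bool
    reason: str


class AgentControlPlane:
    # Assumed policy for this demo: tools whose effect leaves the trust
    # boundary need a named delegating principal, not just an allow-list entry.
    EGRESS_TOOLS: Set[str] = {"send_email", "export_records"}

    def __init__(self) -> None:
        self.inventory: Dict[str, AgentIdentity] = {}
        self.audit: List[AuditRecord] = []

    def register(self, ident: AgentIdentity) -> None:
        self.inventory[ident.agent_id] = ident

    def mediate(self, agent_id: str, tool: str, prompt: str, now: datetime) -> Decision:
        """Authorize one tool call. Every outcome, allowed or denied, is audited."""
        ident = self.inventory.get(agent_id)
        if ident is None:
            d = Decision(False, "unknown agent: not in inventory")
        elif now >= ident.expires_at:
            d = Decision(False, "identity expired")
        elif tool not in ident.allowed_tools:
            d = Decision(False, f"tool '{tool}' not granted")
        elif tool in self.EGRESS_TOOLS and ident.delegated_by is None:
            d = Decision(False, f"egress tool '{tool}' requires a delegating principal")
        else:
            d = Decision(True, "ok")
        self.audit.append(AuditRecord(now, agent_id, tool, d.allowed, d.reason, prompt[:80]))
        return d

    def unused_grants(self, agent_id: str, since: datetime) -> Set[str]:
        """Granted tools the agent never successfully used after `since`:
        revocation candidates under least privilege."""
        ident = self.inventory[agent_id]
        used = {r.tool for r in self.audit
                if r.agent_id == agent_id and r.allowed and r.ts >= since}
        return ident.allowed_tools - used

    def uninventoried_callers(self) -> Set[str]:
        """Agent ids seen at the mediation point that nobody registered."""
        return {r.agent_id for r in self.audit if r.agent_id not in self.inventory}


def run_demo() -> AgentControlPlane:
    t0 = datetime(2026, 5, 1, 12, 0, tzinfo=timezone.utc)  # constructed timestamp
    cp = AgentControlPlane()
    cp.register(AgentIdentity("support-bot", "support-team", "alice@example.com",
                              {"lookup_ticket", "send_email"}, t0 + timedelta(hours=8)))
    cp.register(AgentIdentity("etl-agent", "data-eng", None,
                              {"read_table", "export_records"}, t0 + timedelta(hours=1)))

    cp.mediate("support-bot", "lookup_ticket", "Find the ticket for order 1234", t0)
    cp.mediate("support-bot", "export_records", "Export all customer records", t0)
    cp.mediate("etl-agent", "read_table", "Load today's orders table", t0)
    cp.mediate("etl-agent", "export_records", "Push the table to the partner bucket", t0)
    cp.mediate("rogue-agent", "lookup_ticket", "Look up any ticket", t0)
    cp.mediate("etl-agent", "read_table", "Reload the table", t0 + timedelta(hours=2))
    return cp


if __name__ == "__main__":
    plane = run_demo()
    for r in plane.audit:
        verdict = "ALLOW" if r.allowed else "DENY"
        print(f"{r.ts:%H:%M} {r.agent_id:<12} {r.tool:<15} {verdict:<5} {r.reason}")
    print("unused grants for support-bot:", plane.unused_grants("support-bot", plane.audit[0].ts))
    print("uninventoried callers:", plane.uninventoried_callers())
```

The structural point is that the same record that authorizes a call also produces the audit entry, so inventory, access and runtime visibility come out of one loop rather than three tools. The two drift queries at the end are where the survey's top worries, over-permissioned agents and shadow AI, become facts a team can check rather than fears it can only rank.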
A second argument cuts deeper. Securing AI may not be a standalone category at all. It may be a feature inside existing identity, data, and endpoint platforms, each with strong incumbents. Cisco's $400M acquisition of Astrix this April points that way. It pulls agent identity inside a $100B security platform before Astrix had to choose between staying independent and selling. The deal validates the lane — Cisco doesn't pay $400M for a feature — but it also warns that incumbents will pay to short-circuit a category before any independent agent-governance company can scale. We read $400M as a floor on the lane's strategic value, not a ceiling. A check that size buys an option, not a category.
The incumbents will likely win the easier lanes, like model output filtering, basic prompt security, and AI-aware DLP for known data flows. They'll likely need to invest significant time and energy in acquiring the lane that matters most.
By 2031
CISOs are facing a category of risk their current stack doesn't cover. They've already allocated budget for it, and they want to evaluate new startups this year. In their own view, the category will be at least as large as cloud security, with new entrants rather than the platform incumbents taking the share.
There's one more signal worth naming. The products that win this won't be the ones promising to replace the security team. 43% of CISOs told us they're growing headcount because of AI. The pitch that lands is augmentation rather than displacement.
We expect that by 2029, security for AI will be one of the largest line items in enterprise security budgets. The company that owns the agent governance lane will be a public-market story by 2031. The CISOs we surveyed don't yet know which company that is. The other companies that came up most across CISOs were Bay, Zenity, Noma, Onyx, Manifold and Runlayer. (We are investors in Runlayer.)
For any founder reading this, the bigger risk isn't backing the wrong company in security for AI, it's missing the architecture call. That can happen by assuming the category produces one suite when it actually produces three lanes, or by assuming the incumbents win the lane that matters most.
If you're a founder building in this space, we'd like to talk.
Survey conducted spring 2026. n=45 enterprise security leaders, 76% of them CISO/CSO-level.
Authors
Jake Storm
General Partner
Dan Bartus
Partner, Head of Research
Nancy Wang
Venture Partner