A budget line item that does not exist yet is the easiest to underestimate — and the hardest to fight for once it lands.

Why a Five-to-Seven-Percent Allocation Matters Now

Gartner published a research note in February 2026 (G00836388) projecting that by 2028, organizations will allocate 5 to 7 percent of total agentic AI spend to guardian agents — the runtime governance, observability, and enforcement layer that sits around production agent deployments. The number today is under 1 percent.

This is a line item that did not exist on enterprise P&Ls 18 months ago. It exists now in the imagination of every Gartner-reading CISO and CIO. By 2028 it will be a procurement category as recognizable as EDR or DLP — with all the same vendor consolidation, RFP cycles, and budget defense conversations.

The mark-to-market matters. Below 1 percent today reads like rounding error. Five to seven percent of a six- or seven-figure AI program reads like a discrete line item your CFO is going to ask about by name.

| Metric | Today | 2028 (Gartner forecast) |
|---|---|---|
| Guardian agent share of agentic AI spend | <1% | 5–7% |
| Vendors in the risk & security specialist category | A handful | 29+ named today |
| CIOs with agents in production | 17% | 42% within 12 months |
| Time to deploy a first-line enforcement control | Quarter-scale | Week-scale |

The CIO survey numbers above (Gartner, 2025) are the demand side of the same equation. The supply side is the 29-plus vendors already swarming the category. The budget is forming around them — fast.

Whose P&L Absorbs It

Here is the question no one wants to surface in a steering committee: which budget does this line item sit in? There are three plausible homes, and the political shape of each is different.

| Budget owner | Argument for | Argument against | Procurement leverage |
|---|---|---|---|
| CISO | This is policy enforcement at the kernel — security operations own it. | Risk teams are often asked to fund AI-enablement controls and then called “the office of no” when they push back. | Strong on technical evaluation, weak on tying spend to revenue. |
| CIO | Agents are an IT delivery program; governance is the platform tax. Platform budgets fund what platforms run. | Governance gets cut first when program ROI is questioned. | Strong on standardization, weak on incident-driven defense. |
| CFO / Chief AI Officer | Both demand-side and risk-side belong to whoever is sizing the program. | New role, new budget — political capital is the constraint. | Strong on enablement framing, weak on operational depth. |
| Split across two | Reflects reality — risk and platform are co-owners. | Splits are politically expensive and slow to negotiate. | Weakest. The split becomes the easiest line to cut. |

Whoever does not decide loses the procurement negotiation. That sounds obvious; it is not how most organizations are operating today. We watch budget approvals stall in pilots because the CISO budget owns the RFP but the AI program budget owns the deployment — and the two committees do not meet. The result is a guardian agent capability that is six months past the point where the underlying agents went live.

Hedge your exposure by deciding now — not when the 5-to-7 percent has hardened into a turf fight. See our enterprise positioning and agent governance framing for how this conversation typically resolves in active deployments.

Twenty-Nine Vendors, Five Real Categories

Gartner’s “risk and security specialist” bucket today has 29-plus named vendors. The operational decision is harder than the budget decision — because the category is not one category. The 29 collapse into roughly five distinct architectural patterns:

  1. Prompt guardrails (Lakera, Protect AI, GuardrailsAI): sit above the model, inspect prompts and outputs, enforce content policy. Necessary, not sufficient — they cannot price what an agent does after the prompt resolves.
  2. AI gateways and LLM proxies: terminate API traffic, inspect tokens, redact in transit. Good metadata, after-the-fact mitigation.
  3. Agent observability and discovery: inventory the fleet, surface unsanctioned binaries, baseline behavior. This is the point Gartner explicitly calls out: visibility over all agents, sanctioned and unsanctioned, is the most critical starting point.
  4. Agent identity (IAM for agents): scoped credentials, attestation, lifecycle. Necessary for the long run. Per Gartner’s note on IAM/IG convergence: a 12-to-24-month build, not a quarter.
  5. Runtime enforcement at the kernel (where the agent firewall category sits): policy that intervenes mid-action, not after the gateway has already logged the call. This is the control point Gartner now defines as a mandatory feature category alongside visibility/traceability and continuous assurance.

Five categories, 29-plus vendors. Most enterprises will not buy one of each — they will land on a primary architecture and a complement or two. The procurement question reduces to: which architecture is your control of record, and which are supporting evidence?

What to Fund First, What to Defer

Treat this like portfolio construction, not feature comparison. Some line items are the core position; others are insurance; others are options on a thesis.

Risk Allocation = (Control of Record × Coverage of Fleet) + (Complementary Controls × Maturity Horizon)

| Quarter | Fund | Defer | Rationale |
|---|---|---|---|
| Q1 | Discovery + observability + runtime enforcement (the kernel-layer control of record) | Full agent IAM rebuild | You need a view of the fleet and the ability to intervene before identity matures. |
| Q2 | Policy codification, integration with existing SIEM/EDR (CrowdStrike, SentinelOne, Defender, Splunk, Datadog) | Prompt-layer-only solutions as the primary control | Prompt guardrails are complementary; they should not be sized as the load-bearing control. |
| Q3 | Agent identity pilot, scoped to highest-risk workflows | Cross-cloud unified control-plane promises | Per Gartner: no cloud provider can unilaterally enforce runtime control once agents operate or delegate across another provider’s environment. |
| Q4 | Information governance, data-classification convergence | Vendor consolidation bets — the category is still moving | The buyout cycle is already starting (Palo Alto → Protect AI, Check Point → Lakera in 2025). Lock-in risk is real. |

The deferred items are not unimportant. They are unimportant first. Build velocity on the controls that ship in weeks; let the controls that take 12-to-24 months mature in parallel.

What CISOs Should Do This Quarter

| Step | Action | Output | Effort |
|---|---|---|---|
| 1 | Surface the 5-to-7 percent number to your CIO and CFO before the FY-27 planning cycle closes | Three-way budget conversation locked in | 1 meeting |
| 2 | Run an agent-discovery sprint across the dev estate | Baseline fleet inventory + sanctioned vs unsanctioned ratio | 1–2 weeks |
| 3 | Stand up runtime enforcement around the single highest-risk agent workflow | Deployable control of record + reference incident | 2–4 weeks |
| 4 | Draft the FY-27 budget narrative: enablement, not tax | One-page memo your CFO can defend to the board | 1 week |

The CFO needs the framing. The CIO needs the discovery. The CISO owns the control. None of these wait on each other.

The Bottom Line

The 5-to-7 percent line item is forming whether your organization names it or not. Treat it as a portfolio allocation problem: discover the fleet, stand up runtime enforcement as your control of record, defer full identity and information-governance rebuilds to their natural 12-to-24-month horizon, and let the prompt-layer and gateway categories play their complementary roles. The budget conversation lands in someone’s P&L within twelve months. Whoever frames it first wins the procurement leverage.

If your team is sizing this for the FY-27 planning cycle, request a working session. We will walk through your agent estate, sketch the budget breakdown across the five architectural categories, and scope a runtime-enforcement deployment that can be operating in your environment inside the quarter. Ninety minutes is enough to leave the call with a defensible number for your CFO.