The fastest way to lose a security buyer’s trust is to claim a position you don’t actually hold.

Why an Honest Scope Statement Matters Now

Every emerging security category goes through the same inflation phase: the term of art gets coined, the analyst coverage lands, and within two quarters every vendor within shouting distance has rebadged their product to match. Agent governance is in that phase right now. Gartner counts dozens of vendors crowding into the guardian-agent space, and projects that spend on this layer grows from under 1% of agentic AI budgets today to 5–7% by 2028. When a line item is about to grow that fast, every pitch deck converges on the same vocabulary — and the buyer’s diligence problem gets harder, not easier.

| Signal | Number | Source |
| --- | --- | --- |
| Agentic AI spend going to guardian agents by 2028 | 5–7%, up from <1% today | Gartner |
| Agent incidents driven by internal violations through 2028 | At least 80% | Gartner |
| Enterprise AI agents operating outside security policy | 88% | Ospiri research |
| Typical window before incumbents catch up to a new control class | 12–18 months | Ospiri research |

So this post does something slightly unusual for a vendor blog: it marks our own position to market. Here is precisely what an agent firewall does, where it sits, and — just as load-bearing — what it deliberately does not attempt. A control you can’t scope is a control you can’t trust.

The Three Feature Categories, Mapped

Gartner’s framing of the guardian-agent space lands on three mandatory feature categories. They make a useful grading rubric, because most tools in the category today clear one of the three and market all three. An agent firewall is built to clear all three — at the kernel, not at the prompt.

| Gartner feature category | What it requires | Where an agent firewall delivers it |
| --- | --- | --- |
| Visibility & traceability | Inventory of all agents, sanctioned and shadow, with attributable action logs | Kernel-level observability of every file, network, process, and IPC action, per agent |
| Continuous assurance | Ongoing verification that agent behavior stays within policy, not point-in-time review | Behavioral baselines and drift detection running against live syscall activity |
| Runtime inspection & enforcement | The ability to stop a violating action while it is happening | Policy decisions applied in the action path — before the write, the exfil, the spawn |
| Context-rich scanning | Knowing what data an action touches, not just that an action occurred | File classification and destination context evaluated at enforcement time |
| Coexistence | No conflict with the existing endpoint stack | Runs alongside EDR (CrowdStrike, SentinelOne, Defender) — different control point, no agent fights |

The third row is where most of the category currently falls short. Gartner’s own assessment is blunt: most guardian-agent tools today support passive monitoring, while fully autonomous real-time enforcement remains largely confined to research and proof-of-concept. Dashboards are positions you can see; enforcement is the hedge that actually pays out when the move goes against you.

Why the Kernel Is the Control Point

The architectural argument compresses to a sequencing fact about where intent becomes action:

  1. Prompt-layer tools see the plan, not the trade. Guardrails and LLM proxies (Lakera, Protect AI) inspect what the agent intends. By the time an action lands at the operating system, the prompt context that justified it is gone.
  2. API-layer tools see only instrumented surfaces. Gateway and DSPM-style approaches govern the traffic they proxy. A standalone agent — Cursor, Claude Desktop, Goose, Aider — acting on the local filesystem never crosses that wire.
  3. Process-layer tools see executables, not agent semantics. EDR was built to price malicious binaries. An agent is a signed, sanctioned process doing something out of policy — frequency and severity drift inside a legitimate position.
  4. The kernel sees the action itself. Every file read, network call, and process spawn passes through one chokepoint, regardless of which agent issued it or which vendor shipped that agent. That is the only layer where “sanctioned” and “shadow” agents are governed by the same book.

This matters more, not less, given who causes the losses. Gartner expects at least 80% of unauthorized agent transactions through 2028 to come from internal violations — oversharing, misuse, misguided automation — rather than external attack. Endogenous risk doesn’t trip perimeter alarms. It has to be priced where it executes.

What an Agent Firewall Deliberately Doesn’t Do

Here’s the bet: in a consolidating category, the vendors that survive diligence are the ones whose scope statements are falsifiable. So, plainly — three adjacent problems an agent firewall does not solve, and shouldn’t pretend to.

| Adjacent problem | Why it’s out of scope | Who owns it |
| --- | --- | --- |
| Agent identity & access management | Issuing and lifecycling agent credentials is an IAM-platform problem with a 12–24 month maturity curve | Your IAM vendor, extended to non-human identities |
| Data classification | Labeling the estate (Purview, BigID-class tooling) is an information-governance program, not an endpoint control | IG and data-governance teams |
| Prompt-input defense | Jailbreak and injection screening happens above the OS, before intent resolves | Prompt guardrails — complementary, not competitive |
| Model alignment & evaluation | Whether the model itself behaves is a build-time and eval problem | AI engineering and platform teams |

The integration posture follows from the scope: an agent firewall consumes identity signals as they mature, respects classification labels where they exist, and exports enforcement telemetry to the SIEM (Splunk, Datadog) your SOC already watches. It plays well with the stack. It does not try to be the stack — that claim is precisely the inflation this post exists to avoid.

What CISOs Should Do This Quarter

| Step | Action | Output | Effort |
| --- | --- | --- | --- |
| 1 | Score your current guardian-agent shortlist against the three Gartner categories — demand proof of enforcement, not monitoring | Vendor matrix with evidence column | 1 week |
| 2 | Run a kernel-level inventory on a 100-endpoint dev sample | Count of sanctioned vs. shadow agents, per team | 1–2 weeks |
| 3 | Write one enforceable policy from observed behavior (e.g., no agent writes outside project directories) | Policy-as-code artifact, tested in copy-on-write mode | 1 week |
| 4 | Map the out-of-scope columns — IAM, classification, prompt defense — to named owners and timelines | One-page governance RACI for the board | 3 days |
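
Step 3's example policy (no agent writes outside project directories), sketched as a policy-as-code check run over write events. This is an added illustration, not the vendor's code: the `WriteEvent` shape, the per-agent roots, the function names, and the sample events are all assumptions constructed for the example.

```python
import posixpath
from dataclasses import dataclass

@dataclass(frozen=True)
class WriteEvent:  # hypothetical event shape, not a product schema
    agent: str
    cwd: str
    path: str

# Hypothetical policy: project roots each inventoried agent may write under.
POLICY = {
    "aider": ["/home/dev/projects/api"],
    "goose": ["/home/dev/projects/web", "/tmp/goose-cache"],
}

def resolve(cwd, path):
    # Lexical normalization only: collapses "." and ".." but does not follow
    # symlinks; this sketch assumes the event source reports resolved paths.
    return posixpath.normpath(posixpath.join(cwd, path))

def inside(root, target):
    # Compare by path component so /projects/api does not match /projects/api-backup.
    root = posixpath.normpath(root).rstrip("/")
    return target == (root or "/") or target.startswith(root + "/")

def decide(event, policy=POLICY):
    roots = policy.get(event.agent)
    if roots is None:
        return ("deny", "agent not in inventory")
    target = resolve(event.cwd, event.path)
    if any(inside(r, target) for r in roots):
        return ("allow", target)
    return ("deny", target + " is outside project directories")

def evaluate(events, policy=POLICY):
    return [(e.agent,) + decide(e, policy) for e in events]

# Constructed sample events for illustration.
EVENTS = [
    WriteEvent("aider", "/home/dev/projects/api", "src/main.py"),
    WriteEvent("aider", "/home/dev/projects/api", "../../.ssh/authorized_keys"),
    WriteEvent("aider", "/home/dev/projects/api", "/home/dev/projects/api-backup/x.py"),
    WriteEvent("goose", "/home/dev/projects/web", "/tmp/goose-cache/index.db"),
    WriteEvent("cursor", "/home/dev/projects/web", "README.md"),
]

if __name__ == "__main__":
    for row in evaluate(EVENTS):
        print(row)
```

The second and third events are the cases a naive string-prefix check gets wrong: a relative path that climbs out of the project, and a sibling directory that shares the project root's prefix.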

The Bottom Line

An agent firewall is kernel-level visibility, continuous assurance, and runtime enforcement over every agent action on the endpoint — and deliberately nothing else. The categories it leaves out aren’t gaps; they’re boundaries, and boundaries are what make a control attestable under frameworks like NIST CSF and ISO 27001. With 88% of enterprise agents operating outside security policy today, the cost of category confusion is measured in quarters of stalled procurement while the exposure compounds. If your team is sizing this for the next budget cycle, request a working session. We will walk through your environment, score your existing stack against the three feature categories, and scope a deployment. Ninety minutes, your endpoints, real numbers.