Enterprise AI Security Went From a Planning Conversation to a Board Emergency in 12 Weeks

Palo Alto Networks CEO Nikesh Arora went on CNBC's Mad Money on June 2 to discuss a blowout quarter — revenue up 31% year over year to $3 billion, raised full-year guidance, earnings per share ahead of Wall Street expectations. The financial results were strong enough on their own. But the detail that actually tells you something about the state of enterprise AI security wasn't in the income statement. It was in a single comparison Arora made during the interview.

"Just to give you a sense, we did 1,200 meetings all of last year. We've done 800 in the last 12 weeks. So we're busy."

Nikesh Arora

Chairman and CEO — Palo Alto Networks

CNBC Mad Money, June 2, 2026

Eight hundred customer meetings in 12 weeks, with 400 still in the queue. The same volume the company managed across all of 2025, run in a single quarter. That's a demand signal, but it's a specific kind of demand signal — the kind that comes from organizations who were not in motion before and suddenly are. The question worth asking is what changed, and why it changed so fast.

Three Events in Two Weeks That Changed the Conversation

The threat environment in enterprise AI security didn't change materially between January and May of this year. The attack vectors that Palo Alto's customers are now calling about — prompt injection, supply chain compromise, AI application abuse, model-layer attacks — were documented and discussed throughout 2025. The reason those 1,200 meeting requests arrived in a compressed window has less to do with the threat maturing and more to do with three external events that landed in rapid succession and gave executives something concrete to bring to a board meeting.

Mythos.

Anthropic released Claude Mythos Preview through Project Glasswing — a controlled access program available only to a small number of trusted organizations — after determining the model was too capable for unrestricted public deployment. That framing did something that two years of vendor marketing had not: it gave every CISO in the country a named, credentialed AI system that its own creator considered too dangerous to release openly. Palo Alto used early Glasswing access to scan 130 of its own products in a single month and found 75 vulnerabilities that had survived decades of human security testing. The earnings call quote put it directly:

"We have entered the era of truly cyber-capable systems, where models like Mythos possess the autonomous capability to execute comprehensive attack campaigns from start to finish. This represents a fundamental paradigm shift for the cybersecurity industry. The most critical factor in this transition is speed. When weaponized by adversaries, these frontier models can identify and weaponize vulnerabilities in mere minutes, a process that previously required months of manual effort."

Nikesh Arora

Chairman and CEO, Palo Alto Networks

Q3 FY2026 Earnings Call, June 2, 2026

The Gartner Security & Risk Management Summit.

On June 1 through 3 in National Harbor, Maryland, Gartner VP Analyst John Watts presented the firm's 2026–2027 ThreatScape and named four threats where attackers currently hold a structural advantage: AI application compromise, deepfake identity impersonation, software supply chain attacks, and prompt injection. This didn't introduce new information. What it did was give security leaders a named, credentialed framework to carry into executive conversations. "Gartner says we are structurally disadvantaged on four specific vectors" is a board-level sentence. "We think AI security is something we should look into" is not.

The Trump AI Executive Order.

Signed June 2, the same day as Arora's Mad Money appearance. The order gave NSA a formal role in classifying frontier AI models, directed the DOJ to prioritize enforcement against criminal use of AI agents under existing statutes, and established a voluntary pre-release review window for major model developers. It didn't create mandatory compliance obligations. But for enterprise security and legal teams, an executive order that puts NSA and DOJ in the conversation about AI systems reads as the beginning of federal oversight posture — and that reading converts a compliance question into a calendar item.

What Enterprise AI Security Looked Like Before These Events Landed

The threat was acknowledged, the frameworks existed, and most organizations had assigned someone to keep an eye on it. What they hadn't done was build anything. Security teams spent much of 2025 debating whether AI security was a subset of application security, a subset of data security, or a new function that needed its own organizational home. The answer — that it is all three depending on which layer you're defending — was available, but the organizational will to act on it was mostly absent.

Palo Alto's own November 2025 predictions research put a number on the planning-stage reality: only 6% of organizations had an advanced AI security strategy at the end of last year. The remaining 94% were either early-stage, ad hoc, or not yet engaged. HiddenLayer's 2026 AI Threat Landscape Report, published in March and based on a survey of 250 IT and security leaders, found that 31% of organizations didn't even know whether they had experienced an AI security breach in the preceding 12 months.

BEFORE — 2025 ENTERPRISE AI SECURITY POSTURE

AI security was largely a planning conversation. Budget was unallocated at most organizations. Vendor evaluations were theoretical, driven by awareness rather than urgency.

Security teams were still working out where AI security sat in the organizational structure. The threat was known. The accountability was unclear.

Only 6% of organizations had what Palo Alto characterized as an advanced AI security strategy. The other 94% were at various stages of awareness without commitment.

NOW — Q2/Q3 2026 DEMAND CONDITIONS

1,200 customer meeting requests in a single quarter. Board-level urgency driven by three specific events that landed inside a two-week window and gave executives named threats to respond to.

Prisma AIRS tripled its customer count in a single quarter to over 300, from a product that had no customers a year ago. SentinelOne, CrowdStrike, and Check Point all reporting accelerating demand for AI-specific security products.

The vendor consolidation and acquisition activity that has been building since mid-2025 — SentinelOne buying Prompt Security, Palo Alto acquiring Portkey and Koi, Check Point absorbing Lakera — is now visible in customer demand figures rather than just deal announcements.

What Should We Be Looking For

The 1,200 meetings are a real signal. They are also a complicated one. Arora noted on the earnings call that customers "don't want to solve just the problem today" — they want to understand how to prepare for the next generation of threats. That's a reasonable instinct given what Mythos demonstrated about automated vulnerability discovery. The problem is that most of the organizations now requesting these meetings are trying to start at the wrong layer of the AI security stack.

AI security in 2026 is four distinct problems that happen to share a category label. An organization evaluating Palo Alto's Prisma AIRS for enterprise infrastructure security and an organization trying to figure out what its employees are sharing with ChatGPT are asking different questions requiring different products. The demand surge is collapsing all four into one conversation, and the vendors positioned at the enterprise infrastructure layer — Palo Alto, CrowdStrike, SentinelOne — are the ones fielding most of the calls, even when the buyer's most urgent problem sits somewhere else.

LAYER 1

AI Model Security

Protecting the model itself: adversarial attacks on inference, model theft, supply chain compromise through poisoned packages, backdoor detection in model weights. This is the layer Mythos made impossible to ignore.

Primary vendor: HiddenLayer

LAYER 2

LLM Application & Prompt Security

Runtime guardrails against prompt injection, jailbreaks, and data leakage through AI application outputs. Includes indirect injection through RAG content and document pipelines.

Pillar Security · Polygraf AI · Check Point (via Lakera)

LAYER 3

Browser & Employee AI Usage

Visibility and control over what employees are sharing with external AI tools — ChatGPT, Copilot, Gemini — from inside the corporate environment. Shadow AI is the most undiscovered exposure at most organizations.

LayerX Security · Nudge Security

LAYER 4

Enterprise AI Infrastructure & Agent Security

Network-level, endpoint, and agentic AI workflow security for organizations running AI systems at scale across their infrastructure. This is where most of the 1,200 meetings are concentrated.

Palo Alto Prisma AIRS · CrowdStrike Falcon AIDR · SentinelOne

The agentic dimension of this market is worth specific attention. HiddenLayer's 2026 AI Threat Landscape Report, based on 250 IT and security leaders, found that one in eight reported AI breaches is now linked to agentic systems — and that finding came out in March, before Mythos made autonomous attack capability tangible for a broader audience. The HiddenLayer CEO framed the problem plainly:

"AI agents operate at machine speed. If they're compromised, they can access systems, move data, and take action in seconds — far faster than any human could intervene."

Chris Sestito, CEO and Co-founder — HiddenLayer, March 2026

Palo Alto's own unit 42 researchers demonstrated the speed compression directly: a simulated ransomware campaign from initial entry to data exfiltration ran in 25 minutes using Mythos-class capabilities. That figure matters because most enterprise incident response playbooks assume hours to days for the detection and containment window. A 25-minute attack-to-exfiltration cycle makes those playbooks structurally obsolete unless the detection layer is operating at machine speed rather than human speed. This is exactly the problem Palo Alto's XSIAM platform is designed to address — processing 17 petabytes of daily telemetry to compress threat response to under 10 minutes for most customers.

For enterprises that haven't yet catalogued what AI they're running, none of that matters yet. You can't defend a system you haven't inventoried. We covered the supply chain dimension of this in May when the Shai-Hulud worm compromised over 170 AI packages — including Guardrails AI and Mistral AI's official SDKs — by compromising legitimate CI/CD pipelines and generating valid provenance attestations. Every standard supply chain check passed. The packages looked clean. See our full coverage: Mini Shai-Hulud Worm Compromises TanStack, Mistral AI, Guardrails AI, and Dozens of Other Packages.

THE ACQUISITION STORY

The vendor consolidation in AI security over the past nine months positioned the major players for exactly this demand moment. SentinelOne acquired Prompt Security in August 2025 for $180 million, giving it genuine LLM security depth it didn't have before. Check Point absorbed Lakera — the company whose Gandalf adversarial prompt game generated over 80 million real attack examples that now feed its threat intelligence database. Palo Alto acquired Portkey, an AI gateway processing trillions of tokens monthly, and Koi for agentic AI security, then integrated both into Prisma AIRS.

The deal activity was the setup. Arora's 1,200 meetings are the payoff. Companies that spent 2025 building these capabilities through acquisition are now the ones fielding the calls from the 94% that spent 2025 in planning mode.