On June 17, Alex Woodie published a piece in HPCWire titled "Enterprise AI Has Outgrown Prompt Security." The argument was straightforward: most organizations built their initial AI security programs around prompt filtering and input/output guardrails. For early AI deployments — chatbots, simple copilots, contained question-and-answer tools — that approach made sense. It addressed the primary threat surface, which was the language boundary between users and models. But Gartner is now projecting that 40 percent of enterprise applications will feature embedded AI agents by the end of 2026, up from less than five percent in early 2025. That growth is expanding the ways AI can interact with enterprise data in ways that prompt-level controls were never designed to handle.
HPCWire's diagnosis is correct. Where the piece stops short is in answering the follow-on question: if prompt security no longer covers the surface area, what does? The seven-layer framework that GAIG uses to evaluate AI security platforms provides the clearest answer available. Each layer addresses a distinct category of exposure. Prompt security is strong in exactly one of those layers. It provides limited or no coverage in the other six.
Prompt Security Was Built for a Simpler Deployment
When enterprise AI first arrived at scale, the typical deployment was a conversational interface with limited system access. A user typed a question, a model produced a response, and the main risk was what that response said. The prompt was the attack surface. Filtering inputs before they reached the model and inspecting outputs before they reached the user addressed most of the practical exposure. For that generation of deployment, prompt security was genuinely sufficient as a starting point.
The deployment model has changed. Enterprise AI in 2026 increasingly involves agents that operate continuously across multiple connected systems — databases, internal knowledge repositories, customer records, business applications, email, and external APIs. An agent doesn't produce one output and stop. It chains actions autonomously across workflow steps, accessing different systems at each stage. The interaction boundary that prompt security protects is one point in that chain. Everything the agent does after processing a prompt — the API calls it makes, the data it reads or writes, the tools it invokes — sits outside the prompt layer entirely.
There's also an honest explanation for why organizations are still over-relying on prompt-level controls: they were heavily marketed by LLM providers, they were relatively straightforward to implement, and for the chatbot use cases that came first they appeared to work. Many security teams haven't revisited their AI security posture since they stood up those initial guardrails, because nothing catastrophic happened and the business kept moving. The problem is that what the business is now running is fundamentally different from what the security team signed off on two years ago.
40% of enterprise applications will feature embedded AI agents by end of 2026, per Gartner. Up from less than 5% in early 2025.
18% of organizations currently track ROI on agentic AI deployments, per Thomson Reuters research cited by MarketScale.
1 in 8 Reported AI breaches now linked to agentic systems. HiddenLayer 2026 AI Threat Landscape Report, survey of 250 leaders.
What Prompt Security Covers and What It Misses
Prompt security is a real control that addresses real risks. The issue is that it lives primarily in one layer of a seven-layer security framework. The table below maps each layer against what prompt-level controls actually cover before the detailed explanation that follows.
What Prompt Security Addresses Here
Asset & Discovery –– None
Prompt security assumes you already know what AI systems exist. It has no mechanism for finding them.
Identity & Access –– None
Prompt filtering does not control which systems an agent can access or what permissions it holds.
Threat & Vulnerability –– Partial
Prompt injection defense sits here. Adversarial testing and data leakage prevention require separate mechanisms.
Runtime & Execution –– None
Prompt security cannot stop an agent from making an unauthorized API call or database write after receiving a prompt.
LLM Interaction –– Yes
This is where prompt security lives. Input validation, output filtering, context isolation, semantic guardrails.
Model & Pipeline Security –– None
Supply chain risk, model poisoning, AIBOM, artifact integrity — all outside prompt-level controls entirely.
Audit & Evidence –– None
Prompt filtering generates no structured audit trail. Logging and evidence generation require separate infrastructure.
Layer 01 — Asset & Discovery · No coverage
Prompt security assumes you know what you're protecting
Discovery controls find AI systems that exist in the environment without formal approval or documentation — shadow agents, unsanctioned model integrations, unauthorized LLM API usage by employees or development teams. Prompt security requires that you've already identified a system before you can filter its inputs. It has no mechanism for surfacing systems that were never registered. The organizations most exposed to shadow AI risk are exactly the ones for whom this gap matters most: they don't know what agents are running, so they can't apply any controls at all to those systems, prompt-level or otherwise.
Layer 02 — Identity & Access · No coverage
Prompt filtering does not touch permissions
Identity controls manage what AI agents and model service accounts are allowed to access, enforce least-privilege scoping on those permissions, and apply lifecycle management so that access is reviewed and revoked as deployment contexts change. A filtered prompt can still reach a model that has been over-provisioned with database write access, API credentials to external services, or permissions to read HR records it no longer needs. Tenable's 2026 cloud and AI security research found that 73 percent of default AI execution roles remain inactive — permissions that were provisioned and never used, sitting open indefinitely. Prompt filtering leaves that exposure completely unaddressed.
Layer 03 — Threat & Vulnerability · Partial coverage
One of three controls here, not all three
This layer covers prompt injection defense, data leakage prevention through model outputs, and adversarial testing. Prompt security addresses the first of those directly and contributes to the second by catching known sensitive patterns at the output boundary. It doesn't address adversarial testing, which requires continuously running red-team simulations against production models to find attack vectors that emerge after deployment. A model that passed every prompt-level filter during development can still behave differently six months later as data pipelines shift and prompts change. Static filtering catches static attack signatures. It doesn't catch new ones.
Layer 04 — Runtime & Execution · No coverage
The layer where agentic risk actually lives
Runtime enforcement controls what an agent is allowed to do while it is running — which API calls it can make, which databases it can write to, which tools it can invoke, and at what point a human needs to review an action before it becomes irreversible. A prompt filter sits at the input boundary. By the time an agent has processed a prompt and started chaining actions through connected systems, the prompt filter's work is done. If the agent attempts an unauthorized database write or an out-of-scope API call at step four of a workflow, no prompt-level control is in a position to stop it. HiddenLayer's research found that one in eight reported AI breaches is now linked to agentic systems. The breach vector in most of those cases isn't the prompt — it's what happens after the prompt is processed.
Layer 05 — LLM Interaction · Yes, this is where prompt security lives
The layer it was designed for
Input validation, semantic filtering, context isolation, output inspection — these are the controls that prompt security and LLM guardrail platforms provide, and they provide them well. Lakera Guard, NVIDIA NeMo Guardrails, and the prompt security capabilities that Check Point and SentinelOne each acquired through separate deals in 2025 represent genuine depth at this layer. The argument here is that organizations have over-concentrated their AI security investment at the LLM Interaction layer relative to the others, not that LLM Interaction controls are useless. They remain necessary. They're just not sufficient by themselves for the deployments that are actually running in 2026.
Layer 06 — Model & Pipeline Security · No coverage
The supply chain layer that prompt filtering cannot reach
The Shai-Hulud supply chain attack in May 2026 compromised packages across MistralAI's official SDKs, Guardrails AI, TanStack, and UiPath — packages with over 518 million cumulative downloads. It succeeded because the attacker compromised the CI/CD pipelines that generated provenance attestations. Every standard supply chain check passed. Every prompt filter in place at those organizations passed alongside it, because the attack didn't operate at the prompt layer. It operated at the build pipeline. An AI Bill of Materials that documents every model, framework, and tool definition in the stack, combined with behavioral verification of installed components, is the control that addresses this. Prompt security has no role in it.
Layer 07 — Audit & Evidence · No coverage
Filtering produces no audit trail on its own
Tamper-proof logging, structured evidence generation, and framework mapping are infrastructure-level functions that require dedicated tooling to produce records in forms that auditors and regulators can actually use. A prompt filter that blocks a malicious input generates an event. Whether that event is captured in a tamper-resistant log, associated with a session context, and packaged against the specific requirements of a regulatory framework is a separate question that the filtering tool doesn't answer on its own. Organizations that treat the block count in their guardrail dashboard as an audit record discover the gap when a regulator asks for structured evidence of what decisions were made, by which system, on which date, under which policy.
Organizations That Don't Measure Agentic AI Are Also the Ones That Can't Secure It
MarketScale reported this week that only 18 percent of organizations currently track ROI on their agentic AI deployments, citing Thomson Reuters research. The connection between that number and the security coverage gap is more direct than it might appear. An organization that doesn't know whether its agents are generating business value almost certainly doesn't know whether those agents are generating security risk either. Measurement and visibility operate at the same layer. Organizations that have no instrumentation for understanding what their agents are doing commercially have no instrumentation for understanding what their agents are doing from a security standpoint.
This is the gap that the GAIG H1 2026 State of AI Governance report framed as the difference between monitoring infrastructure and accountability infrastructure. Monitoring tells you what happened. Accountability infrastructure tells you who was responsible, what they were authorized to do, and what evidence exists that they acted within those boundaries. The 82 percent of organizations not tracking agentic AI ROI are operating agents without either. HiddenLayer found that 31 percent of organizations can't determine whether they've experienced an AI breach in the past 12 months. The two numbers are telling the same story from different angles.
What to Build Next If You're Starting From Prompt Security
The honest starting point is acknowledging that prompt security was a reasonable first step for an earlier generation of AI deployment. Organizations that have it in place aren't behind — they built the right control for the use case they had at the time. The issue is that the deployment model moved and the security model didn't follow it. Expanding coverage doesn't require replacing prompt security. It requires adding the layers that agentic deployment actually exposes.
Prioritized sequence for organizations running agents in production
Asset & Discovery first. Before any other control is effective, you need to know which agents and AI systems exist across the environment, including the ones that were deployed without formal review. You cannot apply runtime controls, identity governance, or audit logging to systems that don't appear in any registry. This is also the step that most reliably surfaces the scale of the problem — organizations that run discovery for the first time routinely find more AI systems than anyone expected.
Identity & Access second. Once you have an inventory, lock down what each agent is actually permitted to do. Review provisioned permissions against the scope of the workflow the agent was built for. Revoke access to systems the agent no longer touches. Implement least-privilege scoping. For high-sensitivity operations, apply just-in-time credential issuance so that broad access doesn't sit open between task executions.
Runtime & Execution third. With inventory and permissions established, you can add enforcement that actually operates at the point where agentic risk materializes — the API call, the database write, the tool invocation. Runtime controls that run inline with agent execution can stop an unauthorized action before it completes. Controls that run after the fact can only document that it happened.
The sequence matters because the controls depend on each other. Runtime enforcement that doesn't know which agents exist and what they're authorized to do can't make correct decisions about which actions to allow. Identity governance applied to agents you never inventoried leaves the unregistered agents completely ungoverned. Discovery without the downstream controls only tells you how exposed you are without changing it. Organizations that skip the first step in favor of buying a runtime enforcement product typically discover gaps in their coverage when something goes wrong and the investigation reveals agents that were never in scope for the control at all.
Organizations usually discover these gaps in one of three ways: a security incident that traces back to an agent nobody knew was running, a failed audit or security review that reveals missing coverage in specific layers, or a procurement or compliance process where a security team tries to answer basic questions about what agents exist and what they can do, and finds they can't answer them reliably. The third scenario is the most common and the least costly. The first is the most common and the most expensive.
Sources
Alex Woodie, "Enterprise AI Has Outgrown Prompt Security," HPCWire AIwire, June 17, 2026 — hpcwire.com
Gartner, "Gartner Predicts 40% of Enterprise Applications Will Feature Embedded AI Agents by 2026," referenced in HPCWire coverage — gartner.com
MarketScale, "Agentic AI Hits Critical Mass, but Only 18% of Organizations Track Its ROI," June 2026 — marketscale.com
HiddenLayer, "2026 AI Threat Landscape Report," March 18, 2026 — prnewswire.com
Tenable, Cloud and AI Security Risk Report 2026 — tenable.com
StepSecurity, "Mini Shai-Hulud Is Back: A Self-Spreading Supply Chain Attack Hits the npm Ecosystem," May 10, 2026 — stepsecurity.io
The Hacker News, "Mini Shai-Hulud Worm Compromises TanStack, Mistral AI, Guardrails AI & More," May 2026 — thehackernews.com
GetAIGovernance.net, "AI Security Controls Explained: What They Are, How They Work, and How to Evaluate AI Security Platforms" — getaigovernance.net
GetAIGovernance.net, "The State of AI Governance H1 2026" — getaigovernance.net
Palo Alto Networks, Koi Security acquisition press release, April 14, 2026 — paloaltonetworks.com
Check Point Software, Lakera acquisition announcement, September 2025 — calcalistech.com
SentinelOne, Prompt Security acquisition announcement, August 2025 — sentinelone.com
Our Take
AI Security Take
HPCWire got the diagnosis right. Most enterprise organizations are invested heavily in the LLM Interaction layer and relatively exposed across the other six. The fix doesn't require throwing out prompt security — it requires understanding which of the six other layers your current deployment actually needs and starting with the ones that correspond to your real exposure.
A company running an internal knowledge-base chatbot with no external system access has a very different prioritization than one running autonomous agents with write permissions to production databases and API access to external services. The company with the chatbot probably has sufficient coverage with strong LLM Interaction controls for now. The company with the autonomous agents is carrying exposure at the Asset & Discovery, Identity & Access, Runtime & Execution, and Audit & Evidence layers simultaneously, and prompt security addresses none of those four.
The acquisition wave documented in GAIG's H1 2026 report — Palo Alto acquiring Protect AI and Koi, Check Point acquiring Lakera, SentinelOne acquiring Prompt Security — is the market's answer to this problem at institutional capital scale. Every one of those acquisitions added a capability that sits in a different layer from the one the acquiring company already owned. The vendors doing the buying understood that prompt security was one layer. They went out and bought the other layers. Enterprise security teams are working through the same realization, one deployment at a time.