AI Security & Governance · Jun 12, 2026 · 7 min read

Four Governance Layers in 72 Hours: Zscaler, Cisco, Seclore, KPMG

Zscaler, Cisco, Seclore, and KPMG each shipped a different layer of agent governance in the same 72-hour window. Together they sketch a complete AI agent security stack.

By Springvanta

Four different companies shipped four different pieces of AI agent governance infrastructure between Monday and Thursday this week. None of them overlap. Together, they sketch what a complete agent security stack actually looks like.

On June 12, Zscaler extended its Zero Trust Exchange to cover AI agents directly, launching an AI Broker that secures MCP and A2A protocol traffic, an endpoint security product that catches browser plugin and local AI tool threats on employee devices, and an AI Access Graph that maps who (and what) is touching which data. On June 11, Cisco introduced Policy Studio inside AI Defense, an AI-assisted tool that walks a policy owner through writing custom guardrails, ones a compliance team can actually read and an auditor can verify, then publishes those guardrails for runtime enforcement. The same day, Seclore shipped ARMOR DSPM, a data security product that classifies sensitive data before AI agents get near it, using what they call a Semantic Triad approach (Content, Context, Intent) instead of basic regex pattern matching. And on June 9, KPMG announced it is deploying Microsoft Agent 365 to govern AI agents across its global operations, folding the control plane into its existing Trusted AI framework and offering the experience as a client service.

What these four announcements share

Each one targets a different layer of the same problem. Zscaler secures the transport: how agents talk to tools, services, and each other. Cisco handles the policy layer: what agents are allowed to do and how those rules get written. Seclore protects the data underneath: what sensitive information exists and whether it should be accessible to an autonomous system at all. And KPMG plus Microsoft represents the enterprise deployment layer: actually running governed agents at scale inside a large, regulated organization.

[Figure: Governance layers for AI agents]

None of these companies would claim to solve the whole problem on their own, and that is the point. The industry is converging on a layered model where agent security is not one product but a stack.

Why this week specifically

The timing is not random. Microsoft research found that 84% of senior leaders now consider unsanctioned AI agents a growing security risk. A Kiteworks study from this quarter reported that 65% of organizations have experienced at least one cybersecurity incident caused by AI agents on corporate networks. The CSA's daily briefing on June 9 flagged that 73% of organizations still have unresolved internal conflict over who owns AI security. HiddenLayer's 2026 AI Threat Landscape Report finds that 1 in 8 AI breaches now involves agentic systems.

The gap between deployment and governance has been widening for months. This week, the security industry started building products fast enough to close it.

The transport layer: Zscaler's AI Broker

Zscaler's launch is the broadest of the four. The company operates more than 160 data centers globally, and it is extending that footprint to cover the protocols agents use to communicate. AI Broker sits on MCP (Model Context Protocol) and A2A (Agent-to-Agent) traffic, the plumbing that lets agents call tools, pass tasks between each other, and connect to external services. That is new territory for most security products, which were built around human user sessions, not autonomous software actors that spawn sub-agents, create short-lived identities, and make access requests at speeds legacy systems cannot log.

The AI Access Graph, built on technology from Zscaler's acquisition of Symmetry Systems, maps the relationships between users, agents, applications, models, and data sources inside an organization. Security teams get visibility into connections they could not see before, especially browser extensions, local AI tools, and plugin ecosystems running on employee devices.

Zscaler also expanded its AI Protect product line with red teaming for MCP servers, a standalone prompt-hardening service, and compliance heat maps for governing AI applications from development into production.

The policy layer: Cisco's Policy Studio

Cisco's contribution is the most technically interesting. Policy Studio tackles a problem most governance tools ignore: actually writing the rules.

Most custom guardrail tools on the market give you a dropdown of fixed categories, a regex field, or a blank text box, and assume you already know what your policy should say. Cisco's approach is different. Policy Studio is an AI assistant that guides a policy owner through the process of authoring a guardrail from scratch. It presents "insights": framed questions paired with evidence from your own data. Some insights flag gaps in the current draft (a textual insight might note that your policy prohibits investment recommendations but does not address hypothetical phrasing like "if you were investing in bonds today"). Others come from running the draft against your production chats and surfacing behavioral patterns (for example, the draft lets through responses that compare historical returns across asset classes, effectively steering readers toward a specific investment choice).

The policy owner answers at the pattern level, not the individual case level. A single answer applies to every conversation in that group, and to future cases the policy has not yet seen. Cisco says a policy with ten distinct decisions takes roughly ten resolved insights, whether you bring in seventy chats or seventy thousand. The resulting guardrail is a human-readable document that runs at inference time through open-source safety models like Meta's Llama Guard and Google's ShieldGemma, so you do not need a hosted API to enforce it.

The data layer: Seclore's ARMOR DSPM

Seclore's ARMOR DSPM sits at the bottom of the stack, where agents meet data. Its job is to answer a question most organizations cannot: what sensitive data do we have, where is it, who can access it, and is it protected before an AI system touches it?

The product uses what Seclore calls a Semantic Triad, evaluating data across Content (what it is), Context (why it matters to the business), and Intent (how it should be used). That is a step beyond the regex-based pattern matching that most DSPM tools rely on, which catches credit card numbers but misses trade secrets, source code, and proprietary research that looks like plain text to a pattern scanner.

ARMOR DSPM starts classifying as soon as repositories are connected, with no model training or manual rule creation. Findings get prioritized by business risk and can feed into Seclore's broader ARMOR platform for automated protection, monitoring, and audit readiness. The product runs in a dedicated cloud environment with no external API calls and no data passed to third-party LLMs, which matters for organizations under data sovereignty requirements.

The deployment layer: KPMG and Microsoft Agent 365

The KPMG announcement is the least surprising of the four, but it may be the most significant for adoption. KPMG is deploying Microsoft Agent 365, the governance and control plane for autonomous agents, across its global firms while rolling out Microsoft 365 Copilot to its workforce. Agent 365 handles identity management for agents, enforces least-privilege permissions, monitors agent behavior, and manages the full lifecycle from deployment through updates.

The deal matters because KPMG is not just using the product internally. It is packaging the experience as a consulting service for clients in regulated industries who need to deploy agents safely. A Big Four firm betting its own operations on an agent governance platform, then selling that expertise to others, accelerates the market's recognition that this infrastructure is necessary, not optional.

Tech Times noted the honest caveat: Agent 365 is a management and governance layer, not a cure. It can enforce permissions and monitor behavior, but no control plane eliminates prompt injection or other fundamental agent vulnerabilities on its own. Governance contains risk. It does not erase it.

What this means if you are running agents now

If your organization is deploying AI agents, or planning to, this week's announcements give you a rough blueprint of the stack you need:

  • Transport security: Can you see and control how agents communicate with tools, services, and other agents? MCP and A2A traffic is a new protocol layer that your existing firewall and API gateway were not designed for.
  • Policy authoring: Do you have written, enforceable rules for what your agents are allowed to do? Not a vague Acceptable Use Policy, but specific guardrails that a model can interpret at runtime and an auditor can read.
  • Data classification: Do you know which sensitive data your agents can access? If you cannot answer that question, your agents are probably already touching data they should not.
  • Lifecycle governance: Can you deploy, monitor, update, and decommission agents the way you manage any other piece of software? Agents with standing permissions and no oversight are an incident waiting to happen.

You do not need all four layers on day one. But if you have agents in production and have not thought about any of them, this week's product launches are a good reminder that the market now has answers for each gap.
