Your Devs Run AI Agents.
Your Production Systems Run AI Agents.
Nobody's Watching.

Runtime security & compliance governance for the AI agent era

Development
Cursor · Claude Code · Windsurf · Copilot · GitHub Copilot Workspace
Executes shell commands with dev's full permissions
Reads ~/.ssh, ~/.aws, env vars, entire filesystem
Writes to any file, installs packages, runs scripts
Production
OpenClaw · LangChain · OpenAI Agents SDK · CrewAI · AutoGen · Anthropic Agent SDK
Queries and modifies production databases
Calls external APIs with real credentials
Processes financial transactions autonomously
Accesses customer PII without audit trail
Zero runtime controls →
No policy gates · No audit trail · No guardrails · No access control · No behavioral monitoring
agentshield

This isn't theoretical. It's already happening.

$250K Lost in Seconds
Lobstar Wilde: AI agent sent 52M SOL instead of 4. No numeric bounds check. No runtime validation.
No numeric bounds
SSH Key Exfiltration
Prompt injection via PR comment caused coding agent to exfiltrate developer SSH keys to attacker server.
Prompt injection → credential theft
MCP Supply Chain Attack
Poisoned MCP tool descriptions injected hidden instructions, hijacking agent behavior through tool metadata.
Tool description poisoning
Bulk Data Exfiltration
Production agent entered agentic loop, exfiltrating customer data record-by-record without triggering any alerts.
Agentic loop → exfil
Production DB Wiped
Coding agent misinterpreted “clean up the schema” and ran DROP TABLE on production database. No rollback, no confirmation gate, 1.2M rows gone.
Destructive query → no confirmation
Agent Identity Spoofing
Attacker embedded hidden instructions in a support ticket. Customer-facing agent escalated its own privileges and issued a $47K refund autonomously.
Indirect prompt injection → privilege escalation
  • 0: Runtime security tools built for AI agents
  • 78%: Enterprises deploying AI agents with zero enforcement

“How do you control what your AI agents can do? Show me the audit trail.”

— Every SOC 2 auditor, starting now
EU AI Act enforcement: 2026 deadline. Non-compliance fines up to €30M or 6% of global turnover. Every company deploying AI agents in the EU needs governance — now.

Three products. One governance platform.

AgentShield
Runtime Security Gateway
  • 6-layer analyzer pipeline: regex → structural → semantic → dataflow → stateful → guardian
  • BLOCK / AUDIT / ALLOW decisions in real-time
  • IDE hooks: Claude Code, Cursor, Windsurf, OpenClaw
  • MCP mediation: tool description poisoning, content scanning, value limits
100% accuracy on 147 test cases (123 shell + 24 MCP)
Comply
AI Risk Compliance Platform
  • Scans codebases for AI usage (Semgrep-powered, 37 rules, 6 languages)
  • Maps to 5 frameworks: OWASP LLM Top 10, EU AI Act, SOC 2, ISO 27001, NIST AI RMF
  • Auto-generates AgentShield policy packs
  • 13-section audit-ready compliance reports
  • React dashboard for visualization
37 Semgrep rules · 5 frameworks · 6 languages
Rules Hub
Security Rule Management
  • Browse and edit static rules, runtime packs, taxonomy
  • Compliance coverage matrix across all frameworks
  • Search across all rule types
  • Version-controlled rule lifecycle
  • Community-contributed rule database
32 taxonomy entries · 7 threat kingdoms

Scan. Assess. Enforce. Audit. Repeat.

  • Scan Code: Semgrep rules find AI usage
  • Assess Risk: Map to compliance frameworks
  • Generate Policy: Auto-create enforcement rules
  • Enforce: AgentShield runtime gateway
  • Audit Log: Every action recorded
  • Report: Compliance-ready output
  • Rescan: Continuous governance
From code scan to compliance report in under 5 minutes
Closed loop →
Policy generated from Comply scan is directly enforceable by AgentShield. No manual translation. No policy drift.

SAST did this for code.
We're doing it for AI agents.

Before
Traditional SAST
Static Analysis Security Testing
1. Scan source code
2. Find bugs and vulnerabilities
3. Patch code manually
Outcome: find problems, hope devs fix them
Now
AI Agent Lens
AI Agent Governance Platform
1. Scan AI usage in codebase
2. Assess risk against frameworks
3. Generate enforcement policy
4. Enforce at runtime automatically
5. Audit + compliance report
Outcome: find problems, generate the fix, enforce it, prove compliance

Key differentiator: not just finding problems, but generating and enforcing the fix automatically.

The Rules Are the Product

Every scan enriches the rule database. Compliance intelligence compounds.

Compounding Intelligence
37 Semgrep rules, 32 taxonomy entries, 5 compliance frameworks — all open source, all growing with every deployment.
Network Effects
A startup plugging in on day one inherits the compliance intelligence of every company before it.
Hard-Won Domain Knowledge
Rules are domain expertise encoded as code. This protects us from new competitors — rules are hard-won knowledge, not just software.
Like Vanta's questionnaire database but for AI agent security — defensible and grows with adoption. Every new customer makes the platform smarter for every other customer.

Built and battle-tested.

  • 100%: Accuracy on 147 red-team test cases
  • 7: Threat kingdoms in taxonomy
  • 32: Taxonomy entries
  • 5: Compliance frameworks
  • 6: Defense-in-depth layers
  • 37: Semgrep rules across 6 languages

OWASP LLM Top 10 2025 fully aligned

$308M today. $3.6B by 2033.

  • AI Governance Market: $308M → $3.6B, 2025 → 2033 (Grand View Research). No incumbent in “AI agent runtime security.”
  • "AI Governance" Search Trend: +1,110%. 12,100 searches/month. Enterprises are actively looking for solutions that don't exist yet.

  • AI-Native SaaS Startups: $99 – $499/mo. Trigger: SOC 2 audit or fundraise
  • Enterprise CISOs: $2K – $8K/mo. Trigger: AI inventory + compliance reporting
  • EU Companies: $1.5K – $5K/mo. Trigger: EU AI Act compliance deadline
  • Security Consultancies: $1K – $3K/mo per seat. Trigger: 3-week assessment → 3 minutes
  • VC Funds: 30x multiplier. 1 fund = 30 portfolio companies = 30 customers

  • Vanta: $50K + dedicated security team
  • Legal counsel: $300/hr for static documents
  • AI Agent Lens: Starts at $99/mo — automated, continuous, enforceable

36+ combined years in security & engineering leadership

Gary
Co-founder & CTO
  • 18+ years Application Security (AppSec)
  • CISSP, CSSLP certified
  • Built SAST detection rules for enterprise software — now applying the same model to AI agent runtime security
  • Led AI/LLM attack surface research: prompt injection, jailbreaks, data poisoning
  • Cloud security: ISO 27001, PCI-DSS, SOC compliance
Anshuman Biswas, PhD
Co-founder & CEO
  • 18+ years Engineering Leadership
  • VP Engineering at Elastio — ransomware detection, AI-powered anomaly detection, 100M+ files/day
  • 6+ years Turbonomic/IBM — orchestration, multi-team management
  • PhD Systems & Computer Engineering, Carleton University
  • 6 published papers on cloud auto-scaling and ML
Why this team
Both ex-Turbonomic, deep cloud/security expertise. Gary has literally written the rules that protect enterprise codebases for 18 years. Anshuman has built and shipped security infrastructure at cloud scale. Together they own the full stack from rule authoring to production enforcement.

Let's Build the Governance Layer
for AI Agents

Open source. Enterprise ready. Start protecting your AI agents today.