Why Purpose-Built Architecture Wins in AI Agent Governance

Gartner named Zenity the company to beat in the AI Agent Governance category in its AI Vendor Race: Zenity Is the Company to Beat in AI Agent Governance report as of 17 April 2026. The evaluation covered technical capabilities, customer implementations, business model, and ecosystem strength. That methodology matters because for us, it means the recognition reflects what the platform actually does in production, not just how well a demo lands.

Three outstanding features of Zenity include:

• agentic architecture built specifically for how agents behave
• intent-aware detection that goes beyond what rule-based systems can do
• community contributions that have helped define the standards the rest of the market is now building toward

The details behind each of these is worth a deeper look.

Existing Tools Can't Be Retrofitted to Secure Agents

Traditional security tools were built around three assumptions: users are the actors, applications are the targets, and data moves along known paths. Agents break all three simultaneously.

An agent isn't a user. It inherits credentials and permissions, but it reasons across systems, chains tool calls together, and acts at a speed and scale that doesn't look like a human session. What makes this particularly hard to secure is the identity surface agents operate across. Most security tools were built to handle a single identity layer. Agents operate across several at once using static credentials, dynamic session identities, identities embedded in the tools they invoke, and implicit identities that emerge through agent-to-agent interactions. Controlling access at one layer while leaving others ungoverned doesn't provide meaningful protection.

Non-human identity (NHI) tools have the same limitation. They were designed to manage static service account assignments, not to govern the layered, dynamic identity surface that agents create. Knowing what credentials an agent holds is different from understanding what that agent can do with them across chained tool calls and agent-to-agent interactions.

The result is a mismatch that shows up in practice, not just in architecture discussions. SIEMs generate events without the context needed to interpret them. DLP tools see data movement but not the agent intent behind it. Identity tools can tell you what credentials an agent used, but not whether the action sequence was appropriate. These aren't gaps that can be patched with integrations. They reflect fundamental assumptions in the underlying architecture that weren't designed for autonomous systems.

Agents Live Across Three Environments, Most Tools Only Govern One

One of the differentiators is a full-lifecycle coverage across the three distinct environments where enterprise agents actually live.

SaaS-managed agents

The first is SaaS-managed agents, those embedded in platforms organizations already use, such as Microsoft Copilot Studio, Salesforce Agentforce, ChatGPT Enterprise, and ServiceNow. Security teams often don't fully see these agents when they arrive. They come bundled with existing enterprise subscriptions, get configured by users or IT, and start operating before governance is in place. This is also where the citizen developer problem compounds quickly. Business users building their own agents on low-code platforms like Copilot Studio generate a sprawl of agents that outpaces any central inventory. Visibility here requires integration at the platform layer, not monitoring at the network perimeter.

Home-grown agents

The second is home-grown agents, custom agents built internally using Azure AI Foundry, Google Vertex AI, Amazon Bedrock, or OpenAI AgentKit. They carry the full complexity of custom software, including model configuration, tool access, prompt design, memory structures, and API integrations that may not be documented anywhere outside the team that built them. Securing them requires understanding their composition from build time, not just watching their behavior at runtime. Increasingly, these agents connect to external tools and data sources through interoperability frameworks like MCP, which extends the risk surface further and requires coverage at the tool layer, not just at the agent itself.

Device-based agents

The third is device-based agents. Coding assistants, agentic browsers, and local AI tools operating on developer and employee machines represent a blind spot that neither cloud security nor traditional endpoint tools fully see. These agents access files, reuse authenticated sessions, and trigger downstream SaaS and cloud actions that look like normal user activity at the event level but carry a very different risk profile.

A platform that covers one or two of these patterns doesn't provide governance. It provides partial visibility and gives teams false confidence about the gaps it leaves. We believe, Gartner's assessment recognized that full-lifecycle coverage across all three patterns is a structural requirement, not a premium feature.

Events Tell You What Happened, but Intent Tells You Why It Matters

The second differentiator is intent-aware detection. This is where the gap between purpose-built and retrofitted tools is most pronounced.

Event-based detection asks, “Did something happen that matches a known pattern?” Intent-aware detection asks, “Does this sequence of behavior align with what this agent was supposed to do?”

These are very different questions. A procurement agent researching vendors and a procurement agent sending an actual purchase order can generate similar individual events. The difference only becomes visible when the agent's action chain is tracked across tool calls over time. A scope violation (which recent research shows organizations are already dealing with at significant scale) often looks identical to normal activity at the event level. Catching it requires a stateful model of what the agent was intended to do.

This is what the Clarity Agent and stateful threat engine deliver together. The stateful threat engine tracks agent execution continuously across sessions, building a behavioral baseline against which deviations can be assessed. The Clarity Agent applies AI-driven reasoning on top of that, analyzing tool calls, memory access, and data usage patterns to classify behavior by intent rather than just by event type. It's not about whether a single tool call looks suspicious; it's whether the full context of what the agent is doing across its execution aligns with what it was designed to accomplish. That combination is what enables proactive identification of manipulation attempts, including prompt injection, before they propagate through downstream systems.

That intent layer changes the investigation workflow entirely. Instead of reviewing disconnected alerts and trying to reconstruct causality manually, security teams get a behavioral narrative with the relevant context already assembled.

Alerts Don't Investigate Themselves

Even accurate detection doesn't help if the output is just a long list of alerts. This is one of the most common operational problems security teams run into as their agent environments grow. The signal exists somewhere in the data, but finding it requires manually correlating posture findings, identity relationships, runtime anomalies, and data access patterns across multiple tools.

Zenity Issues addresses this directly. The Clarity Agent takes posture findings, runtime anomalies, identity relationships, and graph insights and assembles them into a single coherent incident view. Each Issue includes the root cause, the entities involved, the attack path, the sequence of events, and the evidence needed to move forward with confidence.

Severity adjusts in real time based on whether something is a theoretical exposure or actively exploited. An Issue that begins as a misconfiguration finding escalates automatically if runtime behavior indicates exploitation has started. Investigators begin with clarity rather than raw signals, which shortens response time and reduces the risk that real incidents get buried under noise.

This matters especially in agent environments because incidents don't behave like traditional security events. They develop across multiple systems, over multiple tool invocations, in real time. The investigation needs to match that pace.

Observe, Govern, Defend, and Then Scale

It's worth being specific about what distinguishes a platform from a collection of technical capabilities, because this distinction matters operationally.

Most security teams dealing with agents today are assembling something from parts. A tool for discovery. Another for posture. Alerts from one system that don't connect to investigation workflows in another. The result is what security programs have learned to recognize as the point product trap, where each tool solves its slice of the problem, but the overhead of correlating their outputs and translating findings into action lands entirely on the team.

The Zenity platform is organized around three pillars that are designed to work as a connected workflow: Observe, Govern, and Defend.

Observe provides the full-lifecycle inventory: every agent, across SaaS, cloud, and endpoint environments, including shadow AI that appears before governance structures exist.

Govern applies policy and posture management from build time, enforcing controls on how agents are configured and what they can access before they ever take an action.

Defend is the runtime layer. The Clarity Agent and stateful threat engine work together, surfacing behavioral intent and feeding that context directly into Issues.

From there, Inline Prevention closes the loop. It enforces hard boundaries at execution time, blocking unsafe agent actions before they reach downstream systems. Security teams don't just get visibility and alerts. They get a workflow: discover, assess, detect, investigate, and enforce.

Where this is heading is Guardian Agents: autonomous agents embedded within the security layer that monitor, reason over, and respond to agent behavior at machine speed. Rather than replacing human judgment, guardian agents amplify it. They surface the right signals, handle the pattern-matching work that doesn't scale with human review, and extend security coverage as the number of agents in an environment grows.

That full sequence, from discovering what agents exist to governing how they're configured, detecting when behavior deviates from intent, investigating with full context, enforcing policy in real time, and scaling that process autonomously, is an operational security workflow built for how agent environments actually behave. Each capability hands off to the next.

Three Differentiators, Three Problems That Actually Need Solving

According to us, Gartner's evaluation looked at technical capabilities and customer implementations, not market positioning or product roadmaps. The three differentiators they identified map directly to the challenges organizations run into when they try to govern agents at scale with tools that weren't built for the problem.

Purpose-built architecture matters because the mismatch between agent behavior and traditional security tool assumptions can't be resolved at the integration layer. Intent-aware detection matters because agents are autonomous systems whose risk can't be assessed event by event. Community contribution matters because the organizations that helped define the OWASP Top 10 for Agentic Applications, contributed to MITRE ATLAS, and produced the research that became foundational to how the industry thinks about prompt injection. Those organizations aren't catching up to the category, they are building it.

The organizations that are further along in their agent security programs have already worked through all three of these lessons, often the hard way. We believe, the Gartner assessment reflects what those production deployments have taught.

The Floor Is Already Moving

The agent landscape is growing faster than most security teams expected when they started planning for it. Shadow AI agents appear before governance is in place. Device-based agents create lateral movement paths that existing tools don't trace end-to-end. Citizen developer ecosystems generate agent sprawl that outpaces any manual inventory process.

We hold the view that the platform capabilities Gartner assessed, including full-lifecycle coverage, intent-aware detection, and context-rich incident management, aren't just features for future deployments, they're what organizations need today to govern the agents that are already running in their environments.

There's a next evolution already visible from here. Static enforcement rules, however well-designed, describe what an agent is allowed to do in the abstract. What agent governance will ultimately require is a policy layer that responds to what an agent actually has in context at runtime. If an agent accesses data it wasn't expected to reach, the right response isn't just an alert or a block. It's a policy mechanism that immediately adjusts what that agent is permitted to do for the remainder of that session, based on what it now knows. Write the policy once, apply it everywhere, and let it respond to context rather than match conditions against a static ruleset.

That's where agent authorization is heading. More on that soon.

If you're working through how to govern the agents already running in your environment, request a demo, and we can walk through what that looks like in practice.

Gartner, AI Vendor Race: Zenity Is the Company to Beat in AI Agent Governance, Tarun Rohilla, Mark Wah, Lauren Kornutick, 17 April 2026

GARTNER is a trademark of Gartner, Inc. and/or its affiliates. Gartner does not endorse any company, vendor, product or service depicted in its publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner publications consist of the opinions of Gartner’s business and technology insights organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this publication, including any warranties of merchantability or fitness for a particular purpose.