
Palo Alto Bought the Gateway. The Action Layer Is Where AI Governance Actually Lives.

What the Portkey acquisition tells us about where AI agent governance is heading — and where Zenity, Noma, Geordie, Lakera, and the rest of the field actually sit on the stack.

On April 30, 2026, Palo Alto Networks announced its intent to acquire Portkey, the AI gateway that already processes "trillions of tokens per month" for enterprise customers. The deal folds Portkey into Prisma AIRS as the unified AI control plane for the Palo Alto security stack. Lee Klarich, PANW's Chief Product & Technology Officer, framed the rationale plainly: "As autonomous agents join the enterprise workforce, they also become a new, unmanaged attack surface."

He is right about the attack surface. He is not yet right about which layer of the stack contains it.


The Map of AI Governance Has Three Layers

There are three places you can intercept an AI agent. Each governs something different. Each has different vendors competing for it. And each one is now in a different stage of consolidation.

The prompt layer. Lakera, Lasso Security, Calypso AI, AIM Security, and Prompt Security operate here. They sit between the human (or agent) and the model, inspecting prompts and outputs for prompt injection, jailbreaks, sensitive data exfiltration, and unsafe content. Useful. Necessary. Increasingly commoditized — every model provider now ships baseline guardrails, and Check Point has already pulled Lakera into its network security stack.

The gateway layer. Portkey, Witness AI, Aporia, and the cloud-provider AI platforms operate here. Gateways centralize routing across model vendors, observability, cost controls, token-level policy, and sometimes RBAC for LLM traffic. They see what the model said. They do not see what the agent did. The PANW acquisition is the consolidation event for this layer.

The action layer. This is where the agent stops talking and starts doing. It is the layer between the LLM tool call and the production tool API — the moment an agent emits okta:user.deactivate(jdoe@acme.com) and the moment Okta receives the request. This is the layer with the actual blast radius. It is also the layer that nobody buying an LLM gateway is governing.

What the Portkey Deal Actually Tells Us

Three things.

First, AI security is now a category, not a feature. Palo Alto has spent close to $29B in the last twelve months on CyberArk, Chronosphere, Protect AI, and now Portkey. Alphabet has paid $32B for Wiz. ServiceNow has spent $11.6B on Armis, Moveworks, and Veza. Check Point has acquired Lakera. The hyperscalers are not building this; they are buying it.

Second, the consolidation is happening from the gateway down. Palo Alto did not buy a prompt-layer guardrail. They bought the control plane that already terminated the traffic, had the developer integration, and was processing trillions of tokens. Gateways win the gateway war because gateways already own the wire. Rohit Agarwal, Portkey's CEO, said the same thing on the way out: "Scaling AI in production requires a delicate balance between total flexibility for developers and absolute control for security teams." That is a gateway-shaped sentence. It is true at that layer. It is silent on every layer below it.

Third, the action layer is conspicuously absent from every one of these deals. Read the press releases carefully. PANW + Portkey is about "tokens." Cisco + Robust Intelligence was about "model behavior." Check Point + Lakera was about "LLM/agent runtime guardrails." None of them buy a vendor whose primary product is governing the call from the agent to the production tool that runs the operation. That is not because the layer is unimportant. It is because the layer is hard.

A gateway can refuse a prompt. It cannot refuse an action.

Why the Action Layer Is Where the Damage Lives

A perfectly behaved LLM call can produce a catastrophic outcome.

Imagine an agent receives a Slack message: "please offboard the contractor whose engagement ended Friday." The agent reasons about it. The model output is well-formed, refusal-free, and on-policy. The agent then calls okta:user.deactivate(...) and crowdstrike:host.contain(...) and jira:ticket.create(...).

Every layer above the action layer says this looks fine.

The prompt layer sees a clean prompt and a clean output. The gateway sees a token-shaped request to a model provider with reasonable cost and latency. The posture tool sees an agent that is registered, scored, and within its declared scope. None of them is wrong about what they observe. They are all looking at the wrong surface.

Because the agent just disabled the wrong contractor — the one whose engagement extended through Q3 — and contained a domain controller because of a hostname collision. The blast radius lives at the API call to Okta and CrowdStrike. The only layer that can return a verdict at that moment, with the operational context (who, what, against which connector, with which params, against which declared intent), is the action layer. Everywhere else, you are reading tea leaves.

Where Each Vendor Actually Sits

Zenity. Strongest in shadow-agent discovery across SaaS — Copilot Studio, Power Platform, Salesforce Einstein, Glean. Gartner named them "Company to Beat" in AI agent governance and the recognition is deserved. Zenity is the right answer for the LOB-built agents proliferating inside enterprise SaaS hosts where the governance team has no native visibility. It is a less natural fit for internally-built Python agents driving a SOC playbook against Splunk and CrowdStrike, where the agent is not running inside a SaaS tenant you can sniff. Zenity's threat model is "find the shadow agents." That is a different problem from "govern the declared ones at the moment they act."

Noma Security. $132M raised, AI Security Posture Management at heart — discover and score AI assets, agents, and pipelines across cloud and AI platforms (Databricks, SageMaker, Salesforce). Excellent inventory and posture. Posture, by definition, tells you you have a problem; it does not block a destructive call at execution time. Different layer.

Geordie AI. The most direct overlap with what we do. Won RSAC 2026 Innovation Sandbox. London-based, founders out of Snyk, Veracode, and Darktrace. The Beam context engine is a serious piece of engineering and they have correctly identified that the agent-native runtime is the underspecified layer. Where we differ: connector breadth (ARX ships 101 connectors covering 2,519 governed operations across the security and IT stack with pre-classified risk), compliance evidence (we generate SOC 2, ISO 27001, and FedRAMP-mapped evidence packages from the same audit data the platform already produces), and stage of company. We expect to share customer evaluations with Geordie in the next year, and we welcome it. The category needs more than one credible vendor.

Lakera (now Check Point). Best-in-class prompt-injection runtime guardrail. Now part of a network security stack. Operates at the prompt layer. Complementary to action governance, not a substitute.

Lasso, Calypso AI, AIM, Prompt Security. Variations on prompt-layer protection: RBAC-aware prompts, inference-time defense, agentic red-teaming, DLP for LLMs. Real categories with real value. Inspecting prompts is not the same as authorizing actions.

Witness AI. Gateway-adjacent. Visibility into AI traffic. Same layer as PANW + Portkey now occupy, with a different go-to-market.

Portkey (now PANW). The gateway. Trillions of tokens per month is impressive throughput, and PANW is the right buyer. It will become the AI Gateway in Prisma AIRS. Gateways see what the model said. They do not see what the agent did to your production infrastructure.

Where ARX Sits

ARX is the action layer.

Every operation an agent attempts — read a CrowdStrike detection, contain an endpoint, disable an Okta user, create a Jira ticket, run a Splunk query — passes through ARX before reaching the target tool. We capture the operation, evaluate it against policy (PERMIT, ESCALATE, DENY), inject the credential from a vault the agent never sees, route ESCALATE verdicts to a human reviewer in Slack or Microsoft Teams, and write an immutable, tamper-evident audit row binding the verdict to the actual outcome.

The artifacts that fall out the back of that pipeline are exactly what compliance asks for: who acted, on which connector, with what risk class, against which declared intent, with which policy verdict, witnessed by which approver, with what credential identity, with what result. We map those into a SOC 2, ISO 27001, and FedRAMP evidence package directly, because they are derived from configuration and behavior, not authored by hand.
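
The verdict-and-audit flow described above, as an added example that is not ARX's code: a policy check returns PERMIT, ESCALATE or DENY for each tool call against a declared intent, and every verdict is written to a SHA-256 hash-chained log so that a later edit to any row is detectable. The risk table, field names, agent name and sample calls are assumptions constructed for illustration; the example covers the verdict and audit steps only.

```python
import hashlib, json
# Added illustration with hypothetical names and constructed data; not ARX code.
RISK = {"jira:ticket.create": "low", "okta:user.deactivate": "destructive",
        "crowdstrike:host.contain": "destructive"}
OUTCOME = {"PERMIT": "executed", "ESCALATE": "pending_approval", "DENY": "blocked"}

def evaluate(call, intent):
    """Return PERMIT, ESCALATE or DENY for one tool call against a declared intent."""
    risk = RISK.get(call["op"])
    if risk is None:
        return "DENY"                  # unclassified operation: default deny
    if risk == "low":
        return "PERMIT"
    if call["target"] not in intent["targets"]:
        return "DENY"                  # destructive call outside the declared intent
    return "ESCALATE"                  # in scope, but a human approves first

def _digest(row):
    body = {k: v for k, v in row.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def append_row(log, agent, call, verdict, outcome):
    """Append an audit row whose hash covers the previous row's hash."""
    row = {"seq": len(log), "agent": agent, "call": call, "verdict": verdict,
           "outcome": outcome, "prev": log[-1]["hash"] if log else "0" * 64}
    row["hash"] = _digest(row)
    log.append(row)

def verify(log):
    """True only if every row is unmodified and linked to its predecessor."""
    prev = "0" * 64
    for row in log:
        if row["prev"] != prev or row["hash"] != _digest(row):
            return False
        prev = row["hash"]
    return True

def run_demo():
    # Constructed intent and calls mirroring the offboarding scenario in the article.
    intent = {"request": "offboard contractor", "targets": ["contractor-a@example.com"]}
    calls = [{"op": "jira:ticket.create", "target": "OFFBOARD"},
             {"op": "okta:user.deactivate", "target": "contractor-a@example.com"},
             {"op": "okta:user.deactivate", "target": "contractor-b@example.com"},
             {"op": "crowdstrike:host.contain", "target": "dc01"}]
    log = []
    for c in calls:
        verdict = evaluate(c, intent)
        append_row(log, "offboarding-agent", c, verdict, OUTCOME[verdict])
    return log
```

In the constructed run, the deactivation of the contractor named in the intent is escalated for approval, while the second contractor and the `dc01` containment are denied because neither target appears in the declared intent.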

We are not competitive with the gateway layer. We are downstream of it. A reasonable enterprise will run a gateway (PANW now, possibly something else later) for token-level routing and run ARX for action-level governance. The gateway terminates the LLM call. ARX terminates the tool call. They are two different surfaces and they require two different policies.

We are competitive with vendors that claim to govern agent behavior but operate at the prompt or posture layer. Refusing a prompt is not the same as refusing an action. Scoring an agent is not the same as blocking its next call. When the auditor asks you to demonstrate that a destructive operation was authorized by policy, executed by a known identity, witnessed by an approver, and bound to an immutable record, the prompt layer cannot answer and the posture tool cannot answer. Only the action layer can.

What CISOs Should Do This Quarter

Draw the layer map. Every AI governance line item in your budget should be tagged with the layer it operates at: prompt, gateway, action. If you have three vendors at the prompt layer and zero at the action layer, you do not have a coverage gap — you have a category gap. The auditor will find it before the adversary does.

Treat the gateway as plumbing. PANW + Portkey will become the default for LLM traffic in any shop already running Prisma. That is fine. Buy the gateway for what gateways do — routing, observability, model failover, cost. Do not let the size of the deal convince you that the gateway is the governance layer. It is the routing layer.

Ask the action question. For every AI agent your team has deployed in the last twelve months, can you produce, in under five minutes: the list of operations the agent has attempted, the policy verdict for each, the human approver for any ESCALATE, the credential identity used, and a tamper-evident receipt for each entry? If the answer is no, the question is not "which gateway do I buy." The question is "where is my action layer."

We built ARX because that question did not have a good answer.
