How Prisma AIRS 2.0 Secures the Autonomous Workforce

In the first installment of this article, Securing the Autonomous Workforce, we looked at how AI agents are reshaping work and pushing beyond the limits of traditional security. What started as small experiments has turned into a network of autonomous systems that move faster than most teams can track. That shift has left enterprises guessing at what these agents can see and what they can reach.

This part is about taking that guesswork out of the equation.

Prisma AIRS 2.0 AI Agent Security gives organizations a clear view of how their agents operate, the risks they create, and how to keep them in check. It begins with discovery — finding what’s out there and how it’s connected. Then comes assessment, the work of understanding where the weak points are and tightening access. Finally, protection: stopping the problems that surface when agents run live inside critical systems.

The aim isn’t to slow innovation or rein in automation. It’s to give enterprises the clarity to use it safely.

Discover: Restoring Visibility Across the AI Ecosystem

AI agents can often act like black boxes. You see what they produce, but not how they got there, what data they touched, or which systems they accessed. 

Automated Discovery and Mapping

You can’t secure what you can’t see. Prisma AIRS gives security teams clear visibility into every AI agent across the organization, including those built into SaaS platforms and enterprise agents including low-code tools, GenAI services, and internal applications.

It automatically finds both approved and unapproved agents, even those operating quietly in collaboration tools or connected through APIs. Once discovered, Prisma AIRS maps how each agent interacts with data and systems, showing where it lives, what it touches, and how it is connected.

This visibility extends across the entire AI ecosystem:

Discovery

• Agent Profiling: Prisma AIRS captures each agent’s identity, purpose, connected applications, knowledge sources, and associated users. It correlates this data with risk insights from Palo Alto Networks’ global threat intelligence, model assessment, and risk profiles to surface high-risk or unmonitored agents first.
• GenAI and SaaS Awareness: The discovery process covers enterprise-sanctioned agents and also identifies hidden extensions, plug-ins, and marketplace integrations that often escape traditional monitoring. You can send alerts or initiate workflows through integrated identity and response platforms.
  
  

Mapping

This continuous cycle of assessment and remediation prevents configuration drift and maintains least-privilege access across all agent environments. Governance becomes a living process embedded into how agents operate, not an afterthought. The result is a secure, compliant foundation for enterprise AI agents that evolve safely as part of the broader SaaS and cloud ecosystem. 

• Dormant Agent Detection: Inactive or abandoned agents are flagged automatically — especially those that retain credentials, API tokens, or access permissions that could be abused.
• Access and Data Mapping: Every discovered agent is linked to the systems, datasets, and users it touches, providing a clear visualization of agent-to-resource relationships and uncovering potential overexposure before it becomes a breach.

In short, Prisma AIRS replaces guesswork with a live, unified map of your AI agent ecosystem. Security teams gain continuous, automated visibility into what’s running, where it’s connected, and how it behaves — closing one of the biggest gaps in AI governance today.

Assess: Reducing Risk Through Continuous Monitoring

After Prisma AIRS maps every AI agent and its access relationships, it shifts from discovery to governance. The platform continuously evaluates agent configurations, permissions, and data exposure to help ensure each agent operates within approved security boundaries.

AI agents tend to accumulate privileges as they integrate with new systems or inherit tokens from previous configurations. This privilege creep creates hidden access paths that can expose sensitive data or allow unintended actions. Prisma AIRS detects and corrects these issues before they lead to compromise.

Continuous Risk Assessment

Prisma AIRS maintains a live profile for every agent, tracking its access scope, connected applications, and the sensitivity of the data it handles. The platform identifies over-permissive credentials, misconfigured roles, and dormant connections that could be exploited. It also monitors for behavioral anomalies, such as an agent querying unfamiliar data sets or invoking new tools, and immediately flags deviations from expected patterns.

Automated Enforcement

When Prisma AIRS detects unsafe permissions or policy violations, it can take action automatically. Policy-driven automation allows the system to:

• Revoke or adjust privileges in real time without interrupting operations.
  
• Quarantine or suspend agents showing signs of compromise.
  

Protect: Defending Agents in Motion

Once agents are live, they must be protected while they operate—because most risks emerge in motion. Prisma AIRS 2.0 provides multi-layered runtime defense, inspecting how agents interact with tools, APIs, and networks, and stopping malicious behavior before it spreads.

API Intercept: The Detection Engine

At the core of Prisma AIRS runtime protection is API Intercept. It provides near real time threat detection and how agents use their tools, tracking inputs, outputs, and definitions. This detects agent-specific threats like prompt injection, memory manipulation, or credential leakage before they cause damage.

The latest release adds MCP-specific threat detection, which enables Prisma AIRS to:

• Detect malicious MCP tool descriptions that manipulate an agent’s reasoning.
• Identify credential exposure within tool parameters, such as tokens or API keys.

MCP Relay: The Enforcer

The MCP Relay is an open-source enforcement point that extends Prisma AIRS protection directly into live agent workflows. Deployed in your own environment, it acts as a secure checkpoint between the agent and its tools. It intercepts every tool call in real time, and if a threat is detected by Prisma AIRS—such as a poisoned context or exposed credential—the relay can block or sanitize it instantly before it reaches the model.

In short:

• API Intercept detects threats.
• MCP Relay intercepts all communication between agents and MCP servers

Managed MCP Server: Protection as a Service

For organizations that want full protection without deployment complexity, Prisma AIRS offers the Managed MCP Server. This is a cloud-hosted, Palo Alto Networks–run form factor delivering runtime defense as a service. It brings the same powerful capabilities of API Intercept and MCP Relay, directly accessible from your AI agent. 

• Universal Compatibility: Works with any AI agent that supports the Model Context Protocol (MCP).
• Built-in Protection: Detects prompt injections, context poisoning, credential leaks, and malicious activity.
• Real-time Scanning: Can be used by the agent as a part of its task planning. You can ask it to block unsafe content before execution.

Simply point your agents to the Prisma AIRS endpoint, and protection begins automatically—no setup, requires a change to system prompt, no infrastructure to manage.

The Outcome

With Prisma AIRS 2.0, your AI agents can operate freely and intelligently—while your enterprise stays secure, compliant, and confidently in control. Your workforce may be changing, but with Prisma AIRS, it’s changing securely.

For more information about Prisma AIRS, fill out our contact form and one of our representatives will be in touch.

Deploy bravely. Secure confidently.