Prisma AIRS 2.0 Is Powering the Next Wave of Secure AI Innovation

Oct 28, 2025

Every new dataset, model and agent brings incredible opportunities and entirely new risks. Most organizations have never had to secure technology like this before. That’s why we created Prisma® AIRS™ 2.0, a platform purpose-built to help you stay ahead. It gives you a clear view of your entire AI ecosystem, helps you assess emerging risks, and defends your organization against threats unique to AI.

This major platform upgrade, which completes the native integration of the recently acquired Protect AI, establishes a unified foundation for scalable and secure AI innovation.

AI Agent and MCP Security Is Securing the Autonomous Workforce

SaaS Agent Security

Let's begin with our approach to securing AI agents. Agents are often embedded within platforms, such as Microsoft 365 Copilot and Salesforce. They’re driving a new wave of intelligent automation across the enterprise. However, with their broad access and limited oversight, they also introduce unique security challenges. Threats such as prompt injection, context poisoning, tool misuse and memory tampering can manipulate agents to act in unintended or unsafe ways.

Prisma AIRS AI Agent Security provides the visibility and control organizations need to safeguard AI agents across any environment, from SaaS platforms to runtime deployments.

Prisma AIRS delivers protection for AI agents across two key domains:

Posture Security

Before agents even begin operating, Prisma AIRS secures them at the source. It automatically discovers every AI agent, maps its permissions and reduces exposure before deployment.

  • Comprehensive discovery: Finds all AI agents across SaaS, cloud and custom environments, including shadow or inactive agents that still hold access.
  • Permission and configuration management: Detects misconfigurations, shared credentials and over-permissive identities that violate least-privilege policies.
  • Continuous hardening: Monitors for configuration drift and risky trust chains between agents and third-party tools, keeping environments aligned with best practices.

Runtime Defense

Once AI agents are operational, Prisma AIRS continuously monitors their behavior in real time to detect and prevent threats that are unique to agent-driven systems. This includes privilege escalation, prompt injection, context poisoning, memory manipulation and data exfiltration. The platform inspects and validates live agent-to-tool interactions to identify and block malicious activity before it can impact business operations.

We’ve also rolled out a managed Prisma AIRS MCP Server that makes it easy for agents to weave threat detection right into their workflows, keeping security front and center from start to finish.

Watch: Can Your AI Be Tricked? Exposing the Security Gaps in MCP

Prisma AIRS protects how agents are set up and how they run, so enterprises can confidently scale AI automation with full visibility and control.

AI Model Security Is Shielding Open-Source Deployment

Prisma AIRS model security scans

As organizations embrace open-source models, train them with their own data, and move them into production, they’re also exposing a new and growing attack surface. Traditional security tools were never designed to protect it.

For years, the industry has attempted to adapt legacy methods, such as artifact scanning, malware detection and binary analysis, to secure AI systems. However, models are not static files or containers. Rather, they are dynamic, highly complex structures that contain embedded code, unique formats and opaque logic. Vulnerabilities can reside deep within these architectures, well beyond the visibility and capability of conventional security approaches.

Watch: The Guardrail Trap: Why Existing AI Security Strategies Aren’t Enough

Prisma AIRS AI Model Security is purpose-built for this new frontier. It prevents attacks before they reach production, stopping arbitrary code execution, architectural backdoors and provenance issues at their source. The Prisma AIRS product is powered by Advanced WildFire threat intelligence and insights from Huntr, our 18k-strong global threat research community. Prisma AIRS identifies and mitigates threats to AI models that other solutions miss.

The platform currently scans millions of models, detects more than 25 distinct threat patterns, and secures over 20 model formats. The result is comprehensive, end-to-end protection for AI models across the ecosystem, from open-source supply chains to enterprise-trained intellectual property.

With API-first, composable controls that integrate directly into CI/CD and MLOps pipelines, Prisma AIRS embeds security seamlessly into the model lifecycle, enabling automation, scalability and speed without compromise.

AI Red Teaming Is Continuous, Autonomous Vulnerability Hunting

Screenshot of Red Teaming targets added, scanned, overview.

Language can be used to manipulate models, extract sensitive data, or generate harmful content. Artificial intelligence creates a new attack surface defined by language, one that constantly evolves as models are retrained and data changes. Traditional, static security testing can’t keep up. It often misses risks that only appear through real-world, interactive use.

Most current red-teaming approaches are either manual or service-based, providing valuable insights but limited scalability. Automated tools, on the other hand, tend to perform narrow prompt-based tests that lack business or development context, or they require extensive technical configuration. The result is fragmented visibility, high operational overhead and findings that rarely translate into stronger, actionable defenses.

Watch: Red Teaming Your AI Systems Before Attackers Do

Prisma AIRS AI Red Teaming introduces a new approach to testing and validation. It's autonomous, comprehensive and context-aware, and it can profile targets and run more than 500 tailored adversarial simulations. The results map to established frameworks, such as NIST AI-RMF, OWASP and MITRE, and each finding includes detailed, operator-level remediation guidance to reduce surprises and speed resolution.

The solution delivers actionable insights, enabling organizations to identify vulnerabilities, implement corrections and rapidly re-test new versions. By embedding continuous validation into the AI development lifecycle, Prisma AIRS enables enterprises to innovate securely and deploy with confidence.

Deploy Bravely with Prisma AIRS™ 2.0

Already a FLEX credit customer? Deploy Prisma AIRS from your portal.

Ready to take the next step? Contact us to speak with an expert or to schedule a demo.

FAQ: Prisma AIRS™ 2.0

Q: How can I deploy Prisma AIRS 2.0, and what are the associated costs?

A: Customers can purchase Prisma AIRS 2.0 using Software NGFW Credits (Flex Credits) and deploy the solution directly from the Customer Service Portal (CSP). Customers can use our Credit Estimator tool to figure out how many credits they'll need.

Q: When is Prisma AIRS 2.0 available?

A: Prisma AIRS 2.0 is available today. To learn more, register for Ignite: What's Next on Tuesday, October 28, at 9 a.m. PT. Visit our official news center for the latest announcements, news and developments from Ignite: What's Next.

Q: Do I still need Prisma AIRS if my cloud provider or LLM vendor already offers some AI security?

A: Yes, you do. Vendor security offers a basic starting point, but Prisma AIRS 2.0 provides the comprehensive layer needed to catch advanced threats they miss. This includes finding vulnerabilities deep inside open-source models and blocking sophisticated attacks, like jailbreaks and agent tool misuse.

This blog contains forward-looking statements that involve risks, uncertainties and assumptions, including, without limitation, statements regarding the benefits, impact, or performance or potential benefits, impact or performance of our products and technologies or future products and technologies. Any unreleased services or features (and any services or features not generally available to customers) referenced in this or other press releases or public statements are not currently available (or are not yet generally available to customers) and may not be delivered when expected or at all. Customers who purchase Palo Alto Networks applications should make their purchase decisions based on services and features currently generally available.

