Palo Alto Networks announced expanded agentic AI security capabilities within Prisma SASE, positioning the platform to govern autonomous agents operating across enterprise networks, SaaS environments, and cloud infrastructure [1]. Prisma SASE represents a structural shift in how enterprises approach agentic AI security as deployments accelerate with security as the top concern. The real question is whether SASE architecture, designed for human users and static workloads, can actually enforce policy on agents that spawn dynamically, operate across trust boundaries, and generate their own API calls.
What is Covered in This Article:
- Palo Alto Networks’ Prisma SASE expansion to cover agentic AI workloads and autonomous agent traffic
- Structural mismatch between legacy SASE design assumptions and agentic AI behavior patterns
- Competitive positioning against Microsoft, Zscaler, and emerging AI-native security vendors
- Execution risks in agent identity, policy enforcement, and real-time threat detection at machine speed
The News: Palo Alto Networks extended Prisma SASE to address what it calls the era of agentic AI, where autonomous agents execute tasks, access sensitive data, and operate across enterprise systems without direct human supervision [1]. The platform now targets agent-to-agent communication, agentic browser sessions, and API-driven workflows that traditional SASE architectures were never designed to inspect [1]. The announcement follows Palo Alto’s simultaneous release of Prisma AIRS 3.0, which targets AI application security across cloud and SaaS environments where developers are building agent-driven applications [2].
According to Futurum Group’s 2H 2025 Cybersecurity Decision Maker Survey (n=1,008), 62.1% of security decision-makers agree AI-powered defensive tools are now a necessity, and relying solely on human analysts is no longer viable. That same survey found 82.3% of organizations experienced at least one significant security incident in the past 12 months. Palo Alto is betting that the next wave of incidents will originate from compromised or misbehaving agents, not compromised users.
Can Prisma SASE Actually Secure Agents It Cannot See?
Analyst Take: Palo Alto is making a structurally sound bet: agentic AI creates a new attack surface that existing security tooling cannot address. The harder question is whether SASE, an architecture built around user identity and network perimeter, is the right foundation for securing entities that have no fixed identity, no predictable behavior, and no human in the loop.
SASE Architecture and Prisma SASE: Built for Humans, Not Agents
SASE architecture assumes a relatively stable set of identities, devices, and access patterns. Agentic AI breaks every one of those assumptions. Agents spawn dynamically, inherit permissions from the applications that invoke them, and generate API calls that look identical to legitimate application traffic [1]. Traditional policy enforcement relies on user context; agents have no user context in the conventional sense. Palo Alto’s claim that Prisma SASE can govern this traffic requires the platform to solve agent identity at a level of granularity that no vendor has demonstrated in production at scale. According to Futurum Group’s 2H 2025 Cybersecurity Decision Maker Survey (n=1,008), 62.0% of organizations have already observed a significant increase in sophisticated AI-driven attacks. Agents that can be hijacked or manipulated represent the next generation of that threat vector, and SASE inline inspection may simply be too slow to catch it.
The GPU Blind Spot Problem and Prisma SASE Limitations
Palo Alto’s Prisma SASE operates at the network and application layer, but agentic AI workloads increasingly execute within GPU-accelerated infrastructure where traditional endpoint and network tools have no visibility. Futurum’s February 2026 research (‘Do AI Factories Signal a New Mandate for Certified Security?’) identified a structural ‘GPU Blind Spot’ where conventional EDR tools monitor only CPU and OS activity, leaving GPU execution opaque to security teams entirely. SASE can inspect traffic flowing between agents and external services, but it cannot observe what an agent is doing inside an AI factory or within a GPU-accelerated inference cluster. Palo Alto’s simultaneous push with Prisma AIRS 3.0 [2] suggests the company recognizes this gap, but the two platforms need to operate as a genuinely integrated control plane, not as adjacent product lines with separate consoles and separate policy engines.
Prisma SASE Consolidation Story Meets a Market Still Expanding Vendor Count
Palo Alto’s platformization strategy for Prisma SASE depends on enterprises consolidating security vendors around Prisma. The data does not yet support that outcome. According to Futurum Group’s 2H 2025 Cybersecurity Decision Maker Survey (n=1,008), 43.0% of organizations plan to expand their security vendor count versus only 34.6% consolidating. The market is in net-expansion mode, which means Palo Alto is selling Prisma SASE consolidation into a buying environment that is actively adding tools. Zscaler, Microsoft Defender for Cloud, and a growing set of AI-native security startups are all positioning for the same agentic security opportunity that Prisma SASE targets [3]. Wall Street’s bullish consensus on PANW reflects confidence in Palo Alto’s execution track record [3], but the competitive window for owning agentic AI security with Prisma SASE is narrow. Whoever establishes the de facto standard for agent identity and policy enforcement in the next 18 months will be very difficult to displace.
What to Watch:
- Agent Identity Standard: Will Palo Alto commit to open agent identity frameworks such as SPIFFE or emerging A2A protocols, or will Prisma SASE require proprietary agent instrumentation that creates its own lock-in by Q4 2026?
- AIRS and SASE Integration Depth: Do Prisma AIRS 3.0 and Prisma SASE share a unified policy engine and single control plane, or are they separate products with a marketing wrapper that forces customers to manage two consoles?
- Zscaler Counter-Move: How quickly does Zscaler extend its Zero Trust Exchange to cover agent-to-agent traffic, and does its cloud-native architecture give it a structural advantage over Palo Alto’s hybrid SASE model?
- Incident Attribution Test: When the first major breach involving a compromised autonomous agent occurs, will forensic evidence show that SASE-class tools detected or missed it, and what does that mean for the entire category’s credibility?
Sources
1. Securing the Era of Agentic AI with Prisma SASE
2. Securing the AI Enterprise — Introducing Prisma AIRS 3.0
3. Is It Worth Investing in Palo Alto (PANW) Based on Wall Street’s Bullish Views?
Declaration of generative AI and AI-assisted technologies in the writing process: This content has been generated with the support of artificial intelligence technologies. Due to the fast pace of content creation and the continuous evolution of data and information, The Futurum Group and its analysts strive to ensure the accuracy and factual integrity of the information presented. However, the opinions and interpretations expressed in this content reflect those of the individual author/analyst. The Futurum Group makes no guarantees regarding the completeness, accuracy, or reliability of any information contained herein. Readers are encouraged to verify facts independently and consult relevant sources for further clarification.
Disclosure: Futurum is a research and advisory firm that engages or has engaged in research, analysis, and advisory services with many technology companies, including those mentioned in this article. The author does not hold any equity positions with any company mentioned in this article.
Analysis and opinions expressed herein are specific to the analyst individually and data and other information that might have been provided for validation, not those of Futurum as a whole.
Read the full Futurum Group Disclosure.
Author Information
This content is written by a commercial general-purpose language model (LLM) along with the Futurum Intelligence Platform, and has not been curated or reviewed by editors. Due to the inherent limitations in using AI tools, please consider the probability of error. The accuracy, completeness, or timeliness of this content cannot be guaranteed. It is generated on the date indicated at the top of the page, based on the content available, and it may be automatically updated as new content becomes available. The content does not consider any other information or perform any independent analysis.
