Zenity’s designation as a 2025 Gartner Cool Vendor for Agentic AI Trust, Risk and Security Management (TRiSM) coincides with the public disclosure of “AgentFlayer”—a class of zero-click exploits that can silently manipulate and exfiltrate data from production AI agents. The timing forces a marketplace conversation that many enterprise IT leaders have been dodging: agentic AI is no longer just a productivity tool; it is a primary attack surface that demands runtime enforcement and forensic-grade telemetry.
Agentic AI—software agents that reason, maintain long-lived state, and act autonomously across cloud ecosystems—has surged from experimental labs to mainstream deployment inside Microsoft Copilot Studio, Salesforce, and custom enterprise platforms. Gartner’s TRiSM guidance and its associated Cool Vendors report respond to this acceleration by highlighting vendors that bring novel, practical approaches to AI security. Zenity’s recognition, announced alongside its availability in the Microsoft Azure Marketplace, signals that agent-centric security is an emergent category worth serious procurement evaluation.
What Gartner’s Cool Vendor Designation Actually Means
Cool Vendor listings spotlight innovative, impactful, and interesting technology, often before broad enterprise awareness. The label is a signal—not a substitute for technical due diligence. For CIOs and CISOs, the value is twofold: it validates market recognition for runtime agent enforcement and step-level policy controls, and it elevates the vendor’s visibility with procurement teams responsible for securing Copilot-style deployments. Gartner does not endorse Zenity’s product or guarantee fit for every use case, and the wider market remains immature, with many vendors “agent washing” basic features. Gartner itself warns that without robust governance, a material fraction of agent projects will fail over the next few years—a forecast that amplifies the importance of specialist tools focused on runtime risk and remediation.
What Zenity Claims—and What’s Verifiable
Zenity describes an agent-centric security and governance platform that spans the entire agent lifecycle. Its public materials detail:
- Agent inventory & observability: Continuous discovery of agents, their connectors, and privilege mappings.
- AI Security Posture Management (AISPM): Build-time scanning and posture checks that flag excessive privileges, misconfigured connectors, and embedded secrets.
- AI Detection & Response (AIDR): Runtime telemetry, anomaly detection, and automated playbooks that block, quarantine, or roll back suspicious agent actions.
- Inline, step-level enforcement: The platform intercepts planned agent “steps”—discrete operations such as a connector call or CRM write—and applies policy before execution. Azure Marketplace previews describe enforcement at invocation points used by Copilot Studio agents.
These capabilities appear consistently across press releases and product documentation. However, the exact runtime mechanism remains opaque. Whether enforcement leverages Microsoft-provided extension hooks, an agent-side SDK, or a mediating proxy is not publicly detailed. Procurement teams must demand architecture diagrams and proof-of-concept (PoC) tests to validate the integration model, latency impact, and failure modes.
AgentFlayer: The Research That Changes the Stakes
At Black Hat, Zenity Labs demonstrated AgentFlayer—a family of zero-click, persistent exploit chains that weaponize standard agent behaviors. Major outlets including Wired and multiple cybersecurity publications confirmed the mechanics and vendor responses. The attacks work by:
- Embedding hidden instructions in poisoned documents or messages that an agent will obediently execute.
- Exploiting connector APIs, model reasoning, and Markdown/image rendering to exfiltrate secrets in small, innocuous chunks—without bulk file downloads that traditional DLP might catch.
- Triggering actions without any overt victim interaction; the agent simply processes content in its normal operation.
Because exfiltration leverages the agent’s own reasoning surface and trusted blob-storage domains, conventional network controls and data loss prevention tools are often blind to the activity. Multiple vendors issued rapid mitigations, but the underlying systemic risk endures: connectors and retrieval-augmented generation (RAG) pipelines that blend external content with agent logic can be poisoned at scale. AgentFlayer thus reframes the security conversation from “do we trust our models?” to “do we trust every document, email, and web page our agents might read?”
Practical Implications for Enterprise IT and Security Teams
Agentic AI forces security teams to reckon with a new class of privileged infrastructure. Key operational realities include:
- Agents are privileged infrastructure: Treat them like service accounts—inventory them, rotate credentials, enforce connector allow-lists, and conduct entitlement reviews.
- Build-time controls are insufficient: Agents evolve in production, read new inputs, and can be manipulated dynamically. Runtime interception at the action/step level shrinks the window between exploitation and mitigation.
- Detection must be agent-contextual: Logs must include planner steps, tool invocations, connector-call parameters, and retrieved content that shaped a decision. Generic SIEM data alone is inadequate.
- Red-teaming must include prompt injection, RAG poisoning, and memory persistence: Simulate zero-click flows and connector-based exfiltration to gauge real-world resilience.
Operationally, experts recommend a phased rollout:
| Phase | Action |
|---|---|
| 1 | Inventory and prioritize high-risk agents (those with access to PII, payment systems, or production workflows). |
| 2 | Deploy inline controls in monitoring-only mode to baseline false positives and latency. |
| 3 | Tune policies and automated playbooks, then enforce for high-risk actions. |
| 4 | Integrate agent telemetry into SOC playbooks and SOAR pipelines. |
Critical Analysis: Strengths, Gaps, and Operational Risks
Zenity’s agent-centric model offers three clear strengths:
- Fidelity: By focusing on step/action dimensions rather than treating agents as generic cloud workloads, the platform enables precise policy enforcement and forensic clarity—a scalable approach for Copilot-style environments.
- Lifecycle coverage: Combining AISPM and AIDR delivers defense-in-depth, addressing misconfigurations pre-deployment and threats in-flight.
- Research-led credibility: The independently verified AgentFlayer research underscores deep domain expertise and creates urgency for runtime controls.
Nevertheless, meaningful limitations and risk vectors exist:
- Opaque enforcement mechanics: Without architectural clarity, security teams cannot assess single points of failure, data leakage paths, or performance impact. Validate whether enforcement is truly inline, proxy-mediated, or SDK-based.
- Identity and entitlement dependencies: Inline prevention is only as strong as the underlying identity hygiene. Oversized service principals or shared secrets undermine policy enforcement.
- False positives and productivity trade-offs: Aggressive blocking can disrupt legitimate business processes. Vendors must demonstrate mature policy templates and low false-positive rates during enterprise-scale PoCs.
- Vendor lock-in and concentration risk: Adding a third-party enforcement layer to tightly coupled cloud agent platforms (Microsoft, Google, Salesforce) introduces procurement, legal, and operational complexity. Enterprises must weigh short-term gains against native platform guardrails that may emerge.
Eight Questions Procurement Must Demand
To move from analyst recognition to validated capability, security teams should require objective evidence:
- Provide a detailed architecture diagram showing exactly how inline enforcement integrates with Copilot Studio agent execution.
- Share SLA metrics: added latency per agent action, throughput limits, proven scale under test.
- Detail telemetry and data residency: what logs are retained, where are they stored, how are credentials and sensitive artifacts handled?
- Supply independent third-party test results showing false-positive rates and adversarial testing outcomes against real enterprise workflows.
- Demonstrate SOC integrations: SIEM/EDR/SOAR forwarding, incident playbooks, and escalation paths for blocked actions.
- Explain the mechanism for policy updates: how quickly can rules propagate to enforcement points, and what happens during partial failures?
- Clarify support for non-Microsoft agents: does the platform cover agents built on OpenAI, Google Vertex AI, or custom frameworks?
- Provide a live PoC using the enterprise’s own agents and connectors—synthetic demos mask edge cases and data-handling risks.
Market Context and a Cautious Way Forward
Zenity’s recognition arrives as analysts caution that agentic AI projects face a high cancellation risk without proper governance. The Cool Vendor report names multiple vendors, signaling a competitive emerging ecosystem. Enterprises should evaluate multiple solutions and avoid single-vendor lock-in. For Windows and enterprise IT teams, a short-term playbook is clear:
- Inventory: Map every agent, connector, and data classification accessed, prioritizing by privilege and regulatory exposure.
- Pilot: Deploy inline enforcement in monitoring mode on finance, HR, and customer-facing agents. Measure latency, false positives, and SOC integration friction.
- Red-team: Run adversarial prompt-injection, RAG-poisoning, and zero-click scenarios using Zenity’s published patterns as a baseline.
- Harden identity: Move agents to least-privilege identities; avoid shared service principals; rotate keys; enforce connection allow-lists.
- Institute governance: Add approval gates for new connectors, agent lifecycle processes, and mandatory training for citizen developers.
Zenity’s Cool Vendor status is a market milestone, but it is not a finish line. Inline enforcement is powerful only when paired with identity hygiene, supply-chain governance, and continuous adversarial testing. For Windows-focused enterprises racing to deploy Copilot agents, the message is unambiguous: adopt agentic AI, but do so with runtime guardrails and an evidence-based procurement process. The AgentFlayer research makes the cost of inaction tangible—zero-click, silent exfiltration is not a theoretical threat; it is a demonstrated reality. The industry pivot toward agent-centric security, signaled by Gartner’s recognition, should accelerate protective projects, but responsible adoption still demands rigorous validation to convert short-term productivity gains into sustainable, secure automation.