AI is collapsing the security boundaries between code, pipeline, and runtime. These startups are racing to fill the gaps.
For years, application security followed a stable model: developers wrote code, pipelines built and tested it, and runtime controls caught what slipped through. Each stage had its own tools, teams, and assumptions about risk. That model is now breaking.
At RSAC 2026, the most interesting startups weren't simply adding 'AI' to existing categories. They were responding to a fundamental shift: AI is compressing the software development life cycle, blurring the lines between writing code, deploying it, and operating it. In many cases, those steps now happen simultaneously or are driven by the same AI agents. The result is not just more software but a collapse of security boundaries, and with them, the traditional control points security teams have relied on.
Across early-stage and next-stage exhibitors at this year's conference, a pattern is accelerating: security continues to shift left and down. Left into requirements and intent, left into the tools that generate code, left into the pipelines that assemble and ship code, and down into the runtime environments where code executes. The following startups illustrate how those control points are shifting and why old assumptions about where to enforce trust no longer hold.
AppSentinels: Securing workflows, not just endpoints
With roots in API security, AppSentinels has expanded its scope to address security needs in AI-driven systems. As AI agents and services increasingly interact through APIs, the risk is no longer limited to individual endpoints but lies in how those endpoints are chained together. The company's focus is on understanding and securing how APIs are used in combination, rather than in isolation. As AppSentinels co-founder and CEO Puneet Tutliani explained, it is not a single endpoint but the way workflows are stitched together that creates problems.
Agents can automate complex sequences of actions across APIs at machine speed, exposing logic flaws, bypassing controls, or creating unintended side effects difficult to trigger manually. Traditional API security tools focusing on individual requests or endpoints are ill-suited to detect this behavior. AppSentinels addresses this by combining continuous testing with runtime governance, modeling and monitoring workflows as they execute. A recent addition includes explicit support for agent-driven interactions, providing visibility into which agents are operating and how they use APIs and tools. This is a natural evolution of the company's earlier positioning—protecting business logic now includes AI agents as first-class participants. The challenge is complexity: modeling workflows across multiple APIs, services, and agents is inherently difficult, and many organizations struggle to inventory endpoints, let alone understand interactions. But as applications become more composable and agent-driven, achieving that visibility becomes ever more urgent.
Aurva: Tracking identity and access in an agent-driven world
If AppSentinels focuses on the seams in workflows, Aurva focuses on the who or what is actually performing the work. In 2025, Aurva centered on runtime data visibility and how information flows through applications. This year, that story has shifted toward identity and access, particularly in the context of AI agents. The underlying issue is that agents often require broad permissions to function—they access APIs, query data stores, and interact with multiple systems on behalf of users, creating complex chains of identity and authorization difficult to track and constrain.
Aurva's approach monitors those chains in real time, correlating activity at the kernel level with identity and access data to understand what agents are doing, what data they access, what permissions they use, and how they use those permissions. The problem is not just visibility but understanding agent behavior, said Aurva CEO Apuru Garg. Traditional identity and access management systems define what should be allowed; Aurva attempts to show what is actually happening and where permissions may be broader than necessary. Currently, the platform is largely focused on detection and analysis rather than enforcement, limiting its ability to act as a direct control point but still filling a gap. As agents become more autonomous, tracing their actions across systems becomes a prerequisite for meaningful access control. The question is how quickly organizations will move from observing these behaviors to actively constraining them.
Backline: Closing the loop between finding and fixing
Security startups often aim at novel problems, but Backline focuses on one of the oldest challenges: what happens after vulnerabilities are found. For years, application security has excelled at generating findings but been far less effective at ensuring those findings are fixed. As AI accelerates development, the volume of vulnerabilities increases while the capacity to remediate them scales at a slower rate. Backline's answer is to automate the remediation process itself.
The company integrates with repositories and CI/CD systems to identify exploitable vulnerabilities, generate fixes, and validate those fixes through existing build and test workflows. The goal is end-to-end closure, not just prioritization. As Backline co-founder and VP of R&D Aviad Chen described, the question is no longer which vulnerability matters but how to fix it at scale. Where earlier tools focused on triage, Backline compresses the entire loop from detection to resolution into a single automated process, allowing teams to keep pace with AI-driven development. The risk is introducing new errors—automatically generated fixes must be correct, context-aware, and safe to deploy. Backline attempts to check all those boxes by validating changes inside the pipeline before production, but organizations will expect proof over time. Nonetheless, the direction is clear: in an environment where vulnerabilities can outpace human remediation, automation moves from convenience to necessity.
Backslash: Securing the AI development toolchain
In traditional development pipelines, the path from idea to code was relatively controlled. Today, that path often runs through a growing set of AI tools: coding assistants, agents, plugins, Model Context Protocol (MCP) servers, and external services, many operating outside formal oversight. Backslash focuses on that 'in-between' layer—the AI development toolchain. The company provides visibility into which AI tools and agents are used across an organization, along with policy controls and guardrails governing how they interact. More importantly, it controls how data moves between those components, addressing risks like prompt injection and unintended data exposure.
Backslash Field CTO Gil Friedman explained that security teams are no longer dealing with a single developer writing code but with tools that sit between initiative and output. This shift has two consequences: first, security teams often lack even basic visibility into which AI tools are in use, especially as non-developers adopt them; second, traditional controls like network monitoring or endpoint detection struggle to capture interactions between agents, plugins, and local processes. Backslash's answer is an endpoint-level 'guardian' that inventories these components, evaluates their risk, and enforces policies on what can be installed or executed. The challenge is clarity—the terminology (agents, MCPs, skills, etc.) continues to evolve, and boundaries between categories are still forming. Yet the problem is urgent: now that AI tools are part of the development pipeline, they must be secured as such.
Chainloop: Building governance into the software factory
Chainloop addresses a different failure point exacerbated by AI-powered development: what happens when AI accelerates everything else. As development speeds up, governance becomes the bottleneck. Chainloop serves as a software supply chain control plane, capturing artifacts across the entire pipeline—code changes, build outputs, scan results, and deployments—to create a central, verifiable system of record. It also applies policy-as-code guardrails that automatically enforce requirements across the pipeline. The company is not trying to be another scanning tool but to become the system that defines and enforces how software moves from commit to production.
Chainloop co-founder and CEO Daniel Liszka noted that organizations can now generate and ship code faster than ever, but integration, compliance, and security remain slow. Chainloop automates that outer loop. By defining guardrails as code and tying them directly to pipeline events, the platform enables real-time feedback loops, including for AI agents themselves. Agents can iterate on code or configurations until they meet defined policies, rather than relying on manual review. This is one of the more consequential shifts from RSAC 2026: governance, long treated as friction, is being reframed as infrastructure that must be automated if AI-driven development is to scale. The trade-off is complexity—Chainloop's model requires organizations to think in terms of systems, provenance, and policy frameworks, not just tools. But for teams grappling with software supply chain risk, that abstraction may be exactly what is needed.
FireTail: Gaining visibility into AI usage across the organization
Described as an end-to-end AI security platform, FireTail takes a step back to answer a broader question: who is using AI, and how? As AI tools proliferate, usage often spreads beyond development teams to include product managers, analysts, and other business functions. Many organizations lack a clear inventory of which tools are in use, what data is shared, and where risks are introduced. FireTail focuses on providing that visibility.
The platform monitors both employee usage (interactions with tools like ChatGPT) and application-level usage (agents built on cloud AI services), aggregating activity into unified log streams to detect potential issues like data leakage, policy violations, or anomalous behavior. Founder Jeremy Snyder stated that the first use case for every customer is knowing who is using what AI service. From there, organizations can define policies and, in some cases, enforce them at the endpoint or browser level. This is a different control point—less about enforcing behavior within the pipeline and more about establishing baseline visibility and governance across the organization. That distinction makes FireTail both broadly useful and somewhat peripheral to the core development life cycle. Visibility is a prerequisite for control, but enforcement requires additional measures. Still, as AI adoption expands beyond engineering, that visibility may become a necessary first step for organizations trying to understand exposure before deciding how to manage it.
Raven: Enforcing trust where code runs
At the far end of the software life cycle, Raven represents a different kind of shift. Instead of focusing on code before it runs, Raven focuses on what happens when it does. In 2025, Raven was described as a runtime platform focused on prioritization and detection. This year, the emphasis has changed toward runtime prevention, with a more aggressive stance on what matters and what does not. The core idea is straightforward: static analysis produces large volumes of vulnerabilities, many never exercised in production, while AI reduces the time to discover and exploit real weaknesses. The traditional model of scanning for known issues and prioritizing them based on CVEs is losing relevance.
Raven's response is to focus on behavior at runtime, rather than signatures or known vulnerabilities. By observing how code executes inside the application, the platform attempts to identify and stop exploit activity directly, regardless of whether a vulnerability has been cataloged. Co-founder and CEO Roi Abitboul emphasized that they stop relying on CVEs and look at what the application is actually doing. The company uses a kernel-level approach to observe application behavior without injecting code or modifying the runtime environment, minimizing performance impact. From that vantage point, it identifies anomalous behavior in libraries or functions and blocks execution in real time. This diverges from the current AI narrative: while many vendors emphasize AI-driven detection, Raven argues AI is too slow for real-time prevention and uses it selectively for analysis and prioritization. The result is a model that treats runtime as the ultimate control point—if earlier stages fail or are bypassed, enforcement still happens where the code executes. As AI accelerates both development and exploit generation, the gap between vulnerability discovery and exploitation shrinks, making runtime enforcement less of a fallback and more of a primary defense.
Seezo: Securing what gets built, before code exists
One of the most dramatic shifts in information security is happening at the very start of the development life cycle. In previous years, application security vendors focused on scanning code after it was written. Seezo is betting that in an AI-driven world, that is already too late. The company focuses on generating security requirements before code is written, shaping how both developers and AI agents build systems from the outset. The premise is simple: if AI is generating large volumes of code, then controlling what gets built becomes more important than analyzing what was built after the fact.
Co-founder and CEO Sandesh Mysore Anand noted that the cost of generating code has gone to zero while the cost of reviewing code remains very high. That imbalance is driving a quiet but important change: instead of interrupting developers with scans and findings, Seezo inserts security into the requirements layer—the one place both humans and AI systems rely on to understand intent. This is not just a shift-left story but a recognition that when AI agents are writing code, they are also reading instructions. If those instructions include security constraints, the resulting code improves before it ever hits a pipeline. The trade-off is obvious: this approach depends on organizations adopting a more disciplined requirements process, something many teams have historically resisted. But as AI increases output, that discipline may become less optional.
TestifySec: Turning compliance into a continuous control
Promising to turn the development pipeline into a live audit feed, TestifySec is tackling a stubborn bottleneck: compliance as a gating function. In traditional environments, proving that software meets regulatory or security requirements is slow, manual, and often disconnected from how code is actually built. That lag becomes a real problem when development accelerates, especially when AI agents are generating changes faster than teams can review them. To answer this challenge, TestifySec moves compliance into the pipeline itself, using an evidence-based model. Instead of relying on documentation and manual audits, the platform maps code, test results, and artifacts directly to security controls and evaluates them continuously.
Co-founder and CEO Cole Kennedy stated that organizations can write software fast but cannot ship it any faster because they cannot measure it—that measurement gap is what TestifySec aims to close. The platform uses AI agents to analyze what evidence should exist for a given control, then looks for that evidence across the codebase, pipeline outputs, and supporting artifacts. Developers can get feedback on compliance before code is merged, rather than waiting for a downstream audit cycle. This is a subtle but important shift: compliance moves from being a post hoc validation step to a continuous signal inside CI/CD. The challenge is trust—automated compliance has been promised before, and organizations tend to be cautious about replacing human validation with machine-generated assessments. But as development speed increases, the alternative may be worse: a growing backlog of software that cannot be shipped because it cannot be certified.
If there was a single takeaway from RSAC 2026, it is that the industry is no longer arguing about whether AI will change software development—it already has. What is still being worked out is where security belongs when the boundaries between development, deployment, and execution no longer hold. The vendors highlighted here are not converging on a single answer but redefining control points across the entire life cycle, from requirements and toolchains to pipelines, runtime, and workflows. Some approaches will prove more durable than others. Not every new layer will become a category, and not every claim will hold up under real-world pressure. But the direction is clear: as AI compresses the software development life cycle and accelerates both development and exploitation, security can no longer rely on isolated checkpoints. Trust must be enforced continuously, and in more places than before. The challenge for organizations is not just adopting new tools but deciding where those control points should reside in their environments. The answer will vary, but the underlying shift is the same: security is no longer a stage—it is part of the system itself.
Source: InfoWorld News