llmthreat
For vendors 21 vendors · 10 tools Matrix Vendors
Category

AI-SPM / Runtime Protection: 5 Vendors and 0 Tools Compared for 2026

AI-SPM / Runtime Protection covers posture management with live detection: who's running which model where, and whether anything is attacking it right now. It maps most closely to OWASP LLM risks LLM03 Supply Chain, LLM10 Unbounded Consumption, LLM04 Data and Model Poisoning. 5 vendors and 0 open-source tools sit in this category, scored as of .

5 of 5 AI-SPM / Runtime Protection vendors score Covered for LLM03 Supply Chain, as of . See the whole market in the coverage matrix.

Vendors

Ranked by llmthreat's editorial coverage score, as of 2026-07-13 — public documentation, not a third-party audit.

AI-SPM / Runtime Protection vendors — as of 2026-07-13
VendorCoveredPartialStatusFundingBest for
Noma Security 5/10 4 Active $132M Enterprises wanting one platform for AI/ML supply-chain posture, agent runtime protection and framework-mapped governance
HiddenLayer 3/10 6 Active $56M Enterprises needing model file scanning plus non-invasive runtime detection across GenAI, predictive ML and agentic systems
Protect AI 2/10 4 Acquired ~$108.5M (seed + Series A + $60M Series B); some trackers list up to $129M Securing the ML model supply chain, scanning third-party/Hugging Face models, and MLSecOps in the build pipeline
Apiiro 1/10 5 Active $135M Security teams securing the SDLC, AI-generated code and software supply chain across large codebases
Cranium 1/10 4 Active $32M Enterprises needing to discover and inventory AI models/data/vendors (AI Bill of Materials), map exposure, and stress-test models across a large AI estate

How to choose a AI-SPM / Runtime Protection product

"AI-SPM" and "runtime protection" get sold as one SKU but they're two different jobs: finding every model, agent, and MCP connection you don't already know about, and stopping a live attack against the ones you do. Vendors split hard on which job they actually do well, and on whether their control sits inline in the request path or watches from the side after the fact.

01 Deployment point: SDK vs inline gateway vs out-of-band
SDK-embedded controls add roughly 10-50ms per call and can block in real time, but only cover the apps that actually shipped the SDK. An inline reverse proxy or gateway (WitnessAI's model) enforces one policy across everything routed through it, but it's a new hop with its own uptime SLA and becomes a target itself. Out-of-band log/API analysis, the pattern behind CNAPP add-ons like Wiz AI-SPM or Microsoft Defender for Cloud's AI posture module, adds zero latency and needs no code change, but it detects after the request already left — it can't block anything.
02 Shadow AI discovery method and its blind spot
Network-traffic or CASB-style discovery catches unsanctioned SaaS copilots and browser tools but needs a vantage point — a proxy or endpoint agent — to see the traffic. Cloud-API-based discovery (the Wiz / Defender for Cloud pattern) enumerates models and datasets living inside your AWS, Azure, or GCP accounts, but is blind to a raw API key pasted into a script or a third-party SaaS calling an LLM directly. Code/SCM scanning finds models and prompts committed to a repo but misses anything that's runtime-only. No single method sees the whole estate; ask which blind spot the vendor is asking you to accept.
03 Detection accuracy: false-positive rate and tunability, not just the headline number
Vendors publish self-reported detection-rate and false-positive numbers (for example, sub-0.5% FPR at sub-50ms latency claims for prompt-injection filtering) but these come from vendor benchmarks — there's no independent AV-TEST equivalent for this category yet. What matters operationally is whether you can tune thresholds per application and pull an audit log of blocked-vs-allowed traffic, because a fixed high-recall filter blocks legitimate prompts in specialized domains (legal, clinical, financial) at a far higher rate than in generic chat. Test with your own traffic, including a few OWASP LLM01-style injection payloads, before trusting the vendor's number.
04 Model/artifact supply-chain scanning vs runtime-only
Some products scan the model artifact itself — pickle deserialization, embedded code, tampered weights — before deployment, tied into CI/CD and model registries (mapping to OWASP LLM03 Supply Chain and LLM04 Data and Model Poisoning). Others are runtime-traffic-only and never touch the artifact, so a malicious Hugging Face checkpoint pulled straight into production is invisible to them until it starts misbehaving in live requests. If open-weight or third-party models are anywhere in your stack, artifact scanning isn't optional — confirm the vendor actually does it rather than just monitoring the API in front of it.
05 Platform bundling: CNAPP module vs purpose-built platform
If you already run a CNAPP like Wiz or Microsoft Defender for Cloud, its AI-SPM module gives you model inventory and posture findings inside the console you already use, cheaper incrementally, but shallower on runtime/agent depth. Purpose-built platforms go deeper on agent- and MCP-specific controls and OWASP LLM Top 10 coverage, but that's another console, another SIEM/SOAR integration, and another vendor relationship to maintain.
Watch out

Consolidation risk is real and recent: Palo Alto Networks closed its $700M acquisition of Protect AI in July 2025 (folded into Prisma AIRS), Check Point agreed to acquire Lakera for $300M in September 2025, and Cisco acquired Robust Intelligence in 2024. A purpose-built point product you buy today can become one module in an acquirer's platform roadmap within a year, with pricing, support, and feature velocity set by the parent company, not the founding team. Ask directly whether the SKU you're signing is still a maintained standalone product or a legacy line being merged into the acquirer's platform.

Frequently asked questions

What is AI-SPM / Runtime Protection?

Posture management with live detection: who's running which model where, and whether anything is attacking it right now.

Which vendors lead AI-SPM / Runtime Protection coverage?

Noma Security, HiddenLayer, Protect AI cover the most OWASP LLM Top 10 risks in AI-SPM / Runtime Protection, by llmthreat's scoring, as of 2026-07-13. See the ranked table above.

What is the best AI-SPM / Runtime Protection tool for supply chain?

Noma Security leads AI-SPM / Runtime Protection for Supply Chain, by llmthreat's coverage scoring: Enterprises wanting one platform for AI/ML supply-chain posture, agent runtime protection and framework-mapped governance. Compare the full ranked list above.

Last verified . Sources: OWASP GenAI Solutions Reference Guide, vendor documentation, GitHub API. Funding and repo figures are third-party and go stale. Re-verify before you rely on them.
Informational, not professional security advice — verify vendor and tool claims directly before a purchasing or security decision. OWASP, MITRE, and the listed vendors and maintainers do not endorse llmthreat.com.