AI-SPM / Runtime Protection: 5 Vendors and 0 Tools Compared for 2026
AI-SPM / Runtime Protection covers posture management with live detection: who's running which model where, and whether anything is attacking it right now. It maps most closely to OWASP LLM risks LLM03 Supply Chain, LLM10 Unbounded Consumption, LLM04 Data and Model Poisoning. 5 vendors and 0 open-source tools sit in this category, scored as of .
5 of 5 AI-SPM / Runtime Protection vendors score Covered for LLM03 Supply Chain, as of . See the whole market in the coverage matrix.
Vendors
Ranked by llmthreat's editorial coverage score, as of 2026-07-13 — public documentation, not a third-party audit.
| Vendor | Covered | Partial | Status | Funding | Best for |
|---|---|---|---|---|---|
| Noma Security | 5/10 | 4 | Active | $132M | Enterprises wanting one platform for AI/ML supply-chain posture, agent runtime protection and framework-mapped governance |
| HiddenLayer | 3/10 | 6 | Active | $56M | Enterprises needing model file scanning plus non-invasive runtime detection across GenAI, predictive ML and agentic systems |
| Protect AI | 2/10 | 4 | Acquired | ~$108.5M (seed + Series A + $60M Series B); some trackers list up to $129M | Securing the ML model supply chain, scanning third-party/Hugging Face models, and MLSecOps in the build pipeline |
| Apiiro | 1/10 | 5 | Active | $135M | Security teams securing the SDLC, AI-generated code and software supply chain across large codebases |
| Cranium | 1/10 | 4 | Active | $32M | Enterprises needing to discover and inventory AI models/data/vendors (AI Bill of Materials), map exposure, and stress-test models across a large AI estate |
How to choose a AI-SPM / Runtime Protection product
"AI-SPM" and "runtime protection" get sold as one SKU but they're two different jobs: finding every model, agent, and MCP connection you don't already know about, and stopping a live attack against the ones you do. Vendors split hard on which job they actually do well, and on whether their control sits inline in the request path or watches from the side after the fact.
- 01 Deployment point: SDK vs inline gateway vs out-of-band
- SDK-embedded controls add roughly 10-50ms per call and can block in real time, but only cover the apps that actually shipped the SDK. An inline reverse proxy or gateway (WitnessAI's model) enforces one policy across everything routed through it, but it's a new hop with its own uptime SLA and becomes a target itself. Out-of-band log/API analysis, the pattern behind CNAPP add-ons like Wiz AI-SPM or Microsoft Defender for Cloud's AI posture module, adds zero latency and needs no code change, but it detects after the request already left — it can't block anything.
- 02 Shadow AI discovery method and its blind spot
- Network-traffic or CASB-style discovery catches unsanctioned SaaS copilots and browser tools but needs a vantage point — a proxy or endpoint agent — to see the traffic. Cloud-API-based discovery (the Wiz / Defender for Cloud pattern) enumerates models and datasets living inside your AWS, Azure, or GCP accounts, but is blind to a raw API key pasted into a script or a third-party SaaS calling an LLM directly. Code/SCM scanning finds models and prompts committed to a repo but misses anything that's runtime-only. No single method sees the whole estate; ask which blind spot the vendor is asking you to accept.
- 03 Detection accuracy: false-positive rate and tunability, not just the headline number
- Vendors publish self-reported detection-rate and false-positive numbers (for example, sub-0.5% FPR at sub-50ms latency claims for prompt-injection filtering) but these come from vendor benchmarks — there's no independent AV-TEST equivalent for this category yet. What matters operationally is whether you can tune thresholds per application and pull an audit log of blocked-vs-allowed traffic, because a fixed high-recall filter blocks legitimate prompts in specialized domains (legal, clinical, financial) at a far higher rate than in generic chat. Test with your own traffic, including a few OWASP LLM01-style injection payloads, before trusting the vendor's number.
- 04 Model/artifact supply-chain scanning vs runtime-only
- Some products scan the model artifact itself — pickle deserialization, embedded code, tampered weights — before deployment, tied into CI/CD and model registries (mapping to OWASP LLM03 Supply Chain and LLM04 Data and Model Poisoning). Others are runtime-traffic-only and never touch the artifact, so a malicious Hugging Face checkpoint pulled straight into production is invisible to them until it starts misbehaving in live requests. If open-weight or third-party models are anywhere in your stack, artifact scanning isn't optional — confirm the vendor actually does it rather than just monitoring the API in front of it.
- 05 Platform bundling: CNAPP module vs purpose-built platform
- If you already run a CNAPP like Wiz or Microsoft Defender for Cloud, its AI-SPM module gives you model inventory and posture findings inside the console you already use, cheaper incrementally, but shallower on runtime/agent depth. Purpose-built platforms go deeper on agent- and MCP-specific controls and OWASP LLM Top 10 coverage, but that's another console, another SIEM/SOAR integration, and another vendor relationship to maintain.
Consolidation risk is real and recent: Palo Alto Networks closed its $700M acquisition of Protect AI in July 2025 (folded into Prisma AIRS), Check Point agreed to acquire Lakera for $300M in September 2025, and Cisco acquired Robust Intelligence in 2024. A purpose-built point product you buy today can become one module in an acquirer's platform roadmap within a year, with pricing, support, and feature velocity set by the parent company, not the founding team. Ask directly whether the SKU you're signing is still a maintained standalone product or a legacy line being merged into the acquirer's platform.
Frequently asked questions
What is AI-SPM / Runtime Protection?
Posture management with live detection: who's running which model where, and whether anything is attacking it right now.
Which vendors lead AI-SPM / Runtime Protection coverage?
Noma Security, HiddenLayer, Protect AI cover the most OWASP LLM Top 10 risks in AI-SPM / Runtime Protection, by llmthreat's scoring, as of 2026-07-13. See the ranked table above.
What is the best AI-SPM / Runtime Protection tool for supply chain?
Noma Security leads AI-SPM / Runtime Protection for Supply Chain, by llmthreat's coverage scoring: Enterprises wanting one platform for AI/ML supply-chain posture, agent runtime protection and framework-mapped governance. Compare the full ranked list above.