From ‘Shadow AI’ To Agentic Anarchy, AI-SPM Is Key To Visibility: Experts

AI security posture management is about ‘providing you visibility into what [AI] technologies are being used and what the risk is around these technologies,’ says Orca Security CEO Gil Geron. Solution and service provider partners such as Trace3 are finding major opportunities in the space.

Whether it’s through the rush into AI agents or the continued advancement of GenAI and LLMs, the need for sophisticated security controls that can enable new productivity-enhancing applications is increasingly apparent.

But before security for AI models and applications is even possible, something else is needed first: Visibility. An often-stated mantra in cybersecurity—“you can’t protect what you can’t see”—is perhaps nowhere more relevant than in the massively complex and rapidly evolving world of AI technologies.

For solution providers looking to protect their customers, “inventory visibility is so critical” whether you’re talking about AI, cloud workloads or data—or frequently, some combination of the three, according to Kenny Parsons, cloud security team lead at Irvine, Calif.-based cybersecurity powerhouse Trace3.

To help meet this pressing need for AI visibility, Trace3 has partnered with Orca Security, which is among a growing list of vendors delivering security posture management (SPM) for AI.

After its founding in 2019, Orca was among a group of vendors that pioneered the concept of cloud security posture management (CSPM), a category that has seen explosive growth in recent years for its ability to provide rapid visibility into cloud environments. Bringing the concept to data with DSPM followed next.

Now, another major tool has entered the security posture management market—AI-SPM—and it’s proving to be another important piece of the puzzle for many Trace3 and Orca customers in need of a boost around visibility, executives and experts from the companies told CRN.

Admittedly, AI-SPM may sound like just another acronym in an industry already saturated with them. But the critical importance of AI for so many organizations—as well as the distinct challenges of visibility and security related to AI models and applications—suggests that it is in fact warranted.

AI-SPM in a nutshell is about “providing you visibility into what [AI] technologies are being used and what the risk is around these technologies,” Orca Security co-founder and CEO Gil Geron said. “When it comes to AI-SPM, we provide you the visibility of, ‘Which technologies are being leveraged? Where are they being leveraged—which environments? Who's been leveraging them?’”

Beyond that fundamental visibility, AI-SPM can then provide insight into any known risks around the AI technologies that the organization is using or thinking of adopting, Geron said.

After performing such an exercise using AI-SPM capabilities, it becomes immediately obvious why this is worthwhile, he said.

“What we’ve been seeing is that the AI sprawl is significant,” Geron said. “Engineers are pretty much trying everything and anything.”

For Trace3, there has been a substantial amount of interest among customers around gaining visibility into unsanctioned “shadow AI” usage, both from development teams and other employees using AI technologies, Parsons said.

A key reason why AI-SPM is so useful for this purpose, he said, is that the capabilities can help uncover the specific context of AI usage—something that’s essential for determining the actual risk involved.

Just like in cloud security generally, the context is king in AI, Parsons said.

“Knowing that context helps you know what the next step is,” he said.

Halting Agentic Anarchy

The emergence of AI agents, meanwhile, will only make AI visibility even more crucial, according to Ben Prescott, head of AI solutions at Trace3, No. 34 on CRN’s Solution Provider 500 for 2025.

With agentic, “now you have not just a user visibility and transparency challenge,” Prescott said. “Now you [have to know] what is the agentic solution itself actually planning and executing? And how do we understand what the right output is that is actually generating within that agentic workflow?”

The reality is that “we have a tool observability or visibility challenge that is growing much faster than we are solving for at this point in the agentic space,” he said. “My hopes are that SPM will provide value [in understanding], what are these agents doing in conjunction together? What scripts or processes are they executing? And how do we understand what the implications between the agents are?”

The bottom line, Prescott said, is that “we have to have increased visibility across the agentic tools.”

Other major names in the AI-SPM space include cybersecurity giants such as CrowdStrike, Palo Alto Networks, Zscaler and SentinelOne, as well as vendors originating in the CSPM world such as Wiz or the DSPM segment such as Cyera.

‘Don’t Have To Freak Out’

As much as there is value in highlighting that a similar approach to CSPM can be taken to gain AI visibility, it’s also important to note that AI-SPM is not a huge leap for organizations already utilizing CSPM, according to CrowdStrike CTO Elia Zaitsev.

“People hear the new term and they assume, ‘Oh no, I’ve got to go out and figure out a whole new solution,’” Zaitsev told CRN. “You should expect your existing cloud posture management providers to be developing and expanding for the new AI-based services.”

In other words, when it comes to AI-SPM, “this is one area where I think the CISOs will maybe feel a little bit better—that if they’ve already invested in that CSPM paradigm, they don’t have to freak out that there’s a whole new ecosystem out there, a whole new set of technologies [now required],” he said.

Meanwhile, “if you haven't invested already in cloud security posture management—and you're starting to go down that generative [and] agentic application road—this is the time to make sure you go take care of that basic hygiene.”