Drata launches AI agent governance for enterprises

Drata has launched AI Agent Governance for enterprise customers, extending its trust management platform to oversee AI agents.

The launch follows growing customer scrutiny of how companies monitor and control AI tools inside their organisations. Analysis of 2.1 million security questions processed through Drata's platform over the past nine months found that AI-related questions rose by more than 30%.

Drata is positioning the issue as a new security category emerging from the spread of AI agents across large organisations. Buyers, auditors and internal governance teams are increasingly asking businesses to show which agents are running, what they are allowed to do, whose identity they use, whether they behave as intended, and whether those controls can be evidenced.

According to Drata, most vendors are struggling to answer those questions. It said 89% of organisations leave the most important category unanswered: whether they can prove what their AI agents actually did.

Growing scrutiny

The launch comes as companies face pressure to move AI projects from experimentation into operational use while satisfying internal controls and external reviews. Drata cited McKinsey research showing that 57% of business leaders see governance friction as the main barrier to deploying more AI.

That has implications beyond internal risk teams. Security reviews are a standard part of enterprise procurement, and suppliers are increasingly being asked to document their use of AI and the guardrails around it before contracts are approved.

Nils Puhlmann, co-founder of Cloud Security Alliance and former chief security officer of Twilio, Navan and Zynga, described a shift in the nature of those reviews.

"When enterprise customers conducted security reviews in the past, the conversation centered on which frameworks we were certified against, how we managed our security posture, and what our third-party risk profile looked like. However, over the past few months, an entirely new category of questions has emerged, focused on which AI agents are running and how they are governed. Answering those questions confidently is impossible with today's technology; anyone who solves that problem is solving for the future of enterprise trust," said Puhlmann.

How it works

The product is designed to help security teams identify AI agents operating in their environment, assign ownership, track identities and permissions, and create an evidence trail for reviews by boards, auditors, customers and regulators.

Once integrated, the system uses inline sensors to discover agents created by employees across the organisation, including tools that may have been deployed without central oversight. It then maps each agent to its owner, identity, permissions and scope.

From there, actions are checked against individual policy rules in real time. Policy breaches are blocked before execution, and deviations are flagged as they occur. Each decision is recorded in a tamper-evident log intended to support later review.

The product is in early access with customers in financial services, healthcare and software. Drata says more than 8,500 organisations use its broader trust management platform.

Next security layer

Adam Markowitz, chief executive officer and co-founder of Drata, said the company sees AI agents creating a new market for oversight software, much as previous computing shifts created specialist security vendors.

"Every major technology wave creates a security wave, and the security wave never starts with the platform vendor. Where endpoint created CrowdStrike and cloud created Wiz, we are now in a world where AI agents are creating a technology wave that requires a security layer to support its growth. We have spent five years building the trust layer between great companies and helping our customers prove trust faster through agentic workflows. Extending the platform to govern agents themselves is the next required step, and Drata is uniquely positioned with the platform data and the policies, controls, risk, monitoring, and remediation actions to do it credibly," said Markowitz.

Drata's argument rests partly on visibility into its existing customer base and the volume of security questionnaires moving through its platform. By treating those interactions as a signal of buyer concern, the company is betting that AI governance is becoming a routine requirement in enterprise software deals rather than a niche compliance issue.

For businesses adopting AI agents, the challenge is no longer limited to experimentation or productivity gains. Increasingly, it is whether they can show who deployed the tools, what authority they hold, and what record exists of their actions.