Your AI control plane. Safely scale AI across your org. Connect, secure, and monitor AI in real time. Every MCP, skill, CLI and agent session governed.
"AI security" means something different depending on who's selling it.
Legacy infrastructure vendors are extending existing products to cover AI sessions at the network and endpoint layers. Purpose-built tools are emerging at the application layer to govern model calls and tool calls directly. Both ship under the same label, but they don't cover the same thing.
AI security spans five layers: identity and access, endpoint and device, network and infrastructure, application and AI, and data. Traditional security tools cover the first three, but not the application and AI layer. This means they can't see prompts, tool calls, or what an agent does after a model responds.
This is where the new risk concentrates. A developer running Claude Code against a production database without hooks or an MCP gateway generates activity that never reaches the SIEM, never appears in EDR, and is invisible to every security tool in a standard enterprise stack. The agent acts, and nothing in the existing infrastructure records that it did.
The products most enterprises already own have expanded their "AI security" coverage, but at the endpoint and network layers, not the application and AI layer where the risk actually lives.
We wrote a breakdown of all five layers and where legacy vendor coverage ends: https://t.co/N9y4vx85gl
Uber had 84% of its developers using agentic coding tools daily by early 2026. A single background agent was generating 1,800 code changes per week, used by 95% of the engineering org.
None of that was possible without AI governance infrastructure. Before they built it, engineers were connecting AI tools directly to internal services with no visibility, no authorization, and no way to trace an agent's actions back to a human. The governance layer wasn't optional. It was the prerequisite for scaling.
What they built: an LLM gateway with PII redaction on every call, an MCP gateway and registry across 10,000+ internal services, and an agent identity system that cryptographically attests every participant in a multi-agent workflow. Three layers, handling 60,000 agent task executions per week.
What it cost: years of platform engineering, a dedicated Agentic AI Platform team, and deep integration with infrastructure most companies don't have. They extended an existing SPIRE deployment, an existing authorization service, and their own inference stack. These foundations took years to build before AI was even relevant.
Uber proved the architecture works. They also proved it takes a significant fraction of a platform engineering org to build it from scratch.
The Speakeasy AI control plane is that same architecture, available as a product. The four problems Uber's multi-year investment was designed to solve (governed MCP access, user-scoped agent identity, real-time data protection, and auditable logs on every interaction) are the four problems we solve out of the box.
We wrote more on this here: https://t.co/xV5Cfuxv2I
Before you roll agents out across a company, you have to be able to answer three questions: what is the agent reading, what is it connected to, and what data can it move.
This month we shipped the features that answer them, expanding the security layer of the Speakeasy AI control plane.
• Prompt Injection Detection: catch malicious instructions hidden in anything your agent reads, before they execute
• Shadow MCP Detection: every MCP server mapped to its real endpoint and checked against your approved list at session start
• MCP Server Approval Workflows: one-click access requests, approve org-wide or project-wide, policies inherited automatically
• Data Loss Prevention: detect secrets, PII, financial, and healthcare data, and flag or block it before it leaves the session
Every check runs in real time, on every message in and out of your agents. More to come.
Roughly every decade, a new layer of enterprise infrastructure transitions from "early adopters only" to "you're behind if you don't have this."
The transition usually happens faster than most organizations predict, and the catch-up cost for late movers is higher than the investment would have been earlier.
Cloud is the clearest recent example. In 2016, running compute on your own servers was still normal. By 2020, not having a cloud strategy well underway was a major red flag. The teams that waited for the transition to be obvious paid more to catch up than the ones that moved when the signal was clear but not yet loud.
The AI control plane is in a similar early window. The case for it is clear to organizations running AI agents in production. Most have no consistent way to connect every AI tool to the systems that matter, control who can use what, secure what flows through, or observe whether the investment is even working. Those are the four functions of the control plane, and without them, enablement and governance stay in permanent tension.
The difference from the cloud transition is that the forcing function isn't gradual operational pressure. It's usually a specific security or compliance event.
Which means organizations don't see it coming until it arrives.
We wrote about what this transition looks like and why the timing matters here: https://t.co/Qickm4IKyI
The organizations that deployed an LLM gateway two years ago made the right call.
Having a centralized proxy for model calls, unified credential management, and cost logging across providers was the right infrastructure for what they were running.
The surface has since expanded. Agentic workflows, MCP, coding assistants generating shell commands and file edits, background agents running scheduled jobs against production APIs: the LLM gateway only sees pieces of it.
The gateway still does what it always did. It just covers a shrinking fraction of what's actually happening.
The common progression we see is gateway first, MCP governance when the tool-call blind spot becomes painful, identity because policy without attribution isn't enforcement, then a shared policy foundation to make the components function as a system.
That sequence works. It just takes 18 months and a few incidents to get there.
We want to help organizations skip the progressive discovery of each gap and get to full coverage directly.
We are deeply honored to accept the award for Most Confusing AI Billboard in San Francisco!
Honestly, with the level of competition this year, we never thought we'd win. The other nominees had experience, large budgets, and, in some cases, actual marketing teams.
Claude Code, Cursor, Codex, and VS Code Copilot all expose dozens of hook events. But if you're standing up AI governance this quarter, you only need to know about four. They are the basis of your AI governance posture.
1. UserPromptSubmit. Fires when a developer submits a prompt. Scan for secrets pasted out of .env files. Redact PII before it hits the model. This is your inbound chokepoint.
2. PreToolUse. Fires before any tool call executes. Block dangerous shell commands. Gate MCP calls. Scope file writes. This is your outbound action control.
3. PostToolUse. Fires after a tool returns its result. The command might be fine. The output might not be. cat .env is harmless. What comes back is the exfiltration risk. This is response auditing.
4. SessionEnd. Fires when the agent finishes. Ship the full transcript to a central store. "Find every session that touched the customer database last quarter" becomes a query, not a forensic investigation.
Start with these four. Wire them into a central event feed. Everything else is an optimisation on top of a foundation that already works.
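Here is what those four hooks look like wired to a single script. This is an added example, not Speakeasy's or Anthropic's code, and it is written against the Claude Code hook contract as we understand it: each event arrives as JSON on stdin carrying hook_event_name, session_id, prompt, tool_name, tool_input, tool_response and transcript_path; MCP tools are named mcp__<server>__<tool>; and exit code 2 blocks the prompt or tool call and hands stderr back as the reason. Check those field names and exit-code semantics against the current hooks documentation before relying on them. APPROVED_MCP_SERVERS, AUDIT_DIR and the secret and shell patterns are hypothetical policy inputs you would replace with your own.

```python
#!/usr/bin/env python3
"""One governance hook for the four Claude Code events: UserPromptSubmit,
PreToolUse, PostToolUse, SessionEnd. Claude Code pipes the event to stdin as
JSON; exiting 2 blocks the action and returns stderr as the reason (assumed)."""
import json
import os
import re
import shutil
import sys

# Hypothetical policy inputs. In production these come from the control plane.
APPROVED_MCP_SERVERS = {"github", "filesystem"}
AUDIT_DIR = os.environ.get("GOVHOOK_AUDIT_DIR", "/var/log/agent-sessions")

SECRET_PATTERNS = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "credential_assignment": re.compile(
        r"(?i)(api[_-]?key|secret|token|password)\s*[=:]\s*['\"]?[A-Za-z0-9_\-/+]{16,}"),
}
DANGEROUS_SHELL = [
    re.compile(r"\brm\s+-[a-zA-Z]*r[a-zA-Z]*\s+/(\s|\*|$)"),  # rm -rf / or /*
    re.compile(r"\bcurl\b.*\|\s*(ba|z)?sh\b"),                # curl ... | sh
    re.compile(r"\bDROP\s+(TABLE|DATABASE)\b", re.IGNORECASE),
    re.compile(r">\s*/dev/sd[a-z]"),                          # clobber a disk
]
PROTECTED_FILES = re.compile(r"(^|/)\.env(\.|$)|/\.ssh/|/\.aws/")

def find_secrets(text):
    """Names of the secret patterns present in text, sorted for stable output."""
    return sorted(name for name, rx in SECRET_PATTERNS.items() if rx.search(text))

def check_prompt(event):
    """UserPromptSubmit, the inbound chokepoint: refuse prompts carrying secrets."""
    hits = find_secrets(event.get("prompt", ""))
    if hits:
        return False, "prompt contains credential material: " + ", ".join(hits)
    return True, "ok"

def check_pre_tool_use(event):
    """PreToolUse, outbound action control: shell, MCP server, and file writes."""
    tool = event.get("tool_name", "")
    tool_input = event.get("tool_input") or {}
    if tool == "Bash":
        cmd = tool_input.get("command", "")
        if any(rx.search(cmd) for rx in DANGEROUS_SHELL):
            return False, "blocked dangerous shell command: " + cmd
    elif tool.startswith("mcp__"):
        # Claude Code names MCP tools mcp__<server>__<tool>; gate on the server.
        server = tool.split("__")[1] if tool.count("__") >= 2 else ""
        if server not in APPROVED_MCP_SERVERS:
            return False, "MCP server not on the approved list: " + (server or tool)
    elif tool in ("Write", "Edit"):
        path = tool_input.get("file_path", "")
        if PROTECTED_FILES.search(path):
            return False, "write to protected file refused: " + path
    return True, "ok"

def check_post_tool_use(event):
    """PostToolUse, response auditing: the command was fine, was the output?"""
    resp = event.get("tool_response", "")
    text = resp if isinstance(resp, str) else json.dumps(resp)
    return find_secrets(text)

def archive_transcript(event, audit_dir=AUDIT_DIR):
    """SessionEnd: copy the transcript to the central store, keyed by session id."""
    src = event.get("transcript_path")
    if not src or not os.path.exists(src):
        return None
    os.makedirs(audit_dir, exist_ok=True)
    dest = os.path.join(audit_dir, event.get("session_id", "unknown") + ".jsonl")
    shutil.copy2(src, dest)
    return dest

def handle(event):
    """Dispatch on hook_event_name and return (exit_code, message)."""
    name = event.get("hook_event_name")
    if name in ("UserPromptSubmit", "PreToolUse"):
        ok, why = (check_prompt if name == "UserPromptSubmit" else check_pre_tool_use)(event)
        return (0 if ok else 2), why
    if name == "PostToolUse":
        hits = check_post_tool_use(event)
        return (2, "tool output contains secrets: " + ", ".join(hits)) if hits else (0, "ok")
    if name == "SessionEnd":
        dest = archive_transcript(event)
        return 0, ("archived to " + dest) if dest else "no transcript to archive"
    return 0, "unhandled event"

def main():
    code, msg = handle(json.load(sys.stdin))
    if code:
        print(msg, file=sys.stderr)  # surfaced as the block reason
    sys.exit(code)

if __name__ == "__main__":
    main()
```

Register the same script under each of the four event names in .claude/settings.json as a "command" hook (the exact settings layout is an assumption here; a matcher such as Bash|Write|Edit|mcp__.* on PreToolUse keeps it off tools you don't govern). Every check then lands in one file that emits to one place, and the SessionEnd copy is what turns "which sessions touched the customer database" into a search over a directory instead of a forensic reconstruction.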
In our latest video, @dagsen scours the great city of San Francisco looking for its most confusing AI billboard. Then he gives the winner a trophy.
00:26 The rules
00:48 Telnux
01:12 The tier breakdown
01:34 Lambda, Slash, Omneky
02:15 Asking the public
02:46 Framer
03:09 Campfire
03:43 Atlassian Rovo, ChatGPT, and Codex
04:30 Asking the public about Vercel's billboard
05:07 SF's gold rush history and Google Gemini
05:42 Replit
06:03 Airwallex
06:22 Vanta
06:37 Apollo
07:08 Corgi
07:31 Stripe
07:58 Speakeasy
08:24 Mercury
08:40 Deel
08:57 Asking the public about Graphite
10:18 https://t.co/9mAE9NVgVM
10:37 Awarding our Most Confusing trophy
We built @dubdotco to be agent-friendly from the get-go:
• Markdown-friendly API docs (h/t @mintlify)
• AI-powered support center
Today, we're taking this to the next level with the launch of our official MCP server, powered by @speakeasydev
@LaunchDarkly launched AgentControl today: runtime control for AI agents in production, with configuration changes that propagate in under 200ms, fast enough to reroute a model or trigger a fallback mid-conversation.
LaunchDarkly partnered with Speakeasy to build the MCP server that lets AI agents interact with AgentControl programmatically: creating flags, configuring targeting rules, managing rollouts. The same workflows human developers rely on, now accessible to agents.
What surprised them was how quickly it became useful internally. Their own engineers started using it daily to clean up stale flags accumulated over years. What was scoped as a customer-facing product became infrastructure for their own team.
Benjamin Woskow, their Senior Director of Engineering, said their takeaway was that building the MCP server wasn't the hard part. Keeping it production-grade as the protocol evolves is where the overhead accumulates. Speakeasy owns that layer so they don't have to.
The full story: https://t.co/F4bQl0X3Xl
11/10 would recommend @speakeasydev as well
We were actually one of the earliest Stainless beta testers at @dubdotco, but ended up switching to Speakeasy for several reasons:
1. Generated SDKs were of much better quality
2. Supreme DX & docs
3. World-class support from the team
Switch to Speakeasy today, your engineers/users will thank you
Speakeasy is a no brainer.
We absolutely love everything they do, and they're worth every penny we pay them each year.
Shoutout to @sagar_batchu and the whole crew.