Palo Alto Networks — Prisma AIRS 3.0 adds agent artifact security

AI relevance: Scanning agent code, MCP servers, and skills for unsafe permissions and indirect injection paths targets the actual execution fabric of agentic systems, not just model prompts and outputs.

• Palo Alto Networks is repositioning Prisma AIRS 3.0 from AI-app protection toward a broader agent security platform spanning discovery, assessment, and runtime control.
• The headline feature is Agent Artifact Scanning, which extends model scanning into agent code, MCP servers, and skills to look for unsafe permissions, hidden vulnerabilities, and indirect injection paths.
• That matters because the dangerous part of agentic AI is rarely just the prompt — it is the tooling layer that decides what an agent can touch, call, modify, or chain together.
• Prisma AIRS 3.0 also expands visibility across cloud agents, SaaS agents, browser-based agents, and endpoint agents, including developer-side coding agents that often sit outside traditional security inventories.
• The company says its AI Agent Gateway will act as a control plane for tool calls, model access, external connections, governance, and observability.
• Agent Identity Security is meant to give each agent a governed identity with attributable permissions, which is the right direction for a world where agents act on delegated access rather than static service accounts alone.
• Palo Alto also positions Agent Red Teaming as a multi-agent simulation layer for testing tool misuse and manipulated inputs before deployment.
• The product language is a blunt market signal: vendors now assume enterprises need security controls for what AI does at runtime, not merely for what AI says in chat.

Why it matters

• Security teams already know how to scan models and prompts; the harder problem is securing the plugins, skills, MCP servers, identities, and endpoint actions that make agents useful.
• By explicitly naming indirect injection paths and unsafe permissions, Palo Alto is acknowledging that agent risk lives in composition — how tools, data, and authority connect — not in one isolated component.
• Even if the marketing is ambitious, the feature direction is real: agent governance is becoming its own product category inside enterprise security stacks.

What to do

• Inventory agent artifacts: Track agent codebases, MCP servers, skills, plugins, and browser/endpoint automations as first-class assets.
• Test for indirect injection: Red-team how malicious tool output, poisoned context, and misleading metadata affect downstream agent actions.
• Bind identity to action: Give agents narrowly scoped permissions with logs that clearly attribute tool calls and system changes.
• Secure developer endpoints: Coding agents on laptops and workstations are part of the AI control plane now, not just “local dev tooling.”

Sources

• Palo Alto Networks — Securing the AI Enterprise: Prisma AIRS 3.0
• PR Newswire — Palo Alto Networks Secures Agentic AI with Prisma AIRS 3.0
• Help Net Security — Prisma AIRS 3.0 closes visibility gaps in autonomous AI systems