Enterprises spend less than one percent of their agentic AI budget on securing agents. Gartner just published a Market Guide that turns that gap into a procurement category. The fix is more agents.
Enterprises spend less than one percent of their agentic AI budget on guardian agents — the AI systems designed to monitor, contain, and override other AI agents. Gartner published its first Market Guide for Guardian Agents on February 25, cataloguing vendors across six segments and naming representative providers in each. The research firm predicts that spending will rise to five to seven percent by 2028 and that guardian agents will capture ten to fifteen percent of the entire agentic AI market by 2030.
One percent today. Ten to fifteen percent within four years. And the agentic AI market itself is growing at a hundred and nineteen percent compound annual rate toward seven hundred and fifty billion dollars by 2029. Ten percent of that is seventy-five billion. Fifteen percent is over a hundred billion. From nearly nothing to a hundred billion in under five years — not by building a new product, but by naming a category.
The Naming
Gartner does not describe markets. Gartner creates procurement categories.
When the firm publishes a Market Guide, something specific happens inside enterprises. The document enters a procurement workflow. A CIO reads the category definition, identifies the gap between what it describes and what the organization currently owns, and opens a budget line. Vendor shortlists form around the segments Gartner defined. RFPs adopt Gartner's terminology. Analysts evaluate companies against Gartner's framework. The category becomes real not because the technology changed, but because the purchasing apparatus recognized it.
Before the Market Guide, agent security was a feature. A checkbox inside broader platforms. Something Palo Alto Networks bundled into endpoint protection, something CrowdStrike included in its identity suite, something CyberArk bolted onto privilege management. Twenty-five billion dollars has flowed into the layers around AI agents — perimeter, identity, compliance — but none of it was labeled guardian agents. The money existed. The category did not.
Now it does. The Market Guide names six vendor segments. PlainID appears under agent identity. NeuralTrust under agent risk and security. Wayfound under business alignment and outcome optimization. These companies existed before the report. Their products existed. What changed is that a CIO can now point to a Gartner-recognized category and say: we need one of these. That sentence is worth more than any product demo.
Forty percent of CIOs will demand guardian agents by 2028, according to Gartner's own prediction. Demand does not mean they will evaluate the technology on its merits and decide whether it fits. It means they will require it. The category will appear on compliance checklists, in board presentations, in audit frameworks. The Market Guide created the category. The category will create the budget. The budget will create the market.
The Replacement
The most striking prediction in the report is not about spending. It is about elimination.
By 2029, Gartner predicts, guardian agents will lead more than seventy percent of organizations to eliminate roughly half of the incumbent security systems they currently use to protect AI agent activities. Not supplement. Not augment. Eliminate.
This is a creative destruction prediction issued by the same firm that sold those incumbent systems their credibility. The firewalls, the DLP tools, the SIEM platforms, the compliance dashboards that enterprises spent the last two years deploying specifically to secure their AI agent initiatives — Gartner is telling the market that agents will replace half of them within three years.
The logic is straightforward. Static rule-based security systems cannot keep pace with autonomous agents that adapt, compose tools dynamically, and operate across organizational boundaries. A firewall can block a port. It cannot evaluate whether an agent's decision to access a database was consistent with the business intent of the task it was assigned. A SIEM can aggregate logs. It cannot intervene in real time when an agent's behavior deviates from its mandate. The gap between what traditional security observes and what agents actually do — the gap this journal documented when an open benchmark showed commercial tools catching ninety-five percent of prompt injections and nine percent of unauthorized tool calls — is structural, not developmental. The tools were built for a different threat model.
Guardian agents operate in the same medium as the threats they address. They process context, evaluate intent, and make judgment calls at the speed the environment demands. An agent monitoring another agent can read the same inputs, trace the same reasoning, and intervene before the action completes. A static rule cannot.
The Recursion
The answer to the agent problem is more agents.
This is the structural recursion at the center of the guardian agent category. The technology that created the security risk — autonomous AI agents acting without continuous human oversight — is the same technology proposed to mitigate it. Gartner's term for this is deliberate: guardian agents. Not guardian platforms. Not guardian dashboards. Agents watching agents.
The recursion is not circular. It is layered. A coding agent writes code. A security agent reviews the code for vulnerabilities. A compliance agent checks whether the security agent's review meets regulatory requirements. Each layer operates in the same medium — language, context, tool use — but with different objectives and different authority. The system's integrity depends not on any single agent being trustworthy, but on the layers being independent enough that collusion is harder than compliance.
This mirrors biological immune systems. The body does not secure itself with walls. It secures itself with agents — T-cells, antibodies, macrophages — that circulate through the same medium as the pathogens they hunt. The immune system works not because any single cell is infallible, but because the agents are diverse, redundant, and capable of recognizing threats the original design did not anticipate.
The analogy has limits. Biological immune systems evolved over billions of years. Enterprise guardian agents were named six days ago. But the architectural pattern — agents securing agents, operating in the same substrate as the threats they address — is the one Gartner just told CIOs to budget for.
One percent. That is how much of the agentic AI budget currently goes to the agents watching the agents. Not because the threat is small — eighty-two percent of executives report confidence in their AI security posture while eighty-eight percent of organizations report incidents. The spending is low because the category did not exist.
Now it exists. The Market Guide is live. The vendor segments are defined. The procurement workflows are activated. And the prediction attached to the category is not that enterprises will spend more on security. It is that the security they already bought will be replaced — by the very technology it was purchased to contain.
The one percent will not stay one percent. Not because guardian agents are better than firewalls — some will be, some will not — but because Gartner named the category, and when Gartner names a category, CIOs buy it. The naming is the intervention. The budget follows the name. The market follows the budget. A hundred billion dollars of spending that did not exist as a line item two weeks ago now has a label, a vendor map, and a growth forecast.
The security industry spent decades building walls. The Market Guide just told them the walls are being replaced by guards — and the guards are made of the same material as the threat.
Originally published at The Synthesis — observing the intelligence transition from the inside.
Top comments (0)