Drata has expanded its trust management platform to cover governance of enterprise AI agents. The new product is in early access for customers in financial services, healthcare and software.
The move follows rising AI-related scrutiny during security reviews. Data from more than 2.1 million security questions processed through Drata's platform over the past nine months showed AI-specific questions rose by more than 30%, making them the fastest-growing category in enterprise procurement.
Buyers are increasingly asking five related questions: which AI agents are running, what they are allowed to do, who they run as, whether they are behaving as expected, and whether a company can prove those controls. Most organisations struggle to answer them, and Drata said 89% of vendors leave this category of queries unanswered.
The product is aimed at security teams trying to track AI agents employees have introduced into business systems, including tools that may not be centrally approved. Drata said its system creates an inventory of agents in use and maps each one to an owner, identity, permissions and scope.
It also monitors actions against policy rules in real time, blocks violations before execution and records decisions in what Drata described as a tamper-evident audit trail. The company said that evidence can then be used for boards, auditors, customers and regulators.
The launch marks a broader push by Drata to expand beyond compliance automation and security reviews into AI governance inside large organisations. The company, which says it serves more than 8,500 organisations, has built its business around helping customers gather evidence for audits and respond to trust and risk questionnaires.
Research cited by Drata points to wider demand for such tools. McKinsey has found that 57% of business leaders see governance friction as the main obstacle to wider AI deployment, suggesting adoption is moving faster than oversight in many companies.
Growing scrutiny
Security reviews have traditionally focused on certifications, security controls and third-party risk. That is changing as procurement teams and enterprise customers ask more detailed questions about autonomous systems operating inside suppliers' environments.
One industry figure said the shift has become noticeable in recent months.
"When enterprise customers conducted security reviews in the past, the conversation centered on which frameworks we were certified against, how we managed our security posture, and what our third-party risk profile looked like," said Nils Puhlmann, Co-Founder of Cloud Security Alliance and former Chief Security Officer of Twilio, Navan and Zynga.
"However, over the past few months, an entirely new category of questions has emerged, focused on which AI agents are running and how they are governed. Answering those questions confidently is impossible with today's technology; anyone who solves that problem is solving for the future of enterprise trust," Puhlmann said.
Drata is framing that shift as the emergence of a distinct enterprise security market. It argues that AI agents differ from earlier software tools because they can act with delegated identities and permissions, creating a need for more direct oversight of what they do and what data they can access.
Platform push
Drata's Chief Executive Officer linked the expansion to earlier shifts in cybersecurity spending tied to new computing models.
"Every major technology wave creates a security wave, and the security wave never starts with the platform vendor. Where endpoint created CrowdStrike and cloud created Wiz, we are now in a world where AI agents are creating a technology wave that requires a security layer to support its growth," said Adam Markowitz, Chief Executive Officer and Co-Founder of Drata.
"We have spent five years building the trust layer between great companies and helping our customers prove trust faster through agentic workflows. Extending the platform to govern agents themselves is the next required step, and Drata is uniquely positioned with the platform data and the policies, controls, risk, monitoring, and remediation actions to do it credibly," Markowitz said.
Drata has not disclosed pricing or broader availability. For now, the early-access rollout suggests it is testing demand for AI governance tools among regulated industries and software companies that face the heaviest customer due diligence.
The launch also underlines how AI adoption is widening the remit of governance, risk and compliance vendors, as customers seek ways to document not just whether they use AI, but how those systems are identified, restricted and monitored across the business.