Protect Agents Using API Intercept

Learn how to protect agents using API Intercept in Prisma AIRS.
Where Can I Use This? What Do I Need?
  • Prisma AIRS AI Runtime Security
AI Agent Discovery allows you to discover agents from an onboarded cloud account and secure them using the AI Runtime API Intercept workflow. With the API intercept workflow, you protect applications using REST APIs by embedding Security-as-Code directly into source code.
The APIs protect your AI models, applications, and datasets by programmatically scanning prompts and models for threats, across both public and private models. Because the design is model-agnostic, the APIs integrate with any AI model regardless of its architecture or framework, which gives consistent security across diverse AI models without any model-specific customization. For more information, see the API Intercept Overview page.
Complete the following steps before using Strata Cloud Manager to view and configure enterprise agents for AI Agent Discovery:
  1. Onboard and activate your Prisma AIRS AI Runtime API intercept in Strata Cloud Manager.
    This process allows you to activate an AUTH key to retrieve an API key and the sample code template you can embed in your application to detect threats. Once you've onboarded and activated API Intercept, you can create an API security profile to enforce security policy rules.
  2. Create and configure an API security profile.
After completing these steps, you can use AI Agent Discovery for your enterprise AI agents.

Use Strata Cloud Manager to View and Configure Enterprise Agents

To view and configure Enterprise Agents using Strata Cloud Manager:
  1. In SCM, select Insights > AI Agent Security > Enterprise Agents.
    The All Agents page appears. Use this page to view models, tools and knowledge bases. From this page, you can:
    • View all the Enterprise Agents that have been onboarded.
    • View details for each Enterprise Agent; point your cursor to the agent for additional information.
    • Filter the view based on a specific time frame (for example, past 24 hours).
    • Manage APIs. With this option, you can manage added agents, added API keys, added security profiles, or manage custom topics.
    • View potential threats.
  2. If an agent has a deployment profile that has not been activated, you can activate it. Select the agent, then click the + icon to display the Activate Deployment Profile.
  3. In the Onboard API Account page, select the radio button next to the profile, then click Next.
    After you activate the deployment profile, you can create a security profile if one hasn't been configured. Refer to this page for more information.
  4. In the Create Security Profile page:
    • Enter a Security Profile Name.
    • Select the AI Model Protection options you want to use.
    • Click Create Profile.
  5. In the Add Application (Agent) page:
    1. Enter an Application Name.
    2. Select the Cloud Provider. This field represents the cloud where the AI application is running.
    3. Select the Environment where the AI application is running. For example, PROD, Staging, or QA.
    4. Select the AI Agent Framework; this field is associated with the Cloud Provider. For example, if you selected AWS as the Cloud Provider, this field will be set to AWS Agent Builder.
    5. Select the Deployment Profile.
    6. Configure the Security Profile; you can use this option to link to an existing security profile, or choose which profile to use in your app code. Use the slider to link or unlink the profile.
    7. Click Next.
  6. In the Input API Details page:
    1. Enter the API Key Name. This field represents the name of the API key associated with the previously created AI application.
    2. Select the appropriate Rotation to set the rotation frequency of the created API key.
    3. Click Generate API key.
    After you generate the API key, you can integrate the AIRS API into your application.
    When AI agents exist in the unprotected state, they are displayed in the All Agents dashboard.
    If you select an AI agent in the unprotected state, you can use the dashboard to activate it (see Step 3 above).
    When an AI agent exists in the protected state, it is displayed in the All Agents dashboard. This view illustrates the protected threats and associated models, tools and knowledge bases.
    When AI agents exist in both the protected and unprotected state, the All Agents dashboard changes to show the status of both agents.

Important Considerations When Using the Prisma AIRS AI Runtime API

In addition to using Strata Cloud Manager to configure elements of AI Agent Discovery, you can also leverage the Prisma AIRS AI Runtime API to help discover and protect applications using REST APIs. Refer to the API reference documentation for more information.
There are a few important things to consider when using APIs for Agent Discovery:
  • An API key created for one cloud account cannot be used in another cloud account.
  • There are agent metadata requirements for:
    • AWS: all 3 agent metadata fields are required.
    • Azure: only the agent_id field is required.
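
The following sketch is an added example, not Palo Alto Networks sample code: it shows the intercept pattern in application code, checking the per-cloud agent metadata rule above before each scan and failing closed when a scan is blocked or unavailable. Assumptions: the payload and verdict shapes and the field names other than agent_id (`agent_version`, `agent_arn`, `agent_meta`, `ai_profile`, `action`) must be checked against the API reference, and `scan` is a hypothetical callable that sends the request with the API key generated for that cloud account.

```python
# Added example: request/verdict field names other than agent_id are assumptions.
REQUIRED_AGENT_META = {
    "aws": ("agent_id", "agent_version", "agent_arn"),  # assumed names for the 3 fields
    "azure": ("agent_id",),
}


class ScanBlocked(Exception):
    """Raised when the prompt or response must not be passed on."""


def missing_agent_meta(cloud, agent_meta):
    """Return the required agent metadata fields that are absent or empty."""
    required = REQUIRED_AGENT_META.get(cloud.lower())
    if required is None:
        raise ValueError(f"no metadata rule known for cloud {cloud!r}")
    return [f for f in required if not str(agent_meta.get(f) or "").strip()]


def build_scan_request(profile_name, cloud, agent_meta, prompt, response=None):
    """Build the scan payload, refusing to send incomplete agent metadata."""
    missing = missing_agent_meta(cloud, agent_meta)
    if missing:
        raise ValueError(f"{cloud} agent metadata missing: {', '.join(missing)}")
    content = {"prompt": prompt}
    if response is not None:
        content["response"] = response
    return {
        "ai_profile": {"profile_name": profile_name},
        "metadata": {"agent_meta": dict(agent_meta)},
        "contents": [content],
    }


def guarded_completion(prompt, model, scan, profile_name, cloud, agent_meta):
    """Scan the prompt, call the model, scan the response; fail closed throughout."""
    def check(**kw):
        req = build_scan_request(profile_name, cloud, agent_meta, **kw)
        try:
            verdict = scan(req)
        except Exception as exc:  # timeout, auth failure, malformed reply
            raise ScanBlocked(f"scan unavailable, failing closed: {exc}") from exc
        if not isinstance(verdict, dict) or verdict.get("action") != "allow":
            raise ScanBlocked(f"blocked by profile {profile_name!r}")
    check(prompt=prompt)
    answer = model(prompt)
    check(prompt=prompt, response=answer)
    return answer
```

A missing metadata field surfaces as a `ValueError` (a configuration error to fix before deployment), while a block verdict or scan failure surfaces as `ScanBlocked`, so the model output is never returned unscanned.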