New Features - Prisma AIRS - November 2025

Prisma AIRS supports AI Agent Discovery to track enterprise AI agents you create using simple, no-code/low-code tools provided by cloud providers. Think of this process by creating an inventory and a security guard for your AI bots (or, agents ); these processes are built on cloud platforms like AWS Bedrock and Azure AI Foundry/Open AI.

AI Agent Discovery addresses two main objectives:

• Determine what AI agents exist. This part of the process, referred to as configuration discovery, involves finding the blueprint of each agent, including its name, description, the brain (Foundation Model) it uses, what it knows (Knowledge Bases), and what it can do (Tools).

• Determine how the AI agents are used . This part of the process, referred to as runtime interactions, involves watching the agent while it's working to see if it talks to another agent, uses a tool, or asks its brain (model) a question. This is primarily supported for AWS agents using their activity logs.

AI Agent Discovery supports SaaS and enterprise AI agents. With this functionality you can discover agents from an onboarded cloud account and secure them using the AI Runtime API Intercept workflow.

Note: At this release, only AWS Bedrock agents and Azure AI Foundry Service (and Azure OpenAI Assistants) are supported.

You can delete historical discovery data for cloud accounts in Prisma AIRS to meet data compliance requirements when you need to remove collected asset information, flow logs, and audit logs from your environment. This feature addresses regulatory compliance scenarios where you must permanently remove specific data sets while maintaining operational security coverage. When you initiate discovery data deletion, the system validates your request and places the cloud account in an inactive state to prevent new data collection while a background process removes all associated data from storage systems and discovery databases.

The deletion process handles firewall deployments differently based on their deployment method. Manually-deployed firewalls continue inspecting traffic during data deletion, ensuring uninterrupted security coverage, while auto-deployed firewalls stop traffic inspection as the system undeploys them. You must manually delete the Terraform template associated with the cloud account regardless of deployment type. For auto-deployed firewalls, deleting the Terraform template removes the firewall from your deployment, whereas manually deployed firewalls require separate removal since only the template is deleted. The deletion process runs asynchronously to maintain system performance, during which you cannot modify account settings or enable additional monitoring features.

Prisma AIRS maintains audit timestamps throughout the deletion process to track when deletion was requested and completed, providing the visibility needed for compliance reporting and data lifecycle management activities. Once deletion completes, the account remains inactive and no longer collects data until you manually reactivate it through the cloud account interface in Strata Cloud Manager.

You can use Multi-Cloud Security Fabric (MSF) Deployment to fully automate the deployment of AIRS and VM-Series firewall instances along with the complete networking infrastructure required for traffic redirection across your cloud environments. This feature eliminates the manual complexity of creating security VPCs in AWS or VNets in Azure, configuring load balancers, setting up subnets, and orchestrating cloud-native routing elements that was previously required when using basic Terraform templates from Strata Cloud Manager.

The automation handles multiple traffic flow scenarios including east-west flows within VPCs or VNets, between VPCs in single regions, across different regions in the same or multiple clouds, and north-south flows for internet egress traffic. You can deploy firewalls in any region regardless of where your applications are located, and the system automatically establishes the necessary tunnels, route tables, and cloud-native elements to ensure traffic reaches the appropriate firewall instances for inspection.

You benefit from this feature when you need to secure complex multi-cloud architectures without investing significant time in manual network configuration. The automated deployment reduces the risk of configuration errors that can occur when manually setting up VPC peering, transit gateway routing, and cross-account connectivity. You can redirect traffic from discovered applications with minimal clicks while maintaining visibility into all orchestration changes through both cloud dashboards and SCM.

The feature supports both new deployments where new security infrastructure is created and existing environments where you can integrate existing VM-series firewalls into the automated traffic paths. You maintain control over the deployment process with options to opt out of automatic networking setup if you prefer to handle routing configuration manually or if you have existing networking arrangements that should remain unchanged.

You can initiate deployments either from the Cloud Asset Map page where application context is automatically populated, or through the traditional deployment interface where you manually specify source and target details. The system minimizes traffic disruption by establishing tunnels before modifying route tables and provides end-to-end path tracing capabilities to validate traffic flows before and after firewall insertion.