Prisma AIRS
Agent Discovery
Table of Contents
Expand All
|
Collapse All
Prisma AIRS Docs
Agent Discovery
Learn about Prisma AIRS Agent Discovery.
| Where Can I Use This? | What Do I Need? |
|---|---|
|
Prisma AIRS supports AI Agent Discovery to track enterprise and SaaS AI agents
you create using simple, no-code/low-code tools provided by cloud providers. Think of
this process by creating an inventory and a security guard for your AI
bots (or, agents); these processes are built on cloud platforms like AWS Bedrock
and Azure AI Foundry/Open AI.
AI Agent Discovery addresses two main objectives:
- Determine what AI agents exist. This part of the process, referred to as configuration discovery, involves finding the blueprint of each agent, including its name, description, the brain (Foundation Model) it uses, what it knows (Knowledge Bases), and what it can do (Tools).
- Determine how the AI agents are used. This part of the process, referred to as runtime interactions, involves watching the agent while it's working to see if it talks to another agent, uses a tool, or asks its brain (model) a question. This is primarily supported for AWS agents using their activity logs.
AI Agent Discovery supports SaaS and enterprise AI agents. With this
functionality you can discover agents from an onboarded cloud account and secure them
using the AI Runtime API Intercept workflow.
There are a few key points to consider when using AI Agent Discovery:
- The existing Prisma AIRS Discovery page is used for cloud account onboarding; you simply need to add additional permissions to use it. Consider the following:
- For new accounts, you'll need to onboard a cloud account if one is not present in the tenant.
- For existing accounts in an enabled state, you need to re-apply the Terraform to provide AI Agent Discovery access for existing onboarded accounts. This process updates the inline discovery permissions.
- For existing accounts in a disabled state (that is, cloud
accounts that are disabled), attempts to re-enable the account results
in failed validation. To resolve this issue, download and re-apply the
onboarding Terraform configuration. Ensure that the previous
tfstate file and the .terraform
directory from the last apply are present before proceeding.The onboarding scenarios outlined above are applicable to both AWS and Azure environments.
- Agents are discovered using the cloud provider’s API/SDK and data from the store bucket (for example, S3). This information is used to analyze invocation logs to generate a Sankey-style visualization in Strata Cloud Manager (SCM).
- Protection is enabled using Prisma AIRS AI Runtime API Intercept.
- Agent correlation determines whether an agent is protected, and understands the interactions. This process is achieved by analyzing storage logs and API scan logs from the log viewer in SCM. These logs include both agent IDs and asset IDs, which are used for mapping relationships.
- When you add an API to the Agentic application, after the first call the Agent is moved to the protected state.After the first call to the Prisma AIRS API, the agent is moved to the protected state (as displayed in the Strata Cloud Manager Agent Discovery dashboard). This process may take approximately 10 minutes to complete.
- For AWS Bedrock only optimized models are supported.
- For Azure AI Foundry/Open AI only static configurations are supported.
How AI Agent Discovery Works on Each Cloud Provider
AI Agent Discovery functions differently based on the cloud provider.
AWS Bedrock
When it comes to assets, because agent versions are permanent snapshots of the
agent's settings, each one is treated as a separate, discoverable item. AWS Bedrock
provides good support for monitoring runtime activity (Agent to Model, Agent to
Tool, Agent to Agent) by parsing detailed logs.
Azure AI and OpenAI
With Azure AI agents and OpenAI assistants, assets are treated
differently because they don't have versions; the agent itself is the asset. At this
release, AI Agent Discovery only supports finding the agent's configuration (what it
is and what it knows/does). Live activity monitoring (runtime logs) is not yet
supported.
How AI Agent Discovery Provides Protection
AI Agent Discovery represents a comprehensive blueprint for bringing
visibility and security control to low-code AI development. It is designed to check
if an agent is protected.
Consider the following:
- A unique, unified Asset ID is used for each discovered agent (or version).
- API results show all agents, models, knowledge bases, and tools divided into Protected and Unprotected lists.
Using AI Agent Discovery
Prisma AIRS allows you to discover AI Agents created and used through
low-code/no-code platforms from Cloud Providers. With this functionality you can
discover, store, and monitor AI agents across two major cloud platforms:
- AWS: Focuses on Bedrock Agents, including their configuration discovery and runtime interactions.
- Azure: Focuses on AI Foundry Agents and OpenAI Assistants.
This release only supports configuration discovery. The
discovery supports Foundry Projects but not the older Hub-Based
Projects.
AI Agent Discovery includes the following key concepts:
- Onboarding workflow and permissions. This process involves specifying the IAM roles and permissions that are required for AWS Bedrock, and Azure.
- Agent Configuration Discovery. This process involves understanding how to discover and store metadata for components like:
- Agent Versions and Aliases (AWS Bedrock only, storing immutable versions).
- Foundation Models (and resolving inference types like on-demand, inference profile, and provisioned throughput).
- Collaborator Agents (for multi-agent systems).
- Knowledge Bases and Tools/Action Groups.
- Agent Runtime Interactions: Describes the requirements and parsing logic for various agent interactions logged by AWS Bedrock (Agent to Model, Agent to Tool, Agent to Knowledge Base, Agent to Agent).
- Limitations: Notes limitations such as no runtime invocation information for Azure agents in the current phase and limited support for tool types and non-Anthropic models in AWS logs.
These key concepts represent the blueprint for the AI Agent Discovery feature, which
automatically detects inventories agents built by users in major cloud
platforms.