How the continuous assurance layer is being built
A June 2026 snapshot of who is building continuous assurance, mapped by control. Open tooling and standards lead the labs and vendors here.
Pair this with the groundwork post on continuous assurance: controls there, field activity here, as of June 2026. The disclosure at the end frames the whole thing; start there.
Assurance leans on open and standards work more than any other layer I mapped, and it is led less by security vendors than by the frontier labs and the open-source supply-chain community. That gives it a different texture: a lot of what matters here is publicly available rather than sold.
The standards and open work come first
- Open benchmarks carry the testing: AgentDojo (hundreds of injection cases), the OWASP FinBot capture-the-flag, garak for vulnerability probing. You can measure an agent's resistance with these on your own, no vendor required.
- OpenSSF Model Signing and Sigstore's model-transparency work provide open tooling to sign and verify model weights.
- CISA's SBOM-for-AI minimum elements define what a model bill of materials should record.
- The EU AI Act's Article 9 frames assurance as a continuous duty, not a one-time gate.
Who is building what, by control
Pre-launch red-teaming (AS-01). The labs lead: Anthropic's Frontier Red Team [research program], Microsoft's AI Red Team (with the open-source PyRIT harness [open source] for automated agent red-teaming), and OpenAI. The open benchmarks make specific attack suites reusable outside the labs; they do not reproduce a lab's internal model access, instrumentation, threat intelligence, or release authority.
Static analysis in CI (AS-02). Microsoft's Agent Governance Toolkit [open source] signs and scans plugins and manifests; CrowdStrike [shipping product] contributes AI-component scanning and dependency review in the CI/CD pipeline.
Continuous validation gate (AS-03). Google/DeepMind frame validation as an ongoing release gate [research / published posture], matching the EU AI Act's continuous-risk-management duty, a posture to adopt, not a shipping release-gate product.
Bug bounties for agentic abuse (AS-04). OpenAI's Safety Bug Bounty explicitly scopes agentic abuse, third-party prompt-injection hijacks, data exfiltration, harmful autonomous actions (reproducible at least half the time). Google runs an AI Vulnerability Reward Program too, but it is not the same scope: Google routes prompt injection and jailbreaks through its abuse channels and keeps them out of the core AI VRP, so "covered by a bug bounty" means different things at different vendors.
Frontier-capability study (AS-05). This is pure lab territory: Anthropic's Frontier Red Team and RSP capability evaluations, Google's frontier-safety work, OpenAI's Preparedness Framework with its tracked-risk deployment thresholds.
Model provenance (AS-06). Here the open-source supply-chain community leads, OpenSSF and Sigstore [open source], with Google (SAIF) contributing. Signing the weights at the registry/build layer, not just the application-layer plugins. This layer also splits by role: model producers run the capability evals, weight signing, and training-lineage attestations; enterprises on a hosted model usually cannot reproduce those, and instead require the provider's attestations, pin approved model versions, and tighten runtime controls when the evidence is incomplete.
Where there is no product yet
Behavioral integrity verification (AS-07), checking that a skill actually does what it declares, is research-stage, not a product. The striking study behind it (49,943 skills, around 80% deviating from their declared behavior, 5% carrying multi-stage attack chains) is academic work, and the capability-diff technique it proposes is not something you can buy today. It is on the leading edge of where assurance is going.
Where implementation activity is concentrated
The energy here is the labs and the open-source supply-chain world, not a crop of new commercial entrants. Two movements stand out: bug bounties maturing into a real external-assurance channel for agentic abuse, and model signing moving from idea to deployable open tooling. There is less disintermediation drama here than elsewhere, because so much of the layer is open by nature, the open benchmarks and signing tools are already the disintermediating force, keeping assurance from becoming a closed, paid gate.
Consolidating or fragmenting?
Consolidating in shape, less so in substance: the broad pattern is converging (validation gates, supply-chain signing, lab frontier programs, external bounties, on an open backbone), but the benchmark coverage, thresholds, and evidence formats are not yet standardized enough to make assurance comparable across vendors. The clearest gap is behavioral integrity (AS-07), which is still in the lab. For a defender, this is the layer where the open tools cover the most ground on their own.
The handoff
The assurance tools, benchmarks, signing, bounties, produce results and artifacts. Nothing in the map binds those results to live runtime so a responder can confirm what was actually tested. The seam between "we tested this release" and "this is what is running right now" has no owner, which is why a release-gate result silently expires the first time a prompt, model, or tool changes.
See the assurance groundwork post for the controls and validation steps, and see the assurance-related controls at apeiris.ai.
Sources
- AgentDojo · OWASP FinBot CTF · garak · Microsoft PyRIT
- Anthropic, Frontier Red Team · OpenAI, Preparedness Framework v2 and Practices for Governing Agentic AI · Google DeepMind, AI Control Roadmap
- OpenSSF Model Signing / Sigstore model-transparency · CISA, SBOM for AI: Minimum Elements · EU AI Act Article 9
- Wu, Li & Liu, Behavioral Integrity Verification for AI Agent Skills (arXiv 2605.11770)
---
How to read this. Snapshot dated 21 June 2026. A product appears here because it maps to a control, not as a recommendation or independently validated efficacy; vendor figures are their own claims; status tags mark what kind of thing each entry is. The full neutrality statement and method are in the capstone.