Blog · June 26, 2026

How the runtime layer is being built

A June 2026 snapshot of who is building runtime supervision, mapped by control: three industries, no shared control plane, and the seam no one owns.

apeiris.ai·Vendor landscape series · snapshot, June 2026

This is a companion to the groundwork post on runtime supervision and detection. That one covers the controls. This one is a snapshot of who is building them, and where the movement is, as of June 2026. Read the disclosure at the foot before you read anything into it: this is a map of activity, not a list of recommendations.

Runtime is worth starting with because it is moving fastest and fragmenting hardest. The pieces are being built by three different industries that do not naturally connect: the endpoint-security vendors who own the operating system, the frontier labs who own the model's reasoning, and the identity vendors who own the boundary. Each is building a real part of the layer. None of them is building the part that joins the others. That gap is the same seam this whole project is about, and you can see it plainly once you sort the activity by control.

The standards and open work come first

Before any product, the layer has a spine of shared, non-commercial work.

  • MITRE ATT&CK and ATLAS are the threat catalogues everything else references. ATT&CK is the long-standing catalogue of attacker techniques; ATLAS is its AI extension, and it has begun adding agentic technique IDs. Both are the common language detections are written against.
  • A shared vocabulary for supervision is emerging from the labs. Google DeepMind's AI Control work (published June 18, 2026) introduced escalating detection tiers, D1 through D4, and response tiers, R1 through R3. Functionally, that is a common scale for "how hard is this agent to watch" and "how hard do we stop it." It is a strong candidate for shared vocabulary; whether it is adopted beyond DeepMind's own work is still early to call.
  • Anthropic's ARiES is an open scoring idea: add Threat, Vulnerability, and Impact instead of multiplying them, so a partial signal does not get zeroed out. It is a detection-scoring heuristic for keeping weak signals visible, not a replacement for formal risk math, and it is a methodology, not a product.
  • CSA's MAESTRO and AISMM give the threat-model and maturity framing for the layer.
  • Open benchmarks carry the testing side: garak for vulnerability probing, and the injection suites do the measuring that turns "seems safe" into a number.

These open and standards pieces give you much of the vocabulary, threat model, and testing foundation for the runtime layer. They do not provide the live telemetry, enforcement, or response system; that is what the products below add.

Seeing what the agent does (RT-01)

The structural argument here comes from the endpoint-security world, and CrowdStrike has made it most directly (this is the company's own positioning, and some of it describes capability still rolling out, so take the specifics as vendor claims). The argument itself is sound within its execution model: an agent that runs on a host (a coding or desktop agent, anything executing locally) runs as a child process carrying the user's full privileges, so tools that watch the network or the application layer cannot see what it actually does on the machine. For that class of agent, operating-system telemetry, process lineage (which process spawned which), file activity, network calls, is what captures the real picture, complementing application, identity, and network telemetry rather than replacing them. In effect, for host-run agents the endpoint, not the network, is where you can both see and stop them. (API-hosted and managed agents are a different case.) The category doing this work is EDR, endpoint detection and response, the same class of tool that already watches laptops and servers.

Catching the hijack, and the data on the way out (RT-02, RT-05)

This is the most crowded cluster, because injection and exfiltration are the most immediate threats.

  • Google folds prompt-injection guidance into SAIF 2.0 and its Agent Risk Map (October 2025), which it has contributed to the cross-vendor Coalition for Secure AI.
  • OpenAI publishes prompt-injection mitigations in its Agent Builder safety guidance (2025), oriented toward people building on its platform.
  • CrowdStrike extends the endpoint argument to inspecting agent input and output at the boundary.
  • Ping Identity's Identity for AI line [shipping product] (GA March 2026) includes Agent Detection, which identifies AI-agent activity (managed and unmanaged) through bot-detection and behavioral signals and routes it into authorization. That is agent discovery and identity-anomaly detection, adjacent to RT-02/RT-05 rather than a prompt-injection or DLP engine itself.
  • On the open side, garak lets you probe for injection and leakage yourself rather than taking a vendor's word for the coverage.

The honest read: lots of activity, measured very differently from vendor to vendor, which is exactly why the groundwork post pushes an attack-success-rate you run yourself rather than a coverage claim you accept.

Watching the reasoning, and below it (RT-03, RT-08)

This is the frontier, and it belongs almost entirely to the frontier labs right now.

  • Google DeepMind's AI Control Roadmap (June 2026) is the most detailed public treatment I mapped of supervising an agent's reasoning, treating internal agents as potential insider threats and not assuming alignment is perfect. The D1-D4 tiers come from here.
  • Anthropic's Project Glasswing is a defensive frontier-capability program, framed around studying capability in order to secure critical software.

Two things stand out. First, this work is research and programs, not products you can buy and deploy, which tells you how early the reasoning-supervision layer is. Second, watching the model's internal state rather than its visible output (the representation-level monitoring in the groundwork post) is barely past the lab bench. If a vendor tells you they have solved it, that is a claim to check hard.

Stopping it (RT-04)

Containment response draws from several directions at once: DeepMind's R1-R3 response tiers, which escalate from after-the-fact review to real-time blocking, CrowdStrike's endpoint isolation, and, going back furthest, OpenAI's 2023 governance practices, which named interruptibility, the ability to pause rather than only kill, as a design goal early.

Naming the new attacks (RT-06, RT-07)

  • Anthropic's LLM ATT&CK Navigator (June 2026) is the empirical backbone for the orchestration argument, and ARiES is the scoring method that comes with it.
  • MITRE ATLAS is adding the agentic technique IDs the field maps against.
Update · July 2026
In Apeiris, this runtime layer overlaps our Agentic domain, and the ATT&CK and ATLAS grounding described above is now live rather than referenced. The pinned MITRE ATLAS model, its tactics, techniques, mitigations, and case studies, is loaded into the Apeiris knowledge graph and browsable at /graph/, with the same model served read-only to agents over an ATLAS MCP. The three-industries, no-shared-control-plane seam this post names is the federated-proof problem Apeiris is building toward.
  • Multi-agent collusion detection (RT-07) has no product behind it that I can point to. It is framework-level and research-stage, with DeepMind's control work and CSA's MAESTRO as the nearest thinking. That blank is worth stating plainly rather than papering over.

Where implementation activity is concentrated

The freshest movement is a mid-2026 cluster: DeepMind's roadmap and Anthropic's Navigator both landed within weeks, and Ping's Agent Detection reached general availability earlier in the year. The energy is real, but notice its shape. It is incumbents and labs shipping fast, plus a healthy open-benchmark ecosystem. Unlike the workspace-containment layer, where genuinely new entrants are appearing, runtime supervision does not yet have a dominant newcomer collapsing the layer into one tool. That may change, and when it does it will be worth watching for the disintermediation pattern, a single product claiming to see the OS, the reasoning, and the boundary at once. For now, no mapped product demonstrates all three in its public materials.

Consolidating or fragmenting?

Fragmenting, clearly. The endpoint vendors own the operating system. The labs own the reasoning. The identity vendors own the boundary. Three industries, three real contributions, and no shared control plane that ties an OS-level alert to a reasoning-divergence signal to an egress block. A defender assembling a runtime program today is doing the integration by hand. The one consolidating force is linguistic, not commercial: the D1-D4 / R1-R3 vocabulary is starting to give everyone a common way to talk about detection and response, which is usually how a fragmented layer begins to converge.

The handoff

The three industries here, endpoint, labs, identity, each detect a slice. The seam none of them owns is the one that matters most operationally: can a detection from any of them trigger a governance hard-stop before an irreversible action commits? The detectors live in this layer; the stop lives in the governance layer's products; the wire between them is yours to build.

If you want the controls these products map to, with the validation steps to test any of them yourself, see the runtime groundwork post and see the runtime-related controls at apeiris.ai.

Sources

---

How to read this. Snapshot dated 21 June 2026. A product appears here because it maps to a control, not as a recommendation or independently validated efficacy; vendor figures are their own claims; status tags mark what kind of thing each entry is. The full neutrality statement and method are in the capstone.

Explore the graph →