Key Takeaways

  • We won. Rein was named Best AI Cybersecurity Solution at ONUG 2026, picked out of 30+ vendors by a judging committee of CISOs and infrastructure leaders from Cisco, FedEx, Cigna, eBay, RTX, and Presidio.
  • Productivity agent security is not enterprise agent security. Tools built for chat copilots can't secure agents that move money, touch customer records, and take action inside core systems of record. The threat model, blast radius, and primitives are all different.
  • Four pillars define enterprise agent security: context, control, coverage, privacy. Decisions grounded in business reality, control scoped to the business action (not the API call), coverage that spans every system the agent touches, and privacy enforced at the data layer.
  • The next 18 months are decisive. Either enterprises adopt the right security primitives early and agents become to the next decade what cloud was to the last one, or two or three public incidents freeze agent programs for quarters. ONUG's recognition is a public marker for the first path.

At ONUG 2026, more than 30 vendors competed in the AI Security awards. Rein was selected as the best AI cybersecurity solution by a judging committee drawn from CISOs, CTOs, and infrastructure leaders at companies like Cisco, FedEx, Cigna’s Evernorth Health Services, eBay, RTX, and Presidio, alongside ONUG’s AI leadership and senior figures from Zscaler and Sand Hill East. These are the people who actually own this risk inside the Global 2000. They’re also the people who, on any given Monday, are deciding which AI initiatives ship and which ones get paused.

We’re proud of the recognition. But the win itself isn’t the interesting part. The interesting part is what those judges chose to validate: that enterprise agent security is a different category from everything else getting called “AI security” right now, and that the companies betting their operations on agents are starting to demand a product built for their specific reality.

This post is mostly about why they picked us. It’s also about why we think this signal matters for every enterprise that’s about to put agents into production.

The room

ONUG isn’t a hype event. It’s where Global 2000 infrastructure and security leaders evaluate technology against the constraints of actual enterprise deployment: multi-cloud, hybrid, regulated, audited, and unforgiving. The committee evaluates submissions against a rigid, three-pillar scorecard:

  • Innovation: breakthrough design, agent-native frameworks, ideas that don’t yet exist in the market.
  • Differentiation: clear, non-commodity value versus the standard enterprise stack.
  • Business Value: concrete CAPEX/OPEX impact and how cleanly a Global 2000 enterprise can actually deploy the technology without breaking its hybrid infrastructure.

In other words: not “is the demo impressive,” but “does this work, at scale, in environments that look like ours.”

That’s the bar we cleared.

The category problem

Most AI security tools on the market today were built for productivity agents: the assistants that help individuals write emails, summarize documents, generate code, or schedule meetings. The risks there are real but largely individual: prompt injection in a chat window, data leakage into a copilot, governance over which assistants employees are allowed to use, model misuse at the seat level.

That is not the world the CISOs in that room are losing sleep over.

The agents they’re rolling out, and the ones every Global 2000 is racing to ship, are enterprise agents. They move money. They touch customer records. They make decisions inside core systems of record. They execute trades, route claims, approve credits, open tickets, file orders, and take actions that, when wrong, have a board-level blast radius.

You cannot secure an agent that’s authorized to act on behalf of the business by sitting in front of a chat box. The threat model is different. The blast radius is different. And the security primitives have to be different too.

This is the line we’ve been drawing since day one. The judges’ decision is one of the first clear, public market signals that the line is real, and that the rest of the industry is going to have to pick a side of it.

The Six Controls That Stand Between Agentic AI and Production

Before getting into why Fortune 500 CISOs picked Rein, it’s worth understanding what they were actually evaluating against. The ONUG Agentic AI Overlay Working Group – a group of IT executives from companies like eBay, Cigna, Bank of America, Indeed, and Kraken – surveyed more than 350 large enterprises to answer a single question: what is stopping agentic AI from reaching production at scale? The answer, repeated across every poll and working session, was unambiguous. Enterprises are not blocked by model capability. They are blocked by the absence of runtime controls, governance mechanisms, and operational safeguards.

Out of that work came the Agentic Overlay Mandatory Controls (AOMC) – six controls that ONUG members ranked as the minimum bar for safe, large-scale agentic deployment. Compliance with all six was rated mandatory by the overwhelming majority of respondents; without them, the working group concluded, agentic AI simply will not be deployed at scale in large enterprises. Here is what each one means in practice.

1. Agent Identity, Lifecycle, and Attestation

Rated mandatory by 78% of respondents (and 79% for multi-trust-domain operation), this is the foundation everything else rests on. Agents are non-human actors, and they cannot inherit a human user’s identity to act on the network. The overlay must provide cryptographic identity, mutual authentication for every agent-to-agent exchange, and a managed lifecycle covering creation, delegation, mutation, and retirement – including the secure wiping of credentials and memory when an agent is decommissioned. Without strong non-human identity, there is no way to know which agent did what, no way to revoke a compromised agent, and no way to prevent agent spoofing inside the mesh.

2. Runtime Monitoring and Rogue Agent Detection

Rated mandatory by 65% of respondents. Agents operate at machine speed, which means post-incident log review is not a control – it is an autopsy. Enterprises require continuous, real-time monitoring of agent behavior against declared objectives, authorized tool usage, and expected execution patterns, with the ability to detect deviations and quarantine or kill a misbehaving agent before damage spreads. The model the working group repeatedly invoked is container runtime security applied to agents: execution behavior, API calls, and resource access continuously observed and enforced, not just logged.

3. Data Guardrails – Input, Output, and Residency Enforcement

The single highest-ranked control in the entire survey: 92% mandatory, with zero respondents marking it as later-phase or optional. Every input and output that crosses an agent boundary must be inspected and validated to prevent prompt injection, leakage of regulated data (PII, PHI, IP, financial records), and unauthorized external data flows. Data residency must be enforced as a first-class constraint, with explicit paths defined for regulated data across zones and jurisdictions. For regulated industries, this is the control with the shortest path between failure and a headline.

4. Zero Trust Enforcement

Rated mandatory by 67% inside enterprise-controlled domains and 62% across trust boundaries. Zero Trust here means what it has always meant – no endpoint is trusted by default; every communication is authenticated, authorized, and policy-checked at the moment of use – applied consistently across network, identity, and runtime layers. The wrinkle with agentic AI is the trust-domain boundary: capabilities that are acceptable when an agent operates inside a single VPC become unacceptable the moment it reaches across clouds, business units, or partner environments. Zero Trust is what keeps a compromised agent in one zone from achieving lateral movement into another.

5. Secure Orchestration and Tool Authorization

Rated mandatory by 71% of respondents – and tool invocation was repeatedly named by working group members as the single highest-risk capability an agent has, because it is the point at which an agent’s decision becomes a real-world action. Every tool call, API invocation, or infrastructure change must be subject to explicit authentication, policy-based authorization, and full audit logging. Critically, the control must not depend on human-in-the-loop approval as a default – enterprises need fully automated, policy-driven enforcement, with step-up authorization and blast-radius limits applied to high-impact actions.

6. Governance of Agent Autonomy

Rated mandatory by 56% of respondents, with one of the most quoted observations in the entire report: enterprises are not rejecting autonomy, they are rejecting ungoverned autonomy. The overlay must let operators define, constrain, and dynamically adjust how independently an agent may plan, decide, and act – spanning fully autonomous execution, policy-constrained autonomy, and human-in-the-loop operation – with mandatory kill-switch and human-override capabilities. Autonomy levels should be a policy that operators can tune, not a property baked into the agent at design time.
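The enforcement point described in controls 5 and 6, as an added example (not ONUG's or Rein's code): each tool call is authenticated, checked against policy at the business-action level, subject to step-up and a cumulative blast-radius cap, governed by an operator-tunable autonomy level and kill switch, and always audited. The tool names, thresholds, autonomy labels, and the `ToolGate` class are assumptions made for illustration.

```python
import json
import time
from dataclasses import dataclass, field

# Hypothetical policy table: tool names and thresholds are assumptions.
POLICY = {
    "transfer_funds": {"step_up_over": 10_000, "cap": 50_000},
    "open_ticket": {"step_up_over": None, "cap": None},
}

@dataclass
class ToolGate:
    autonomy: str = "policy_constrained"  # or "autonomous" / "human_in_loop"
    killed: set = field(default_factory=set)    # agent ids under kill switch
    spent: dict = field(default_factory=dict)   # (agent, tool) -> allowed total
    audit: list = field(default_factory=list)   # one JSON record per decision

    def _decide(self, agent, tool, amount, authenticated):
        if agent in self.killed:
            return "deny", "kill_switch"
        if not authenticated:
            return "deny", "unauthenticated"
        rule = POLICY.get(tool)
        if rule is None:                         # default deny for unlisted tools
            return "deny", "tool_not_authorized"
        if amount < 0:                           # negative values would erode the cap
            return "deny", "invalid_amount"
        cap = rule["cap"]                        # blast-radius limit (cumulative)
        if cap is not None and self.spent.get((agent, tool), 0) + amount > cap:
            return "deny", "blast_radius_limit"
        if self.autonomy == "human_in_loop":
            return "step_up", "autonomy_level"
        over = rule["step_up_over"]
        if self.autonomy != "autonomous" and over is not None and amount > over:
            return "step_up", "high_impact_action"
        return "allow", "policy_ok"

    def authorize(self, agent, on_behalf_of, tool, amount=0, authenticated=True):
        decision, reason = self._decide(agent, tool, amount, authenticated)
        if decision == "allow":
            key = (agent, tool)
            self.spent[key] = self.spent.get(key, 0) + amount
        # Every decision is logged, including denials and step-ups.
        self.audit.append(json.dumps({
            "ts": time.time(), "agent": agent, "on_behalf_of": on_behalf_of,
            "tool": tool, "amount": amount, "decision": decision, "reason": reason,
        }))
        return decision
```

Changing `autonomy` or adding an id to `killed` takes effect on the next call, which is the sense in which autonomy is a tunable policy and not a property of the agent.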

Why These Six, Together

Each of the six controls addresses a different failure mode, but the working group is explicit that they are meant to work as a system. Identity without runtime monitoring gives you accountable agents that can still go rogue undetected. Data guardrails without Zero Trust let a compromised agent in Zone A exfiltrate from Zone B. Tool authorization without autonomy governance leaves you policing individual API calls while the agent’s planning loop is busy concocting the next sequence of them. This is why ONUG frames the AOMC as the minimum set, not the maximum – and why demonstrating all six in a single production agent, end-to-end, was the bar set at the AI Networking Summit.

That is the bar Rein cleared.

The four pillars in Rein’s platform

When we walked the committee through how Rein actually works, four ideas came up repeatedly. They aren’t marketing categories. They’re the things that have to be true if you’re going to let an agent take action inside your business. And they correlate perfectly with the AOMC controls above.

1. Context. Security decisions for enterprise agents have to be grounded in business reality, not generic AI guardrails. Who is this agent acting on behalf of? What customer, what region, what data class? What policy applies to this specific transaction? An AI firewall that doesn’t understand the business can only enforce at the lowest common denominator, and that isn’t deployable inside the Global 2000.

2. Control. Fine-grained, runtime control over the business action, not just the underlying API call. The right question isn’t “did the agent call this endpoint?” It’s “did the agent move $4.2M from this account to that account, on behalf of this user, against current policy?” Real control means approvals, intervention, and the ability to stop the agent mid-flight when the context warrants it.

3. Coverage. Enterprise agents don’t live in one place. They span SaaS, custom internal workflows, third-party platforms, on-prem systems, and the long tail of tools every large enterprise has accumulated over twenty years. Security that ends at the model, or at the chat interface, isn’t coverage. It’s a checkbox.

4. Privacy. These agents handle the company’s most sensitive data: customer PII, financial records, regulated health information, trade-sensitive material. That data cannot leak into prompts, logs, training pipelines, or downstream tools that aren’t authorized to see it. Privacy has to be enforced at the data layer, not assumed by policy.

The common thread across all four is simple: this is security designed around the business action the agent is taking, not the model, not the prompt, not the chat window.

The Rein Enterprise Agent Security Platform

Why the pillars mapped to how they graded

The judges’ three criteria (innovation, differentiation, business value) line up almost exactly with the case we made.

Innovation, because the technology underneath has to be agent-native; you can’t bolt enterprise agent controls onto a DLP or a CASB built for human users a decade ago. Differentiation, because the rest of the market is still optimizing for productivity-agent risk, and we’re not in that bucket, and we don’t want to be. Business value, because enterprises evaluating us aren’t asking whether agents are interesting; they’re asking whether agents can be deployed responsibly at scale, with audit trails and policy enforcement their risk leadership can actually sign off on.

When the people grading your work are running security and infrastructure for Cisco, FedEx, Cigna, eBay, RTX, and Presidio, “operationally credible” is the only grade that matters.

Why this matters for every enterprise about to ship agents

Enterprises are shipping enterprise agents as we speak. Over the next eighteen months, the agents going into production won’t be the chat copilots; they’ll be the ones embedded inside operations, finance, support, claims, supply chain, and customer-facing workflows. They will be empowered to act. And the security posture around them will determine whether the rollout accelerates or stalls.

There are two ways this goes.

The pessimistic path is a series of well-publicized incidents: an agent that fires off transactions it shouldn’t, a leak of regulated data through a prompt, a misconfigured tool chain that exposes a system of record. After two or three of those, board-level pressure freezes agent programs, and the productivity gains the market is counting on disappear into a multi-quarter pause.

The optimistic path is that enterprises adopt the right security primitives early (context, control, coverage, privacy) and the agents ship safely, at scale, with the audit trail and policy enforcement that lets risk leadership actually approve them. In that world, agents become to the next decade of enterprise software what cloud became to the last one.

The difference between those two paths is whether the industry treats enterprise agent security as its own discipline, with its own product category, instead of an extension of tools designed for a different problem.

ONUG just put a public marker on the second path.

Thanks

To ONUG, to the CISOs and infrastructure leaders who judged this year’s submissions, and to the analyst community that pressed on every claim we made: thank you. The recognition is meaningful precisely because of who you are and what you grade on.

We’re going to keep building.

The Rein team