In Discovery: AI Agent Security Monitoring

You’re Invited

The SailPoint Product team is inviting a small group of customers to participate in a 30–90 day Closed Preview for AI Agent Behavior Monitoring (ABM) — a new capability designed to give security teams visibility into what AI coding agents and assistants are doing on employee endpoints.

The Problem We’re Solving

Your developers are using AI agents — Claude Code, Cursor, GitHub Copilot, Windsurf — that can read files, execute commands, access APIs, and connect to external services via MCP servers. Today, most security teams have zero visibility into:

  • Which AI agents are running across the fleet
  • What tools and external services those agents are connected to
  • Whether agents are accessing sensitive data, credentials, or internal systems
  • Whether newly installed agents or MCP servers are sanctioned or shadow IT

Traditional endpoint tools (EDR, MDM) see processes but don’t understand AI agent behavior. SIEM captures network telemetry but can’t attribute actions back to a specific agent or its human owner.

What is ABM?

Agent Behavior Monitoring correlates your existing SIEM telemetry with SailPoint’s agent discovery data to detect:

  • Unsanctioned AI tool usage — agents or MCP servers not on your approved list
  • Credential exposure — API keys, tokens, or secrets stored in plaintext agent configs
  • Anomalous data access — agents reaching databases, internal APIs, or file systems outside normal patterns
  • Policy violations — sensitive data (PII, secrets) being sent to AI tools via prompts

ABM doesn’t require a new agent on the endpoint. It works by analyzing telemetry you’re already collecting.

What’s In It for You

As a Closed Preview participant, you receive:

  • Early access to ABM capabilities before general availability
  • Direct influence on the feature’s direction — your use cases shape what we build
  • A dedicated SailPoint PM and engineer as your point of contact throughout
  • A findings report — at the end of the preview, we’ll deliver a summary of AI agent activity discovered in your environment (shadow AI tools, credential risks, anomalous patterns)
  • Priority onboarding when ABM ships to production

What We Need from You

Requirement Detail
SIEM read-only access Non-production / lower environment only (dev/test). We need read access to DNS, process, and network telemetry logs. No production data required.
Scope Minimum 50 developer endpoints generating SIEM telemetry
Touchpoints Bi-weekly 30-minute check-ins with the Product team (feedback, findings review)
Duration 30–90 days
Security All access governed by an NDA addendum. SailPoint does not extract, store, or share your raw log data.

Ideal Participant Profile

  • 500+ developer endpoints with AI tools in active use
  • Existing SIEM deployment (Splunk, Sumo Logic, Sentinel, CrowdStrike Falcon LogScale)
  • Security team concerned about AI tool sprawl and/or data leakage via AI prompts
  • Willingness to share findings (anonymized) for joint case study (optional)

Next Steps

Interested in participating? Schedule a meeting here!

1 Like