Security for AI: Every Pillar of Cloud Security Just Got a New Job
A few weeks ago, I wrote about Upwind becoming agentic, AI for Security. We put a fleet of Agents, Blue, Red, and Green, to work investigating threats, validating exposures, and remediating risk at machine speed. That was one half of the story.
This is the other half.
Security for AI.

AI has rewired our known attack surfaces
Most people think that AI lives in one place, and you can guard the door.
“AI security” is not something that fits in a box: a scanner for models, a firewall for prompts, a checkbox for governance. It doesn’t live in one place. It lives everywhere.
AI is in the endpoint. It’s in the cloud. It has changed the way we write code, the way we ship software, and the way applications talk to each other and unfold in real time through thousands of MCP calls. It’s not a new surface sitting next to the old ones. It’s a current running through every surface we already have.
AI is challenging everything we thought we knew about securing the cloud. Every assumption, about how fast code moves, about what’s talking to what, about what’s even in your environment, is being re-examined.
So the conclusion is simple, even if the work isn’t: AI security is not a pillar on its own. It has to be embedded in every pillar of cloud security. Every one of them has to step up.
Let me walk through what that actually means.
Code: The world of humans writing code is gone.
For a decade, “shift left” meant a fairly stable set of motions: SCA, SAST, and IaC scanning running against code written by humans at human speed.
That world is gone.
The tools that write and push code have changed. AI is in the IDE, in the PR, in the pipeline. Velocity is up by an order of magnitude: more code, from more sources, merged faster, with more dependencies pulled in automatically. The Shai-Hulud campaign our research team broke down was a preview: a compromised package moving through the supply chain and into build pipelines before most teams knew what they were looking at.
SCA, SAST, and IaC scanning: none of them get to stand still. They have to keep pace with code that’s generated, not just authored. And here’s the upside: AI can help scan the code, too. The same force that multiplies the risk can multiply the defense, if you wire it in correctly. Shift Left isn’t being retired. It’s being asked to run at a speed it was never designed for.
Cloud: inventory has never been this critical
There have never been more ways to consume AI in the cloud. You can go through PaaS – AWS Bedrock, Azure AI Foundry, and Vertex. You can self-host open-source models. You can stand up custom SDKs, agents, MCP servers, knowledge bases, fine-tuning jobs, and inference endpoints. Every team in your company is doing some combination of these right now, often without you even knowing about it.
Mastering cloud inventory has never been, and I mean never been, this critical.
Inventory in the cloud can be tricky. You may think you know what you have when you look at a list of resources, but the truth is that cloud resources are all about relationships, dependencies, and cataloging. Simple questions, such as how many AI agents I have across my cloud usage, which models they use, and which AI datastores I have, require deep understanding, tagging, and cataloging.
Runtime: the action moved up the stack
This is the change I find most profound.
Runtime security used to be fundamentally about process execution, malicious signatures, malware, and the transport layer: watching connections, flows, and the plumbing between workloads. That’s no longer where the interesting things happen.
Now everything is happening at the application layer. On the APIs. In the payloads. In the prompts that come and go. In the thousands of MCP communications a single agent fires off to complete one piece of business logic.

A model receives a prompt, calls a tool, hits an MCP server, retrieves from a datastore, calls another model, returns a payload. That entire chain is the business logic now, and every hop in it is a place where something can go wrong: a prompt injection, a data leak, an over-scoped tool call, an agent reaching somewhere it never should. You cannot see any of that by watching packets move. You have to understand the application’s behavior in real time, semantically, at the layer where the decisions are actually being made.
This is a genuinely new threat landscape, and it demands runtime that lives where the AI lives.
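To make the runtime point concrete, here is an added example (not Upwind’s code, and not the AI-Sensor’s logic) of the kind of check a defender can run over an agent’s call chain: learn a per-agent baseline of which models, tools, MCP servers and datastores it normally touches, then flag hops in a new chain that reach a target never seen before, request a wider scope than the baseline shows, or reach an unbaselined destination after reading a datastore flagged as sensitive. The agent name, targets, hop kinds and the sensitive-datastore set are all constructed for illustration.

```python
"""Behavioral baseline over agent call chains (added example, constructed data)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Hop:
    """One hop in an agent's chain: who acted, what kind of thing it touched, and where."""
    chain_id: str        # one end-to-end business-logic invocation
    agent: str           # the agent performing the hop
    kind: str            # "model", "tool", "mcp", or "datastore" (assumed taxonomy)
    target: str          # model name, tool name, MCP server host, or datastore id
    scope: str = "read"  # requested scope; "read" or "write" in this example


# Constructed known-good window: what a hypothetical support agent normally touches.
BASELINE_WINDOW = [
    Hop("c1", "support-agent", "model", "base-llm"),
    Hop("c1", "support-agent", "mcp", "mcp-tickets.internal"),
    Hop("c1", "support-agent", "datastore", "kb-faq"),
    Hop("c2", "support-agent", "model", "base-llm"),
    Hop("c2", "support-agent", "tool", "lookup_order"),
    Hop("c2", "support-agent", "mcp", "mcp-tickets.internal"),
]

# Constructed: datastores the inventory has flagged for sensitive data (PII etc.).
SENSITIVE_DATASTORES = {"kb-customer-pii"}

# Constructed chain to evaluate: a new datastore, a widened tool scope, and a new MCP host.
NEW_CHAIN = [
    Hop("c9", "support-agent", "model", "base-llm"),
    Hop("c9", "support-agent", "datastore", "kb-customer-pii"),
    Hop("c9", "support-agent", "tool", "lookup_order", scope="write"),
    Hop("c9", "support-agent", "mcp", "mcp-unknown.example.invalid"),
]


def build_baseline(hops):
    """Learn, per agent, the set of (kind, target, scope) triples seen in the known-good window."""
    baseline = defaultdict(set)
    for h in hops:
        baseline[h.agent].add((h.kind, h.target, h.scope))
    return baseline


def evaluate_chain(chain, baseline, sensitive_datastores):
    """Return (hop_index, category, detail) findings for hops that deviate from the baseline.

    Categories: "new-target" (agent reached somewhere it never has), "over-scoped"
    (known target, wider scope than baselined), "possible-leak" (sensitive datastore
    read earlier in the same chain, then an unbaselined outbound destination).
    """
    findings = []
    touched_sensitive = False
    for i, h in enumerate(chain):
        known = baseline.get(h.agent, set())
        known_targets = {(k, t) for k, t, _ in known}
        if (h.kind, h.target) not in known_targets:
            findings.append((i, "new-target",
                             f"{h.agent} reached {h.kind} {h.target!r} never seen in baseline"))
            if touched_sensitive and h.kind in ("tool", "mcp", "model"):
                findings.append((i, "possible-leak",
                                 f"chain {h.chain_id}: sensitive datastore read earlier, "
                                 f"then unbaselined {h.kind} {h.target!r}"))
        elif (h.kind, h.target, h.scope) not in known:
            findings.append((i, "over-scoped",
                             f"{h.agent} called {h.target!r} with scope {h.scope!r} "
                             f"not present in baseline"))
        if h.kind == "datastore" and h.target in sensitive_datastores:
            touched_sensitive = True
    return findings


if __name__ == "__main__":
    base = build_baseline(BASELINE_WINDOW)
    for idx, category, detail in evaluate_chain(NEW_CHAIN, base, SENSITIVE_DATASTORES):
        print(f"hop {idx}: [{category}] {detail}")
```

The baseline here is a plain set of triples learned from a trusted window; in practice the learning window needs its own integrity controls, since an agent that was already misbehaving during that window would baseline its own bad behavior as normal.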
We are stepping up every pillar of cloud security for AI
I’m excited about what our team has built into the platform. Across Code, Cloud and Runtime.
Code: Shift-left scanning now keeps pace with AI-generated code, surfacing supply chain risk and vulnerable dependencies before they reach production.
Cloud: Upwind now helps you master your cloud inventory like never before. We’ve added an intelligence layer above your flat list of cloud resources, one that understands what your AI workloads actually are, how they connect to each other, and what risk each one introduces.
Runtime: AI-Sensor delivers visibility into what’s actually happening at the application layer: prompts, tool calls, MCP connections, and the behavioral baselines that show when something deviates from normal.
When you open the AI inventory in Upwind, you see the actual picture:
- Agents: every Bedrock Agent, Azure OpenAI Assistant, Vertex Agent, Copilot Studio agent, self-hosted agent, with the model behind it, whether it’s using guardrails, its last invocation, and the non-human identity it runs as.
- Models: foundation, fine-tuned, and custom, across SageMaker, Bedrock, Azure ML, including which base model they derive from and whether they’re hosting a live endpoint.
- Datastores: knowledge bases and buckets feeding your AI, flagged for sensitive data (PII, PHI, PCI, secrets), encryption, and public exposure.
- MCP Servers: gateways and registries, with their endpoint URLs, public vs. private exposure, auth method, and live status.

That last category matters more than people realize. An MCP gateway that’s publicly exposed in a degraded or error state is exactly the kind of node attackers now look for first.
Cataloging this inventory accurately, understanding the real attack surface, not the one you assume you have, isn’t important. It’s a few levels above critical. Without it, neither your teams nor your agents have any chance of operating safely in a deployment landscape that changes by the hour. Inventory is the foundation that everything else stands on. It always was. AI just removed any margin for getting it wrong.
And once you have that foundation, the payoff shows up where it counts: in the issues that actually matter. A Kubernetes deployment with internet ingress and a critical exploitable CVE. A publicly exposed instance touching fifteen downstream resources. These aren’t isolated findings — they’re toxic combinations across configuration, exposure, identity, and AI usage, surfaced because the inventory underneath them is complete.
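The inventory questions from the Cloud section (how many agents, which models they use, which datastores exist) and the toxic combinations above both come down to a graph of typed assets with relationships between them. The following is an added example, not Upwind’s inventory model or rule engine, of how a defender might represent the four asset categories listed above plus a hosting deployment, answer the inventory questions, and evaluate combination rules over the graph. Node attribute names, the relation names, the sample assets and the fan-out threshold are all assumptions made up for illustration; the “fifteen downstream resources” in the post is an example count, and the threshold here is a parameter.

```python
"""AI asset inventory as a typed graph with toxic-combination rules (added example)."""
from collections import defaultdict

# Constructed inventory. Attribute names are assumptions, not a vendor schema.
NODES = {
    "agent:support": {"type": "agent", "guardrails": False, "identity": "role:support-agent"},
    "agent:sales": {"type": "agent", "guardrails": True, "identity": "role:sales-agent"},
    "model:base-llm": {"type": "model", "live_endpoint": True},
    "ds:kb-faq": {"type": "datastore", "sensitive": [], "encrypted": True, "public": False},
    "ds:kb-customers": {"type": "datastore", "sensitive": ["PII"], "encrypted": True, "public": False},
    "mcp:gateway": {"type": "mcp_server", "url": "https://mcp.example.invalid",
                    "public": True, "auth": "none", "status": "degraded"},
    "k8s:support-api": {"type": "deployment", "internet_ingress": True,
                        "max_cve": {"severity": "critical", "exploitable": True}},
}

# Constructed relationships: (source, relation, target).
EDGES = [
    ("k8s:support-api", "hosts", "agent:support"),
    ("agent:support", "uses", "model:base-llm"),
    ("agent:support", "reads", "ds:kb-customers"),
    ("agent:support", "reads", "ds:kb-faq"),
    ("agent:support", "connects", "mcp:gateway"),
    ("agent:sales", "uses", "model:base-llm"),
    ("agent:sales", "reads", "ds:kb-faq"),
]


def adjacency(edges):
    """Outbound adjacency list, ignoring relation labels."""
    adj = defaultdict(list)
    for src, _, dst in edges:
        adj[src].append(dst)
    return adj


def downstream(node, adj):
    """Every resource transitively reachable from node (its blast radius if exposed)."""
    seen, stack = set(), [node]
    while stack:
        for nxt in adj[stack.pop()]:
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return seen


def inventory_summary(nodes, edges):
    """Answer the inventory questions: how many agents, which models they use, which datastores."""
    by_type = defaultdict(list)
    for nid, n in nodes.items():
        by_type[n["type"]].append(nid)
    return {
        "agents": len(by_type["agent"]),
        "models_in_use": sorted({dst for _, rel, dst in edges if rel == "uses"}),
        "datastores": sorted(by_type["datastore"]),
        "mcp_servers": sorted(by_type["mcp_server"]),
    }


def toxic_combinations(nodes, edges, fan_out_threshold=5):
    """Return (node_id, severity, description) for risky combinations across the graph."""
    adj = adjacency(edges)
    findings = []
    for nid, n in nodes.items():
        t = n["type"]
        if t == "mcp_server" and n["public"]:
            if n["status"] in ("degraded", "error"):
                findings.append((nid, "critical", "publicly exposed MCP server in degraded/error state"))
            if n["auth"] == "none":
                findings.append((nid, "high", "publicly exposed MCP server without authentication"))
        if t == "datastore" and n["sensitive"] and n["public"]:
            findings.append((nid, "critical", f"sensitive datastore publicly exposed: {n['sensitive']}"))
        if t == "deployment" and n["internet_ingress"]:
            cve = n["max_cve"]
            if cve["severity"] == "critical" and cve["exploitable"]:
                findings.append((nid, "critical", "internet ingress plus critical exploitable CVE"))
        if t == "agent" and not n["guardrails"]:
            for dst in adj[nid]:
                if nodes[dst]["type"] == "datastore" and nodes[dst]["sensitive"]:
                    findings.append((nid, "high", f"agent without guardrails reads sensitive datastore {dst}"))
        if n.get("public") or n.get("internet_ingress"):
            reach = downstream(nid, adj)
            if len(reach) >= fan_out_threshold:
                findings.append((nid, "high", f"publicly exposed node reaches {len(reach)} downstream resources"))
    return findings


if __name__ == "__main__":
    print(inventory_summary(NODES, EDGES))
    for node_id, severity, description in toxic_combinations(NODES, EDGES):
        print(f"{severity:8} {node_id:18} {description}")
```

Each rule on its own is a simple attribute check; what makes the findings useful is that the exposure, configuration, identity and AI-usage attributes sit on one graph, so the blast-radius walk and the guardrail-to-datastore rule can be answered from the same data the inventory count comes from.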

The beginning of the beginning
What we’re announcing is the foundation: every part of cloud security is now AI security, across the board, from Shift Left to cloud posture to runtime. The network layer and the inventory have never been more critical, and we’ve built them to carry that weight.
There’s a piece still ahead of us, and it’s a big one. We’re moving, very soon, to secure the AI endpoints themselves, the place where prompts and responses actually cross the wire. It’s coming. Register for the private preview.
We’re just getting started. Stay tuned.
Up & Up,
Amiram.