Agentic AI creates a new oversight challenge
If 2025 was the year enterprises raced to deploy AI agents, 2026 is the year we admit we can’t supervise them.
Gartner recently published its first Market Guide for Guardian Agents. The report addresses the need for new oversight models as AI agents become more embedded in enterprise workflows. According to Gartner, “AI agents simply can’t be trusted to follow instructions as intended – making them unreliable and impossible to depend on. Use guardian agents to deliver essential trust, risk and security capabilities and to ward off adverse outcomes from aberrant behavior and new cyberthreats. And make sure you Guard the Guardians themselves.”
The Market Guide points to a growing need for oversight models built for agentic AI. From DTEX’s perspective, this challenge requires more than alert review. It requires behavioral context across users, agents, applications, files, and data movement.
DTEX Triage Guardian helps security teams investigate AI-driven risk with autonomous triage, transparent reasoning, and human review built into the workflow.
The risk most enterprises aren’t ready for
The Gartner Market Guide also notes the challenge many organizations face today. Per the Market Guide, “AI agents introduce new risks that outpace human review, yet most enterprises are unprepared to manage them due to fragmented organizational structures and ongoing challenges with discovery.”
DTEX sees a similar pattern in conversations with security and AI leaders. Agentic workflows are expanding across the enterprise, and AI agents are appearing everywhere: copilots, IDE plugins, RPA workflows, browser extensions, and weekend side projects.
Each one acts under a human identity, but at machine speed and machine scale.
In June 2025, technologist Simon Willison coined the term “lethal trifecta” for AI agents to describe the convergence that occurs when an AI agent has three capabilities in the same workflow: access to sensitive data, exposure to untrusted content, and the ability to communicate externally. Each capability may be necessary on its own. Together, they create a pathway for an agent to act on the wrong instruction, move the wrong data, or trigger the wrong action before a human reviewer ever sees it.
Tools built for humans or processes can’t always tell the two apart. Governance teams can’t catch up without context.
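The lethal trifecta described above can be checked against an agent inventory before anything runs. The following is an added example, not code from DTEX, Gartner, or Simon Willison; the tool names, capability mapping, and agent list are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass

# The three capabilities in the "lethal trifecta".
SENSITIVE, UNTRUSTED, EXTERNAL = "sensitive_data", "untrusted_content", "external_comms"
TRIFECTA = {SENSITIVE, UNTRUSTED, EXTERNAL}

# Hypothetical tool catalogue: which capability each tool grants an agent.
TOOL_CAPS = {
    "crm_read": {SENSITIVE},
    "hr_files_read": {SENSITIVE},
    "web_fetch": {UNTRUSTED, EXTERNAL},   # third-party pages in, outbound requests out
    "inbox_read": {UNTRUSTED, SENSITIVE}, # mail is both private and externally authored
    "email_send": {EXTERNAL},
    "calendar_read": set(),
}

# Constructed inventory: agent name -> tools enabled in one workflow.
AGENTS = {
    "support_copilot": ["crm_read", "inbox_read", "email_send"],
    "research_bot": ["web_fetch", "calendar_read"],
    "hr_summarizer": ["hr_files_read"],
    "weekend_project": ["crm_read", "unreviewed_plugin"],
}

@dataclass
class Finding:
    agent: str
    providers: dict    # capability -> sorted tools that grant it
    cheapest_cut: str  # capability granted by the fewest tools

def audit(agents):
    """Return a Finding for each agent whose tools cover all three capabilities."""
    findings = []
    for name, tools in agents.items():
        # Fail closed: a tool missing from the catalogue is assumed to grant everything.
        providers = {cap: sorted(t for t in tools if cap in TOOL_CAPS.get(t, TRIFECTA))
                     for cap in TRIFECTA}
        if all(providers.values()):
            cut = min(sorted(providers), key=lambda c: len(providers[c]))
            findings.append(Finding(name, providers, cut))
    return findings

if __name__ == "__main__":
    for f in audit(AGENTS):
        print(f"{f.agent}: trifecta present; fewest tools to remove: "
              f"{f.cheapest_cut} via {f.providers[f.cheapest_cut]}")
```

Removing the tools behind any one capability breaks the convergence, which is why the finding reports the capability with the fewest providers.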
The threat is mostly internal
Here’s the line that should land hardest with every CISO. Gartner predicts: “Through 2028, at least 80% of unauthorized AI agent transactions will be caused by internal violations of enterprise policies concerning information oversharing, unacceptable use or misguided AI behavior rather than from malicious attacks.”
From DTEX’s perspective, this represents a new evolution of insider risk. The actor isn’t always a bad actor. In many cases, it is a well-meaning employee, a misconfigured agent, or an autonomous workflow that drifted from its intended purpose.
Either way, teams can only catch the bad outcome if they understand what normal looks like.
For DTEX, this is where behavioral context becomes essential.
Anomaly detection only works when “normal” is real
The Market Guide lists anomaly detection as one common guardian agent feature: “Anomaly detection flags suspicious or unusual AI agent activities, such as abnormal tool use or behavioral shifts, using rule-based or machine learning methods. High-confidence anomalies trigger autoblocking and alerts, helping prevent harm and catch threats before impact.”
The phrase to underline is behavioral shifts.
You cannot detect a behavioral shift without a behavioral baseline. Most security tools watch events. DTEX watches sequences. That includes the tools, pages, files, and data flows that surround a moment of risk.
This context shows what the user or agent did before, during, and after an alert. It also shows how that activity compares to historical patterns.
DTEX Triage Guardian helps analysts evaluate intent signals, not just isolated activity. By analyzing behavioral patterns over time, DTEX can help distinguish routine experimentation from activity that may indicate elevated risk.
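The difference between watching events and watching sequences can be shown with a small baseline over action transitions. This is an added example, not DTEX's implementation or anything from the Market Guide; the action names and session history are constructed, and the scoring rule (share of never-before-seen transitions) is an assumption chosen for clarity.

```python
from collections import Counter

# Constructed history of one agent's sessions (ordered action names).
HISTORY = [
    ["open_ticket", "read_crm", "draft_reply", "send_email"],
    ["open_ticket", "read_kb", "draft_reply", "send_email"],
    ["open_ticket", "read_crm", "read_kb", "draft_reply", "send_email"],
    ["export_report", "upload_share"],  # routine weekly export
]

def transitions(session):
    """Adjacent (action, next_action) pairs in a session."""
    return list(zip(session, session[1:]))

def build_baseline(sessions):
    """Count how often each action and each transition appeared historically."""
    events = Counter(e for s in sessions for e in s)
    pairs = Counter(p for s in sessions for p in transitions(s))
    return events, pairs

def score(session, baseline):
    """Compare a session to the baseline at event level and at sequence level."""
    events, pairs = baseline
    unseen_events = [e for e in session if e not in events]
    unseen_pairs = [p for p in transitions(session) if p not in pairs]
    total = max(len(session) - 1, 1)  # avoid dividing by zero on one-action sessions
    return {
        "unseen_events": unseen_events,  # what an event-only check would flag
        "unseen_pairs": unseen_pairs,    # what a sequence check flags
        "shift": len(unseen_pairs) / total,
    }

BASELINE = build_baseline(HISTORY)
ROUTINE = ["open_ticket", "read_kb", "draft_reply", "send_email"]
# Every action below is individually familiar; only the order is new.
SHIFTED = ["open_ticket", "read_crm", "upload_share"]

if __name__ == "__main__":
    for label, session in (("routine", ROUTINE), ("shifted", SHIFTED)):
        print(label, score(session, BASELINE))
```

An event-only check reports nothing for the shifted session because each action has been seen before; the transition from reading CRM records to uploading is what has no precedent in the baseline.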
How DTEX approaches AI-driven triage
Traditional triage was built for a slower era of alert review. Agentic AI changes the equation. Risk signals now move faster than teams can manually investigate, and the dangerous few can hide inside the noise.
DTEX Triage Guardian is a fully autonomous, multi-agent triage system built directly on a behavioral intelligence platform. It uses rich endpoint metadata and behavioral baselines to automate the repetitive parts of an investigation.
That includes alert review, evidence collection, context assembly, and early-stage analysis. As a result, analysts can spend more time mitigating verified risk instead of chasing potential risk.
Under the hood is a guardian for the guardian.
Triage Guardian uses a novel multi-agent architecture. One agent acts as the analyst, while a second acts as the reviewer. The reviewer checks the analyst’s conclusions against quality and confidence thresholds. If the case is not compelling, the workflow loops back automatically.
The result is a narrative summary, a confidence score, and a decision trail analysts can review, challenge, and act on.
Human-in-the-loop is a feature, not a fallback
As AI workflows become more autonomous, DTEX believes security teams need oversight models that can scale without removing human accountability. The path to autonomy should be transparent, reviewable, and grounded in trust.
DTEX Triage Guardian is fully autonomous in execution and fully transparent in its conclusions. Every investigation produces a written explanation an analyst can read in seconds and either accept or reject.
Teams can ramp into autonomy at their own pace. The system also gets sharper with every decision. That’s continuous learning, with the brakes still in human hands.
The bottom line
The first Gartner Market Guide for Guardian Agents describes an important shift in enterprise AI oversight. As AI agents become more embedded in daily workflows, security teams need more than isolated alerts.
They need context that shows how users, agents, applications, files, and data movement patterns connect over time.
DTEX Triage Guardian is our approach to that challenge. It brings autonomous triage together with behavioral intelligence, transparent investigation summaries, and human review. This helps teams evaluate AI-driven risk with greater speed and confidence.
If you’re shaping your AI agent oversight strategy this year, let’s talk. DTEX can help you evaluate AI-driven risk with the behavioral context needed to move from alert review to informed action.
Gartner, Market Guide for Guardian Agents, By Avivah Litan, Daryl Plummer, Carlton Sapp, Dionisio Zumerle, Tom Coshow, Max Gross, Lauren Kornutick, 25 February 2026.
Gartner is a trademark of Gartner, Inc., and/or its affiliates.