Who Actually Pays for AI Agents in 2026? We Traced the Money
Three different groups pay for AI agents, and they’re paying for three different things. — over 25B purchase of CyberArk](). — 20–90 gigs, courses with thousands of students. — it’s a small, consolidating market riding VC subsidy, not revenue at enterprise-security scale. And the thing every buyer says they need — sandboxing, approvals, an audit trail an agent can’t talk its way around — is the one layer nobody has packaged and sold yet. That’s the gap this post traces, with every number sourced.
Who pays for AI agents in 2026? Three different buyers, three different bills. Enterprises write nine- and ten-figure checks for agent security — not agents themselves — through a wave of acquisitions. Individual OpenClaw operators write small, recurring checks for hosting, setup labor, and courses. And the thing that connects both — trusted execution, the control layer that makes an agent’s actions reviewable and reversible — is the one nobody has fully productized.
We (Mumega) ran three parallel research passes on 2026-07-08 across enterprise security spend, the OpenClaw ecosystem, and agent-ops tooling, because we build a governance layer for agent fleets (mupot) and needed ground truth on where real money moves before betting further on it. This post is the compiled findings.
Who pays for AI agent security?
Enterprises pay by acquiring the companies that solve it, not by writing feature-request tickets. Since mid-2024, platform incumbents have absorbed well over $28 billion in AI-agent-security acquisitions:
- Palo Alto Networks completed its ~$25B acquisition of CyberArk on February 11, 2026 — the largest deal in security-industry history, folding CyberArk’s identity platform into Palo Alto’s Cortex and Strata stack.
- CrowdStrike announced a $740M acquisition of SGNL in January 2026 to add real-time authorization across human, non-human, and agent identities.
- Check Point acquired Lakera for ~5.7M ARR at the time of the deal.
- F5 closed its $180M purchase of CalypsoAI in September 2025; CalypsoAI’s customer list included Palantir.
- SentinelOne completed its acquisition of Prompt Security in September 2025 for cash and stock reported as 250M by other outlets](https://finance.yahoo.com/news/sentinelone-acquire-prompt-security-250m-182354008.html) — terms weren’t fully disclosed.
- Cisco’s acquisition of Astrix Security closed for roughly $400M in 2026, bringing Astrix’s non-human-identity platform — customers included Figma, NetApp, Priceline, and Workday — under Cisco.
- SailPoint completed its acquisition of Entro Security for ~$200M on June 29, 2026, adding non-human-identity and credentials security to its Agentic Fabric product.
- Zscaler closed acquisitions of SPLX and Red Canary for a combined $692M in Q1 of fiscal 2026.
Independents that haven’t been bought are growing fast on the strength of the same demand: Noma Security raised a 120M in March 2026 with new ARR growing 5x year-over-year; WitnessAI grew ARR over 500% and raised $58M in January 2026.
But the spend is lopsided relative to the underlying problem. Gartner puts [total 2026 information-security spending at 49B in 2025 — but “securing AI itself” (protecting the models, agents, and pipelines) was only 4.63M, a $670K premium over a standard breach, and 97% of organizations that suffered an AI-related breach had no AI access controls in place — 63% had zero AI governance policy at all.
Who’s paying for agent-ops and observability tooling?
This layer — logging, evaluation, and debugging for agent behavior — has real venture interest but much smaller revenue than the security layer, and it’s actively consolidating. LangSmith raised a 1.25B valuation, reporting roughly 80M Series B at an 70M in February 2025](https://arize.com/blog/arize-ai-raises-70m-series-c-to-build-the-gold-standard-for-ai-evaluation-observability/), serving Uber, eBay, and Spotify.
The rest of the category is consolidating into larger platforms rather than growing independently: ClickHouse acquired Langfuse alongside a 400M raise in January 2026](https://clickhouse.com/blog/clickhouse-acquires-langfuse-open-source-llm-observability); [Mintlify acquired Helicone in March 2026](https://www.helicone.ai/blog/joining-mintlify), and Helicone now runs in maintenance mode; [CoreWeave acquired Weights & Biases for 1.7B in May 2025. One sub-category is monetized by nobody at all: prosumer fleet-management dashboards for running multiple agents are free or open-source across the board — Anthropic bundles Claude Code’s multi-session “Agent View” into existing Pro/Max/Team/Enterprise plans rather than selling it separately, and the community-built Hermes Agent Mission Control dashboard is MIT-licensed and free to self-host with no feature gates.
What do OpenClaw users actually pay for?
Individuals running the open-source agent framework OpenClaw pay for exactly what the framework doesn’t ship: hosting, setup labor, and education — not for security, which is the actual gap.
Hosting. At least 14 vendors offer managed OpenClaw hosting in a 12/month for a hardened, containerized droplet; typical self-hosted setups run $20–32/month all-in.
Setup labor. Fiverr and Upwork gigs run $20–5,000, with individual sellers reporting dozens to over a hundred completed orders — one Upwork listing is literally titled “Secure OpenClaw Setup w/ Sandboxing, Approvals,” which tells you exactly what buyers are asking for and not getting from the framework itself.
Education. One Udemy OpenClaw course from instructor Ankit Mistry has 9,827 students enrolled with an 880-review, 4.5-star track record; Skool communities charge $29–47/month at 114–270 paying members.
What nobody pays for through the official channel: skills. ClawHub, the official skills marketplace, lists 2,800–5,700+ skills with zero paid-listing mechanism — anyone can publish, nobody officially monetizes. Indie sellers make money anyway, reportedly $100–1,000/month off-platform through niche, vertical-specific automations.
That gap is also the security gap. Koi Security’s ClawHavoc research found 341 malicious skills that OpenClaw’s official scanner missed entirely. SecurityScorecard found over 40,000 internet-exposed OpenClaw instances, with more than a third flagged vulnerable. An eSecurityPlanet audit of 2,890 skills found 41.7% contained serious vulnerabilities, and 99.3% shipped with no permissions manifest at all — meaning a skill can request full access with no declared scope for an operator to check against. We wrote up the full picture in OpenClaw Security: Sandboxing, Approvals, and the Malicious-Skills Problem.
Then there’s pain with no product attached at all. Runaway token bills of 441,788 of tokens to a stranger after misreading decimals following a session reset — and no insurance product exists for exactly this failure mode. OpenClaw’s own creator, Peter Steinberger, estimated he was losing 20,000 a month running the project before OpenAI hired him in February 2026; Anthropic then blocked Claude subscription authentication from OpenClaw in April 2026, citing subscription-pricing abuse. A project in that financial position doesn’t have the runway to build a governance layer — which is exactly why third parties like NVIDIA’s free, open-source NemoClaw and Microsoft’s Azure/Defender guidance treating OpenClaw as an untrusted workload are stepping in around the edges rather than the core team shipping it.
The three markets, side by side
| Layer | Typical check size | Who pays | Who collects |
|---|---|---|---|
| Enterprise agent security | 25B per acquisition; enterprise contracts on top | Global 2000 CISOs, via platform vendors | Palo Alto Networks, CrowdStrike, Cisco, SailPoint, Check Point, F5, SentinelOne, Zscaler |
| Agent-ops / observability | 400M in funding rounds; ~$16M–low tens of millions ARR per vendor | Engineering teams building and shipping agents | LangSmith, Braintrust, Arize, ClickHouse (via Langfuse), CoreWeave (via W&B) |
| OpenClaw prosumer economy | 20–5,000 setup gigs; $29–47/month communities | Individual operators and solo builders | Hosting vendors, Fiverr/Upwork freelancers, course creators, indie skill sellers |
What does nobody sell yet?
Trusted execution — the layer that sits underneath all three markets and none of them fully cover. Mistral CEO Arthur Mensch named the missing pieces directly at a GTC 2026 panel: “identity management for agents, audit trails for agent actions, role-based access controls at the agent level, and centralized control planes.” Enterprise security vendors are assembling pieces of this through acquisition (identity here, non-human-credential management there), but no single acquired company owns the full stack. Agent-ops vendors log what happened after the fact; they don’t gate what an agent is about to do. And the OpenClaw prosumer economy pays for setup and hosting, but the operator who wants sandboxing and an approval step before an agent acts is the one posting a custom Upwork gig to get it — because the framework doesn’t ship it and nobody sells it off the shelf.
That’s the gap we wrote about when describing what mupot actually is: every model, asked to design safe agent operation from scratch, re-derives the same seven primitives — context, memory, tools, validation, approvals, tasks, agents — because that’s the inevitable shape of running agents safely, not a novel insight.
What we’re doing about it
We run our own multi-agent fleet on mupot, and we built it specifically to be the trusted-execution layer the data above says is missing: every agent’s consequential action passes a signed approval gate before it fires, every action is recorded in an append-only audit trail, and control is scoped per agent rather than granted wholesale. We didn’t build this because we predicted the gap — we built it because we hit it running our own agents, and the acquisition wave, the observability funding, and the OpenClaw setup-gig economy all point at the same unmet need from three different directions. This post is the receipt for that bet, not a pitch for it — the numbers above are what convinced us it’s the right one.
Sources
- https://techinformed.com/palo-alto-closes-cyberark-deal-adds-identity-pillar/
- https://www.csoonline.com/article/4114957/crowdstrike-to-acquire-sgnl-for-740m-expanding-real-time-identity-security.html
- https://www.checkpoint.com/press-releases/check-point-acquires-lakera-to-deliver-end-to-end-ai-security-for-enterprises/
- https://getlatka.com/companies/lakera.ai
- https://www.f5.com/company/news/press-releases/f5-to-acquire-calypsoai-to-bring-advanced-ai-guardrails-to-large-enterprises
- https://www.sentinelone.com/press/sentinelone-to-acquire-prompt-security-to-advance-genai-security/
- https://finance.yahoo.com/news/sentinelone-acquire-prompt-security-250m-182354008.html
- https://www.calcalistech.com/ctechnews/article/dy5obf581
- https://www.securityweek.com/sailpoint-to-acquire-entro-in-reported-200-million-deal/
- https://ir.zscaler.com/news-releases/news-release-details/zscaler-completes-acquisition-red-canary-accelerate-innovations
- https://noma.security/blog/noma-security-raises-100m-to-drive-adoption-of-ai-agent-security/
- https://www.securityweek.com/oasis-security-raises-120-million-for-agentic-access-management/
- https://www.prnewswire.com/news-releases/witnessai-raises-58-million-for-global-expansion-and-announces-new-ways-to-secure-ai-agents-302659319.html
- https://softwarestrategiesblog.com/2026/03/24/information-security-spending-2026/
- https://newsroom.ibm.com/2025-07-30-ibm-report-13-of-organizations-reported-breaches-of-ai-models-or-applications,-97-of-which-reported-lacking-proper-ai-access-controls
- https://fortune.com/2025/10/20/exclusive-early-ai-darling-langchain-is-now-a-unicorn-with-a-fresh-125-million-in-funding/
- https://www.axios.com/pro/enterprise-software-deals/2026/02/17/ai-observability-braintrust-80-million-800-million
- https://arize.com/blog/arize-ai-raises-70m-series-c-to-build-the-gold-standard-for-ai-evaluation-observability/
- https://clickhouse.com/blog/clickhouse-acquires-langfuse-open-source-llm-observability
- https://www.helicone.ai/blog/joining-mintlify
- https://www.coreweave.com/blog/coreweave-completes-acquisition-of-weights-biases
- https://claude.com/blog/agent-view-in-claude-code
- https://github.com/builderz-labs/mission-control
- https://marketplace.digitalocean.com/apps/openclaw
- https://www.upwork.com/services/product/development-it-secure-openclaw-clawdbot-setup-on-vps-mac-mini-cloud-multi-agent-2024440038048071533
- https://www.udemy.com/user/ankitmistry/
- https://github.com/openclaw/clawhub
- https://medium.com/@0xmega/the-clawhub-skill-economy-how-builders-are-making-600-20-000-month-selling-ai-agents-0b56d4aede5e
- https://www.koi.ai/blog/clawhavoc
- https://securityscorecard.com/blog/how-exposed-openclaw-deployments-turn-agentic-ai-into-an-attack-surface/
- https://www.esecurityplanet.com/threats/over-41-of-popular-openclaw-skills-found-to-contain-security-vulnerabilities/
- https://news.ycombinator.com/item?id=46838946
- https://cointelegraph.com/news/openai-employee-s-ai-agent-accidentally-sent-442k-to-beggar
- https://www.the-ai-corner.com/p/openai-openclaw-peter-steinberger-lessons
- https://techcrunch.com/2026/02/15/openclaw-creator-peter-steinberger-joins-openai/
- https://venturebeat.com/technology/anthropic-cuts-off-the-ability-to-use-claude-subscriptions-with-openclaw-and
- https://nvidianews.nvidia.com/news/nvidia-announces-nemoclaw
- https://www.microsoft.com/en-us/security/blog/2026/02/19/running-openclaw-safely-identity-isolation-runtime-risk/
- https://newclawtimes.com/articles/openclaw-enterprise-security-governance-challenges-gtc-2026-huang-mensch-chase/