Executive Summary

Key Numbers

Sources: Fortune, 2026 · Okta, Gartner, Anthropic, and others

Four numbers compress the backdrop to this investment: the size of the round, the share of companies already running agents without any way to control them, the scale of forced shutdowns that governance failures will trigger, and the adoption speed of the protocol that underpins all of it.

Start with the deal. Runlayer is a New York company that came out of stealth in November 2025. This $30 million Series A brings its total raised to $42 million. Felicis Ventures led the round, with Khosla Ventures participating. According to Fortune, Vinod Khosla said he wanted to buy every dollar of the round. It is unusual for an early investor to want the entire round, and it signals just how highly he rates the position this company holds.

The founders' track record explains that position. CEO Andrew Berman is a three-time founder. He started the baby-monitor company Nanit and built the AI video-meeting tool Vowel, which he sold to Zapier in 2024. Co-founder Tal Peretz is the person who stood up Zapier's MCP integration in just two days and turned it into the company's fastest-growing product. The advisor list includes David Soria Parra, who designed MCP. These are the people who have watched, from the closest possible vantage point, the junction where agents connect to tools.

The name Felicis's Jake Storm gave the company cuts to the core. "It's a Swiss business. No platform can own this. A neutral control layer is absolutely critical." Companies do not want to be locked into a single AI vendor. Whether it is OpenAI, Anthropic, or Google, a company runs several models and keeps swapping them out. On top of all of them, it needs a neutral zone that records and controls, in one place, who accessed what. That is the seat Runlayer is aiming for.

The picture CEO Andrew Berman paints goes like this. "Every employee will delegate their work to swarms of agents, as a core part of how work gets done." The catch is in the next sentence. "The challenge is that most companies still do not have a secure, scalable way to make that possible. That is the problem Runlayer exists to solve." In other words, what Runlayer sells is not the agents themselves, but the safeguards that let a company turn them loose with confidence.

Runlayer is a governance control layer that sits between employees and AI tools. For an agent to reach internal systems, it has to pass through this layer. At that junction, the company decides who can use which agent to access what, watches it in real time, and keeps a record. The core capabilities group into four.

• • MCP gateway and catalog — securely connects more than 18,000 MCPs to the enterprise. Which tool which person may use is decided at this gateway.
• • Shadow AI detection — catches unapproved agents, MCPs, and plugins running quietly in the background. The biggest threat is the usage no one can see.
• • Access control and identity management — sets the access scope, OAuth permissions, and runtime conditions per user and per agent. Agents get permissions the same way people do.
• • Real-time security scanning — inspects tool calls, outputs, intent, and sensitive data in real time to block prompt injection, tool poisoning, and data exfiltration.

The customer roster shows this is real demand. Twelve unicorns use it — Instacart, Gusto, Opendoor, dbt Labs, AngelList, and Lemonade among them — and so does a Fortune 500 bank running 100,000 employees across 200,000 devices. When a bank adopts agents, the first question it asks is not "Is this smarter?" but "Can we prove what this touched?" What Runlayer sells is exactly that provability.

The timing of this investment is no accident. Two currents ripened at once. First, the way agents connect to tools converged on a single standard. MCP (Model Context Protocol), which Anthropic open-sourced in November 2024, passed 97 million monthly SDK downloads and 81,000 GitHub stars by 2026. In December 2025, Anthropic donated the protocol to a foundation under the Linux Foundation, with OpenAI, Google, Microsoft, and AWS joining as co-founders. MCP has effectively become the industry standard.

A standard means a single junction that everything passes through. Once every agent connects to tools the same way, it finally becomes possible to control and record those connections in one place. That is why Runlayer started as an MCP-focused product and is widening into a company-wide interoperability layer. When the road gets standardized, the tollgate on that road acquires value.

Second, the governance gap reached a danger line. In Okta's "AI at Work 2025" survey, 91% of enterprises were already running AI agents, but 44% had no governance framework whatsoever. Gartner expects that by 2027, 40% of enterprises will be forced to take agents offline because of governance failures. Adoption is fast, the tools to control it are missing, and that gap is what makes the market.

So Runlayer is not the only one eyeing this seat. Incumbent security giants like Wiz, Palo Alto Networks, and Okta are all bolting on agent governance features, because they see this becoming the gateway to the IT security budget. Market estimates back that read. The agentic AI security segment alone is projected to grow from $1.65 billion in 2026 to $13.52 billion in 2032 — more than eightfold in six years. Whoever takes the seat first holds the gateway to that budget. Runlayer's differentiation claim is a single, model-neutral and platform-neutral layer — the "Swiss" position Storm described.

Step back, and the direction the capital moved becomes clear. Not a smarter model. The ability to record which data an agent touched and what it did. Model intelligence levels off and gets replaced quickly, but a record of behavior, once it starts to accumulate, becomes an asset the company cannot strip away. The reason Khosla wanted the entire round and the reason Felicis called it "Swiss" both point to this one thing.

For people who work with data, this trend is the next chapter of a familiar proposition. Until now, data governance was something that happened inside the database — recording who queried which table, and under what permission they saw which rows. But once agents start calling tools on people's behalf, the new object of governance is no longer the database; it is the agent's behavior log. Beyond who reached the data, you now have to prove which agent reached it, and with what intent.

The concern that has driven Pebblous to talk about "AI-Ready Data" sits in the same place. Data an agent can trust is data whose provenance, quality, and rights are traceable. Only when behavior is recorded at the junction where an agent reaches that data can the data be used as a safe asset. Runlayer's $30 million is a signal that this junction has started to carry a price. Models have grown expensive, and the ability to know what a model did is only now beginning to grow expensive too.

Industry Coverage

• 1.Fortune. (2026). "Exclusive: Vinod Khosla, Felicis back Runlayer's $30M raise for enterprise AI." Fortune.
• 2.SecurityWeek. (2026). "Runlayer Raises $30 Million in Series A Funding." SecurityWeek.
• 3.TechStartups. (2026). "Venture Capital Startup Funding Roundup — June 24, 2026." TechStartups.
• 4.TechCrunch. (2025). "MCP AI agent security startup Runlayer launches with 8 unicorns." TechCrunch.

Official Sources & Market Research

• 5.Runlayer. (2026). "Runlayer — Security and governance for enterprise AI." Official site.
• 6.Okta. (2025). "AI at Work 2025" — 91% of enterprises use AI agents, 44% lack any governance framework.
• 7.Gartner. (2025). Forecast that by 2027, 40% of enterprises will be forced to take agents offline due to governance failures.
• 8.Anthropic. (2024–2025). Open-sourcing of the Model Context Protocol (MCP) and its donation to a Linux Foundation foundation.