Runlayer Raised $30 Million to Sit Between Your AI Agents and Everything They Can Touch

Runlayer, a New York startup that sells a control layer for corporate AI agents, said this week it raised a $30 million Series A. Felicis led the round, with Khosla Ventures coming in alongside. That brings the company's total funding to $42 million, about eight months after it left stealth with an $11 million seed.

The money is the easy part to report. The harder questions are what the company actually sells, whether the problem it describes is real, and whether the product does what the marketing says. The first two have clear answers. The third does not, yet.

What it actually does

Modern AI agents do not just answer questions. They take actions: read a database, file a ticket, open a pull request, refund a customer. They reach those systems through tool calls, and more and more through the Model Context Protocol, an open spec (originally published by Anthropic) that standardizes how an agent connects to an outside tool or data source. MCP is useful for exactly the reason it is risky. It turns a model that can talk into a model that can do, and every connection it opens is a door into something that matters.

Runlayer's product sits in front of those doors. The company describes a single control plane that handles identity, permissions, and policy enforcement for agents, plus audit logs and real-time visibility into what each agent did. The core piece is an MCP gateway: instead of every team wiring its own agents directly into internal systems, traffic routes through Runlayer, which checks who the user is, who their agent is, and what both are allowed to touch. Runlayer calls the platform model-neutral and says it covers the five to twenty AI clients a typical enterprise already runs, including IDEs, chat clients, vertical AI apps, standalone agents, and Salesforce's Agentforce.

Two terms worth translating once. A "shadow MCP" is an agent connection someone stood up without telling security, the agent-era version of shadow IT. "Intent drift" is when an agent starts doing something other than the task it was given, whether through a bug, a bad tool result, or manipulation. Both are real failure modes, and neither shows up in a traditional firewall log, because the traffic looks like ordinary API calls.

The threat list, and the asterisk

Here is where a reader should slow down. According to Runlayer, the platform can identify and block prompt injection, tool poisoning, data exfiltration, output manipulation, intent drift, shadow MCPs, and unmanaged agents.

That is a strong list. It is also, for now, a claim. Runlayer has not published a methodology, a test set, or a block rate, and "blocks prompt injection" earns an asterisk no matter who says it. Prompt injection (feeding an agent hidden instructions through the data it reads) is an open research problem, and nobody has a clean solution. You do not eliminate it. You shrink the blast radius: scope what the agent can reach, require human approval for sensitive actions, and log everything so you can reconstruct what happened.

The honest read is that most of what Runlayer describes is exactly that kind of containment. Identity scoped per tool, approval workflows, audit trails, and discovery of connections nobody registered are all sound engineering, and they are the parts of the pitch that hold up. The word "block" is doing marketing work the methodology has not yet earned. For a security product, the block rate against a named benchmark is the number that decides whether it works, and that number is not in the announcement.

Why the money showed up anyway

Investors are not betting on the benchmark. They are betting on the timing. Runlayer named a customer list that is unusually concrete for a company this young: Instacart, Gusto, Decagon, Opendoor, dbt Labs, AngelList, Lemonade, and what it describes as a number of Fortune 500s. Fortune reported that Vinod Khosla wanted "every available dollar" of the round. The cash is going to engineering and go-to-market hiring, per the company.

It is also not the only check being written against this thesis. NewCore left stealth on June 15 with $66 million aimed at giving AI agents verifiable identities, a closely related problem. The category forming here is the boring but necessary plumbing of the agent era: who is this agent, what is it allowed to do, and how do you prove what it did afterward. The demand is not hypothetical. Attackers are already treating agents as the target, not just the tool. Earlier this month a self-propagating campaign planted repository config files designed to fire when a project was opened in an AI coding assistant, which is the same attack surface Runlayer is trying to wrap.

Co-founder and CEO Andrew Berman framed the bet plainly: the future, he said, "is not a handful of power users experimenting with agents, but entire workforces operating alongside them." That part is probably right. Whether Runlayer's controls hold up under a real adversary is the thing to watch, and it is the thing no press release can answer.