Security News Koi to join Palo Alto Networks: A Defining Moment

Khushal


As AI transforms workforce productivity, it has created a dangerous, unmanaged attack surface on every endpoint. These AI agents and tools—the "Agentic Endpoint"—operate with deep access to sensitive data, unrestricted permissions, and the ability to perform nearly any action, yet bypass traditional security controls. To close this gap, Palo Alto Networks® (NASDAQ: PANW) today announced it has entered into a definitive agreement to acquire Koi, the pioneer of Agentic Endpoint Security, giving enterprises the power to finally see and protect the AI-native ecosystem that defines modern work.

This is a notable move from Palo Alto Networks, mainly because it frames “AI agents + AI-adjacent endpoint components” as a distinct endpoint attack surface that classic EPP/EDR visibility doesn’t fully cover.

What was announced (dates matter)
On February 17, 2026, Palo Alto Networks said it entered into a definitive agreement to acquire Koi (an intent to acquire), positioning Koi as “Agentic Endpoint Security.” ([paloaltonetworks.com](https://www.paloaltonetworks.com/company/press/2026/palo-alto-networks-announces-intent-to-acquire-koi-to-secure-the-agentic-endpoint))
Koi’s own post the same day confirms it signed a definitive agreement to be acquired by Palo Alto Networks and describes the shift toward autonomous agents with privileged access on endpoints. ([koi.ai](https://www.koi.ai/blog/koi-to-join-palo-alto-networks-a-defining-moment))

Why “agentic endpoint” is different from traditional endpoint scope
From the press release language, the core point is that the risky things aren’t only “files that execute” anymore, but also endpoint-adjacent components and automation that can act with user (or even admin) reach, such as extensions/plugins/packages/scripts/model artifacts, plus agent frameworks that can be abused via identity/credential hijacking and API-driven actions. ([paloaltonetworks.com](https://www.paloaltonetworks.com/company/press/2026/palo-alto-networks-announces-intent-to-acquire-koi-to-secure-the-agentic-endpoint))

In other words: even if the endpoint is “clean” by classic malware definitions, an approved agent/toolchain can still become a high-impact data-mover and policy-bypasser if it’s misconfigured, overly-permissioned, or abused.

Where Palo Alto says it will land in their stack
Palo Alto Networks states that after the acquisition closes, Koi’s capabilities are intended to extend Prisma AIRS (their AI security platform branding) and also enhance Cortex XDR endpoint security with more visibility into this AI-related attack surface. ([paloaltonetworks.com](https://www.paloaltonetworks.com/company/press/2026/palo-alto-networks-announces-intent-to-acquire-koi-to-secure-the-agentic-endpoint))

Practical security takeaway (even before any integration ships)
Regardless of vendor, the defensive controls that usually matter most for “agentic endpoint” risk are still the fundamentals—applied to AI tooling and its supply chain:

  • Tighten least-privilege for agent tools (API tokens, OAuth scopes, local admin rights, filesystem access).
  • Treat browser extensions, plugins, package managers, and “silent updaters” as a governance problem (inventory + allow/deny + update controls).
  • Add monitoring for unusual “automation behavior” (mass file reads, credential access, bulk uploads, scripted data movement), not just malware execution.
  • Segregate work contexts where possible (separate profiles/containers/VDI for high-trust business data vs experimentation).
  • Use DLP / egress controls where appropriate, because a “legit” agent can still exfiltrate data if allowed.

Bottom line: the announcement is credible in the sense that endpoints are increasingly shaped by non-traditional, fast-changing components and autonomous tooling—but it’s still an “intent to acquire” announcement, and the real test will be what concrete controls and visibility PANW ships into Prisma/Cortex after close. ([paloaltonetworks.com](https://www.paloaltonetworks.com/company/press/2026/palo-alto-networks-announces-intent-to-acquire-koi-to-secure-the-agentic-endpoint))
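
The "automation behavior" monitoring item in the takeaway list above can be expressed as a small sliding-window detector. This is an added example, not part of the original post and not any vendor's product; the event format, process names, and thresholds are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

def build_sample():
    """Constructed telemetry: (epoch_seconds, process, action, detail).
    action: file_read (detail=path), cred_access (detail=store), upload (detail=bytes)."""
    events = []
    # Hypothetical agent process: sweeps a folder, touches a credential store, uploads.
    for i in range(40):
        events.append((1000 + i, "agent-helper", "file_read", f"/home/u/docs/report_{i}.docx"))
    events.append((1041, "agent-helper", "cred_access", "browser_login_db"))
    events.append((1045, "agent-helper", "upload", "52428800"))
    # Ordinary editor activity: one file re-read, one small upload.
    events.append((1002, "editor", "file_read", "/home/u/docs/report_1.docx"))
    events.append((1030, "editor", "file_read", "/home/u/docs/report_1.docx"))
    events.append((1050, "editor", "upload", "20480"))
    return sorted(events)

def detect(events, window=60, max_files=25, max_upload=10 * 1024 * 1024, cred_allow=()):
    """Flag per-process behavior inside a rolling time window (seconds).
    Thresholds are illustrative defaults, not tuned values."""
    recent = defaultdict(deque)      # process -> events still inside the window
    findings = defaultdict(set)      # process -> reasons it was flagged
    for ts, proc, action, detail in events:
        q = recent[proc]
        q.append((ts, action, detail))
        while q and q[0][0] < ts - window:   # expire events older than the window
            q.popleft()
        files = {d for _, a, d in q if a == "file_read"}          # distinct paths only
        sent = sum(int(d) for _, a, d in q if a == "upload")
        if len(files) >= max_files:
            findings[proc].add("mass_file_read")
        if action == "cred_access" and proc not in cred_allow:
            findings[proc].add("credential_access")
        if sent >= max_upload:
            findings[proc].add("bulk_upload")
            if len(files) >= max_files:      # many reads followed by a large upload
                findings[proc].add("read_then_upload")
    return {p: sorted(r) for p, r in findings.items()}

if __name__ == "__main__":
    for proc, reasons in detect(build_sample()).items():
        print(proc, reasons)
```

Counting distinct paths rather than raw read events keeps a process that re-reads one file from tripping the mass-read rule, and the window keeps slow, ordinary access over a workday below the threshold.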
