Zscaler Makes Trust a Build-Time Requirement for AI

Its SPLX acquisition formalizes pre-deployment testing as part of Zero Trust strategy

In yesterday’s announcement of its acquisition of SPLX, Zscaler’s press release framed it as “securing the entire AI lifecycle on one platform.” But behind the phrasing is a real change in how security vendors are starting to think about trust.

Instead of applying Zero Trust only at runtime (when users or apps are accessing data), Zscaler is pushing those controls earlier, into the AI development process itself. This “shift-left” move means trust boundaries are being established before a model or agent ever runs in production.

“AI is creating enormous value, but its full potential can only be realized when it can be secured,” said Jay Chaudhry, Zscaler’s founder and CEO. “By integrating SPLX’s technology with the intelligence of the Zscaler Zero Trust Exchange, we can secure the entire AI lifecycle on one platform, giving customers the confidence to safely embrace AI.” 

What “shift-left trust” means

SPLX, a startup founded in 2023, built tools for AI asset discovery, automated red-teaming, and governance tagging. Zscaler plans to integrate those capabilities directly into its Zero Trust Exchange so that enterprises can identify, test, and govern AI systems during development.

In practice, this means Zscaler can scan code repositories and environments to locate AI and large language model assets, including shadow or unmanaged tools, giving companies a clearer inventory of what’s being built before deployment. 

It can also run simulated attacks such as prompt injections or data leaks on models in staging environments, exposing weaknesses before those models reach production. Finally, SPLX’s system attaches metadata and policies to AI assets to ensure provenance and compliance requirements are in place ahead of release.

Together, these mechanisms move the idea of “trust” from network access to model provenance. Rather than blocking untrusted access, Zscaler’s goal is to prevent untrusted development in the first place.

Context: Zero Trust meets DevSecOps

The idea of “shifting left” has existed for years in DevSecOps, where security testing and compliance checks are pushed earlier into the software pipeline. What Zscaler is doing is extending Zero Trust (traditionally about runtime access) into that same pipeline.

NIST’s updated Special Publication 800-207A and its AI Risk Management Framework both encourage organizations to apply Zero Trust principles to AI systems and software supply chains. The European Union’s AI Act also pushes for pre-deployment risk assessment and documentation.

These policies explain why vendors are now investing in governance and testing tools instead of relying only on runtime protection.

Zscaler’s broader AI strategy

The SPLX deal is Zscaler’s second major AI-related acquisition in 2025. In August 2025, it acquired Red Canary to expand AI-driven detection and response capabilities. Together, the two companies cover different halves of the AI security lifecycle: SPLX focuses on pre-deployment validation, while Red Canary strengthens runtime monitoring and remediation.

Zscaler’s newer Zscaler AI product line already offers prompt inspection, data-loss prevention for generative apps, and an AI audit trail. The SPLX acquisition adds the upstream piece those tools lacked.

Zscaler says its platform now processes more than 536.5 billion AI/ML transactions through the Zero Trust Exchange, according to its 2025 ThreatLabz AI Security Report. That telemetry gives it a large data foundation to train detection systems and validate governance rules.

Industry trend: securing the AI lifecycle

Other security vendors are moving in the same direction, though their approaches vary.

  • Palo Alto Networks acquired Protect AI to extend Prisma Cloud’s protection to the “entire AI lifecycle.”
  • CrowdStrike bought Pangea to build AI Detection and Response features within its Falcon platform.
  • SentinelOne acquired Prompt Security to provide visibility and control over generative-AI use in enterprises.


Each vendor is trying to unify data protection, runtime defense, and governance. Zscaler’s difference is emphasis: it’s embedding Zero Trust into the AI development layer, not only the runtime or endpoint layer.

Compliance and business pressure

Regulation is accelerating this shift. The EU AI Act introduces a risk-based classification for AI systems and requires documentation of testing and governance before deployment. In the U.S., the 2024 Executive Order on AI directs agencies to create guidance on red-teaming and safety evaluations.

Enterprises now need evidence that their AI systems were built, not just used, under security oversight. Embedding trust controls earlier simplifies compliance and auditability.

Analyst firms also see commercial momentum. Markets and Markets estimates the AI-in-cybersecurity market will reach about $60 billion by 2030, growing around 25–30% annually. Fortune Business Insights projects the broader AI-security segment will top $10 billion by 2027. Vendors are consolidating to meet that demand.

The trust paradox

As AI systems generate and act on more enterprise data, perimeter controls become less relevant. Organizations can no longer inspect every output; they must instead trust the process that produced it.

“Shift-left trust” reframes Zero Trust as a design principle rather than a runtime enforcement model. Trust is defined by how models are developed, tested, and documented, and not just by who can access them.

Zscaler still needs to integrate SPLX and prove these upstream controls work at enterprise scale. But the strategy points to where the market is heading.

Zero Trust began as a network concept. It is becoming a development discipline. For enterprises building and deploying AI, that may soon be the new baseline for security.

Mukundan Sivaraj
Mukundan covers the AI startup ecosystem for AIM Media House. Reach out to him at mukundan.sivaraj@aimmediahouse.com or Signal at mukundan.42.