Natoma
Overview
Product details compiled from public sources, each with a citation.
- Vendor
- Natoma2
- Description
- Governed MCP gateway that treats AI agents as non-human identities, enforcing identity-aware authorization and per-tool policy over agent access to tools, with shadow-AI discovery and audit.2
- Deployment
- SaaS, Self-hosted2
- Status
- Acquired3
- Acquisition
- Acquisition by Snowflake announced 2026-05-27, pending close.3
Matrix Coverage
Where this product defends, by asset class and NIST CSF function. The Coverage column shows whether each asset is Primary, Secondary, or Adjacent to what the product does. The table omits empty rows and columns.
| Asset class | Identify | Protect | Coverage | Source |
|---|---|---|---|---|
| AI Orchestration Tools | Identify: Covered | Protect: Not covered | Secondary | 2 |
| AI Agent Identities | Identify: Not covered | Protect: Covered | Primary | 1 |
Framework Relevance
These frameworks include controls relevant to the asset classes Natoma defends. This is an editorial inference from the AI Defense Matrix asset-level crossmap, not a statement that Natoma implements these controls or is certified against them.
Expand Collapse
| Framework | Asset class | Relevant controls |
|---|---|---|
| NIST IR 8596 | AI Orchestration Tools | Agents as deployed artifacts (orchestration view; see AI Agent Identities row for the principal view); system prompts and templates |
| AI Agent Identities | Agents as autonomous principals; Keys; Integrations and permissions | |
| CSA AI Controls Matrix | AI Orchestration Tools | Application and Interface Security; Supply Chain Management |
| AI Agent Identities | IAM; Governance, Risk and Compliance | |
| ISO 42001 | AI Orchestration Tools | A.6 AI system life cycle; A.5 Assessing impacts of AI systems |
| AI Agent Identities | A.9 Use of AI systems; A.3 Internal organization; A.5 Assessing impacts of AI systems | |
| Google SAIF | AI Orchestration Tools | Secure the AI supply chain; application and pipeline security; agent orchestration controls |
| AI Agent Identities | Focus on Agents (explicit SAIF section); identity, authorization, and delegation controls | |
| SANS Critical AI Security Guidelines | AI Orchestration Tools | Secure Agentic Systems and AI Autonomy Controls (defined function scope; execution isolation; API and function-call gating); Limit Model Behavior (focused functionality; access controls outside the model) |
| AI Agent Identities | Secure Agentic Systems and AI Autonomy Controls (defined function scope; API and function-call gating; escalation and fallback); Limit Model Behavior (least-privilege focused functionality; human oversight; override capabilities) | |
| MITRE ATLAS | AI Orchestration Tools | AML.T0051 LLM Prompt Injection; AML.T0054 LLM Jailbreak; AML.T0016 Obtain Capabilities (malicious plugins) |
| AI Agent Identities | AML.T0053 AI Agent Tool Invocation; credential and delegation-chain abuse | |
| OWASP AI Exchange | AI Orchestration Tools | Development-time threats: agent framework supply chain; runtime threats: plugin abuse, prompt injection via tools |
| AI Agent Identities | Runtime threats: unauthorized agent actions, capability abuse, delegation chain exploitation | |
| OWASP LLM Top 10 | AI Orchestration Tools | LLM01 Prompt Injection; LLM05 Improper Output Handling; LLM07 System Prompt Leakage; LLM10 Unbounded Consumption |
| AI Agent Identities | LLM06 Excessive Agency; LLM05 Improper Output Handling; unauthorized actions by AI agents | |
| OWASP Agentic Security Top 10 | AI Orchestration Tools | ASI01 Agent Goal Hijack; ASI02 Tool Misuse and Exploitation; ASI05 Unexpected Code Execution (RCE); ASI07 Insecure Inter-Agent Communication; ASI08 Cascading Failures; ASI10 Rogue Agents |
| AI Agent Identities | ASI03 Identity and Privilege Abuse; ASI10 Rogue Agents; ASI09 Human-Agent Trust Exploitation; ASI02 Tool Misuse and Exploitation (when tied to agent permissions) |
Provenance
Last sourced 2026-06-09.
Expand Collapse
Changelog
-
Refined matrix coverage.
-
Enriched from Natoma documentation; recorded the Snowflake acquisition announced in May 2026, pending close.
Found an error? Corrections are welcome. Suggest an edit.
Product Strategy and Positioning
You can use the following frameworks to understand the product’s strategy and its competitive positioning. Performing this analysis is outside the scope of the AI Defense Matrix Catalog, but the following guidance can help you with such an assessment.
Expand Collapse
Product Strategy
Lenny Zeltser’s Guide to Creating Cybersecurity Products can help you understand key aspects of the product strategy. You can use your AI tool to gather the data and apply this framework.
- Market segment
- Who the product is built for: industry, size, and the persona who evaluates it.
- Go-to-market motion
- How it reaches buyers: top-down sales, bottom-up adoption, or open source.
- Pricing model
- How value is captured: per-seat, consumption, or outcome-based.
- Delivery and operations
- How it is deployed, configured, and maintained, including infrastructure-as-code and API coverage.
- Customer trust
- Certifications, transparency, and supply-chain security a buyer expects from the vendor.
- Ecosystem position
- A point solution, a platform others build on, or a component of a larger platform.
Strategy Defensibility
Ben Vierck’s rubric can help you assess the defensibility of the SaaS product’s strategy against competitive and other market forces. You can use it with your AI tool for a methodical analysis.
- Value delivery
- How much of the value is hard to replicate versus standard software a competitor could rebuild.
- Switching cost
- How costly it is to leave once deployed: integrations, data, workflow, and platform ties.
- Compliance moat
- Whether certifications or regulatory alignment are a durable advantage or table stakes for this buyer.
- Problem complexity
- How hard, adversarial, and fast-moving the underlying problem is to solve well.
- Buyer profile
- Who holds the budget, and how durable that demand is across the market.
- Layer
- Where the product operates: application, model, infrastructure, platform, or identity control plane.
- Proprietary data, content, or IP
- Whether it accumulates data, content, or IP that others would find difficult to replicate.