UPDATE · 2026-05-29Prisma AIRS is what Portkey became after the Palo Alto Networks acquisition. If you were on Portkey directly, PANW is routing you into their enterprise procurement track.See the alternative →

Tokenality vs Prisma AIRS

Prisma AIRS is enterprise-only. Not everyone is.

Palo Alto Networks bought Portkey (May 29, 2026) and folded it into Prisma AIRS — the AI Runtime Security bundle sold alongside Prisma Cloud and Prisma Access. If your PANW rep is scheduling enterprise-procurement calls and you don't have a PANW security org, you need somewhere else to run. Tokenality is the purpose-built alternative — in stealth today; hosted design-partner access from $99/mo, same wire-level surface, Finance-audit-ready by default.

Migrating from Portkey directly? See the Portkey-branded migration page →

What Prisma AIRS is

PANW's AI Runtime Security suite, with Portkey inside.

Prisma AIRS existed as a PANW product line before the Portkey acquisition — an enterprise DLP + posture-management play for AI. The Portkey acquisition added multi-provider routing, cost observability, and semantic caching. Verify with your PANW rep for account-specific impact.

Owner

Palo Alto Networks (PANW)

Origin

Portkey acquisition, May 29, 2026

Deal size

~$700M-class (undisclosed exact)

Product line

Prisma AIRS = AI Runtime Security suite

Bundled with

Prisma Cloud + Prisma Access (SASE)

Pricing shape

Enterprise-only, undisclosed publicly

Buyer

CISO org, PANW procurement track

Deployment

PANW cloud / hybrid on-prem appliances

Migration path

Moving from Prisma AIRS to Tokenality

Roughly a half-day of guided engineering time. Config maps over from your existing Portkey (or Prisma AIRS-encoded) setup with a short mapping guide; SDK code stays the same. The differences show up as features you didn't have before.

1

Point your SDK at Tokenality

Same wire-level surface Portkey had — swap the base URL. Anthropic runs native; OpenAI, Google, Azure OpenAI, and Bedrock run through the governed proxy; 1,900+ more via OpenRouter and LiteLLM pass-through. Your existing SDK code works unchanged.

2

Import your Portkey config

Metadata mapping and route configs port with a short mapping guide; global rate limits carry over as gateway config. If your PANW rep is offering to migrate you to Prisma AIRS instead, take the exported config and bring it to us — the wire-level position is the same, and we'll walk the mapping with you.

3

Turn on the differences

Spend Tokens, binding-key envelope, PII pre-flight, SOC 2 evidence pack, per-project chargeback CSV — all one env flag away. None of these existed in Portkey; and while Prisma AIRS has security posture, it doesn't have Finance-audit-grade attribution or per-task chargeback.

4

Skip enterprise procurement

Design-partner access is available during stealth. Hosted from $99/mo at public launch when you want us to run it. Team at $499/mo when you need SSO. Enterprise at $999+/mo when you need BYOC + SOC 2 pack + dedicated CSM — but real Enterprise deals land $5k-$50k/mo, still well under whatever PANW's Prisma AIRS SKU comes with.

In stealthRequest design-partner access — hosted on our infra during stealth. An open-source Lite edition is planned for the post-stealth public launch; a self-host curl | bash installer will ship with it.

What to say in the room

The question comes from a specific seat. The answer should too.

Prisma AIRS is genuinely stronger on classic DLP security posture — that's where PANW has 20+ years of muscle. Tokenality is genuinely stronger on Finance-audit-grade cost governance and per-task attribution.

CFO

"Show me what we spent on AI last month, by project, by team — joinable to our GL."

Prisma AIRSBundled into a PANW spend line. Not per-project unless you buy specific Prisma Cloud add-ons for FinOps.
TokenalityChargeback CSV with GL codes + cost centers, joinable to Workday. Every row signed by the SSO sub, tied to a task in your tracker.

CHRO

"Who has access to AI, and what happens when someone leaves?"

Prisma AIRSBundled with your existing PANW SASE user directory — if you have one.
TokenalityHRIS connectors (BambooHR / Workday / Rippling) ingest joiners-movers-leavers today; automatic revocation from the leaver feed is on the near-term roadmap. Identity is in the token envelope, not on a list — one click revokes every key bound to a person.

PMO

"How much did the redesign sprint actually cost us in AI tokens?"

Prisma AIRSTag it in metadata and hope engineers remember. Prisma AIRS is a security bundle, not a PMO tool.
Tokenality--task PROJ-128 at key issuance — every commit on that key is tagged automatically.

CISO

"How do we prevent prompt injection, PII leaks, and jailbreaks at the gateway level?"

Prisma AIRSNative. This is Prisma AIRS's strongest pillar — DLP + runtime scanning + inline guardrails.
Tokenality12-detector PII pre-flight (fail-closed), MCP Axis-2 hardening cluster (allowlist + RBAC + attestation), spend-token binding-key envelope. Not the same coverage AIRS has for classic DLP — that's where AIRS wins on the security dimension.

The details

Capability-by-capability, where the postures diverge.

Use this when engineering + security + finance all need to see what actually differs.

Ownership + roadmap

CapabilityPrisma AIRS (PANW)Tokenality
Current ownerPalo Alto Networks (Prisma product line)Tokenality (ServiceVision) — independent, in stealth · Lite edition planned
Buying trackPANW enterprise procurement, CISO-ledDesign-partner access during stealth · $99 Hosted / $499 Team / $999+ Enterprise at public launch
Product roadmap directionAbsorbed into Prisma AIRS security suite, PANW-directedMid-market-first, weekly design-partner reviews, roadmap shared with partners
Data residencyPANW infrastructure (cloud / on-prem PANW appliances)Hosted on our infra; BYOC available at Enterprise; self-host option coming with the Lite edition

Posture

CapabilityPrisma AIRS (PANW)Tokenality
Primary buyerCISO org with existing PANW footprintCFO — pulls in CIO / CHRO / PMO
FrameAI Runtime Security — DLP + guardrails + postureToken Ledger — every token reconciled to person × project × task
What changes Monday morningSecurity team gets AI in the same panel as SASE / CASBFour awkward stakeholder questions stop being awkward

Cost governance

CapabilityPrisma AIRS (PANW)Tokenality
Hard budget capRate limits at the gateway (soft)Budget binding signed into the token; gateway fast-fails 402 before any LLM call
Per-project chargeback CSVNot first-class; bundle-level cost onlyFirst-class — GL codes + cost centers, joinable to Workday
Semantic cachingYes (from Portkey)Yes — CACHE-01 with envelope-aware credit accounting
Real-time burn-down per projectDashboardsHard counter — UI + ledger row + 402 response in one trip

Security posture

CapabilityPrisma AIRS (PANW)Tokenality
PII pre-flightYes — DLP is a PANW core competencyYes — 12 detectors, fail-closed
Prompt injection scanningYesOn the near-term roadmap — MCP Axis-2 hardening track (policy tables shipped; enforcement wiring in flight)
SASE integrationNative — same panel as Prisma AccessExternal via OTel + your existing SIEM
SOC 2 / ISO 27001 / ISO 42001 / NIST AI RMF evidenceCustom queries + PANW compliance moduleTwo-click evidence pack across all four frameworks

OSS + deployment

CapabilityPrisma AIRS (PANW)Tokenality
LicenseProprietary (PANW commercial)In stealth · design-partner deploys today; Lite edition self-host planned post-stealth
Self-hostEnterprise appliance option, not communityLite edition planned for post-stealth public launch
Governance transparencyWhatever PANW's security team ships in their release cycleWeekly design-partner reviews · 1,299+ tests · roadmap shared with partners

Honest take

When Prisma AIRS is genuinely the right answer.

If your team is already a PANW Prisma Cloud or Prisma Access customer, the AIRS bundle likely comes with your existing contract at minimal marginal cost — that's a real economic advantage. If your primary AI risk story is DLP, prompt injection, and jailbreak prevention as a security posture extension, Prisma AIRS shares operational context with your SASE and CASB in one PANW panel. That's a meaningful UX and IR advantage for a mature CISO org.

Tokenality is a different bet: AI cost and audit governance as a Finance-owned discipline, priced for teams that don't have PANW procurement, in stealth today with an open-source Lite edition planned. If you need both — enterprise security posture AND per-task Finance-audit-grade attribution — the honest answer is you run both. Neither one covers the other's core competency.

Skip the enterprise procurement cycle.

Same wire-level surface as what Portkey was — your existing SDK code works unchanged. Bring your own LLM keys. In stealth today with hosted design-partner access; an open-source Lite edition is planned for the post-stealth public launch.