Matter-boundary runtime firewall that simulates every legal AI agent action before it can open, export, or email privileged documents.

1. Tenet says more than one hundred enterprise environments already show thousands of potentially exposed agents, which means firms do not need to believe in a future market; the exposure base already exists.
2. A legal-sector customer scaling from two to more than twenty agents while blocking more than ten attacks suggests law firms are crossing the threshold where spreadsheet governance and manual reviews stop working.
3. The cluster shows pre-execution simulation with explanation traces is operational now, making it newly possible to build a legal-specific control layer instead of relying on post-incident forensics.
4. Agents are already framed as high-privilege autonomous workers serving systems with more than 24 million end users, so buyers can justify runtime controls using the same risk language they use for human privileged access.
5. Seed financing and explicit go-to-market expansion indicate runtime security has become a funded category, reducing buyer skepticism that this is merely an R&D concern.

Catalyst. Tenet's source reports show legal-sector customers scaling from two to more than twenty live agents while attempted attacks are already being blocked, turning runtime control from a future requirement into a current production go-live gate.

The product sits between legal AI agents and systems such as iManage, NetDocuments, Microsoft 365, and Relativity through API proxies and scoped credentials. Before an agent can open a workspace, export a document set, email an attachment, or run a bulk retrieval, the platform simulates the intended action against matter metadata, ethical walls, client restrictions, and recent conversation context. High-risk actions are blocked or routed for human approval with an explanation trace that shows exactly which policy fired. Security and knowledge teams get a replayable audit trail of every attempted agent action plus a shadow mode that surfaces over-permissioned agents before production cutover. Because the wedge is pre-execution and matter-aware, it catches failures that generic DLP, IAM, and post-hoc logs miss.

What's different. Horizontal agent-security platforms will focus on generic policies across many apps, while legal AI vendors mostly optimize drafting, retrieval, or workflow speed and leave security to the customer. This company wins by owning the matter-policy graph itself: client walls, privilege rules, workspace boundaries, and outbound document actions. That makes the product legible to both the CISO and the knowledge team and gives it a data moat in blocked-action traces and matter-specific policy outcomes that generic DLP vendors will struggle to replicate.

Jobs to be done

flowchart LR
  Buyer[Law firm innovation and security team] --> Pain[Privileged agents can cross matter boundaries]
  Pain --> Product[Matter-boundary runtime firewall]
  Product --> Outcome[Production-safe legal agents with audit trails]

Executive takeaways

• Legal AI has crossed from experimentation into production-adjacent workflow deployment; Akin’s 65-million-document rollout and multiple surveys make the governance problem immediate, not hypothetical [11][30][32][33][35].
• The core pain is boundary control, not model access: ethical walls, privilege review, Graph permissions, and prompt defenses sit in separate control planes today [5][10][13][15][20][21][22].
• A neutral, matter-aware runtime layer still has whitespace because legal incumbents secure their own stack fragments, while horizontal AI-security vendors are not built around privilege semantics by default [10][13][15][50][54][56][59][63].
• Regulatory and privilege pressure is tightening: ICO, SRA, and EU AI Act guidance all push toward documented oversight, while UK legal commentary treats careless use of open AI tools as a live confidentiality problem [72][74][75][78].
• Competitive intensity is already meaningful because AI-security consolidation is accelerating, but the category is still early enough for a vertical wedge if it wins the production-readiness gate first [1][46][58][59][63][69].

Market definition

This market is not generic AI governance. It is pre-execution runtime control for legal AI agents that can search matters, open or export documents, and send or share privileged content across iManage, NetDocuments, Relativity, and Microsoft 365 [5][10][13][15][17].

Customer and buyer

The most credible first buyer is a large law firm or ALSP security, knowledge, or innovation leader who already runs AI inside a system of record and now needs a go-live control layer that satisfies both IT risk and client confidentiality expectations [4][11][32][33][39].

Buying triggers

• A pilot expands into real matter workflows and the firm needs a production-safe way to keep AI inside the existing DMS and review perimeter. [11][30][35]
• Client confidentiality or privilege concerns become concrete during security review, especially after guidance warns against careless use of external AI systems. [72][75][78]
• Security teams discover that agents have broad mail, document, or search permissions and are exposed to indirect prompt injection or tool misuse. [20][21][22][25][26]
• Legal operations face rising workload and budget more tech because manual review no longer scales. [32][33][39]

Willingness to pay

Budget formation looks plausible because legal teams are already increasing AI spend, expect material productivity gains, and are turning legal AI platforms into strategic workflow infrastructure rather than side experiments. [33][34][46][50]

Category dynamics

Growth signal Active GenAI use in legal organizations roughly doubled year over year in 2025, while reported corporate legal usage reached 87% in 2026.

Validation signals

• iManage’s installed-base scale and Am Law penetration imply a concentrated ecosystem for a focused go-to-market motion.
• Akin’s firmwide NetDocuments rollout shows large firms are already willing to operationalize embedded AI on sensitive repositories.
• Legal professionals using GenAI have moved from a fringe minority to a material share of the market.
• Corporate legal departments report heavy demand growth and continued intent to invest in technology.
• The Harvey–iManage integration shows the legal AI stack is becoming interconnected enough for a cross-system control point to matter.

Regulatory & technical constraints

• The product must enforce least privilege because Graph and Exchange application permissions can otherwise over-authorize autonomous workflows.
• Deployments must satisfy data-protection, confidentiality, and human-oversight expectations rather than treating AI as an ordinary SaaS feature.
• Indirect prompt injection from documents, email, and other retrieved content is now a first-class threat in agentic workflows.
• The architecture should preserve in-system auditability instead of moving sensitive content into a separate uncontrolled workspace.

The competitive set splits three ways: horizontal AI-security vendors (Prompt Security, Lakera, Zenity, Noma), cloud-native incumbents (Microsoft Purview and Copilot Control System), and legal workflow vendors that already own permissions or content systems (iManage, NetDocuments, Relativity, CoCounsel). The opening exists only if the startup is materially better at matter-aware, cross-system pre-execution blocking than each class’s native controls [5][10][13][15][16][17][50][54][56][59][63].

Why incumbents do not win by default

• Cloud platforms. Microsoft can bundle DLP, identity, and Copilot governance at massive distribution scale, but those controls are mostly scoped to the Microsoft stack and generic policy objects rather than legal matter walls.
• Legal DMS and eDiscovery. iManage, NetDocuments, and Relativity already own permissions, ethical walls, and privileged review in their own systems, but they do not yet provide a neutral action gate across the whole legal agent workflow.
• Legal AI applications. Harvey and CoCounsel can secure their own experiences, yet firms increasingly run multiple apps and connectors; the unsolved problem is cross-agent, cross-repository enforcement.
• Horizontal AI security. Prompt Security, Lakera, Zenity, and Noma address agent and LLM risk broadly, but legal-specific privilege semantics are not their default product wedge.

Matter-boundary Agent Firewall should start as an iManage-plus-Microsoft 365 runtime control layer for Am Law 200 firms, not as a general AI governance suite or a full legal AI application. The first customer is a large law firm with a centralized innovation or knowledge team, at least three live or imminent matter-workflow agents, and a security review blocking broader production rollout until agent actions can be audited and constrained before execution. The product wedge is to simulate and gate a narrow set of high-risk actions such as workspace open, bulk export, outbound email, and cross-matter retrieval using existing matter, ethical-wall, and privilege metadata. This beachhead is attractive because the research shows legal AI is moving into production-adjacent use, while incumbent controls remain split across DMS permissions, Microsoft governance, and app-specific safeguards. The company should sequence shadow mode first, blocking second, and broader workflow automation only after it proves low false positives and acceptable deployment effort in one DMS ecosystem. Market inputs support a focused but narrow initial opportunity at roughly $175.0M TAM, $50.0M SAM, and $4.4M modeled year-3 SOM, so venture upside depends on winning the legal go-live control point and then expanding to adjacent high-privilege knowledge workflows. The biggest disconfirming risks are that integrations become services-heavy or buyers accept bundled Microsoft or DMS controls as sufficient. Public inputs do not show actual standalone pricing acceptance or stable cross-system metadata coverage in production, so those gaps must be resolved in the first six pilots.

Problem

• Large law firms are operationalizing AI inside document, email, and discovery systems, but autonomous agents can inherit enough access to cross matter, client, or privilege boundaries before a human intervenes.
• Existing controls live in separate DMS permissions, ethical walls, Microsoft governance, and post-hoc logging tools, so firms either keep agents read-only or accept a confidentiality risk they cannot defend to clients and internal risk committees.

Solution

• Insert a neutral runtime gate between legal AI agents and systems of record that simulates each high-risk action against matter metadata, ethical walls, privilege rules, and scoped credentials before execution.
• Start with shadow mode and approval-backed blocking for file open, export, email, and retrieval actions across Microsoft 365 plus one legal DMS so firms can clear production security reviews without replacing incumbent tools.

Why we win

• The product is built around legal matter and privilege semantics across systems, while Microsoft, DMS vendors, and horizontal AI-security firms each control only part of the workflow.
• The wedge attaches to a current buying event: moving from AI pilot to production in a setting where one boundary breach can stall firmwide rollout.
• Blocked and approved action traces can compound into a proprietary policy and evaluation dataset that improves detection quality and procurement credibility.

Milestones

flowchart LR
  Wedge[Am Law iManage + M365 wedge] --> MVP[Shadow-mode and action-gating MVP]
  MVP --> Proof[Blocked-risk evidence and production approvals]
  Proof --> Expansion[Second DMS, more workflows, adjacent verticals]

Founding team

Experiment roadmap

Risk assessment

What must be true

• At least half of qualified target firms must plan to move legal agents into production workflows within the next 12 months.
• Microsoft 365 plus iManage metadata must support accurate matter-boundary decisions without more than 4 weeks of deployment work for most pilots.
• The product must show pilot-to-production conversion of 50% or better at price points that support at least $150k initial ARR.
• Live evaluations must prove the control layer catches meaningful boundary or prompt-driven violations that incumbent controls do not stop pre-execution.
• Early customers must expand from one governed workflow to multiple protected agents within 12 months, or the business will stall at narrow point solutions.

Open diligence questions

• Which exact action unlocks budget first: outbound email, bulk export, workspace open, or cross-matter retrieval?
• How often do target firms already have active agent rollouts versus still being in policy drafting and experimentation?
• Can iManage and Microsoft permission models be normalized into a productized policy graph without recurring custom services?
• What evidence makes a buyer choose a neutral runtime layer over Microsoft Purview, DMS-native controls, or legal AI vendor safeguards?
• How many agents and repositories does one production customer realistically protect in year 1 after the first workflow goes live?

Model sanity

• Revenue engine. Base-case Y3 revenue comes from 25 production customers by Q4Y3 at $195K blended recurring ARPU plus $40K paid pilot or onboarding revenue on each new logo.
• Must go right. The model assumes iManage-plus-M365 deployments fall to roughly four weeks and pilot-to-production conversion stays at or above the BP 50% threshold, or the sales-cycle sensitivity quickly consumes runway.
• Model breaks if. If price slips toward $180K and integrations stay services-heavy, the downside case turns cash negative before the next round even without a larger hiring plan.
• Next-round proof. Reaching 11 production customers by Q4Y2 with partner-sourced pipeline and visible multi-workflow expansion is the proof point that supports a seed round before the month-29 cash low point.

Scenarios

Sensitivity

flowchart LR
  TargetAccounts --> PaidPilots
  PaidPilots --> ProductionCustomers
  ProductionCustomers --> ARR[Subscription and module ARR]
  ARR --> GrossProfit
  GrossProfit --> Cash
  MatterMetadata --> DecisionAccuracy
  DecisionAccuracy --> PilotConversion
  PilotConversion --> ProductionCustomers

Flags: The company still depends on a narrow Am Law 200 plus iManage plus Microsoft 365 wedge, so a few delayed accounts materially move the model. · Base case assumes buyers keep paying for a neutral control layer instead of accepting Microsoft or DMS-native governance as good enough. · Gross margin only works if deployment becomes productized; any drift toward custom integration work pushes the downside case below zero cash.

• Document-system integration drag. iManage, NetDocuments, and e-discovery deployments are highly customized, which could make integration too slow and services-heavy. Mitigation: Start with the highest-risk outbound actions in Microsoft 365 plus the most common DMS APIs, ship shadow mode first, and productize policy templates from the first design partners.
• Conservative legal buying cycles. Law firms may agree the risk is real but still delay budget until more peers disclose incidents or clients demand controls explicitly. Mitigation: Sell against imminent go-live decisions and client security reviews, using blocked-action evidence and faster production approval as the near-term ROI story.
• Horizontal platform encroachment. Generic agent-security vendors could add simple legal connectors and try to bundle this use case into a broader control plane. Mitigation: Own the legal-specific policy graph, audit exports, and workflow semantics around privilege and ethical walls that horizontal vendors will find costly to model deeply.