Tenable Cloud and AI Security Risk Report 2026 flags exposure gap

A widening gap between AI adoption and risk control is reshaping cloud security. As third-party code, identities and automation expand, organisations are inheriting exposure faster than teams can detect and remediate it.

DQC Bureau
Tenable Research Reveals Growing AI Exposure Gap Fueled by Supply Chain Risks and Lack of Identity Controls

The Cloud and AI Security Risk Report 2026 finds that organisations are facing what it describes as a zero margin AI exposure gap. As engineering velocity accelerates through AI adoption, third-party code and cloud scale, cyber risks are accumulating faster than security teams can assess and remediate them.

The report states that this AI Exposure Gap is largely invisible. It spans applications, infrastructure, identities, agents and data. According to the findings, most security teams are not equipped to manage this expanding risk surface.

The research is based on anonymised telemetry from public cloud and enterprise environments collected between April and October 2025, with AI-related findings extended through December 2025.

Four high-risk security areas identified

The analysis highlights severe risks across four key areas:

  • AI security posture

  • Software supply chain attack vectors

  • Least privilege implementation

  • Cloud workload exposure

Each of these areas, the report notes, demands immediate attention.

Among the key findings:

  • 70 percent of organisations have integrated at least one AI or Model Context Protocol third-party package, embedding AI into infrastructure without central oversight.

  • 86 percent host third-party code packages with critical vulnerabilities.

  • 13 percent have deployed packages previously linked to compromise, including worms such as s1ngularity and Shai-Hulud.

  • 18 percent have granted AI services administrative permissions that are rarely audited.

  • Non-human identities account for 52 percent of higher-risk exposure compared to 37 percent for human users.

  • 65 percent possess unused or unrotated cloud credentials, with 17 percent tied to critical administrative privileges.

  • 49 percent of identities with critical excessive permissions are dormant.

The report suggests that dormant accounts, over-privileged AI services and unmanaged third-party packages are creating layered exposure across cloud environments.

Identity risk and toxic privilege combinations

A key structural issue identified is the rise of non-human identities such as AI agents and service accounts. These identities now represent higher risk than human users.

The report refers to “toxic combinations” of permissions and access that fragmented security tools fail to connect. Excessive privileges, especially when rarely audited, create ready-made attack paths.

Liat Hayun, Senior Vice President of Product Management and Research at Tenable, said AI systems embedded in infrastructure pose a critical risk that security leaders must address alongside emerging cloud threats. She stated that lack of visibility and governance leaves teams exposed to over-privileged identities and new forms of cloud risk.

She added that focusing on a unified exposure path allows organisations to shift from managing accumulated security debt to managing business risk.

Supply chain exposure deepens

Third-party code packages are identified as a primary and persistent source of cloud exposure. With most organisations hosting vulnerable packages, the software supply chain has become an extension of internal infrastructure risk.

The report argues that third-party code and external accounts should be treated as integral components of enterprise environments rather than external dependencies.

Managing exposure through visibility and control

The Cloud and AI Security Risk Report 2026 recommends an identity-centric approach to risk management. Key steps include:

  • Enforcing least privilege for AI roles

  • Neutralising ghost identity risk

  • Eliminating static secrets

  • Unifying visibility across code, virtual machines, identities and cloud environments

Exposure management, as defined in the report, goes beyond traditional vulnerability tracking. It includes misconfigurations, excessive privileges, cloud gaps and shadow assets created through AI and supply chains.

A structural imbalance in cloud and AI adoption

The report’s core argument is that organisations are inheriting exposure faster than they can remediate it. AI integration, third-party packages and cloud scale are accelerating innovation. But governance and visibility are not keeping pace.

The result is not a single vulnerability. It is an exposure gap embedded across systems, identities and infrastructure.

The Cloud and AI Security Risk Report 2026 positions this imbalance as the central security challenge for organisations operating in AI-driven cloud environments.
