Tenable Cloud Warns of Zero-Margin AI Security Gap
News Desk

Tenable Cloud has released its Cloud and AI Security Risk Report 2026, highlighting what it calls a zero-margin AI exposure gap. The research shows organizations are inheriting cyber risks faster than they can address them.

According to Tenable Cloud findings, engineering velocity driven by AI adoption, third-party code and rapid cloud scale has surpassed the human-led ability to assess, prioritize and remediate risks before threat actors exploit them. As a result, exposure is expanding across applications, infrastructure, identities, agents and data.

The report identifies this AI Exposure Gap as a largely invisible risk. Moreover, most security teams are not equipped to manage it effectively. Tenable’s analysis of cloud environments outlines severe risks across four core areas: AI security posture, supply chain attack vectors, least privilege implementation and cloud workload exposure. Therefore, the company urges immediate action.

Key findings reveal that 70% of organizations have integrated at least one AI or Model Context Protocol (MCP) third-party package. Consequently, AI is now deeply embedded in applications and infrastructure, often without centralized security oversight.

In addition, 86% host third-party code packages with critical-severity vulnerabilities. This makes the software supply chain a persistent source of cloud exposure. Furthermore, 13% have deployed packages with a known history of compromise, including the s1ngularity or Shai-Hulud worms.

The report also states that 18% of organizations have granted AI services administrative permissions that are rarely audited. This creates what Tenable describes as a “pre-packaged” catalog of privileges for attackers to exploit.

Meanwhile, non-human identities such as AI agents and service accounts now represent higher risk at 52%, compared with 37% for human users. These identities form what the report calls “toxic combinations” of permissions and access that fragmented security tools fail to connect.

Additionally, 65% of organizations possess “ghost” secrets, defined as unused or unrotated cloud credentials. Of these, 17% are tied to critical administrative privileges. At the same time, 49% of identities with critical-severity excessive permissions are dormant.

Liat Hayun, Senior Vice President of Product Management and Research at Tenable, said AI systems embedded in infrastructure pose a critical risk that CISOs and defenders must address. She added that security leaders must also anticipate emerging threats from both AI and cloud technologies. According to Hayun, lack of visibility and governance leaves teams exposed to risks such as over-privileged identities in the cloud. She noted that by focusing on the unified exposure path, organizations can move away from managing “security debt” and instead manage actual business risk.

To manage emerging threats, the report recommends securing the AI integration process through comprehensive visibility and identity-centric controls. This includes enforcing least privilege for AI roles, neutralizing ghost identity risk and eliminating static secret exposure. Furthermore, organizations are advised to treat third-party code and external accounts as extensions of their infrastructure. As a result, they should unify visibility across code packages, virtual machines, identity access and cloud environments to reduce extended supply chain exposure.

The 2026 Cloud & AI Security Risk Report presents findings from the Tenable Research team. It is based on anonymized telemetry collected from diverse public cloud and enterprise environments between April and October 2025, with AI findings extended through December 2025.

Exposure Management, as defined in the report, is the practice of identifying, evaluating and prioritizing risks across all potential attacker entry points. This includes software vulnerabilities, misconfigurations, excessive user privileges, cloud security gaps and shadow assets created by AI and third-party supply chains.

The report is available for download, along with a related blog post published by the company. Overall, the Tenable Cloud analysis underscores the growing urgency for unified exposure management across AI and cloud environments.