As companies rapidly adopt AI and cloud tech, a new Tenable report warns of critical security risks emerging faster than teams can handle them

Tenable, a leading company in managing cyber exposure, recently released its Cloud and AI Security Risk Report 2026. This report uncovers a significant challenge for businesses: the ‘AI Exposure Gap.’ Simply put, companies are adopting new technologies like Artificial Intelligence (AI) and cloud computing so quickly that cyber risks are popping up faster than security teams can effectively handle them. This speedy adoption, fueled by AI and relying heavily on third-party code packages, creates a complex environment where vulnerabilities can easily be overlooked.

The report highlights that this ‘AI Exposure Gap’ isn’t always obvious. It shows up across various parts of a company’s digital setup – from applications and infrastructure to user identities and data. One major finding is the widespread use of third-party code: a staggering 86% of organizations host third-party code packages that contain critical-severity vulnerabilities. This makes the software supply chain a constant and major source of security risk for cloud environments, and some organizations even deploy packages known to have been compromised before.

AI itself introduces new layers of risk. Tenable found that 70% of organizations have integrated at least one AI or Model Context Protocol (MCP) third-party package. More concerning, 18% of companies have given AI services powerful administrative permissions, which are rarely checked. These ‘pre-packaged’ privileges become easy targets for attackers. The report also points out that non-human identities, such as AI agents and service accounts, now represent a higher security risk (52%) than human users (37%), often forming dangerous combinations of access that traditional security tools can’t detect.

Beyond AI, the report reveals other hidden dangers in cloud environments. A significant 65% of organizations possess ‘ghost secrets’ – these are unused or forgotten cloud credentials. Even worse, 17% of these ‘ghost secrets’ are linked to critical administrative privileges, essentially leaving a back door open for attackers. Furthermore, nearly half (49%) of identities with critically excessive permissions are actually dormant, meaning they’re not actively used but still pose a risk if compromised.

Liat Hayun from Tenable emphasizes that these embedded AI systems and over-privileged cloud identities are critical risks that security leaders must tackle. To manage these emerging threats, businesses need clear visibility into their entire system and strong controls focused on identities. This means making sure AI roles only have the permissions they absolutely need, getting rid of those ‘ghost’ identities, and securing static secrets. Since third-party code and external accounts are now part of a company’s infrastructure, unifying visibility across all these elements is key to reducing extended supply chain exposure.

Ultimately, Tenable advocates for ‘Exposure Management.’ This practice goes beyond just finding software bugs; it’s about identifying, evaluating, and prioritizing all potential entry points an attacker could exploit. This includes misconfigurations, excessive user privileges, cloud security gaps, and even the hidden assets created by AI and third-party supply chains. By adopting this holistic approach, organizations can shift from merely fixing problems to proactively managing actual business risk in an increasingly complex digital world.

 
