Tenable's recently released 2026 Cloud and AI Security Risk Report exposes challenges confronting organisations due to growing AI exposure gaps. As businesses rapidly adopt new technologies and integrate third-party code packages, their ability to manage resulting cyber risks struggles to keep pace.
The report highlights four major areas of concern: the security posture of AI systems, vulnerabilities in the supply chain, inadequate implementation of the least privilege principle, and exposure due to unmonitored cloud workloads. The findings reveal that these elements collectively represent a formidable challenge that demands action from security teams worldwide.
Key findings:
- Widespread Vulnerabilities: Eighty-six percent of organisations host third-party code with critical vulnerabilities, while one in eight have used compromised packages, offering hackers a gateway into their systems.
- Non-Human Identity Risks: With 52% of risk emerging from AI agents and service accounts, the "toxic combinations" of permissions are hard to track without cohesive tools.
- Ghost Secrets: Sixty-five percent of organisations possess dormant cloud credentials tied to crucial administrative tasks, raising the risk of unauthorised access.
- AI Administrative Permissions: Eighteen percent have granted AI services extensive privileges that lack rigorous oversight, providing attackers with ample opportunities.
These revelations underscore the importance of strong governance over AI and cloud technologies. As AI infiltration into supply chains accelerates with inadequate vetting, security systems must adapt. The invisible attack vectors arising from these gaps enable threat actors to covertly exploit weaknesses.
Tenable suggest that organisations should intensify their focus on exposure management by enforcing stringent visibility and identity-centric controls. This includes implementing the least privilege principle and addressing ghost identity risks to safeguard against security oversights. Steps such as consolidating visibility across code packages, virtual machines, identity access, and cloud environments can mitigate extensive supply chain exposure.
Tenable's report urges business leaders and security teams to embrace a unified exposure path. By integrating security tools and protocols holistically, companies can not only alleviate "security debt" but also manage tangible business risks more proactively.
The adoption of AI and cloud technologies presents a dual-edged sword for modern enterprises. While these innovations offer competitive advantages and efficiencies, they simultaneously expose critical vulnerabilities. By implementing robust exposure management practices and aligning security oversight with technological advancements, organisations can better protect themselves against the evolving threat landscape.
