In a structural shift in enterprise infrastructure, organizations are embedding artificial intelligence into applications, automating workflows, integrating third-party packages, and scaling cloud environments at a velocity that would have been unimaginable even three years ago. The strategic imperative is clear: move fast, integrate deeply, and operationalize AI across the stack.
What is less clear is whether security governance is evolving at the same speed.
That tension defines the latest Cloud and AI Security Risk Report 2026 from Tenable (Tenable, 2026). The firm describes what it calls an “AI exposure gap” as the widening disconnect between how quickly organizations adopt AI and how effectively they understand the risks embedded in that adoption.
1. Critical Vulnerabilities in Third-Party Code Impact Level: Systemic
At the top of the risk hierarchy sits the software supply chain. 86% of organisations host third-party code packages containing critical severity vulnerabilities, and 13% have deployed packages with a known history of compromise. AI-driven development accelerates dependency sprawl as developers import libraries and frameworks to reduce build times and experiment with new capabilities. Each imported component extends the attack surface, and vulnerabilities embedded in upstream packages can cascade into production environments before security teams have visibility.
As AI accelerates development cycles, dependency sprawl intensifies. Developers integrate external libraries to reduce time-to-deployment, but each imported component extends the enterprise attack surface. When vulnerabilities exist upstream, they are inherited downstream, often before security teams have full visibility.
The risk is systemic because it embeds itself deep within production environments.
2. Over-privileged AI Services with Administrative Access Impact Level: High Privilege Escalation Risk
Nearly one in five organizations has granted AI services administrative permissions that are rarely audited, effectively creating highly privileged machine identities that operate with broad access across cloud environments.
Non-human identities such as AI agents and service accounts now represent a greater aggregate risk than human users, reflecting the reality that machines increasingly hold persistent credentials and operational information. They increasingly operate with elevated privileges across cloud infrastructure. If compromised, these systems provide attackers with ready-made escalation paths.
Machines are no longer passive tools. They are active identities with authority, and that authority is often poorly governed.
3. Non-Human Identities Outpacing Human Risk Impact Level: Structural Identity Drift
Non-human identities, including AI agents, service accounts, and automated workflows, now pose a higher aggregate risk than human users, at 52% compared with 37%.
Traditional identity governance models were designed around human authentication and behavior monitoring. They are not optimized for environments where machine identities proliferate continuously, often with broad and persistent permissions. As AI adoption expands, identity sprawl becomes a silent multiplier of exposure.
4. “Ghost” Secrets and Dormant Administrative Credentials Impact Level: Invisible Access Pathways
Nearly two-thirds (65 percent) of organizations have unused or unrotated cloud credentials, often referred to as ghost secrets. Seventeen percent of those are tied to critical administrative privileges. Nearly half of the identities with excessive permissions are dormant.
Dormant credentials rarely trigger alarms. They sit quietly inside complex cloud estates, becoming exploitable footholds. Attackers do not always need sophisticated exploits when administrative access has been forgotten.
This category ranks high because it reflects a visibility failure rather than a single technical flaw.
5. Fragmented Visibility Across AI, Cloud, and Identity Layers Impact Level: Compounded Exposure
Underlying all other risks is a broader governance problem. AI systems are embedded across applications, infrastructure, identities, and data, yet many security teams lack unified visibility across these layers.
As Liat Hayun, senior vice president of product management and research at Tenable, noted, “AI systems embedded in infrastructure pose a critical risk that CISOs and defenders must address. Lack of visibility and governance means teams are at the mercy of new exposures, including overprivileged identities in the cloud.”
The absence of a consolidated exposure management approach allows individual risks to combine into realistic attack paths that fragmented tools struggle to detect.
Bottom Line
The AI exposure gap is not defined by a single vulnerability or misconfiguration. It is the cumulative effect of accelerated AI integration, inherited supply chain risk, machine identity sprawl, and fragmented oversight.
Organizations are building intelligent systems at scale. But unless governance models evolve to match machine speed, innovation will continue to outpace control.