Tenable (NASDAQ: TENB), the exposure management company, today released its Cloud and AI Security Risk Report 2026, highlighting a critical “zero-margin” AI exposure gap as organisations inherit cyber risks faster than they can mitigate them. Accelerated engineering velocity, driven by AI adoption, third-party code, and cloud-scale deployments, is outpacing human-led capabilities to assess, prioritise, and remediate risks before threat actors exploit them.

The report identifies the AI Exposure Gap—a largely invisible form of risk spanning applications, infrastructure, identities, agents, and data—that most security teams are ill-equipped to manage. Tenable’s research points to severe vulnerabilities across four core areas: AI security posture, supply chain attack vectors, least privilege implementation, and cloud workload exposure.

Key Findings from the 2026 Report

  • 70% of organisations have integrated at least one AI or Model Context Protocol (MCP) third-party package, embedding AI deeply into applications and infrastructure, often without centralised security oversight.

  • 86% host third-party code packages with critical-severity vulnerabilities, and nearly 1 in 8 (13%) use packages with a known history of compromise, such as those affected by the s1ngularity or Shai-Hulud worms.

  • 18% of organisations grant AI services administrative permissions that are rarely audited, creating a “pre-packaged” catalogue of privileges for attackers.

  • Non-human identities such as AI agents and service accounts now represent higher risk (52%) than human users (37%), forming “toxic combinations” of permissions that fragmented tools fail to correlate.

  • 65% of organisations maintain “ghost” secrets—unused or unrotated cloud credentials—17% of which are tied to critical administrative privileges.

  • 49% of identities with excessive critical permissions are dormant, representing latent risk.

“AI systems embedded in infrastructure pose a critical risk that CISOs and defenders must address, alongside emerging threats from both AI and cloud technologies,” said Liat Hayun, Senior Vice President of Product Management and Research at Tenable. “Without visibility and governance, teams are at the mercy of new exposures, including over-privileged cloud identities. By focusing on a unified exposure path, organisations can move from managing ‘security debt’ to managing real business risk.”

Recommendations for Managing Emerging Risks

Tenable advises organisations to secure AI integration through comprehensive visibility and identity-centric controls, including:

  • Enforcing least privilege for AI roles

  • Neutralising ghost identity risks

  • Eliminating static secret exposure

  • Treating third-party code and external accounts as extensions of organisational infrastructure

Unifying visibility across code packages, virtual machines, identity access, and cloud environments can reduce extended supply chain exposure and improve overall risk management.

About the 2026 Cloud & AI Security Risk Report

The report draws on anonymised telemetry collected from diverse public cloud and enterprise environments between April and October 2025, with AI-related findings extended through December 2025. The report underscores the importance of exposure management, which identifies, evaluates, and prioritises risks across all potential attacker entry points—ranging from software vulnerabilities and misconfigurations to identity risk and AI-generated shadow assets.

As AI and cloud adoption accelerate, organisations must proactively close gaps before attackers exploit them, prioritising visibility, control, and risk-informed decision-making.