AI, cloud adoption driving new surge in cyber exposure
Tenable has published new research linking faster adoption of AI and cloud services to rising security exposure from software supply chains and weak identity controls.
Its Cloud and AI Security Risk Report 2026 found that 86% of organisations had installed third-party code packages containing critical-severity vulnerabilities. It also found that 65% exposed high-value cloud assets through "ghost" credentials: unused or unrotated secrets that remain active in cloud environments.
Security teams are also under pressure from a growing number of non-human identities, including AI agents and service accounts. These identities now represent higher risk in 52% of organisations, compared with 37% for human users. The report also warned of "toxic combinations" of permissions and access that can go unnoticed when organisations rely on disconnected tools.
Supply chain risk
Third-party software packages have become a common way for development teams to add features quickly, including AI-related functions. The report found that 70% of organisations had integrated at least one AI or Model Context Protocol third-party package, embedding AI deeper into applications and infrastructure without central security oversight.
A smaller group had deployed packages with a known history of compromise. Tenable found that nearly one in eight organisations (13%) had used packages associated with incidents such as the s1ngularity or Shai-Hulud worms.
Supply chain weaknesses can have broad impact because vulnerable packages can spread across many applications and environments. Cloud deployments add complexity, as teams often manage workloads, identities, and code across different consoles and services.
Identity controls
Identity permissions were another focal point. Tenable found that 18% of organisations had granted AI services administrative permissions that were rarely audited, creating a "pre-packaged" catalogue of privileges an attacker could exploit if they gained access.
"Ghost" secrets were common in the data set. Tenable reported that 17% of unused or unrotated credentials were tied to critical administrative privileges. It also found that 49% of identities with critical-severity excessive permissions were dormant, increasing the likelihood that risky access remains unreviewed.
The report described an "AI exposure gap" spanning applications, infrastructure, identities, agents, and data, and said many security teams lack the visibility needed to track these connections across cloud services and AI integrations.
APAC focus
The findings come as many organisations across Asia Pacific expand cloud adoption and pursue AI-led digital transformation. Increased use of third-party packages and machine identities can add new governance and assurance requirements for companies already operating across multiple cloud platforms and jurisdictions.
Boards and senior executives have taken a closer interest in software supply chain resilience and cloud identity management after several high-profile global breaches. Tenable's report adds data points that may influence how organisations structure accountability for cloud access, secrets management, and third-party package governance.
A key theme is a mismatch between development speed and human-led risk management. The report said engineering velocity, driven by AI adoption, third-party code use, and cloud scale, has outpaced security teams' ability to assess, prioritise, and remediate issues before attackers exploit them.
One recommendation is to treat third-party code and external accounts as extensions of internal infrastructure. It also calls for identity-centric controls and least-privilege approaches for AI-related roles, along with steps to reduce static secret exposure and address "ghost" identity risks.
The report also calls for unified visibility across code packages, virtual machines, identity access, and cloud environments to connect risk signals that separate tools can miss, particularly where permissions and software dependencies interact.
The Tenable Research team based the report on analysis of anonymised telemetry from public cloud and enterprise environments. Data was collected from April to October 2025, with AI findings extended through December 2025.
In a statement accompanying the report, Tenable linked the results to day-to-day operational challenges for security leaders managing cloud and AI change.
"AI systems embedded in infrastructure pose a critical risk that CISOs and defenders must address, in addition to anticipating emerging threats from both AI and cloud technologies. Lack of visibility and governance means teams are at the mercy of new exposures, including over-privileged identities in the cloud," said Liat Hayun, Senior Vice President of Product Management and Research, Tenable.
"By focusing on the unified exposure path, organisations can stop managing 'security debt' and start managing actual business risk," Hayun said.