TENB Tenable Holdings

Tenable Research Reveals Growing AI Exposure Gap Fueled by Supply Chain Risks and Lack of Identity Controls

Report finds 86% of organizations have installed third-party code packages with critical-severity vulnerabilities; 65% expose high-value assets through forgotten cloud credentials

COLUMBIA, Md., Feb. 19, 2026 (GLOBE NEWSWIRE) -- (NASDAQ: TENB), the , today released its . The research reveals organizations face a zero‑margin as they inherit cyber risks faster than they can address them. Engineering velocity — driven by AI adoption, third-party code and cloud scale — has outpaced the human-led ability to assess, prioritize and remediate risks before threat actors exploit them.

The AI Exposure Gap is a largely invisible form of exposure that emerges across applications, infrastructure, identities, agents and data, and that most security teams are not equipped to manage. Tenable’s analysis of cloud environments identifies severe risks across four key security areas: AI security posture, supply chain attack vectors, least privilege implementation and cloud workload exposure — all of which demand immediate attention. The report includes actionable guidance for security and business leaders to reduce risk across cloud and AI environments.

Key findings from the Cloud and AI Security Risk Report 2026 include:

  • 70% have integrated at least one AI or Model Context Protocol (MCP) third-party package, embedding AI deep into applications and infrastructure, often without central security oversight.
  • 86% host third-party code packages with critical-severity vulnerabilities, making the software supply chain a primary and persistent source of cloud exposure. Furthermore, nearly 1 in 8 (13%) have deployed packages with a known history of compromise, such as the s1ngularity or Shai-Hulud worms.
  • 18% of organizations have granted AI services administrative permissions that are rarely audited, creating a "pre-packaged" catalog of privileges for attackers to claim.
  • Non‑human identities such as AI agents and service accounts now represent higher risk (52%) than human users (37%), forming “toxic combinations” of permissions and access that fragmented tools fail to connect.
  • 65% possess "ghost" secrets—unused or unrotated cloud credentials—with 17% of these tied specifically to critical administrative privileges.
  • 49% of identities with critical-severity excessive permissions are dormant.



“AI systems embedded in infrastructure pose a critical risk that CISOs and defenders must address, in addition to anticipating emerging threats from both AI and cloud technologies. Lack of visibility and governance means teams are at the mercy of new exposures, including over-privileged identities in the cloud,” said Liat Hayun, Senior Vice President of Product Management and Research at Tenable. “By focusing on the unified exposure path, organizations can stop managing ‘security debt’ and start managing actual business risk.”

To manage emerging risks, organizations must secure the AI integration process through comprehensive visibility and identity-centric controls. This includes enforcing least privilege for AI roles, neutralizing "ghost" identity risk and eliminating static secret exposure. Third-party code and external accounts are now extensions of organizations' infrastructure; steps to reduce extended supply chain exposure include unifying visibility across code packages, virtual machines, identity access and cloud environments.

The 2026 Cloud & AI Security Risk Report presents findings from the Tenable Research team, analyzing anonymized telemetry from diverse public cloud and enterprise environments collected from April to October 2025 (AI findings extended through December 2025).

Exposure Management is the practice of identifying, evaluating, and prioritizing the risks posed by all entry points an attacker could exploit. This includes not just software vulnerabilities (CVEs), but also misconfigurations, excessive user privileges (identity risk), cloud security gaps, and the "shadow" assets created by AI and third-party supply chains.

About Tenable

Tenable® is the exposure management company, exposing and closing the cybersecurity gaps that erode business value, reputation and trust. The company’s AI-powered radically unifies security visibility, insight and action across the attack surface, equipping modern organizations to protect against attacks from IT infrastructure to cloud environments to critical infrastructure and everywhere in between. By protecting enterprises from security exposure, Tenable reduces business risk for over 40,000 customers around the globe.

Media Contact:

Tenable



EN
19/02/2026
