EXPOSURE management firm Tenable unveiled its Cloud and AI Security Risk Report 2026 last Feb. 23, warning that organizations across the Asia-Pacific region are slipping into a “zero-margin AI exposure gap” as rapid artificial intelligence adoption and reliance on third-party code outpace human-led security efforts.
The company said the findings should serve as a wake-up call for companies using cloud and AI technologies, as the speed of deployment is creating security gaps that threat actors can exploit. Organizations, it added, must strengthen access controls, improve system monitoring and remediate vulnerable software before attackers take advantage.
The study, based on anonymized telemetry from public-cloud and enterprise environments gathered from April to October 2025, with AI-specific data extending to December, found that 86 percent of organizations installed third-party code packages with critical-severity vulnerabilities, making the software supply chain a leading source of cloud exposure.
Nearly one in eight organizations, or 13 percent, deployed packages with a known history of compromise, including those associated with the s1ngularity and Shai-Hulud worms, the report said.
Artificial intelligence adoption is equally widespread. Seventy percent of firms embedded at least one AI or Model Context Protocol third-party package into applications and infrastructure, often without centralized security oversight. About 18 percent granted AI services administrative privileges that are rarely audited, creating a pool of highly privileged accounts that attackers could exploit.
Identity-related risks further compound the problem. Nonhuman identities, such as AI agents and service accounts, account for 52 percent of high-risk identities, compared with 37 percent for human users. “Ghost” secrets — unused or unrotated cloud credentials — were found in 65 percent of organizations, with 17 percent of these tied to critical administrative access.
In addition, 49 percent of identities with excessive critical permissions are dormant, giving attackers potential footholds that can remain undetected, according to the report.
Liat Hayun, senior vice president for product management and research at Tenable, described the trend as “a critical risk that CISOs and defenders must address.”
“Lack of visibility and governance means teams are at the mercy of new exposures, including over-privileged identities in the cloud,” Hayun said. “By focusing on the unified exposure path, organizations can stop managing ‘security debt’ and start managing actual business risk.”
To close the gap, Tenable recommended an identity-centric approach that includes enforcing least-privilege access for AI roles, eliminating ghost identities and static secrets, and unifying visibility across code packages, virtual machines, identity systems and cloud workloads. The report also urged organizations to embed these controls into their DevOps pipelines.
Tenable defines exposure management as the process of identifying, assessing and prioritizing every potential entry point an attacker could exploit, including software vulnerabilities, misconfigurations, excessive user privileges, cloud security gaps and shadow assets created by AI and third-party supply chains.
With engineering speed now outpacing the capacity of security teams to respond, the report underscored what it called the urgency for organizations to adopt unified and automated exposure-management practices before threat actors exploit the widening AI exposure gap.
