Tenable has warned that organisations are facing a growing “AI exposure gap” as rapid artificial intelligence adoption and cloud expansion continue to outpace cybersecurity controls.
In its latest Cloud and AI Security Risk Report 2026, the cybersecurity firm found that companies are inheriting cyber risks faster than they can identify and fix them, driven by increasing reliance on AI tools, third-party code packages and large-scale cloud environments.
The report revealed that 86% of organisations analysed had installed third-party code packages containing critical-severity vulnerabilities, making software supply chains a major source of security exposure. Around 13% were also found to have deployed compromised packages linked to known cyber threats such as the s1ngularity and Shai-Hulud worms.
Tenable said 70% of organisations had integrated at least one third-party AI or Model Context Protocol (MCP) package into their systems, often without centralised security oversight, a pattern that embeds AI deeply into applications and infrastructure.
The study also highlighted rising identity-related risks, with non-human identities such as AI agents and service accounts now posing greater security threats than human users. According to the findings, 52% of non-human identities carried elevated risks compared with 37% for human users.
Meanwhile, 65% of organisations were found to possess “ghost” secrets, referring to unused or unrotated cloud credentials, with 17% of those linked to critical administrative privileges.
The report further found that nearly half of identities with critical excessive permissions were dormant, increasing the risk of exploitation by cyber attackers.
Liat Hayun said organisations must improve visibility and governance over AI systems and cloud identities to manage emerging threats effectively.
She said security teams are increasingly exposed to risks from over-privileged cloud identities, AI integrations and fragmented security tools that fail to connect vulnerabilities across environments.
Tenable said businesses should adopt identity-centric security controls, enforce least-privilege access policies and improve visibility across code packages, cloud systems and external accounts to reduce supply chain and AI-related exposure risks.





