SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers

Tenable warns of widening AI exposure gap in cloud

Mon, 23rd Feb 2026

Tenable has published research warning that organisations are widening an "AI exposure gap" as cloud adoption, third-party software use and AI-driven development increase cyber risks that security teams struggle to identify and fix.

Tenable's Cloud and AI Security Risk Report 2026 draws on anonymised telemetry from public cloud and enterprise environments. The dataset was collected from April to October 2025, with AI-related findings extended through December 2025.

The report describes a mismatch between the pace of modern engineering and the ability of security teams to assess and remediate weaknesses before attackers exploit them. It links the problem to AI adoption, the growing use of third-party code packages and the scale of cloud infrastructure.

Supply chain risks

A central finding focuses on software supply chain exposure. The report found that 86% of organisations had third-party code packages installed with critical-severity vulnerabilities.

It also found that 13% of organisations had deployed packages with a known history of compromise, citing examples including the s1ngularity and Shai-Hulud worms.

Separately, 70% of organisations had integrated at least one AI or Model Context Protocol third-party package. The report said this embeds AI deeper into applications and infrastructure and often sits outside central security oversight.

Identity controls

The research also highlights identity and access management as a pressure point in cloud and AI environments. It found that 65% of organisations had "ghost" secrets (unused or unrotated cloud credentials).

Among those, 17% of unused credentials were tied to critical administrative privileges. The report also found that 49% of identities with critical-severity excessive permissions were dormant.

It also raised concerns about the permissions granted to AI services, with 18% of organisations having given AI services administrative permissions that were rarely audited.

Non-human identities, including AI agents and service accounts, now present a higher risk profile than human users, according to the report. Tenable put the risk at 52% for non-human identities compared with 37% for human users, attributing the shift to "toxic combinations" of permissions and access across fragmented systems.

These findings add to a broader industry focus on identity as a key control plane for cloud security. Credentials and permissions are at the centre of many cloud incidents, particularly where long-lived secrets remain active and service accounts accumulate rights over time.

Exposure management

The report places these issues in the context of exposure management, which Tenable defines as identifying, evaluating and prioritising risks across all attacker entry points. This includes vulnerabilities, misconfigurations, excessive privileges, cloud security gaps and shadow assets created by AI and third-party supply chains.

Tenable argues that AI adoption expands the number of systems and components that can inherit risk and adds new layers across applications, infrastructure, identities, agents and data. The report describes this as "largely invisible" exposure that many security teams are not equipped to manage.

According to Tenable, its cloud analysis identified severe risks across four areas: AI security posture, supply chain attack vectors, least-privilege implementation and cloud workload exposure.

The report recommends improving visibility of AI integrations and tightening identity-centric controls. It also points to least-privilege practices for AI roles, removing "ghost" identities and eliminating exposure from static secrets. It adds that third-party code and external accounts increasingly function as extensions of an organisation's infrastructure.

Liat Hayun, Senior Vice President of Product Management and Research at Tenable, said security teams need to account for AI systems that are increasingly embedded in infrastructure.

"AI systems embedded in infrastructure pose a critical risk that CISOs and defenders must address, in addition to anticipating emerging threats from both AI and cloud technologies. Lack of visibility and governance means teams are at the mercy of new exposures, including over-privileged identities in the cloud."

Hayun added: "By focusing on the unified exposure path, organisations can stop managing 'security debt' and start managing actual business risk."

The report includes guidance for security and business leaders on reducing risk across cloud and AI environments, with a focus on improving oversight of third-party packages and strengthening identity controls as AI services and agents take on broader roles across enterprise systems.