Tenable Research Reveals Growing AI Exposure Gap

Report finds 86% of organisations have installed third-party code packages with critical-severity vulnerabilities; 65% expose high-value assets through forgotten cloud credentials

Published on Feb. 23, 2026

Tenable, the exposure management company, has released its Cloud and AI Security Risk Report, which reveals that organisations face a growing AI exposure gap as they inherit cyber risks faster than they can address them. The report identifies severe risks across AI security posture, supply chain attack vectors, least privilege implementation, and cloud workload exposure.

Why it matters

The AI Exposure Gap is a largely invisible form of exposure that emerges across applications, infrastructure, identities, agents and data, and that most security teams are not equipped to manage. This report highlights the critical risks that AI systems embedded in infrastructure pose, which CISOs and defenders must address in addition to emerging threats from both AI and cloud technologies.

The details

Key findings from the report include:

  • 70% have integrated at least one AI or Model Context Protocol (MCP) third-party package, often without central security oversight.
  • 86% host third-party code packages with critical-severity vulnerabilities.
  • 18% have granted AI services administrative permissions that are rarely audited.
  • Non-human identities such as AI agents and service accounts now represent higher risk (52%) than human users (37%).
  • 65% possess "ghost" secrets, unused or unrotated cloud credentials, with 17% tied to critical administrative privileges.

  • The report presents findings from the Tenable Research team's analysis of anonymised telemetry from April to October 2025, with AI findings extended through December 2025.

The players

Tenable

An American cybersecurity company that provides exposure management solutions.

Liat Hayun

Senior Vice President of Product Management and Research at Tenable.

What they’re saying

“AI systems embedded in infrastructure pose a critical risk that CISOs and defenders must address, in addition to anticipating emerging threats from both AI and cloud technologies. Lack of visibility and governance means teams are at the mercy of new exposures, including over-privileged identities in the cloud.”

— Liat Hayun, Senior Vice President of Product Management and Research (Tenable)

What’s next

To manage emerging risks, organisations must secure the AI integration process through comprehensive visibility and identity-centric controls, including enforcing least privilege for AI roles, neutralising "ghost" identity risk, and eliminating static secret exposure.

The takeaway

This report highlights the critical need for organisations to address the growing AI exposure gap, which has outpaced the human-led ability to assess, prioritise and remediate risks before threat actors can exploit them. By focusing on the unified exposure path, organisations can stop managing 'security debt' and start managing actual business risk.