Your Company Is Probably Already Hacked — And Its AI Tools Are Holding the Door Open

A major new report reveals that 82% of organizations are running cloud workloads with known, exploited vulnerabilities — and AI adoption is making things dramatically worse.

If you think your organization’s cloud environment is secure, a sweeping new report from cybersecurity firm Tenable suggests you may want to think again. The Tenable Cloud and AI Security Risk Report 2026, which analyzed thousands of real-world cloud environments across Amazon Web Services, Microsoft Azure, and Google Cloud Platform between April and December 2025, paints an alarming picture: companies are racing to adopt AI and third-party code at a pace that their security practices simply cannot match. The attackers, meanwhile, are keeping up just fine.

AI Is Creating a Security Governance Crisis

The report’s most striking finding concerns how AI services are quietly accumulating dangerous levels of cloud access. Tenable found that 18% of organizations have identity and access management (IAM) roles — essentially digital permission slips — with excessive, critical-level privileges that AI services like Amazon SageMaker and Amazon Bedrock can instantly assume. To make things worse, more than 70% of the default roles created for these AI services are simply sitting unused and unmonitored. Think of them as spare master keys left under the doormat: forgotten by the team that put them there, but visible to anyone who looks.

The report also found that 3% of organizations have hardcoded API keys for leading AI providers — including Anthropic and OpenAI — directly into cloud configuration files. While small today, Tenable warns this number will grow rapidly as experimental AI pilots move into full production. A leaked API key doesn’t just expose data; it can rack up enormous unauthorized cloud computing bills in what the industry grimly calls a “denial of wallet” attack.

The Supply Chain Is a Wide-Open Back Door

Most modern software is assembled rather than written from scratch. Developers pull in thousands of ready-made code packages from public repositories, dramatically accelerating development — but also inheriting whatever security flaws or malicious code those packages contain. The report found that 86% of organizations have at least one critical-severity vulnerability lurking in an installed third-party package. Nearly one in three organizations has over 100 such vulnerable packages deployed.

Beyond vulnerable packages, the report documented two specific attack campaigns from Q3 2025: “Shai-Hulud,” the first self-replicating npm worm, which spread through developer environments, stealing credentials and infecting new projects; and “s1ngularity,” which scraped stolen API keys and published them directly to public GitHub repositories. One in eight organizations had already deployed a package tainted by one of these campaigns. A subsequent wave dubbed Shai-Hulud 2.0 has since compromised hundreds more high-profile packages, suggesting actual exposure is now significantly higher.

External vendor access deepens the problem further. Over half of organizations (53%) have granted outside accounts — partners, vendors, contractors — the ability to assume critical-level excessive permissions. If any one of those vendors is compromised, the attacker walks straight into your environment, already with elevated privileges.

Ghost Identities and Forgotten Passwords Are Everywhere

One of the most preventable risks documented in the report is also one of the most pervasive. On average, 49% of the cloud identities holding the highest-level permissions — accounts capable of admin-level control over entire cloud environments — have not been used in over 90 days. These dormant “ghost” accounts represent a treasure trove for attackers: maximum access, zero scrutiny.

Non-human identities — service accounts, automated bots, AI agents — are now riskier than human ones, with 52% of organizations having machine identities with excessive permissions, compared to 37% for human accounts. These machine identities are rarely audited and are often over-provisioned simply to keep automated processes running smoothly.

Additionally, 65% of organizations have unused or unrotated credential keys tied to high-privilege identities — essentially unlocked doors that no one has bothered to close. This is down from 84% in 2024, which is progress, but far from reassuring.
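
The two identity findings above, AI services able to assume critically privileged roles and high-privilege identities left unused for over 90 days, can be checked together from an IAM inventory. The sketch below is an added example, not code from Tenable or the report; it assumes role records shaped like the RoleDetailList entries returned by `aws iam get-account-authorization-details`, and the sample roles and the set of policies treated as critical are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

AI_SERVICES = {"sagemaker.amazonaws.com", "bedrock.amazonaws.com"}
DORMANT_AFTER = timedelta(days=90)  # the unused-for-90-days threshold cited above
# Assumption: which managed policies count as "critical" is a local decision.
CRITICAL_POLICIES = {"AdministratorAccess", "IAMFullAccess"}

def trusted_services(role):
    """Service principals the role's trust policy allows to assume it."""
    found = set()
    for stmt in role["AssumeRolePolicyDocument"].get("Statement", []):
        principal = stmt.get("Principal")
        if stmt.get("Effect") != "Allow" or not isinstance(principal, dict):
            continue
        svc = principal.get("Service", [])
        found.update([svc] if isinstance(svc, str) else svc)  # str or list
    return found

def audit(roles, now):
    """Flag AI-assumable roles holding a critical policy; mark dormant ones."""
    findings = []
    for role in roles:
        ai = trusted_services(role) & AI_SERVICES
        names = {p["PolicyName"] for p in role.get("AttachedManagedPolicies", [])}
        critical = names & CRITICAL_POLICIES
        if not ai or not critical:
            continue
        last = role.get("RoleLastUsed", {}).get("LastUsedDate")  # absent = never used
        dormant = last is None or now - datetime.fromisoformat(last) > DORMANT_AFTER
        findings.append({"role": role["RoleName"], "services": sorted(ai),
                         "policies": sorted(critical), "dormant": dormant})
    return findings

def _role(name, service, policy, last_used=None):  # builds a constructed record
    return {"RoleName": name,
            "AssumeRolePolicyDocument": {"Statement": [{
                "Effect": "Allow", "Principal": {"Service": service},
                "Action": "sts:AssumeRole"}]},
            "AttachedManagedPolicies": [{"PolicyName": policy}],
            "RoleLastUsed": {"LastUsedDate": last_used} if last_used else {}}

NOW = datetime(2026, 1, 1, tzinfo=timezone.utc)
SAMPLE_ROLES = [  # constructed data, not from the report
    _role("sm-default-exec", "sagemaker.amazonaws.com", "AdministratorAccess"),
    _role("bedrock-agent", ["bedrock.amazonaws.com"], "AdministratorAccess",
          "2025-12-20T09:00:00+00:00"),
    _role("lambda-etl", "lambda.amazonaws.com", "AdministratorAccess"),
    _role("sm-readonly", "sagemaker.amazonaws.com", "AmazonS3ReadOnlyAccess"),
]
print(audit(SAMPLE_ROLES, NOW))
```

Roles flagged with `dormant` set are the first candidates for removal or for scoping down to the permissions the workload actually uses.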

Unpatched Systems: An Attacker’s Dream

The final major finding concerns the stubborn persistence of unpatched cloud workloads. A striking 82% of organizations are actively running systems with known, publicly exploited critical vulnerabilities — flaws that attackers don’t need any novel techniques to exploit. Meanwhile, 57% of organizations are running workloads on operating systems that have reached or are nearing end-of-life, meaning they will never receive another security update.

To illustrate how fast this can turn catastrophic, the report highlights the React2Shell vulnerability (CVE-2025-55182), a maximum-severity flaw disclosed in December 2025. Active exploitation was confirmed just six hours after public disclosure. Despite a patch being immediately available, 12% of organizations were still running vulnerable systems two full weeks later. In today’s threat environment, that delay is effectively the same as leaving the front door open with a welcome sign.

The Tenable report concludes with a clear message: the answer is not more security alerts, but smarter prioritization — focusing on the specific intersections of vulnerability, excessive privilege, and reachability that transform a single oversight into a full-scale breach. As Tenable puts it, “Perfect security is a myth; resilient security is a mandate.”
