Tenable Report: 86% of Firms Host Critical AI Exposure Gap in Cloud Security
Tenable’s 2026 Cloud and AI Security Risk Report reveals that 86% of organizations host critical-severity vulnerabilities in third-party code packages and 65% maintain unrotated cloud credentials that expose high-value assets. The study finds that 70% have integrated AI code packages without oversight, while 18% grant administrative permissions to AI services that are rarely audited.
1. Tenable Releases 2026 Cloud and AI Security Risk Report
On February 19, 2026, Tenable published its Cloud and AI Security Risk Report 2026, which highlights how the rapid pace of AI integration and cloud expansion is outstripping organizations’ ability to manage emerging exposures. The study assesses risk across applications, infrastructure, identities and data to quantify the so-called AI Exposure Gap.
2. Key Findings on Vulnerabilities and Exposures
Analysis shows 86% of organizations have installed third-party code packages with critical-severity vulnerabilities and 13% have deployed packages with a known history of compromise. Additionally, 65% possess ghost cloud credentials—17% tied to critical admin privileges—while 70% integrate at least one AI or MCP package without central security oversight.
3. Impact of AI and Identity Risks
The report finds non-human identities now represent 52% of high-risk permissions compared to 37% for human users, creating fragmented “toxic combinations” of access. Further, 18% of organizations grant administrative rights to AI services that are rarely audited, providing a pre-packaged privilege catalog for attackers.
4. Recommended Mitigation Strategies
Tenable advises enforcing least privilege for AI roles, regularly rotating secrets to eliminate ghost credentials, and unifying visibility across code packages, virtual machines, identity access and cloud environments. These steps aim to close the AI Exposure Gap by shifting from managing security debt to focusing on actual business risk.