The Widening AI Exposure Gap: Why Cloud Security is Falling Behind
Organisations are facing a growing cybersecurity challenge: an “AI exposure gap.” This isn’t about AI *causing* breaches, but rather the rapid integration of AI, cloud technologies, and third-party software creating vulnerabilities that security teams struggle to identify and address. A recent report from Tenable highlights this critical mismatch between engineering speed and security capabilities.
The Software Supply Chain: A Major Weak Point
The report reveals a significant risk within the software supply chain. A staggering 86% of organisations have third-party code packages installed containing critical-severity vulnerabilities. Even more concerning, 13% have deployed packages with a known history of compromise, including instances linked to the s1ngularity and Shai-Hulud worms. This demonstrates that vulnerabilities aren’t just theoretical; they’re actively being exploited.
The increasing use of AI and Model Context Protocol third-party packages – found in 70% of organisations – further complicates matters. These integrations often bypass traditional security oversight, embedding AI deeper into systems and expanding the attack surface.
Identity and Access Management: A Critical Control Point
Identity controls are proving to be a major pressure point. “Ghost” secrets – unused or unrotated cloud credentials – plague 65% of organisations. Alarmingly, 17% of these unused credentials grant critical administrative privileges. Nearly half (49%) of identities with excessive permissions remain dormant, representing a significant potential entry point for attackers.
The report also raises concerns about permissions granted to AI services themselves, with 18% of organisations giving them rarely-audited administrative access. Non-human identities, like AI agents and service accounts, now pose a higher risk (52%) than human users (37%), due to “toxic combinations” of permissions across fragmented systems.
The Rise of “Invisible” Exposure
Tenable defines this challenge as an issue of “exposure management” – the process of identifying, evaluating, and prioritizing risks across all potential attacker entry points. AI adoption dramatically expands the number of systems and components that can inherit risk, adding new layers to applications, infrastructure, identities, and data. This creates a largely invisible exposure that many security teams are ill-equipped to manage.
The report identified severe risks in four key areas: AI security posture, supply chain attack vectors, least-privilege implementation, and cloud workload exposure.
What Can Organisations Do?
The report recommends a multi-faceted approach. Improving visibility of AI integrations is paramount, alongside tightening identity-centric controls. Implementing least-privilege practices for AI roles, removing “ghost” identities, and eliminating exposure from static secrets are also crucial steps. Recognizing that third-party code and external accounts now function as extensions of an organisation’s infrastructure is vital.
Liat Hayun, Senior Vice President of Product Management and Research at Tenable, emphasizes the demand for security teams to proactively account for AI systems embedded within infrastructure. She states that a lack of visibility and governance leaves teams vulnerable to new exposures, including over-privileged identities in the cloud.
Hayun advocates for focusing on the “unified exposure path” to move beyond managing “security debt” and towards managing actual business risk.
Pro Tip
Regularly audit and rotate cloud credentials. Implement multi-factor authentication (MFA) wherever possible to add an extra layer of security.
Future Trends to Watch
The AI exposure gap isn’t a static problem; it’s likely to worsen as AI becomes more pervasive. Several trends will exacerbate the challenge:
- Increased AI Complexity: AI models will develop into more complex, making it harder to understand their internal workings and potential vulnerabilities.
- AI-Powered Attacks: Attackers will increasingly leverage AI to automate and refine their attacks, making them more sophisticated and tough to detect.
- Expansion of Non-Human Identities: The number of AI agents and service accounts will continue to grow, increasing the risk associated with non-human identities.
- Decentralized AI Development: More AI development will occur outside of centralized IT departments, leading to shadow AI and increased security risks.
FAQ
Q: What is the “AI exposure gap”?
A: It’s the growing mismatch between the speed of AI and cloud adoption and the ability of security teams to assess and remediate associated risks.
Q: How significant is the risk from third-party code?
A: 86% of organisations have third-party code packages with critical vulnerabilities, and 13% have deployed compromised packages.
Q: What is exposure management?
A: It’s the process of identifying, evaluating, and prioritizing risks across all potential attacker entry points.
Did you know?
Non-human identities (AI agents, service accounts) now present a higher risk profile than human users, according to Tenable’s research.
Want to learn more about securing your cloud environment? Explore our other articles on cloud security best practices.
