Core Insights - The 2026 Cloud and AI Security Risk Report by Tenable reveals a significant AI exposure gap, with organizations inheriting cyber risks faster than they can manage them [1][2] Group 1: Key Findings - 86% of organizations have installed third-party code packages with critical-severity vulnerabilities, making the software supply chain a major source of cloud exposure [7] - 65% of organizations possess "ghost" secrets, which are unused or unrotated cloud credentials, with 17% of these linked to critical administrative privileges [7] - 70% of organizations have integrated at least one AI or Model Context Protocol (MCP) third-party package, often without central security oversight [7] Group 2: Security Risks - Non-human identities, such as AI agents and service accounts, represent a higher risk (52%) compared to human users (37%), leading to dangerous combinations of permissions [7] - Organizations face severe risks in four key areas: AI security posture, supply chain attack vectors, least privilege implementation, and cloud workload exposure [2][4] - The lack of visibility and governance in AI systems embedded in infrastructure poses critical risks that need to be addressed [4] Group 3: Recommendations - Organizations should secure the AI integration process through comprehensive visibility and identity-centric controls, including enforcing least privilege for AI roles [4] - Steps to reduce extended supply chain exposure include unifying visibility across code packages, virtual machines, identity access, and cloud environments [4] - The report provides actionable guidance for security and business leaders to mitigate risks in cloud and AI environments [2]