AI Security Shock: 86% of Firms Running Critical Vulnerabilities as “Zero-Margin Exposure Gap” Emerges

Tenable AI Exposure Report

Release date: 20 February 2026

Tenable’s latest research warns of what it calls a “zero-margin AI exposure gap” — a situation where organizations are adopting AI and cloud technologies so quickly that security teams have almost no buffer left to manage risk before attackers can exploit it.

The headline statistic is stark:

86% of organizations have installed third-party software packages containing critical-severity vulnerabilities.

Below is a clear, reader-friendly breakdown of what the report found and why it matters.


What “Zero-Margin AI Exposure Gap” Means

In simple terms:

  • Companies are adding AI tools, cloud services, and open-source packages rapidly.
  • Security teams are struggling to keep up with visibility, patching, and access control.
  • The gap between “new risk introduced” and “risk reduced” is shrinking to zero.

That leaves almost no room for error.


Third-Party Code: The Biggest Weak Point

Modern software is built heavily on external packages and open-source libraries. Tenable found:

  • 86% use packages with critical vulnerabilities.
  • 13% have deployed packages that were previously compromised.
  • Many organizations lack continuous monitoring of software dependencies.

Why this is dangerous:

  • Developers often inherit vulnerabilities indirectly.
  • A single compromised dependency can affect thousands of systems.
  • AI tools frequently rely on additional third-party components, increasing exposure.

AI Adoption Is Expanding the Attack Surface

AI services and AI-enabled development are accelerating risk:

  • 70% of organizations have deeply embedded at least one AI-related third-party package.
  • 18% have granted AI services administrative privileges.
  • AI integrations are often deployed before proper security review.

The concern isn’t just AI models — it’s:

  • The permissions granted to them
  • The APIs they connect to
  • The secrets and credentials they use
  • The automation they trigger

When AI systems have high privileges and weak oversight, they become attractive targets.


Identity Risks Are Growing Fast

One of the report’s strongest findings: non-human identities now pose more risk than human users.

Examples of non-human identities:

  • AI agents
  • Service accounts
  • Automation bots
  • CI/CD pipelines

Key findings:

  • Non-human identities account for over half of identity-related risk.
  • 65% of organizations have “ghost secrets” (unused credentials).
  • 17% of those secrets have critical administrative access.
  • Nearly half of overly privileged accounts are dormant.

Why this matters:

Attackers favor unused credentials because they:

  • Go unnoticed
  • Often bypass strict controls
  • Remain valid for long periods

Cloud Misconfigurations Compound the Problem

The report highlights a familiar issue made worse by AI:

  • Excessive permissions
  • Overexposed workloads
  • Poor segmentation
  • Inconsistent governance across teams

AI systems often operate across multiple environments (cloud, SaaS, APIs), which increases complexity and reduces visibility.


Why This Is Different From Traditional Risk

Historically:

  • Risk accumulated gradually.
  • Security teams could prioritize and remediate.

Now:

  • AI accelerates development speed.
  • Cloud services scale instantly.
  • Third-party dependencies multiply quickly.
  • Privileged machine identities proliferate.

Security remediation isn’t keeping pace.

That’s the “zero-margin” condition: risk is accumulating as fast as — or faster than — it can be reduced.


What Organizations Should Focus On

  1. Prioritize risk context, not just vulnerability count
    Focus on vulnerabilities that are exploitable in combination with high privilege and exposure.
  2. Enforce least privilege — especially for machines
    AI systems and automation accounts should have scoped permissions, regular reviews, and short-lived credentials.
  3. Clean up ghost secrets
    Rotate unused credentials, remove dormant identities, and audit service accounts regularly.
  4. Gain unified visibility
    Security teams need consolidated oversight across cloud infrastructure, AI services, identities, and third-party dependencies.
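Recommendations 1 to 3 above can be turned into a repeatable audit. The following is an added illustration, not code from Tenable or from the report: it runs over a constructed inventory of non-human identities (the `Identity` records, the 90-day dormancy threshold and the scoring weights are all assumptions), flags ghost secrets, measures how many of them hold admin rights, and ranks identities by the combination of dormancy, privilege and exposure rather than by a single attribute.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

@dataclass
class Identity:
    """One non-human identity (service account, AI agent, CI job, bot)."""
    name: str
    kind: str
    last_used: Optional[date]   # None = credential never used since creation
    created: date
    admin: bool                 # holds administrative privileges
    internet_exposed: bool      # reachable from outside the environment

TODAY = date(2026, 2, 20)          # audit reference date (assumption)
DORMANT_AFTER = timedelta(days=90) # dormancy threshold (assumption)

def is_ghost(ident: Identity, today: date = TODAY) -> bool:
    """Ghost secret: never used, or not used within DORMANT_AFTER."""
    last = ident.last_used or ident.created
    return today - last > DORMANT_AFTER

def risk_score(ident: Identity, today: date = TODAY) -> int:
    """Risk context: dormancy, admin rights and exposure compound each other."""
    score = 1 if is_ghost(ident, today) else 0
    score += 2 if ident.admin else 0
    score += 2 if ident.internet_exposed else 0
    return score

def audit(inventory: List[Identity], today: date = TODAY) -> dict:
    """Summarise ghost secrets and return the identities to remediate first."""
    ghosts = [i for i in inventory if is_ghost(i, today)]
    ghost_admins = [i for i in ghosts if i.admin]
    ranked = sorted(inventory, key=lambda i: risk_score(i, today), reverse=True)
    return {
        "ghost_pct": round(100 * len(ghosts) / len(inventory)),
        "ghost_admin_pct": round(100 * len(ghost_admins) / len(ghosts)) if ghosts else 0,
        "remediate_first": [i.name for i in ranked if risk_score(i, today) >= 4],
    }

# Constructed sample inventory; the names and dates are invented for the demo.
SAMPLE = [
    Identity("ci-deployer", "ci_pipeline", date(2026, 2, 18), date(2024, 1, 1), True, False),
    Identity("llm-agent-prod", "ai_agent", date(2025, 9, 1), date(2025, 6, 1), True, True),
    Identity("legacy-backup", "service_account", None, date(2023, 3, 1), True, False),
    Identity("metrics-bot", "automation_bot", date(2026, 1, 30), date(2025, 1, 1), False, False),
    Identity("old-webhook", "service_account", date(2025, 10, 1), date(2024, 5, 1), False, True),
]

if __name__ == "__main__":
    print(audit(SAMPLE))
```

On the sample data the dormant, admin-privileged and internet-exposed AI agent ranks first, while the recently used CI deployer with the same admin rights does not, which is the "risk context over vulnerability count" point the recommendations make.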

Bottom Line

The core warning is not that AI itself is insecure.

The warning is that AI adoption is accelerating organizational risk faster than security maturity is evolving.

If current trends continue, many organizations will operate with virtually no safety buffer — where a single exploited dependency or privileged AI agent could trigger a major compromise.


Aegiron

Backed by 11+ years in cybersecurity and incident response, we decode the latest threats shaping today’s digital battlefield. This blog cuts through the noise with clear insights on vulnerabilities, emerging exploits, and the cyber news defenders can’t afford to miss.