99.9% of fixable AI vulnerabilities remain unpatched

Organizations build, deploy, and operate AI in the cloud, but basic cybersecurity hygiene is often sacrificed for speed, according to Orca Security’s 2026 State of AI Security Report.

AI infrastructure security risks

Building AI without security

Fifty-six percent of AI adopters have deployed agent frameworks into production, and 51.5% use AI to build custom applications. Orca also found that 81.2% of companies running AI packages have at least one known vulnerability, and 99.9% of AI vulnerability alerts with an available fix remain unpatched. These findings show how quickly AI has become operational infrastructure without a corresponding increase in security maturity.

API-based AI is embedded in development workflows with access to codebases, terminals, environment variables, and credentials, creating new attack surfaces.

Organizations deploying AI agents also deploy agent frameworks. Every production agent represents a new non-human identity with its own permissions, memory, and potential blast radius. Retrieval-augmented generation (RAG) pipelines allow LLMs to access internal documents, customer data, and proprietary knowledge at query time.

More than half of AI cloud service users, operate four or more distinct AI service types. Between 87% and 98% of organizations across the three major cloud providers have not configured customer-managed encryption keys for their AI services. They manage complex AI ecosystems connected to enterprise data, cloud services, identities, and production workflows.

“AI has introduced an entirely new operational layer into cloud environments,” said Nir Mishal, CISO at Orca Security. “Organizations now have agents making decisions, vector databases connected to enterprise data, and AI services spread across multiple cloud providers. Security teams need unified visibility across that entire environment, paired with automated prevention, to understand where risk actually exists and stop attackers before damage is done.”

Securing the AI supply chain

Attackers are moving across five layers of the AI stack: package registries, model hubs, developer tools, agent frameworks, and brand trust. Technologies across these layers are widely deployed in production environments.

Eighty-one percent of companies running AI packages have at least one known vulnerability, and 74.1% have at least one critical CVE. AI packages inherit vulnerabilities disclosed over the past five years, including CVEs published during the last 12 months, exposing production environments to both old and new threats.

A vulnerable library embedded in a dependency graph often outlives the patch cycle. AI workloads inherit the same problem despite release cycles that assume dependencies remain up to date.

In 2024, organizations often deprioritized patching AI packages because many vulnerabilities were considered difficult to exploit. Now, 99.9% of AI vulnerability alerts with an available fix remain unpatched.

Orca groups new AI-related packages vulnerabilities into three categories: SDKs for accessing hosted AI models, frameworks for building AI agents and integrations, and the rapidly expanding Model Context Protocol (MCP) ecosystem.

Managing AI agents and RAG

Despite the governance response making progress, adoption is not so many AI agents run with default permissions, logging, and no runtime separation from production systems. This gives attackers opportunity to weaponize them to execute commands and move laterally through the AI layer.

Sixty-four percent of AI adopters have deployed vector databases that connect LLMs to internal documents, customer records, and proprietary knowledge.

Businesses using retrieval-augmented generation (RAG) operate an average of 3.78 vector databases, making it more difficult to enforce consistent security policies across platforms, deployment models, and access methods.

Closing the governance gap

AI spans models, agents, packages, browser extensions, and cloud services. These technologies have spread across enterprises faster than security teams can inventory and secure them. Each introduces its own security model, encryption options, access controls, and compliance requirements.

AI coding tools can introduce vulnerabilities into software, making code review, secrets management, commit security policies, and security scanning essential.

Governments are expanding AI regulation. The EU AI Act introduces additional requirements for high-risk AI systems beginning on August 2, 2026. The United States continues to develop its AI regulatory framework, and Colorado’s amended AI law takes effect on January 1, 2027. China has expanded its cybersecurity framework with AI-specific requirements and mandatory labeling of AI-generated content.

AI services have created a new category of exposed credentials. API keys provide access to AI models, enterprise data, and AI services, making them attractive targets. Nearly 30% of AI adopters store at least one AI key in an insecure location. Keys committed to Git repositories may remain accessible even after they are removed from the codebase.

Fixing AI infrastructure exposure

Companies often deploy AI services with configurations that leave them exposed. Attackers increasingly target AI infrastructure by exploiting excessive permissions, public endpoints, weak authentication, and predictable configurations.

Common issues across platforms such as Amazon SageMaker, Azure OpenAI, and Google Vertex AI include missing encryption, broad access privileges, and internet-facing services that make lateral movement and data theft easier.

Strengthening AI encryption

Businesses that rely on provider-managed encryption keys have limited control over access to AI data. Provider-managed keys encrypt data at rest but do not allow customers to control key rotation, revoke access independently, or gain visibility into key usage.

Customer-managed encryption keys help protect training data, sensitive information, and AI models. Most organizations have not enabled them.

Don't miss